Organizations that meet the standard may be certified compliant by an independent and accredited certification body download iso 27001 standard pdf successful completion of a formal compliance audit. Annexes B and C of 27001:2005 have been removed.
The 2013 standard puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing, and there is a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT. It does not emphasize the Plan-Do-Check-Act cycle that 27001:2005 did.
Other continuous improvement processes like Six Sigma’s DMAIC method can be implemented. More attention is paid to the organizational context of information security, and risk assessment has changed.
IEC 20000, and it has more in common with them. A very important change in the new version of ISO 27001 is that there is now no requirement to use the Annex A controls to manage the information security risks. Thus almost every risk assessment ever completed under the old version of ISO 27001 used Annex A controls but an increasing number of risk assessments in the new version do not use Annex A as the control set. This enables the risk assessment to be simpler and much more meaningful to the organization and helps considerably with establishing a proper sense of ownership of both the risks and controls.
This is the main reason for this change in the new version. 2005 standard had 133 controls in 11 groups. IEC 27001:2013 and not use any of these controls. IEC 27001:2013 – Information technology — Security techniques — Information security management systems — Requirements”.