ISO 27001:2013 vs 27001:2005

ISO 27001 is a specification for an information security management system (ISMS). Organisations that meet the standard may be accredited by an independent accreditor. ISO 27001:2013 is a new standard that was published on 25 September 2013.
 
Here is a short FAQ on the new standard:

1. I am already certified to the 2005 standard. Should I get certified again to the 2013 standard?
Organisations already certified have a 2-year transition period within which they must be certified to the new standard. The standard was published on 25 September 2013, so you have until 25 September 2015 to complete the transition.
 
2. We have already started the certification process. Which standard should we use: 2005 or 2013?
You can certify against the old standard until 25 September 2014 (1 year from the date of publication of the standard), but you must transition to the new standard by 25 September 2015.
 
3. Are there more controls in the new standard?
No. The number of controls has actually come down from 133 to 114, while the number of sections in Annex A has gone up from 11 to 14.
 
4. What are the new controls?
A.6.1.5 Information security in project management
A.12.6.2 Restrictions on software installation
A.14.2.1 Secure development policy
A.14.2.5 Secure system engineering principles
A.14.2.6 Secure development environment
A.14.2.8 System security testing
A.15.1.1 Information security policy for supplier relationships
A.15.1.3 Information and communication technology supply chain
A.16.1.4 Assessment of and decision on information security events
A.16.1.5 Response to information security incidents
A.17.2.1 Availability of information processing facilities
 
5. Which areas have changed the most?
Interested parties & Objectives, monitoring & measurement