It’s Time For An Upgrade: Transitioning Your Current ISMS From ISO 27001:2005 To ISO 27001:2013

Upgrade to ISO 27001:2013

A new version of ISO 27001 has been issued, and if it is your job to upgrade your company's ISO 27001 program from the 2005 edition to the 2013 edition, we're here to help. The standard was revised for a number of reasons: to address newer technology, to align with the common high-level structure required by the ISO/IEC Directives (Annex SL), and to make compliance simpler for organizations that are certified to more than one management system standard. Now that you know the why, let's look at the how. The first thing to look at is the deadlines; build a transition timeline from them, with the detail depending on the current state of your ISMS. The deadlines for transition are as follows:

New implementations

    • Can be certified against ISO/IEC 27001:2005 until October 1, 2014

Transitions of existing certifications

    • Can be performed (from the 2005 to the 2013 standard) until October 1, 2015

Complete transition

    • After October 1, 2015, all certifications must be to the 2013 standard; certificates issued against the 2005 edition are no longer valid after that date

Next, it's important to know the key changes in ISO 27001:2013. Those include: the management system requirements are realigned to clauses 4 through 10 (the Annex SL structure); the risk assessment focus shifts to risk owners, who must approve the risk treatment plan and accept the residual risk, and the 2005 edition's prescribed asset/threat/vulnerability method is no longer mandatory; and Annex A is reorganized from 11 domains and 133 controls to 14 domains and 114 controls, with some controls merged, some dropped and new ones added (for example, secure development policy, supplier/supply-chain security and information security in project management). Finally, you'll want to look at the key implementation steps. Those include:

    • Review current process and management system documentation against clauses 4 through 10 and the new Annex A (a gap analysis)
    • Update the Statement of Applicability (SoA) based on the new control set, mapping each existing control to its 2013 counterpart and justifying every inclusion and exclusion
    • Update policies, procedures and records to reflect the new clause structure and controls
    • Ensure internal audits and management review against the 2013 requirements are planned and performed before the certification or surveillance audit

This is a simplified overview of what needs to be done to transition your company's ISMS from ISO 27001:2005 to the ISO 27001:2013 standard.

If you have questions about your ISO 27001 transition, call us at 888-702-5446 or email