Beruflich Dokumente
Kultur Dokumente
Use and completion of the ISO/IEC 27001:2013 transition checklist for systems currently compliant to ISO/IEC 27001:2005.
1. Use this checklist to record evidence of conformance to the new and enhanced requirements of ISO/IEC 27001:2013. You may complete it
during one or more visits.
2. The client enters references to related evidence to demonstrate that the requirement has been met.
3. The assessor reviews this, adding any further details to support conformance either on this checklist or in the related report, but cross-
referencing them appropriately by entering the visit date and process box or finding reference to give traceability.
4. At the visit when all requirements have been examined and found compliant (subject to any findings raised with appropriate corrective
action plans) and the assessor is making a recommendation for approval:
Make a statement in the executive summary outcome of the visit report
Include a draft certificate in the visit report.
Include this Checklist
5. Subject to Technical Review a new certificate will be issued.
NOTE – The clause numbering has changed between the the old and new standards. The numbers are taken from ISO/IEC 27001:2013.
In some cases there are new requirements, and in others there has been some clarification to requirements. There has also been some
moving of requirements from one section to another. You may already have policies, procedures and controls in place for these
requirements, but please complete all sections of the checklist to confirm how the explicit clauses noted are met.
Some sections have explanatory notes which may be deleted before completing the response.
Transition requirement Clause Supporting evidence
1. General
ISO/IEC 27000:2012
ISO/IEC 27001:2013
ISO/IEC 27002:2013
5. Leadership
The client must be able to demonstrate that top management 5.1h) Note: for requirement 5.1h) the client should identify here the
are supportive of other relevant management roles to governance mechanisms they have in place (reviews, briefings,
demonstrate their leadership. 1to1s etc.) to achieve this.
7.4 Communication
The client must demonstrate that they have determined the 7.4
need for internal and external communication relevant to the
information security management system as defined in Clause
7.4.
9. Performance Evaluation
The client must demonstrate that they have determined the 9.1
requirements for monitoring and measurement of the ISMS in
accordance with Clause 9.1 of the standard and implemented
accordingly.
The client should demonstrate that management review now 9.3
incorporates the results of monitoring and measurement, the
fulfilment of information security objectives, the results of
risk assessment and risk treatment, and opportunities for
continual improvement. 5.1e)
A.6.1.1 Management commitment to information security Covered by main requirements of standard - Leadership
A.6.1.2 Information security co-ordination Covered by main requirements of standard
A.6.1.4 Authorisation process for information processing facilities Deleted
A.6.2.1 Identification of risks related to external parties Covered by main requirements of standard - Risk Assessment
A.6.2.2 Addressing security when dealing with customers Covered by main requirements of standard - Risk Assessment
A.8.1.1 Roles and responsibilities Covered by main requirements of standard - (5.3)
A.10.2.1 Service delivery Covered by other controls (A.15.2.1)
A.10.4.2 Controls against mobile code Covered by other controls (A.12.2.1)
A.10.7.4 Security of system documentation Covered by main requirements of standard - Risk Assessment
A.10.8.5 Business information systems Deleted
A.10.9.3 Publicly available information Covered by other controls (A.14.1.2)
A.10.10.2 Monitoring system use Covered by other controls (A.12.4.1)
A.10.10.5 Fault logging Covered by other controls (A.12.4.1)
A.11.4.2 User authentication for external connections Covered by other controls (A.9.1.2, A.9.4.2)
A.11.4.3 Equipment identification in networks subsumed into A.13.1
A.11.4.4 Remote diagnostic and configuration port
protection subsumed into A.13.1
A.11.4.6 Network connection control subsumed into A.13.1
A.11.4.7 Network routing control subsumed into A.13.1
A.11.5.5 Session time-out subsumed into A.13.1
A.11.5.6 Limitation of connection time Covered by other controls (A.9.4.2)
A.11.6.2 Sensitive system isolation subsumed into A.11.2.1 & A13.1.3
A.12.2.1 Input data validation subsumed into A.14.1.1 & A.14.2.5
A.12.2.2 Control of internal processing Covered by other controls (A.14.2.5)
A.12.2.3 Message integrity subsumed into A.14.1.1 & A.14.2.5
A.12.2.4 Output data validation subsumed into A.14.1.1 & A.14.2.5
A.12.5.4 Information leakage subsumed into A 13.1 & A 13.2
A.14.1.3 Developing and implementing continuity plans including
information security subsumed into A17.1.2
A.14.1.4 Business continuity planning framework subsumed into A17.1.2
A.15.1.5 Prevention of misuse of information processing facilities Covered by main requirements of standard - Risk Assessment
A.15.3.2 Protection of information systems audit tools subsumed into 9.4