Monday, December 29, 2008

Changes to the Standards.

The first point to underline is that the new international standard is not significantly different from the British version of the standard; it was not the intention of the International Standards Organisation (ISO) to contradict or drastically change what had gone before, or to impose unnecessary extra work on organisations already using it. All international and national standards are subjected to a periodic review process. The review cycle for the transition from BS7799 to ISO 27001 saw some 4,000 comments submitted by national standards organisations. From this feedback it was determined that the standard needed a refresh and additional clarity to help its successful adoption as the internationally recognised best practice.

As a result, a number of structural changes have been made to ISO 27001, such as the creation of a new section on incident management using controls previously found in the personnel section. There are now a total of 133 controls in eleven sections. There are eight new control objectives, five consolidated or combined controls, 17 new controls to cover additional issues and nine deleted controls.

The most significant change is the new requirement to measure the effectiveness of the controls (or groups of controls) that are implemented. The rationale is that you cannot properly manage what you cannot measure, and there is limited benefit in implementing something whose usefulness you cannot measure.
