ISO 27001:2013

What is ISO 27001:2013?

ISO 27001:2013 is the predecessor version of the international standard for information security management systems. Systematic implementation of the 114 Annex A controls is its primary requirement, delivering the business benefit of enhanced data confidentiality, integrity, and availability through a globally recognised governance framework.

ISO 27001:2013 is the 2013 version of the international standard for an Information Security Management System (ISMS). It provides a globally recognised framework for organisations to manage and protect their sensitive information assets systematically. This version was a significant update from its 2005 predecessor, adopting a new high-level structure (Annex SL) to make it easier to integrate with other management system standards such as ISO 9001 (Quality) and ISO 14001 (Environment).

While the standard has since been updated to ISO 27001:2022, the 2013 version remains widely used and understood. Organisations that were certified under the 2013 version are currently in a transition period to the 2022 version.

ISO 27001 Context

The standard itself is a set of requirements that organisations must meet to protect the confidentiality, integrity, and availability of their information. It is designed to be applicable to organisations of all types and sizes, and its core principle is a risk-based approach to information security.

How to implement ISO 27001:2013

Implementing the ISO 27001:2013 standard requires a structured approach to building an Information Security Management System (ISMS) that protects your organisation’s data. As a Lead Auditor, I have defined these 10 essential steps to ensure your implementation is technically sound, compliant with the 114 Annex A controls, and ready for a successful UKAS-accredited certification audit.

1. Define the ISMS Scope and Boundaries

Provision a formal Scope Statement to identify the physical, organisational, and technical boundaries of your ISMS. This prevents scope creep and ensures all critical assets are protected. Technical requirements include:

  • Documenting all physical office locations and remote working perimeters.
  • Identifying cloud infrastructure, internal server segments, and third-party dependencies.
  • Aligning the scope with the specific business requirements of ISO 27001:2013 Clause 4.3.

2. Formalise Leadership Commitment and Governance

Establish a security steering committee to ensure senior management provides the necessary resources and oversight for the ISMS. Leadership involvement is a mandatory requirement of Clause 5. Key actions involve:

  • Authoring the high-level Information Security Policy.
  • Assigning formal security roles and responsibilities within the organisation.
  • Establishing Identity and Access Management (IAM) governance for privileged roles.

3. Provision the Risk Assessment Framework

Formalise a risk assessment methodology that identifies vulnerabilities and threats to your information assets. This ensures that security investments are prioritised based on actual business risk. Technical requirements include:

  • Creating an Asset Register that categorises hardware, software, and data.
  • Defining the criteria for assessing the Confidentiality, Integrity, and Availability (CIA) of assets.
  • Documenting the Risk Treatment Plan (RTP) to address identified security gaps.

4. Document the Statement of Applicability (SoA)

Produce the Statement of Applicability to define which of the 114 Annex A controls are applicable to your organisation. The SoA is the primary document used by auditors to verify your security posture. Requirements include:

  • Justifying the inclusion or exclusion of each ISO 27001:2013 control.
  • Linking applicable controls to the identified risks in your Risk Treatment Plan.
  • Ensuring the document is version-controlled and approved by management.

5. Enforce Access Controls and Multi-Factor Authentication

Provision technical controls to secure access to sensitive systems and data. This reduces the risk of unauthorised access through compromised credentials. Implementation steps involve:

  • Mandating Multi-Factor Authentication (MFA) for all remote and administrative access.
  • Implementing the Principle of Least Privilege (PoLP) across all IAM roles.
  • Regularly reviewing user access permissions to identify and revoke unnecessary privileges.

6. Implement Technical and Physical Security Controls

Deploy the administrative and technical safeguards required by the 14 domains of Annex A. These controls provide the layer of protection for your infrastructure and operations. Critical controls include:

  • Configuring endpoint protection, firewalls, and Intrusion Detection Systems (IDS).
  • Enforcing encryption for data at rest and data in transit.
  • Securing physical entry points to server rooms and office environments.

7. Execute the Internal Audit Programme

Audit your ISMS internally to verify that the implemented controls are operating effectively and meet the ISO 27001:2013 requirements. This identifies gaps before the external assessment. Requirements include:

  • Appointing a competent and independent internal auditor.
  • Developing a technical audit checklist based on your SoA.
  • Documenting findings in a formal Internal Audit Report.

8. Conduct the Formal Management Review

Present the performance of the ISMS to senior leadership to ensure its continued suitability and effectiveness. Management reviews are a critical part of the Plan-Do-Check-Act cycle. Review inputs involve:

  • Reviewing the results of internal audits and risk assessments.
  • Analysing security incidents and the effectiveness of response playbooks.
  • Allocating budget for continual improvement initiatives.

9. Implement Corrective Actions for Non-conformities

Reduce security risk by addressing any non-conformities identified during the audit or management review. This process ensures the ISMS evolves to meet new threats. Implementation steps are:

  • Conducting a Root Cause Analysis (RCA) for all identified weaknesses.
  • Documenting the specific actions taken to prevent the recurrence of issues.
  • Verifying the effectiveness of the remediation through technical testing.

10. Secure the External Certification Audit

Appoint a UKAS-accredited certification body to conduct a Stage 1 and Stage 2 audit of your ISMS. Successful completion results in a citable ISO 27001 certification. Audit stages involve:

  • Stage 1: A technical document review to ensure the ISMS framework is compliant.
  • Stage 2: A thorough onsite verification of control implementation and operational evidence.
  • Closing any final audit findings to maintain the validity of the certificate.

ISO 27001:2013 FAQ

What is ISO 27001:2013?

ISO 27001:2013 is the second iteration of the international standard for Information Security Management Systems (ISMS). It provides 114 security controls across 14 Annex A categories. While widely used for over a decade, it has been officially superseded by the ISO 27001:2022 version.

Is ISO 27001:2013 still valid for certification?

No, ISO 27001:2013 is no longer valid for certification as of 31 October 2025. All organisations were required to transition to the ISO 27001:2022 revision by this deadline. Any certificate referencing the 2013 version is now considered legacy and invalid for formal compliance requirements.

What are the main differences between ISO 27001:2013 and 2022?

The primary difference is the structural consolidation of Annex A controls from 114 down to 93. While the 2013 version utilised 14 distinct domains, the 2022 update re-organises these into 4 themes: Organisational, People, Physical, and Technological. Additionally, 11 new controls were introduced in the update.

How many controls are in Annex A of ISO 27001:2013?

ISO 27001:2013 contains exactly 114 controls. These are organised into 14 sections, ranging from A.5 (Information security policies) to A.18 (Compliance). These controls represent the technical and administrative safeguards organisations implement to mitigate information security risks within their defined ISMS scope.


About the author

Stuart Barker
🎓 MSc Security 🛡️ Lead Auditor 30+ Years Exp 🏢 Ex-GE Leader

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigour with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
