It is common for organizations to refer to their ISMS as clauses 4 through 8. However, with the release of the newly revised 2013 version of ISO 27001, organizations will now have to refer to the ISMS requirements as clauses 4 through 10. That’s right: two additional clauses were added. This does not mean, however, that the two additional clauses result in two additional components of an ISMS. Rather, the management system requirements within ISO 27001:2013 were reformatted so that they better resemble the formatting of other ISO management system requirements.
To help organizations better understand how the requirements of the 2005 version of ISO 27001 relate to those of the 2013 version, the Schellman ISO team has compiled a brief mapping. It is important not to assume that the cross references are a one-for-one transition. In fact, the requirements in ISO 27001:2013 resemble those of ISO 27001:2005, and an organization must fully understand the newly revised requirements and identify its own gaps during the transition process.