Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 — Amendment 1

General Information

Status: Not Published
Current Stage: 5020 - FDIS ballot initiated: 2 months. Proof sent to secretariat
Completion Date: 15-Oct-2024

Buy Standard

Draft: ISO/IEC 27013:2021/PRF Amd 1 - Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 — Amendment 1. Released: 15.10.2024. English language, 4 pages.
Draft: REDLINE ISO/IEC 27013:2021/PRF Amd 1 - Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 — Amendment 1. Released: 15.10.2024. English language, 4 pages.

Standards Content (Sample)

International Standard
ISO/IEC 27013
Third edition
2021-11
Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
AMENDMENT 1
PROOF/ÉPREUVE
Reference number
ISO/IEC 27013/Amd. 1:2024(en)
© ISO/IEC 2024

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Information security, cybersecurity and privacy protection —
Guidance on the integrated implementation of ISO/IEC 27001
and ISO/IEC 20000-1
AMENDMENT 1
2  Normative references

Replace reference to ISO/IEC 27001 with the following:

ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements

Also replace all references to ISO/IEC 27001:2013 throughout the text of the document with ISO/IEC 27001:2022.

4.2  ISO/IEC 27001 concepts

Replace the last sentence of the 2nd paragraph with the following:

Examples of requirements relevant to interested parties include business requirements, legal and regulatory requirements and contractual obligations.

Replace the reference to ISO/IEC 27001:2013 with ISO/IEC 27001:2022.

4.4  Similarities and differences

Replace the third paragraph with the following:

See Annex A for details of the correspondence between ISO/IEC 27001:2022, Clauses 1 to 10, and ISO/IEC 20000-1:2018, Clauses 1 to 10. See Annex B for a comparison of terms and definitions between ISO/IEC 27000 and ISO/IEC 20000-1.

6.2.1  Requirements and controls

Replace the entire subclause with the following:

ISO/IEC 27001:2022, Clauses 4 to 10, specifies requirements for an ISMS. In addition, ISO/IEC 27001:2022, Annex A, contains an extensive list of controls. The controls in ISO/IEC 27001:2022, Annex A, are not requirements and are not mandatory. ISO/IEC 27001:2022, 6.1.3, specifies that the organization defines and applies an information security risk treatment process to determine all controls necessary to implement information security risk treatment options chosen and then compare the necessary controls with those in ISO/IEC 27001:2022, Annex A, and verify that no necessary controls have been omitted. The statement of applicability (SoA) is then used to record which controls are relevant to the organization’s ISMS. The controls listed in ISO/IEC 27001:2022, Annex A, are not exhaustive and can be substituted with others, or additional controls can be added as needed. This means it is possible for the organization’s SoA to:

a) include only a subset of the controls in ISO/IEC 27001:2022, Annex A;
b) not include any of the ISO/IEC 27001:2022, Annex A, controls;
c) include alternative controls;
d) include a combination of controls from ISO/IEC 27001:2022, Annex A, and other sources.

Any control within ISO/IEC 27001:2022, Annex A, that would not modify one or more unacceptable risks, is unnecessary for the organization. Similarly, controls not included in ISO/IEC 27001:2022, Annex A, can be determined as necessary to modify risk. Organizations can design controls as required or identify them from any source.

ISO/IEC 20000-1 specifies requirements for the SMS but does not list any controls and does not specify a requirement for a Statement of Applicability, so there is no direct correlation between ISO/IEC 27001:2022, Annex A, and ISO/IEC 20000-1. However, ISO/IEC 20000-1:2018, 8.7.3.2, includes a requirement to determine controls to address information security risks to the SMS and the services, and to document the decisions about these controls. In addition, there is a requirement to monitor and review the effectiveness of these controls, and to take action if required.

Organizations wishing to integrate an ISMS and an SMS should distinguish between the requirements specified in ISO/IEC 27001 and ISO/IEC 20000-1, and the information security controls specified in ISO/IEC 27001:2022, Annex A. Even if it appears that there is a common topic area between a requirement specified in ISO/IEC 20000-1 and a control included in ISO/IEC 27001:2022, Annex A, the distinction between requirements and controls should be understood and communicated to avoid confusion within the organization.

6.2.2  Assets and configuration items

Replace the reference to ISO/IEC 27001:2013 with ISO/IEC 27001:2022.

Add the following as a new final paragraph to 6.2.2:

ISO/IEC 27001:2022, Annex A includes control 8.9 for "configuration management". This term is also used in ISO/IEC 20000-1, but not in the same sense, so care should be taken to not assume any relationship
...


DRAFT AMENDMENT (redline)

ISO/IEC 27013:2021/DAM 1:2023(E) (revised in redline to ISO/IEC 27013:2021/Amd. 1:2024(en))
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Date: 2023-07-20 (revised in redline to 2024-10-15)

Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
AMENDMENT 1

Remove the following sentence:
Annex B of this document provides a comparison of topics between the requirements specified in
ISO/IEC 2
...
