The first question that comes to mind when planning to upgrade a certification to the 2013 version is about the risk assessment. It is true that the new version of the standard moves to a risk-based approach, but at the same time it provides more flexibility in how that assessment is done.
The 2013 version of the standard does not prescribe how to perform the risk assessment. Clause 6.1.2 requires an information security risk assessment to be performed, and clause 6.1.3 covers risk treatment. The major changes to the risk assessment in ISO 27001:2013 compared to ISO 27001:2005 are:
- You can define a risk assessment methodology of your choice, whereas 2005 mandated a specific (asset, threat and vulnerability based) way of performing the risk assessment.
- In 2013 you need to identify a risk owner for each risk, whereas 2005 made no mention of risk owners.
- 2013 requires the risk owners to approve the risk treatment plan and accept the residual risks, whereas 2005 required management to approve the proposed residual risks.
- Unlike 2005, 2013 does not explicitly list risk treatment options such as avoiding, accepting or transferring the risk, or applying controls from Annex A. You have the flexibility and freedom to choose your own treatment options and to take controls from any source, although clause 6.1.3 still requires you to compare the controls you determine against Annex A to verify that no necessary controls have been omitted.
- 2005 required the risk evaluation criteria to be established as part of the ISMS policy (Ref: 4.2.1 b) and the assessment approach to be defined alongside it, whereas 2013 requires a risk assessment approach to be defined and documented, but not at ISMS policy level.
ISO 27001:2013 gives you the freedom and flexibility to choose your own methodology and approach for risk assessment. If you feel that your current methodology still holds good, you can continue with it by incorporating the second and third points above: assigning a risk owner to each risk, and having those risk owners approve the treatment plan and accept the residual risks.