Sunday, August 28, 2016

ISO 27001:2013

A major change from the 2005 edition to ISO 27001:2013 concerns the continual improvement methodology: PDCA is no longer strictly required, and any approach that achieves continual improvement is acceptable.

  • Establishment, implementation, maintenance, and continual improvement.
  • Plan, Support, Operation, Evaluation, and Improvement.
  • The controls in the Annex are used for risk assessment under the Plan clause.
  • Clauses 4-10 are the new mandatory requirements.
