
What’s new in ISO-17799:2005

January 21, 2010

Risk management was addressed only in the Part 2 document; Part 1 now includes a new chapter on ‘Risk Assessment and Treatment’ requirements.

  1. ‘Asset classification and control’ evolves into a more holistic ‘Asset management’ approach
  2. ‘Personnel Security’ evolves into ‘Human resources security’, which now emphasizes what is needed before, during and on termination of employment
  3. ‘Communication and operations management’ now includes service delivery management of third parties (i.e. monitoring of outsourcer performance and security obligations)

Introduction of ‘Technical Vulnerability Management’

Incident management controls that were spread all around the previous version of the standard are now consolidated within a new chapter titled ‘Information Security Incident Management’.

  • In short: 2 new control families, a new total of 135 controls, and over 80 changes within the existing controls (deletions, additions and modifications)