Some of the major changes in the controls are:
- Inclusion of System engineering and project management: New controls added to address information security in project management, Secure development policy, Secure system engineering principles.
- Mobile device policy: This is to address increasing use of mobile devices in information processing and also use of personal devices to access organizational information assets.
- System security testing: information processing systems should be tested for its compliance to security requirements. This testing is in addition to the regular system acceptance test conducted after system changes.