    ISO 27001 & ISO 22301 Blog

    Using ISO 9001 for implementing ISO 27001

    You have already implemented ISO 9001? You have heard that ISO 27001 might be a good idea? But how can something that has to do with quality help you implement information security?

    It can, more than you may think. ISO 9001 specifies what a quality management system (QMS) must look like, while ISO/IEC 27001 specifies what an information security management system (ISMS) must look like. The “management system” part is therefore common to both – so what does it actually consist of?

    The philosophy of management systems has grown from the theory developed by W. Edwards Deming during the second half of the 20th century, and is based on the Plan-Do-Check-Act cycle. Basically, this cycle consists of the following: in the Plan phase you plan what you want to achieve with the management system, in the Do phase you implement it, in the Check phase you continuously monitor whether you have achieved what you planned, and in the Act phase you make improvements, i.e. close the gap between what you planned and what you achieved.

    Although this cycle was invented with quality management in mind, it has become the foundation for all other management systems – information security (ISO/IEC 27001), environment (ISO 14001), business continuity (BS 25999-2), etc. This means that some of the elements you have implemented for the quality management system according to ISO 9001 can be reused for the information security management system as well – here is the list:

    • Document management – the procedure used for document management in QMS can be used for the same purpose in ISMS, with only minor adjustments
    • Internal audit – the same procedure can be used for both QMS and ISMS, although the internal audit itself would usually be done by different people since it is not very likely that one person would have deep enough knowledge of both information security and quality
    • Corrective and preventive actions – the procedure used for QMS can be used for the same purpose in ISMS, although it is likely that different persons will be solving issues related to QMS or ISMS
    • Human resources management – the same cycle of HR planning, training and evaluation is used for both management systems; naturally, the difference is in the profile of needed skills and knowledge
    • Management review – the principles for management review are the same for both management systems; although it would not be advisable to perform both reviews in parallel, management will already be accustomed to making decisions in the QMS, so they will have a better understanding of how to make decisions in the context of the ISMS
    • Setting the business goals and tracking whether they have been achieved – the same mechanism is laid down in both standards, so management will be used to such systematic planning

    Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO 27001 (and vice versa) – you could save up to 30% of the time. Further, you will have cheaper certification audits, since certification bodies offer so-called “integrated audits”, which means they will audit both ISO 9001 and ISO 27001 in the same audit, charging you a smaller fee compared to separate audits.

    If your QMS is functioning well, you will find your ISMS project developing rather smoothly – management will have a better understanding of the potential business benefits, while all organizational units will already be accustomed to the necessity of defining precise procedures, responsibilities and documentation.

    Having a QMS indeed provides a very good foundation for information security – if you already have ISO 9001, do give serious thought to ISO 27001.

    This free webinar will also help you: ISO 27001 implementation: How to make it easier using ISO 9001.

    Dejan Kosutic
    Leading expert on cybersecurity / information security and author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy-to-understand and simple-to-use creates a competitive advantage for Advisera's clients. As an ISO 27001 expert, Dejan is sought out to help companies find the best way to obtain certification by eliminating overhead and adapting the implementation to the specifics of their size and industry.