Relationship between ISO 9001 (quality management) and ISO 27001 (information security)
In 2018, ISO 27001 adoption accompanied the entry into force of the GDPR across Europe. In 2016, the number of ISO 27001 certifications in Europe increased by 20% compared to 2015 (source: ISO.org). How data is managed and used, as well as how it is protected, is now a concern for businesses.
For many organizations that have already achieved ISO 9001 certification and have now decided to implement ISO 27001, the challenge is how to do this harmoniously. A common approach is to run the two management systems as separate projects. In fact, the best way to implement these standards is to integrate them into a single system that meets all the requirements of both.
An integrated approach saves time and requires fewer resources. It also reduces the effort needed to maintain the system and helps achieve continuous compliance with both standards.
ISO 9001 (quality management) and ISO 14001 (environmental management) are the most commonly integrated standards. ISO 9001 and ISO 27001 also share many features and can be fully integrated.
Both standards address the internal and external issues of the company, but from different perspectives. Both follow the Annex SL high-level structure, which means there are similarities in the documentation and in the steps required for effective implementation.
Combining the two standards reduces the staff and resources required. It also ensures that your executive team has a thorough understanding of both standards and knows where they overlap. Some of the most important things you can do to speed up implementation concern the requirements common to both standards, which we set out below:
1- Stakeholders and their requirements
The organization must identify its stakeholders (interested parties) and their requirements related to quality and information security. These requirements can be considered through the same process, and an integrated list of stakeholders can be established.
2- Defining responsibilities and authorities
The roles and responsibilities in ISO 9001 and ISO 27001 differ, but they need to be redefined when the two systems are integrated.
3- Competence, knowledge, communication, control of documents and system records
All of these requirements apply not only to ISO 9001 and ISO 27001 but also to other management system standards, and they can be addressed in the same way at the same time.
4- Internal audit and management review
Both requirements must be audited. The inputs and outputs of the review differ, but the procedure is the same. Depending on the size and complexity of the company and its processes, the internal audit and the management review may be performed jointly or separately.
5- A system for nonconformities and corrective actions
The process for handling nonconformities and corrective actions can be the same for both standards; there is no reason to separate it.
For each of these common elements it makes sense to maintain a single shared system. Keep in mind, however, that although some requirements may seem the same and can be met by the same process, this does not mean they will produce similar results for both standards.
ISO 9001 focuses on the quality of products and services and on customer satisfaction, while ISO 27001 focuses on information security. Therefore the inputs and outputs of the management review, as well as the results of most of the common elements listed above, will differ between the two standards.
Additional requirements in ISO 27001
The differences between the standards complement each other beneficially and play a decisive role in the success of the business: information security safeguards the company's potential, and quality management builds on it. After addressing the common requirements of the standards, the company must address their differences, which lie in clauses 6 and 8. ISO 27001 adds the following to the integrated management system (IMS):
1- Information security risk assessment
The organization needs to establish a method for identifying and assessing information security risks. This process should not be merged with the treatment of risks and opportunities in ISO 9001, as the latter requires much less, and applying the same method to ISO 9001 can be inefficient.
2- Information security risk treatment
This process has no equivalent in ISO 9001, so it can be carried out independently. It essentially requires the organization to apply one or more of the information security controls listed in Annex A of ISO 27001.
Apply for ISO now
By integrating the two management systems you can save time (up to 30%) and cost, and more easily maintain and improve the management system.
With a comprehensive management system approach based on international best practice, organizations can demonstrate compliance with both ISO 27001 and ISO 9001 to customers, certification bodies and regulators.
In addition, by integrating quality management and information security, organizations can demonstrate both the quality and the security of their processes and gain a significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction and an enhanced reputation and market position.