ISO 27001 implementation: How to make it easier using ISO 9001? Presenter: Dejan Kosutic


Page 1: ISO 27001 implementation: How to make it easier using ISO ... · How to use ISO 9001 to make your ISO 27001 implementation less painful. You have already implemented ISO 9001, or

ISO 27001 implementation: How to make it easier using

ISO 9001?

Presenter: Dejan Kosutic


©2016 27001Academy advisera.com/27001academy

GoToWebinar Control Panel

• Open and close your Panel

• View, Select, and Test your audio

• Submit text questions – they will be addressed throughout the session

• Raise your hand


How to use ISO 9001 to make your ISO 27001 implementation less painful.

You have already implemented ISO 9001, or you are planning to implement both ISO 9001 and ISO 27001.

In most cases, ISO 9001 can save up to 25% of the time needed for ISO 27001 implementation.


ISO 27001 is much more similar to ISO 9001 than it may seem at first sight!


Agenda


• Similarities

• Differences

• Implementation issues & roles

• Top management issues

• Implementing both standards

• Certification

• Greatest challenges with ISO 27001


Similarities – PDCA cycle

• Plan – Define what you want to achieve

• Do – Implement what you have planned for

• Check – Measure if you achieved the objectives

• Act – Fill the gap


… Similarities


• Process approach

• Document control

• Corrective actions

• Human resources management

• Internal audits

• Management review

• Setting the objectives and measuring

• ISO 27001 Annex A – exclusions are possible


… And differences

ISO 9001:

• Quality manual

• Customer complaints

ISO 27001:

• Selecting controls (risk assessment)

• Statement of Applicability

• Security incidents


Implementation issues


• Integrate ISMS and QMS in one single management system

• For ISO 9001 clause 7.1.3 (Infrastructure) use ISO 27001

• PAS 99 Integrated Management

• Do not merge Quality Policy and Information Security Policy


Roles


• QMS management representative

• CISO (Chief Information Security Officer)

• Project team

• Top management / sponsor


Top management issues


• If a QMS is already implemented, they will understand the benefits (or drawbacks) of an ISMS more easily

• The management review can be done at the same time for both ISO 27001 and ISO 9001

• The system for setting objectives and measuring them can be the same


Implementing both standards in parallel

Implementation stages (the slide groups them into three columns: ISO 27001, ISO 9001, ISO 27001 + ISO 9001):

• Objectives

• ISMS, QMS policies

• Document management

• Risk Assessment + Annex A

• Core operating procedures

• Internal audits, Management reviews, Corrective actions


Certification


Integrated audit → it will save you time and money!


Greatest challenges with ISO 27001


• Mapping both standards so that single documents can be produced, whether policies or the Quality Manual

• Educating executives that the need for compliance is a business case, not just an IT case

• Commitment from upper management, and keeping them involved

• Getting buy-in from the other employees in order to put the appropriate controls in place

• Making sure you have the right capabilities/resources in IT


Conclusions


ISO 27001 and ISO 9001 have a very similar core management system

→ ISO 9001 is an excellent foundation for ISO 27001 implementation


Q & A

Dejan Kosutic


http://advisera.com/27001academy/webinars

Thank you!