ISO 27001 implementation: How to make it easier using
ISO 9001?
Presenter: Dejan Kosutic
©2016 27001Academy advisera.com/27001academy
GoToWebinar Control Panel
• Open and close your Panel
• View, Select, and Test your audio
• Submit text questions – they will be addressed throughout the session
• Raise your hand
How to use ISO 9001 to make your ISO 27001 implementation less painful.
You have already implemented ISO 9001, or you are planning to implement both ISO 9001 and ISO 27001.
In most cases ISO 9001 can save up to 25% of the time needed for ISO 27001 implementation.
ISO 27001 is much more similar to ISO 9001 than it may seem at first sight!
Agenda
• Similarities
• Differences
• Implementation issues & roles
• Top management issues
• Implementing both standards
• Certification
• Greatest challenges with ISO 27001
Similarities – PDCA cycle
• Plan: define what you want to achieve
• Do: implement what you have planned for
• Check: measure if you achieved the objectives
• Act: fill the gap
… Similarities
• Process approach
• Document control
• Corrective actions
• Human resources management
• Internal audits
• Management review
• Setting the objectives and measuring
• ISO 27001 Annex A – exclusions are possible
… And differences
ISO 9001                  ISO 27001
Quality manual            Statement of Applicability
Customer complaints       Security incidents
(no equivalent)           Selecting controls (risk assessment)
Implementation issues
• Integrate ISMS and QMS in one single management system
• For ISO 9001 clause 7.1.3 (Infrastructure) use ISO 27001
• PAS 99 Integrated Management
• Do not merge Quality Policy and Information Security Policy
Roles
• QMS management representative
• CISO (Chief Information Security Officer)
• Project team
• Top management / sponsor
Top management issues
• If the QMS is already implemented, they will understand the benefits (or drawbacks) of an ISMS more easily
• The management review can be done at the same time for both ISO 27001 and ISO 9001
• System for setting objectives and measuring them can be the same
Implementing both standards in parallel
Step                                                      Applies to
Objectives                                                ISO 27001 + ISO 9001
ISMS, QMS policies                                        ISO 27001 + ISO 9001
Document management                                       ISO 27001 + ISO 9001
Risk assessment + Annex A                                 ISO 27001
Core operating procedures                                 ISO 9001
Internal audits, management reviews, corrective actions   ISO 27001 + ISO 9001
Certification
Integrated audit
→ it will save you time and money!
Greatest challenges with ISO 27001
• Mapping both standards so that single documents can be produced, whether policies or the Quality Manual
• Educating executives that the need for compliance is a business case, not just an IT case
• Securing commitment from upper management, and keeping them involved
• Getting buy-in from the other employees in order to put the appropriate controls in place
• Making sure you have the right capabilities/resources in IT
Conclusions
ISO 27001 and ISO 9001 have a very similar core management system
→ ISO 9001 is an excellent foundation for ISO 27001 implementation
Q & A
Dejan Kosutic