Organisations have spent the past few years rushing to address mounting information security risks, from the rising threat of cyber attacks to the possibility of sizeable fines under the GDPR (General Data Protection Regulation).
For many, that has taken the form of implementing ISO 27001. The international standard provides a framework to address all aspects of information security – people, processes and technology – in a way that mirrors the GDPR’s compliance requirements.
In the two years following the introduction of the GDPR, the number of organisations that certified to ISO 27001 increased from 31,910 to 44,499.
Those organisations will have learned that implementing ISO 27001 takes time and resources, but they are now reaping the benefits.
An ISO 27001-compliant ISMS (information security management system) ensures that organisations are prepared for an ever-evolving threat landscape and that they can remain on top of their compliance requirements.
The only thing standing in many people’s way is their uncertainty as to whether ISO 27001 can work alongside other management systems – with ISO 9001, which contains the best practices for a QMS (quality management system), being the most common stumbling block.
Organisations often fall into the trap of treating each standard as a separate project and thinking it’s too much work. However, the two have enough in common that it’s possible to integrate them in one system and meet both sets of compliance requirements.
It’s half the effort and can result in a holistic approach that addresses information security and quality management.
Why integrate ISO 9001 and ISO 27001?
Although ISO 9001 and ISO 27001 address separate issues – quality management and information security respectively – there is a clear link between them. As Certification Europe explains, “information security secures the company’s potential, and quality management creates it”.
Moreover, the two standards have a similar framework, following the Annex SL structure. This means that there are similarities in the documentation and procedures that are required to implement the system.
But it’s not simply that integrating ISO 9001 and ISO 27001 is possible; there are also many benefits of doing do. For a start, you will combine resources and save time.
If you have already implemented one standard, you can build your implementation project for the other around an existing framework. Alternatively, if you are looking to adopt both at the same time, you can use a single approach that is adjusted for the specifics of each.
Plus, once you’ve achieved certification, you can continue to use the same process to maintain the systems and achieve continual compliance with both standards.
Similarities between ISO 9001 and ISO 27001
To understand how you can integrate ISO 9001 with ISO 27001, it’s important to see the similarities between the two.
Here are six things they have in common, which will help you integrate the standards:
1. Context of the organisation
Both standards state that organisations must understand the context of their operations to implement it effectively.
As such, the implementation project should begin with identifying relevant internal and external issues – although the specific issues will be broken into quality management and information security.
2. Interested parties
With both ISO 9001 and ISO 27001, organisations must determine interested parties and their expectations relating to quality management and information security.
These requirements can be addressed with the same process, and organisations can develop an integrated list of interested parties and supplementary information.
3. Responsibility and authority
The roles and responsibilities of a QMS and an ISMS are different, but in both cases, they must be defined. Organisations can use a single process for identifying and defining roles.
They also both need to be led by top management, who can integrate their messaging where relevant.
4. Competence, awareness, communication and documented information
These requirements are found in both ISO 27001 and ISO 9001, and are common even outside ISO standards. In every case, they can be addressed and managed in a uniform way and as part of a single process.
5. Internal audits
Internal audits are a crucial part of any implementation project. Although the audit criteria differ between ISO 9001 and ISO 27001, the process of performing audits is similar enough that audit programmes can be aligned to minimise disruption.
Depending on the size and complexity of the organisation, it might be possible to perform internal audits of both management systems simultaneously.
6. Corrective actions
ISO 9001 and ISO 27001 both require organisations to adopt a process to perform corrective action. Because there is much in common between the standards, organisations can conduct and track the necessary tasks as part of a single process.
Getting started with your integration project
If your organisation is ready to adopt ISO 9001 and ISO 27001, IT Governance is here to help.
For those that have already adopted ISO 9001 and are now looking to address information security management, our ISO 27001 Toolkit provides all the support you need.
It contains more than 140 customisable ISO 27001 documentation templates, including policies, procedures, work instructions and records.
The toolkit also comes with tools to help you complete the essential compliance tasks, including gap assessments, the Statement of Applicability and the roles and responsibilities matrix.
Meanwhile, organisations that have already implemented ISO 27001 and are looking for guidance on quality management should look at our ISO 9001 Documentation Toolkit.
As with the ISO 27001 Toolkit, it contains a complete list of template policies, procedures, work instructions and records, which you can tailor to your organisation’s requirements.
You can ensure full coverage of the Standard with the comprehensive compliance tools, including the ISO 9001 gap analysis tool, conversion tool, roles and responsibilities matrix and project plan template.