The Benefits of Integrating ISO 9001 and ISO/IEC 27001

ISO/IEC 27001:2013 is the globally recognized standard for an information security management system (ISMS). An ISMS is a framework to inform an organization’s risk management process. The standard aims to:

• Examine the risks to an organization’s information and implement controls to manage them
• Manage threats to information assets
• Establish, maintain and continually improve an ISMS

THE CIA TRIAD

The CIA Triad includes confidentiality, integrity and availability. Confidentiality is about preventing unauthorized access or disclosure. Integrity centers on safeguarding information accuracy and completeness, and processing methods. Availability focuses on ensuring that authorized users can access information and the associated processing methods. The loss of any of these attributes can cause commercial harm, embarrassment and/or serious business damage.

THE BENEFITS OF CERTIFICATION

ISO/IEC 27001 certification:

• Demonstrates that your organization can keep confidential information secure
• Increases customer, third-party and stakeholder confidence in your risk management and that their data is protected, accessible and stored securely
• Shows that you can meet tender requirements that help secure new business
• Differentiates you from your competitors
• Safeguards your valuable data and intellectual property
• Manages and minimizes risk exposure to avoid penalties

ANNEX SL & INTEGRATED MANAGEMENT SYSTEMS

According to Annex SL, a management system standard structure should consider scope, normative references, terms and definitions, context of the organization, leadership, planning, support, operation, performance evaluation and improvement.

Integrated management systems must cover the context of the organization, responsibility and authority, competence, awareness, communication and documentation, internal audits, management review, nonconformity and corrective action, and continual improvement.

MOVING TOWARD ISO/IEC 27001

You must consider several areas when moving from ISO 9001 to ISO/IEC 27001.

An organization needs to harness Annex SL and implement the shared clauses, an information security risk assessment/treatment and Clause 4.4 – quality management system (QMS) – and its processes, as well as include the 14 ISMS process areas in the QMS.

DOCUMENTATION IS REQUIRED

The next step is documentation. The following requirements will be familiar if you have dealt with ISO 9001.

You must provide evidence of the risk assessment process, summarize the management framework and have policy statements, including clear desk, cryptography and access control.

Specific operational and procedural documentation, management responsibilities and reviews, and evidence of effectiveness and monitoring and measuring results come next.

Finally, you must have an appropriate retention period, retrieval, versioning, approval and ownership in place.

MAPPING YOUR PROCESSES

You will need to consider several process maps, which we can help with. These include human resources, incident management, physical security, supplier relations, operations security, communications, access control, information systems and business continuity process maps.

HOW WE CAN HELP

As the leading certification company and with expertise in all major industries, we understand each sector’s pain points and have the technical skills and logistical capabilities to ensure realistic outcomes.

SGS Academy also offers a range of complementary services, including an:

• ISO/IEC 27001 Introduction Training Course​
• ISO/IEC 27001 Implementation Training Course​
• ISO/IEC 27001 Auditor/Lead Auditor Training Course​
• ISO/IEC 27001 Internal Auditor Training Course