ISO/IEC 27001 Information Security Management System

Luciano Quartarone - http://www.lucianoquartarone.it - +44 (0) 7984 700 240 - +39 392 512 7104 - [email protected]

ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 relationships. The aim of this paper is to show which relationships are in place between ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 (hoping that the final release will not be far from what the DIS states). This comparison can be useful for pointing out common items and for speeding up synergies in developing a common strategy for approaching "Information Security" in your business.

Quartarone Luciano

Information Security Management System


ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 relationships.

| ISO/IEC 27001:2013 | ISO 9001:2008 | DIS 9001:2015 | Explanation |
|---|---|---|---|
| 0 Introduction | 0 Introduction | 0 Introduction | |
| 0.1 General | 0.1 General | 0.1 General | These clauses have the same requirements for both standards. |
| 0.2 Compatibility with other management systems | 0.4 Compatibility with other management systems | 0.6 Compatibility with other management system standards | |
| 1 Scope | 1 Scope | 1 Scope | |
| 2 Normative references | 2 Normative references | 2 Normative references | |
| 3 Terms and definitions | 3 Terms and definitions | 3 Terms and definitions | |
| 4 Context of the organization | | 4 Context of the organization | |
| 4.1 Understanding the organization and its context | | 4.1 Understanding the organization and its context | There are no similar clauses in ISO 9001:2008, but in DIS 9001:2015 the clause seems to be reintroduced. |
| 4.2 Understanding the needs and expectations of interested parties | 5.1.a Management commitment | 4.2 Understanding the needs and expectations of interested parties | While for ISO 9001:2008 you can use the same document to list the statutory and regulatory requirements regarding your organization, DIS 9001:2015 seems to be perfectly aligned with this clause. |
| 4.3 Determining the scope of the information security management system | 4.2.2.a Quality manual | 4.3 Determining the scope of the quality management system | The requirements are the same, especially in DIS 9001:2015, and can be met through the same document. |
| 4.4 Information security management system | 4.1 General requirements | 4.4 Quality management system and its processes | The requirements are the same, even though from two different perspectives; each system must be established, implemented, documented and continually improved. |
| 5 Leadership | 5 Management responsibility | 5 Leadership | |
| 5.1 Leadership and commitment | 5.1 Management commitment | 5.1 Leadership and commitment | The requirements are almost the same, and management has to treat all standards in the same way regarding implementing the policies, provision of resources, continual improvement, assigning roles and responsibilities, etc. |
| 5.2 Policy | | 5.2 Quality policy | The requirements are almost the same, and in theory they could be met through a single document, but in my opinion it is better if the policies are written as separate documents, in which case they must be compatible with each other (obviously). |
| 5.3 Organizational roles, responsibilities and authorities | | 5.3 Organizational roles, responsibilities and authorities | Roles, responsibilities and authorities for all standards can be communicated in the same way. |
| 6 Planning | | | |
| 6.1.1 Actions to address risks and opportunities - general | 8.5.3 Preventive action | 6.1 Actions to address risks and opportunities | In ISO 9001:2008, addressing risks can be considered as preventive action, but it can't be merged into the same document. In DIS 9001:2015 the requirements are almost the same. |
| 6.1.2 Information security risk assessment | - | - | There are no similar clauses in ISO 9001. |
| 6.1.3 Information security risk treatment | - | - | There are no similar clauses in ISO 9001. |
| 6.2 Information security objectives and planning to achieve them | 5.1 Management commitment | 6.2 Quality objectives and planning to achieve them | The requirements are almost the same in all standards. Objectives and the plans for their realization for both standards can be placed in one document. |
| 7 Support | 6 Resource management | 7 Support | |
| 7.1 Resources | 6.1 Provision of resources; 6.2 Human resources; 6.3 Infrastructure; 6.4 Work environment | 7.1 Resources | The organization has to determine and provide the necessary resources for process execution in order to meet the requirements of both standards. In DIS 9001:2015 the requirements are closer to ISO/IEC 27001. |
| 7.2 Competence | 6.2.2 Competence, training and awareness | 7.2 Competence | The requirements are the same and can be met through the same processes. |
| 7.3 Awareness | | 7.3 Awareness | The requirements are the same and can be met through the same processes. |
| 7.4 Communication | 5.5.3 Internal communication | 7.4 Communication | The requirements are the same and can be met through the same processes. |
| 7.5 Documented information | 4.2 Documentation requirements | 7.5 Documented information | The requirements are the same and can be met through the same processes. |
| 8 Operation | | 8 Operation | |
| 8.1 Operational planning and control | 8.2.3 Monitoring and measurement of processes | 8.1 Operational planning and control | The requirements are the same, and you can set up and describe a KPI framework for the processes of all standards in a single document. |
| 8.2 Information security risk assessment | - | - | There are no similar clauses in ISO 9001. |
| 8.3 Information security risk treatment | 8.5.3 Preventive action | - | As stated in DIS 9001:2015, A.4, "[...] The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements." Although risks and opportunities have to be determined and addressed, there is no requirement for formal risk management or a documented risk management process. DIS 9001:2015 makes the approach used in ISO 9001:2008 obsolete. |
| 9 Performance evaluation | | 9 Performance evaluation | |
| 9.1 Monitoring, measurement, analysis and evaluation | 8 Measurement, analysis and improvement | 9.1 Monitoring, measurement, analysis and evaluation | The requirements are the same. |
| | 8.1 General | 9.1.1 General | |
| | 8.2.3 Monitoring and measurement of processes | - | |
| | 8.2.4 Monitoring and measurement of product | - | |
| 9.2 Internal audit | 8.2.2 Internal audit | 9.2 Internal audit | The same approach to internal audit can be applied for all standards. |
| 9.3 Management review | 5.6 Management review | 9.3 Management review | The requirements are the same, even though they shall be addressed with different inputs. |
| 10 Improvement | 8.5 Improvement | 10 Improvement | |
| 10.1 Nonconformity and corrective action | 8.3 Control of nonconforming product | 10.2 Nonconformity and corrective action | The requirements are the same and can be met through the same procedure. In DIS 9001:2015 "Nonconformity" and "Corrective action" are merged into the same document. |
| | 8.5.2 Corrective action | - | |
| 10.2 Continual improvement | 8.5.1 Continual improvement | 10.3 Continual improvement | The requirements are the same. |

Quartarone Luciano via San Bartolomeo, 8 - 20861 Brugherio (MB)

[email protected] - [email protected] -

http://www.lucianoquartarone.it

C.F.: QRTLCN74P29M052G - P.IVA.: 08278730968