Since 1947, the International Organisation for Standardisation (ISO) has developed international standards to support organisations across all industry sectors at a global level. It was only in 2012, however, that ISO developed the ‘Annex SL Structure’. This structure provides consistency and compatibility between various management system standards, such as ISO 9001 and ISO 27001.
Background
The introduction of the Annex SL Structure now makes it easier for organisations to understand and integrate multiple management system standards, as all the content is now categorised under the 10 clauses of the Annex SL Structure, with Clauses 4 – 10 being the ones that are audited by certification bodies.
The Structure applies ‘Plan-Do-Check-Act’, an iterative design and management methodology used to control and continually improve processes, products, and services.
There are a multitude of management system standards that organisations can implement and potentially certify to, but here we are focusing on two of the most popular standards, ISO 9001, and ISO 27001. One of the main purposes of this blog is to highlight possible opportunities to merge various processes and policies that form part of the two management systems when implementing both standards.
Core Purpose
ISO 9001 is a quality management system (QMS). It was first issued in 1987 and today is one of the most well-used management tools. It provides a framework that enables organisations to:
- Ensure consistent quality in the provision of products and services that meet customer and regulatory/statutory requirements
- Identify and address areas for improvement
- Enhance customer satisfaction.
It encompasses the daily operational activities required to produce and deliver products and services and can be implemented by any organisation, regardless of size or business sector.
ISO 27001 is a management system standard for Information Security Management Systems (ISMS) that can also be applied to any organisation, regardless of size or type. It was first published in 2005 and is an effective and pragmatic tool for minimising information security risks. It promotes the effective management of:
- Confidentiality of information, to prevent unauthorised access or disclosure
- Data integrity, i.e., accuracy, consistency, reliability, and trustworthiness
- Availability, or accessibility to information by authorised users.
Where an organisation has implemented a management system based on either ISO 9001 or ISO 27001, it is possible to expand the existing system to incorporate the other Standard.
In summary:
- A QMS is a compilation of business processes and procedures that work together to provide products and services that meet customer expectations.
- An ISMS is a systematic approach to managing the privacy and security of information controlled by an organisation during the conduct of its business activities.
Comparison
Whilst similar, the requirements of each Standard differ in terms of their context, i.e., ISO 27001 requirements are specific to information security management and ISO 9001 requirements are specific to quality management. These contextual differences are not addressed here.
Clause 4: Context of the Organisation
Both Standards require organisations to determine relevant internal and external issues that affect their management system (MS), as well as interested parties and their requirements – including relevant legal (statutory and regulatory) requirements.
ISO 27001, however, allows organisations to select which relevant requirements of interested parties will be addressed by the ISMS (Clause 4.2c), whereas ISO 9001 does not.
In both Standards, there is a requirement to define and document the boundaries and applicability (scope) of the management system.
A key difference when determining scope is that ISO 27001 requires the organisation to consider the dependencies and interfaces with activities performed by other organisations. This is not a requirement of ISO 9001, although ISO 9001 does include control of externally provided processes, products, and services in Clause 8.4.
It should be noted that while ISO 27001 explicitly forbids an organisation from excluding requirements of the Standard from the scope of its MS, ISO 9001 does allow exclusions if documented and justified. These exclusions must not adversely impact the conformance of the product or service, or customer satisfaction.
Many organisations exclude Clause 8.3 (design and development of products and services) from their QMS. However, if an organisation introduces or changes its service provision, this can require design and development activities.
Clause 5: Leadership
Both Standards require organisational leadership (top management) to take accountability for the effectiveness of the MS. ISO 9001, however, stipulates an additional element of leadership, i.e., it requires a customer-focused approach.
Both Standards have similar criteria for a policy, which can be addressed in one document, although ISO 27001 also requires additional ‘topic specific’ policies in its Annex A.
Roles, responsibilities, and authorities required by ISO 27001 focus on information security, while ISO 9001 refers to all business processes within the scope of the QMS.
Annex A of ISO 27001 includes a requirement to ensure segregation of duties where appropriate. While this is specific to an ISMS, it is good business practice for any management system to ensure there is no conflict created when allocating responsibilities and authorities.
Clause 6: Planning
Both Standards require the identification of risks and opportunities within the context of that particular Standard. However, it’s important to note that ISO 27001 is far more stringent in the assessment of these risks, and the subsequent application of risk treatment options/plans.
A fairly obvious and fundamental difference between the two Standards is that, unlike ISO 9001, ISO 27001 includes an annex, i.e., Annex A - Information security controls reference. The Annex details a list of control measures to be implemented to manage the risks identified during the risk assessment process and associated with the ISMS. These controls are grouped into themes (Annex A Clauses 5 to 8).
This clause also requires the organisation to establish objectives and to plan how they will be achieved; the planning element is easily overlooked and deserves as much attention as the objectives themselves.
Clause 7: Support
For both Standards, an organisation needs to determine and provide resources necessary to establish, implement, maintain, and continually improve their MS. ISO 9001, however, has more extensive requirements relating to the business infrastructure, environment and knowledge that support the processes.
Competency requirements apply to all personnel, including management. It is not unusual for organisations to overlook competency requirements for activities that are not day-to-day, e.g., internal auditors need to be competent in auditing and be knowledgeable about the relevant Standard.
Clause 8: Operations
Although both Standards require operational planning and control, it is here where major differences between ISO 9001 and ISO 27001 occur.
ISO 27001 has two subclauses which focus on the application of the risk assessment methodology previously established in Clause 6, and the subsequent use of the control measures which have been identified from Annex A. The two subclauses are:
ISO 9001, on the other hand, has seven subclauses which focus on defining and controlling the processes for the provision of products and services, including:
- Operational planning and control
- Requirements for products and services
- Design and development of products and services
- Control of externally provided processes, products, and services
- Production and service provision
- Release of products and services
- Control of nonconforming outputs.
While organisations are generally well versed in these operations, there is a tendency to overlook the need to control and manage changes at the operational level, so careful consideration should be given to this when developing and implementing an ISMS or QMS.
Clause 9: Performance Evaluation
Both Standards require ongoing monitoring, measurement, analysis, and evaluation of the MS, although again, because of the focus of the Standard, ISO 27001 does not include customer satisfaction.
The processes for audits and management review are very similar, with variations again relating to the subject matter focus of the Standards, e.g., ISO 9001 requires changes to the organisation to be considered when developing the audit programme.
Organisations generate a mountain of data, and careful consideration needs to be given to what needs to be monitored and measured, and why. The allocation of personnel to these activities needs to ensure appropriate independence and objectivity.
Clause 10: Improvement
Information security and quality management systems can use the same processes, as both Standards require continual improvement of the suitability, adequacy, and effectiveness of the MS. The objective of this clause is to effectively identify and action opportunities for improvement as well as manage nonconformities and implement appropriate correction and corrective action.
It is not uncommon for organisations to confuse ‘correction’ and ‘corrective action’, which can result in unnecessary activities. It is beneficial to ensure these are clearly defined and implemented as appropriate.
How URM Can Help
URM has helped over 400 organisations conform and/or certify to ISO 27001 and other management system standards such as ISO 9001 and ISO 22301, without a single failed certification project. Our large team of ISO 27001 consultants and other ISO management system specialists can assist you in merging the various management systems into an integrated business management system. This will also allow you to streamline the processes involved in various conformance activities, such as your ISO 9001 and ISO 27001 audits.