SlideShare a Scribd company logo

NQA ISO 9001 to ISO 27001 Gap Guide

NQA
NQA

ISO 27001:2013 the Information Security Management Standard is one of the fastest growing standards right now; partly due to the ever evolving digital landscape and the recent introduction of the new GDPR. Similarly to ISO 9001, ISO 27001 is the internationally recognized standard for information security management. It is the most widely used ISMS standard in the world, with over 35k certificates issued to organizations in 178 countries. What do these standards have in common? And if you have one management system can you have the other?

1 of 4
Download to read offline
ISO 27001:2013 the Information Security Management Standard is one of the fastest growing standards right now; partly due to the ever evolving digital landscape and the recent introduction of the new General Data Protection Regulations (GDPR). Similarly to ISO 9001, ISO 27001 is the internationally recognized standard for information security management. It is the most widely used ISMS standard in the world, with over 35k certificates issued to organizations in 178 countries. What do these standards have in common? And if you have one management system can you have the other? The best way to implement another management system if you already have one is to implement an Integrated Management System (IMS). This way both systems meet the requirements of the standard and you won’t be duplicating lots of work. How do you start though? Firstly look at the easy bits - what’s common. If you are already fulfilling one standard requirement, chances are you may not be far away from achieving the same requirement under a different standard. Within this brief you will see that we have mapped out the various different clauses within both ISO 9001:2015 and ISO 27001:2013 to help you understand how implementing another standard on top of existing processes and procedures can be achieved successfully. First a brief overview of the main clauses and the similarities. • Context of the organization Both standards require organizations to identify the internal and external issues relevant to the company albeit from a different viewpoint. ISO 9001 focuses on Quality and ISO 27001 focuses on Information Security • Interested parties Organizations must determine the interested parties plus their needs and expectations relating to quality or information security. This can be achieved in the same process with a combined list created • Responsibility and authority Both standards require the roles and responsibilities for the QMS and ISMS to be defined. Although these roles may be different the same process for the identification and definition of these roles can be the same • Competence, awareness, communication and documented information These requirements are similar for many standards and not just ISO 9001 & 27001. They can be addressed in the same way and in many cases at the same time • Internal audits and management review Although the audit criteria and management review input and outputs will differ, the process is exactly the same and depending on the size or complexity of the organization can be done together or separately • Nonconformity and corrective action Both systems require a process for handling nonconformities and corrective action. This can be the same with no reason to keep them separate THE DIFFERENCE ISO 27001:2013 differs from ISO 9001:2015 in that it adds Information Security Risk Assessment and risk treatment into the ISMS. For an Information Security Risk Assessment, the organization must develop a methodology for the identification of information security risks. This is a separate process than that of addressing risk and opportunities with 9001. MANAGE YOUR INTEGRATION ISO 9001 TO ISO 27001 GAP GUIDE The Information Security Risk Treatment process requires an organization to apply one or several of the information security controls listed within Annex A in an attempt to mitigate risk. MAPPING The following table shows the various clauses in the standards and their similarities:
ISO 9001:2015 ISO 27001:2013 GUIDANCE 4 Context of the Organization 4 Context of the Organization 4.1. Understanding the organization and its context 4.1. Understanding the organization and its context Both standards require organizations to determine internal and external issues related to the suitability of the management system achieving its intended outcome. 4.2. Understanding the needs and expectations of interested parties 4.2. Understanding the needs and expectations of interested parties Both standards require organizations to identify relevant interested parties as well as their needs and expectations. 4.3 Determining the scope of the quality management system 4.3 Determining the scope of the information security management system The scope of the management system must be defined for both standards. The difference is that ISO 9001 requires products and services to be considered, and ISO 27001 requires consideration of interfaces and dependencies between the processes when defining the scope. 4.4. Quality management system and its processes 4.4. Information security management system The requirements are exactly the same, each system must be established, implemented, documented, and continually improved. 5 Leadership 5 Leadership 5.1 Leadership and commitment 5.1 Leadership and commitment Both standards require management to implement policies, make provisions for resources, Continual Improvement assigning roles and responsibilities etc. 5.1.1 General No similar clause in ISO 27001. 5.1.2 Customer focus No similar clause in ISO 27001. 5.2 Policy 5.2 Policy The requirements are very similar and could be met in a single document. Some policies are written as separate documents. If separate the policies should be compatible with each other. 5.2.1 Establishing the quality policy No similar clause in ISO 27001. 5.2.2 Communicating the quality policy No similar clause in ISO 27001. 5.3 Organizational roles, responsibilities and authorities 5.3 Organizational roles, responsibilities and authorities The requirements from the standard are the same in that roles, responsibilities and authorities can be communicated in the same way. This means, for example, the Quality Manager can also be the Information Security Manager and, based on competency could perform the internal audits on both systems.
6 Planning 6 Planning 6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities Both standards specifically require the identification of risks and opportunities arising from the context of the organization in terms of quality and information security. The only difference with ISO 27001 is that the standard provides a list of control measures which can be used to mitigate these risks in the form of Annex A. 6.2 Quality objectives and plans to achieve them 6.2 Information security objectives and planning to achieve them Both standards stipulate a need to establish objectives and their plans for realisation. These can be separate documents or placed together. 6.3 Planning of changes No similar clause in ISO 27001. ISO 9001:2015 ISO 27001:2013 GUIDANCE 7 Support 7 Support 7.1 Resources 7.1 Resources The standards require the organization to determine and provide the necessary resources for process execution. This means the same processes can be used, such as; a purchasing process to fulfil requirements. 7.1.1 General No similar clause in ISO 27001. 7.1.2 People No similar clause in ISO 27001. 7.1.3 Infrastructure No similar clause in ISO 27001. 7.1.4 Environment for the operation of processes No similar clause in ISO 27001. 7.1.5 Monitoring and measuring resources No similar clause in ISO 27001. 7.1.5.2 Measurement Traceability No similar clause in ISO 27001. 7.1.6 Organizational knowledge No similar clause in ISO 27001. 7.2 Competence 7.2 Competence Both standards require the organization to identify and provide training for the necessary competencies of employees and also to keep records regarding those competencies. 7.3 Awareness 7.3 Awareness A requirement of both standards is that employees are aware of the relevant policies and procedures. This also includes awareness of the role they play within the management system and how they impact the organizations performance with regards to quality and information security. 7.4 Communication 7.4 Communication Both standards require the same thing and can be met via the same methods or processes. 7.5 Documented information 7.5 Documented information The requirement is the same and the same processes/ procedures can be applied.
ISO 9001:2015 ISO 27001:2013 GUIDANCE 8 Operation 8 Operation 8.1 Operational planning and control 8.1 Operational planning and control Although the clause names are the same they have different scopes between the standards. ISO 9001 – focuses on defining and controlling process ISO 27001 – focuses on establishing information security controls. 8.2 Requirements for products and services No similar clause in ISO 27001. 8.3 Design and development of products and services A.6.1.5 Information security in project management A.6.1.5 is a control measure from ISO 27001 Annex A and can be part of the procedure for design and development. 8.4 Control of externally provided processes, products and services A.15 Supplier relationships Although different clause numbers – very similar requirements. Contracts entered into with suppliers should include a consideration of information security clauses. Indeed, information security can be used as criteria for the evaluation of suppliers. 8.5 Production and service provision A.12 Operations security Any IT processes that support the production and service provision should have the information security requirements taken into account. 8.6 Release of products and services No similar clause in ISO 27001. 8.7 Control of nonconforming outputs No similar clause in ISO 27001. 9 Performance evaluation 9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation 9.1 Monitoring, measurement, analysis and evaluation The effectiveness of the management system must be monitored using the parameters that the organization has identified as being important for the process realization. ISO 9001 also monitors customer satisfaction (9.1.2). 9.2 Internal Audit 9.2 Internal Audit The same procedure can be applied to both standards regarding internal audits. 9.3 Management review 9.3 Management review The clause and requirements are the same however both standards have different input elements. The same documentation can be used however the separate input elements must be contained. 10 Improvement 10 Improvement 10.1 General No similar clause in ISO 27001. 10.2 Nonconformity and corrective action 10.1 Nonconformity and corrective action The same process can used to meet the similar requirements of both standards. 10.3 Continual improvement 10.2 Continual improvement As with every management system an emphasis is placed on continual improvement which can be conducted via a joint procedure for corrective action. If you already have a robust Quality management system in place under ISO 9001:2015, the benefits of implementing an Information Security Management System as well are countless. Not only does it help to demonstrate compliance to the new GDPR but it also highlights to your customers, employees and stakeholders that you take information security and data security seriously. You may already be doing more than you think. www.nqa.com

Recommended

ISO Annex SL Clause 7: Support
ISO Annex SL Clause 7: SupportISO Annex SL Clause 7: Support
ISO Annex SL Clause 7: Support
Robert Clements
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB
 
Cobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingCobit itil and iso 27001 mapping
Cobit itil and iso 27001 mapping
Muhammad Aslam
 
Best Approach to Integrate ISO 9001 and ISO 27001 Simultaneously
Best Approach to Integrate ISO 9001 and ISO 27001 SimultaneouslyBest Approach to Integrate ISO 9001 and ISO 27001 Simultaneously
Best Approach to Integrate ISO 9001 and ISO 27001 Simultaneously
PECB
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
mcloete
 
Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...
Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...
Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...
CRISEL BY AEFOL
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
PECB
 
ISO 9001: 2015
ISO 9001: 2015ISO 9001: 2015
ISO 9001: 2015
Prasenjit Puri
 

Recommended

ISO Annex SL Clause 7: Support
ISO Annex SL Clause 7: SupportISO Annex SL Clause 7: Support
ISO Annex SL Clause 7: Support
Robert Clements
 
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB Webinar: Cybersecurity Guidelines – Introduction to ISO 27032
PECB
 
Cobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingCobit itil and iso 27001 mapping
Cobit itil and iso 27001 mapping
Muhammad Aslam
 
Best Approach to Integrate ISO 9001 and ISO 27001 Simultaneously
Best Approach to Integrate ISO 9001 and ISO 27001 SimultaneouslyBest Approach to Integrate ISO 9001 and ISO 27001 Simultaneously
Best Approach to Integrate ISO 9001 and ISO 27001 Simultaneously
PECB
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
mcloete
 
Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...
Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...
Certificación de Sistemas de Gestión de Seguridad de la Información según ISO...
CRISEL BY AEFOL
 
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information StandardQuick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
Quick Guide to ISO/IEC 27701 - The Newest Privacy Information Standard
PECB
 
ISO 9001: 2015
ISO 9001: 2015ISO 9001: 2015
ISO 9001: 2015
Prasenjit Puri
 
GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
Eugene Lee
 
ISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training PresentationISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training Presentation
DQS Inc.
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
Ramiro Cid
 
Internal Audit Checklist__For ISO 9001_2015_.pdf
Internal Audit Checklist__For ISO 9001_2015_.pdfInternal Audit Checklist__For ISO 9001_2015_.pdf
Internal Audit Checklist__For ISO 9001_2015_.pdf
NagarajPatil57
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
ISACA Riyadh
 
Soc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organizationSoc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organization
VISTA InfoSec
 
ISO 9001-2015 Awareness.pdf
ISO 9001-2015 Awareness.pdfISO 9001-2015 Awareness.pdf
ISO 9001-2015 Awareness.pdf
yousrazeidan1
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
jiricejka
 
Iso27001vs iso27003
Iso27001vs iso27003Iso27001vs iso27003
Iso27001vs iso27003
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
New ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation StepsNew ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation Steps
Integration Technologies Group Inc
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Stratos Lazaridis
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001
Ivan Piskunov
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
ControlCase
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0Rasmi Swain
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
Schellman & Company
 
Iso9001 2015
Iso9001 2015Iso9001 2015
Iso9001 2015
German Jordanian university
 
Normas iso-27000
Normas iso-27000Normas iso-27000
Normas iso-27000Pedhro Acuario
 
ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changes
n|u - The Open Security Community
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 

More Related Content

What's hot

GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
Eugene Lee
 
ISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training PresentationISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training Presentation
DQS Inc.
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
Ramiro Cid
 
Internal Audit Checklist__For ISO 9001_2015_.pdf
Internal Audit Checklist__For ISO 9001_2015_.pdfInternal Audit Checklist__For ISO 9001_2015_.pdf
Internal Audit Checklist__For ISO 9001_2015_.pdf
NagarajPatil57
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
technakama
 
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
ISACA Riyadh
 
Soc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organizationSoc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organization
VISTA InfoSec
 
ISO 9001-2015 Awareness.pdf
ISO 9001-2015 Awareness.pdfISO 9001-2015 Awareness.pdf
ISO 9001-2015 Awareness.pdf
yousrazeidan1
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
jiricejka
 
Iso27001vs iso27003
Iso27001vs iso27003Iso27001vs iso27003
Iso27001vs iso27003
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
New ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation StepsNew ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation Steps
Integration Technologies Group Inc
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Stratos Lazaridis
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001
Ivan Piskunov
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
ControlCase
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0Rasmi Swain
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
Schellman & Company
 
Iso9001 2015
Iso9001 2015Iso9001 2015
Iso9001 2015
German Jordanian university
 

What's hot (20)

GDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping ELGDPR and ISO27001 mapping EL
GDPR and ISO27001 mapping EL
 
ISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training PresentationISO 9001-2015 Revision Training Presentation
ISO 9001-2015 Revision Training Presentation
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
 
Internal Audit Checklist__For ISO 9001_2015_.pdf
Internal Audit Checklist__For ISO 9001_2015_.pdfInternal Audit Checklist__For ISO 9001_2015_.pdf
Internal Audit Checklist__For ISO 9001_2015_.pdf
 
Project plan for ISO 27001
Project plan for ISO 27001Project plan for ISO 27001
Project plan for ISO 27001
 
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
COBIT 5.0 Vs ISO / IEC 38500 (IT Governance)
 
Soc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organizationSoc 2 attestation or ISO 27001 certification - Which is better for organization
Soc 2 attestation or ISO 27001 certification - Which is better for organization
 
ISO 9001-2015 Awareness.pdf
ISO 9001-2015 Awareness.pdfISO 9001-2015 Awareness.pdf
ISO 9001-2015 Awareness.pdf
 
Understanding IT Governance and Risk Management
Understanding IT Governance and Risk ManagementUnderstanding IT Governance and Risk Management
Understanding IT Governance and Risk Management
 
Iso27001vs iso27003
Iso27001vs iso27003Iso27001vs iso27003
Iso27001vs iso27003
 
New ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation StepsNew ISO 20000-1:2018 Changes, Implementation Steps
New ISO 20000-1:2018 Changes, Implementation Steps
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001Вопросы для интервью ISO 27001
Вопросы для интервью ISO 27001
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
Iso9001 2015
Iso9001 2015Iso9001 2015
Iso9001 2015
 
Normas iso-27000
Normas iso-27000Normas iso-27000
Normas iso-27000
 

Similar to NQA ISO 9001 to ISO 27001 Gap Guide

ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changes
n|u - The Open Security Community
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
Upload iso 9001 2015 presentation
Upload iso 9001 2015 presentationUpload iso 9001 2015 presentation
Upload iso 9001 2015 presentation
Rajeesh Thumpayil
 
Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013
Andrea Porter
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
Yerlin Sturdivant
 
Taking Control of Information Security
Taking Control of Information SecurityTaking Control of Information Security
Taking Control of Information Security
PECB
 
ISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docxISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docx
Sunil Arora
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
jojo82637
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
ControlCase
 
UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014
DQS India
 
Internal auditor 9001 day 1
Internal auditor 9001 day 1Internal auditor 9001 day 1
Internal auditor 9001 day 1
Dr Madhu Aman Sharma
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
Chandan Singh Ghodela
 
Quality management system services 'QMS' in India
Quality management system services 'QMS' in IndiaQuality management system services 'QMS' in India
Quality management system services 'QMS' in India
ManojHosur
 
ISO_27001_Auditor_Checklist.pdf
ISO_27001_Auditor_Checklist.pdfISO_27001_Auditor_Checklist.pdf
ISO_27001_Auditor_Checklist.pdf
Qasim965490
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
ClashWithGROUDON
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Assignment
AssignmentAssignment
Assignment
Haya Haroon
 
Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015
Jose Alejandro Soto Zevallos
 

Similar to NQA ISO 9001 to ISO 27001 Gap Guide (20)

ISO 27001:2013 - Changes
ISO 27001:2013 - ChangesISO 27001:2013 - Changes
ISO 27001:2013 - Changes
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Upload iso 9001 2015 presentation
Upload iso 9001 2015 presentationUpload iso 9001 2015 presentation
Upload iso 9001 2015 presentation
 
Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013Auditing Information Security Management System Using ISO 27001 2013
Auditing Information Security Management System Using ISO 27001 2013
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
Taking Control of Information Security
Taking Control of Information SecurityTaking Control of Information Security
Taking Control of Information Security
 
Infosec Audit Lecture_4
Infosec Audit Lecture_4Infosec Audit Lecture_4
Infosec Audit Lecture_4
 
ISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docxISO9001_2015_Frequently_Asked_Questions.docx
ISO9001_2015_Frequently_Asked_Questions.docx
 
ISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptxISO27001_COBIT_Students.pptx
ISO27001_COBIT_Students.pptx
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014UL DQS India News Letter - iSeeek jun_2014
UL DQS India News Letter - iSeeek jun_2014
 
Internal auditor 9001 day 1
Internal auditor 9001 day 1Internal auditor 9001 day 1
Internal auditor 9001 day 1
 
Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001Whitepaper iso 27001_isms | All about ISO 27001
Whitepaper iso 27001_isms | All about ISO 27001
 
Quality management system services 'QMS' in India
Quality management system services 'QMS' in IndiaQuality management system services 'QMS' in India
Quality management system services 'QMS' in India
 
ISO_27001_Auditor_Checklist.pdf
ISO_27001_Auditor_Checklist.pdfISO_27001_Auditor_Checklist.pdf
ISO_27001_Auditor_Checklist.pdf
 
Bsi annex-sl-whitepaper
Bsi annex-sl-whitepaperBsi annex-sl-whitepaper
Bsi annex-sl-whitepaper
 
Unit 4 standards.ppt
Unit 4 standards.pptUnit 4 standards.ppt
Unit 4 standards.ppt
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
Assignment
AssignmentAssignment
Assignment
 
Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015Understanding changes of ISO 9001-2008 to ISO 9001-2015
Understanding changes of ISO 9001-2008 to ISO 9001-2015
 

More from NQA

NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
NQA
 
NQA ISO 13485 Introduction Guide
NQA ISO 13485 Introduction GuideNQA ISO 13485 Introduction Guide
NQA ISO 13485 Introduction Guide
NQA
 
NQA Measuring Operational Resilience Guide
NQA Measuring Operational Resilience GuideNQA Measuring Operational Resilience Guide
NQA Measuring Operational Resilience Guide
NQA
 
NQA ISO 22301 Transition Gap Guide
NQA ISO 22301 Transition Gap GuideNQA ISO 22301 Transition Gap Guide
NQA ISO 22301 Transition Gap Guide
NQA
 
NQA Ten Tips for Planning and Preparing
NQA Ten Tips for Planning and PreparingNQA Ten Tips for Planning and Preparing
NQA Ten Tips for Planning and Preparing
NQA
 
NQA ISO 13485 Implementation Guide
NQA ISO 13485 Implementation GuideNQA ISO 13485 Implementation Guide
NQA ISO 13485 Implementation Guide
NQA
 
NQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity ChecklistNQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity Checklist
NQA
 
NQA Your Risk Assurance Partner
NQA Your Risk Assurance PartnerNQA Your Risk Assurance Partner
NQA Your Risk Assurance Partner
NQA
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
NQA
 
NQA ISO 50001 Implementation Guide
NQA ISO 50001 Implementation GuideNQA ISO 50001 Implementation Guide
NQA ISO 50001 Implementation Guide
NQA
 
NQA ISO 45001 Implementation Guide
NQA ISO 45001 Implementation GuideNQA ISO 45001 Implementation Guide
NQA ISO 45001 Implementation Guide
NQA
 
NQA ISO 45001 Gap Guide
NQA ISO 45001 Gap GuideNQA ISO 45001 Gap Guide
NQA ISO 45001 Gap Guide
NQA
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
NQA
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
NQA
 
NQA ISO 22000 Implementation Guide
NQA ISO 22000 Implementation GuideNQA ISO 22000 Implementation Guide
NQA ISO 22000 Implementation Guide
NQA
 
NQA ISO 14001 Implementation Guide
NQA ISO 14001 Implementation GuideNQA ISO 14001 Implementation Guide
NQA ISO 14001 Implementation Guide
NQA
 
NQA ISO 9001 Implementation Guide
NQA ISO 9001 Implementation GuideNQA ISO 9001 Implementation Guide
NQA ISO 9001 Implementation Guide
NQA
 
NQA Journey to Certification
NQA Journey to CertificationNQA Journey to Certification
NQA Journey to Certification
NQA
 
NQA 10 Steps to IMS Guide
NQA 10 Steps to IMS GuideNQA 10 Steps to IMS Guide
NQA 10 Steps to IMS Guide
NQA
 
NQA ISO 22000 Food Safety Transition Gap Guide
NQA ISO 22000 Food Safety Transition Gap GuideNQA ISO 22000 Food Safety Transition Gap Guide
NQA ISO 22000 Food Safety Transition Gap Guide
NQA
 

More from NQA (20)

NQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 MappingNQA ISO 27001 27017 27018 27701 Mapping
NQA ISO 27001 27017 27018 27701 Mapping
 
NQA ISO 13485 Introduction Guide
NQA ISO 13485 Introduction GuideNQA ISO 13485 Introduction Guide
NQA ISO 13485 Introduction Guide
 
NQA Measuring Operational Resilience Guide
NQA Measuring Operational Resilience GuideNQA Measuring Operational Resilience Guide
NQA Measuring Operational Resilience Guide
 
NQA ISO 22301 Transition Gap Guide
NQA ISO 22301 Transition Gap GuideNQA ISO 22301 Transition Gap Guide
NQA ISO 22301 Transition Gap Guide
 
NQA Ten Tips for Planning and Preparing
NQA Ten Tips for Planning and PreparingNQA Ten Tips for Planning and Preparing
NQA Ten Tips for Planning and Preparing
 
NQA ISO 13485 Implementation Guide
NQA ISO 13485 Implementation GuideNQA ISO 13485 Implementation Guide
NQA ISO 13485 Implementation Guide
 
NQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity ChecklistNQA ISO 22301 Business Continuity Checklist
NQA ISO 22301 Business Continuity Checklist
 
NQA Your Risk Assurance Partner
NQA Your Risk Assurance PartnerNQA Your Risk Assurance Partner
NQA Your Risk Assurance Partner
 
NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001NQA Your Complete Guide to ISO 27001
NQA Your Complete Guide to ISO 27001
 
NQA ISO 50001 Implementation Guide
NQA ISO 50001 Implementation GuideNQA ISO 50001 Implementation Guide
NQA ISO 50001 Implementation Guide
 
NQA ISO 45001 Implementation Guide
NQA ISO 45001 Implementation GuideNQA ISO 45001 Implementation Guide
NQA ISO 45001 Implementation Guide
 
NQA ISO 45001 Gap Guide
NQA ISO 45001 Gap GuideNQA ISO 45001 Gap Guide
NQA ISO 45001 Gap Guide
 
NQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation GuideNQA ISO 27701 Implementation Guide
NQA ISO 27701 Implementation Guide
 
NQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation GuideNQA ISO 27001 Implementation Guide
NQA ISO 27001 Implementation Guide
 
NQA ISO 22000 Implementation Guide
NQA ISO 22000 Implementation GuideNQA ISO 22000 Implementation Guide
NQA ISO 22000 Implementation Guide
 
NQA ISO 14001 Implementation Guide
NQA ISO 14001 Implementation GuideNQA ISO 14001 Implementation Guide
NQA ISO 14001 Implementation Guide
 
NQA ISO 9001 Implementation Guide
NQA ISO 9001 Implementation GuideNQA ISO 9001 Implementation Guide
NQA ISO 9001 Implementation Guide
 
NQA Journey to Certification
NQA Journey to CertificationNQA Journey to Certification
NQA Journey to Certification
 
NQA 10 Steps to IMS Guide
NQA 10 Steps to IMS GuideNQA 10 Steps to IMS Guide
NQA 10 Steps to IMS Guide
 
NQA ISO 22000 Food Safety Transition Gap Guide
NQA ISO 22000 Food Safety Transition Gap GuideNQA ISO 22000 Food Safety Transition Gap Guide
NQA ISO 22000 Food Safety Transition Gap Guide
 

Recently uploaded

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 

NQA ISO 9001 to ISO 27001 Gap Guide

  • 1. ISO 27001:2013 the Information Security Management Standard is one of the fastest growing standards right now; partly due to the ever evolving digital landscape and the recent introduction of the new General Data Protection Regulations (GDPR). Similarly to ISO 9001, ISO 27001 is the internationally recognized standard for information security management. It is the most widely used ISMS standard in the world, with over 35k certificates issued to organizations in 178 countries. What do these standards have in common? And if you have one management system can you have the other? The best way to implement another management system if you already have one is to implement an Integrated Management System (IMS). This way both systems meet the requirements of the standard and you won’t be duplicating lots of work. How do you start though? Firstly look at the easy bits - what’s common. If you are already fulfilling one standard requirement, chances are you may not be far away from achieving the same requirement under a different standard. Within this brief you will see that we have mapped out the various different clauses within both ISO 9001:2015 and ISO 27001:2013 to help you understand how implementing another standard on top of existing processes and procedures can be achieved successfully. First a brief overview of the main clauses and the similarities. • Context of the organization Both standards require organizations to identify the internal and external issues relevant to the company albeit from a different viewpoint. ISO 9001 focuses on Quality and ISO 27001 focuses on Information Security • Interested parties Organizations must determine the interested parties plus their needs and expectations relating to quality or information security. This can be achieved in the same process with a combined list created • Responsibility and authority Both standards require the roles and responsibilities for the QMS and ISMS to be defined. Although these roles may be different the same process for the identification and definition of these roles can be the same • Competence, awareness, communication and documented information These requirements are similar for many standards and not just ISO 9001 & 27001. They can be addressed in the same way and in many cases at the same time • Internal audits and management review Although the audit criteria and management review input and outputs will differ, the process is exactly the same and depending on the size or complexity of the organization can be done together or separately • Nonconformity and corrective action Both systems require a process for handling nonconformities and corrective action. This can be the same with no reason to keep them separate THE DIFFERENCE ISO 27001:2013 differs from ISO 9001:2015 in that it adds Information Security Risk Assessment and risk treatment into the ISMS. For an Information Security Risk Assessment, the organization must develop a methodology for the identification of information security risks. This is a separate process than that of addressing risk and opportunities with 9001. MANAGE YOUR INTEGRATION ISO 9001 TO ISO 27001 GAP GUIDE The Information Security Risk Treatment process requires an organization to apply one or several of the information security controls listed within Annex A in an attempt to mitigate risk. MAPPING The following table shows the various clauses in the standards and their similarities:
  • 2. ISO 9001:2015 ISO 27001:2013 GUIDANCE 4 Context of the Organization 4 Context of the Organization 4.1. Understanding the organization and its context 4.1. Understanding the organization and its context Both standards require organizations to determine internal and external issues related to the suitability of the management system achieving its intended outcome. 4.2. Understanding the needs and expectations of interested parties 4.2. Understanding the needs and expectations of interested parties Both standards require organizations to identify relevant interested parties as well as their needs and expectations. 4.3 Determining the scope of the quality management system 4.3 Determining the scope of the information security management system The scope of the management system must be defined for both standards. The difference is that ISO 9001 requires products and services to be considered, and ISO 27001 requires consideration of interfaces and dependencies between the processes when defining the scope. 4.4. Quality management system and its processes 4.4. Information security management system The requirements are exactly the same, each system must be established, implemented, documented, and continually improved. 5 Leadership 5 Leadership 5.1 Leadership and commitment 5.1 Leadership and commitment Both standards require management to implement policies, make provisions for resources, Continual Improvement assigning roles and responsibilities etc. 5.1.1 General No similar clause in ISO 27001. 5.1.2 Customer focus No similar clause in ISO 27001. 5.2 Policy 5.2 Policy The requirements are very similar and could be met in a single document. Some policies are written as separate documents. If separate the policies should be compatible with each other. 5.2.1 Establishing the quality policy No similar clause in ISO 27001. 5.2.2 Communicating the quality policy No similar clause in ISO 27001. 5.3 Organizational roles, responsibilities and authorities 5.3 Organizational roles, responsibilities and authorities The requirements from the standard are the same in that roles, responsibilities and authorities can be communicated in the same way. This means, for example, the Quality Manager can also be the Information Security Manager and, based on competency could perform the internal audits on both systems.
  • 3. 6 Planning 6 Planning 6.1 Actions to address risks and opportunities 6.1 Actions to address risks and opportunities Both standards specifically require the identification of risks and opportunities arising from the context of the organization in terms of quality and information security. The only difference with ISO 27001 is that the standard provides a list of control measures which can be used to mitigate these risks in the form of Annex A. 6.2 Quality objectives and plans to achieve them 6.2 Information security objectives and planning to achieve them Both standards stipulate a need to establish objectives and their plans for realisation. These can be separate documents or placed together. 6.3 Planning of changes No similar clause in ISO 27001. ISO 9001:2015 ISO 27001:2013 GUIDANCE 7 Support 7 Support 7.1 Resources 7.1 Resources The standards require the organization to determine and provide the necessary resources for process execution. This means the same processes can be used, such as; a purchasing process to fulfil requirements. 7.1.1 General No similar clause in ISO 27001. 7.1.2 People No similar clause in ISO 27001. 7.1.3 Infrastructure No similar clause in ISO 27001. 7.1.4 Environment for the operation of processes No similar clause in ISO 27001. 7.1.5 Monitoring and measuring resources No similar clause in ISO 27001. 7.1.5.2 Measurement Traceability No similar clause in ISO 27001. 7.1.6 Organizational knowledge No similar clause in ISO 27001. 7.2 Competence 7.2 Competence Both standards require the organization to identify and provide training for the necessary competencies of employees and also to keep records regarding those competencies. 7.3 Awareness 7.3 Awareness A requirement of both standards is that employees are aware of the relevant policies and procedures. This also includes awareness of the role they play within the management system and how they impact the organizations performance with regards to quality and information security. 7.4 Communication 7.4 Communication Both standards require the same thing and can be met via the same methods or processes. 7.5 Documented information 7.5 Documented information The requirement is the same and the same processes/ procedures can be applied.
  • 4. ISO 9001:2015 ISO 27001:2013 GUIDANCE 8 Operation 8 Operation 8.1 Operational planning and control 8.1 Operational planning and control Although the clause names are the same they have different scopes between the standards. ISO 9001 – focuses on defining and controlling process ISO 27001 – focuses on establishing information security controls. 8.2 Requirements for products and services No similar clause in ISO 27001. 8.3 Design and development of products and services A.6.1.5 Information security in project management A.6.1.5 is a control measure from ISO 27001 Annex A and can be part of the procedure for design and development. 8.4 Control of externally provided processes, products and services A.15 Supplier relationships Although different clause numbers – very similar requirements. Contracts entered into with suppliers should include a consideration of information security clauses. Indeed, information security can be used as criteria for the evaluation of suppliers. 8.5 Production and service provision A.12 Operations security Any IT processes that support the production and service provision should have the information security requirements taken into account. 8.6 Release of products and services No similar clause in ISO 27001. 8.7 Control of nonconforming outputs No similar clause in ISO 27001. 9 Performance evaluation 9 Performance evaluation 9.1 Monitoring, measurement, analysis and evaluation 9.1 Monitoring, measurement, analysis and evaluation The effectiveness of the management system must be monitored using the parameters that the organization has identified as being important for the process realization. ISO 9001 also monitors customer satisfaction (9.1.2). 9.2 Internal Audit 9.2 Internal Audit The same procedure can be applied to both standards regarding internal audits. 9.3 Management review 9.3 Management review The clause and requirements are the same however both standards have different input elements. The same documentation can be used however the separate input elements must be contained. 10 Improvement 10 Improvement 10.1 General No similar clause in ISO 27001. 10.2 Nonconformity and corrective action 10.1 Nonconformity and corrective action The same process can used to meet the similar requirements of both standards. 10.3 Continual improvement 10.2 Continual improvement As with every management system an emphasis is placed on continual improvement which can be conducted via a joint procedure for corrective action. If you already have a robust Quality management system in place under ISO 9001:2015, the benefits of implementing an Information Security Management System as well are countless. Not only does it help to demonstrate compliance to the new GDPR but it also highlights to your customers, employees and stakeholders that you take information security and data security seriously. You may already be doing more than you think. www.nqa.com