
ISO 27001 implementation: How to make it easier using ISO 9001?

Presenter: Dejan Kosutic

How to use the ISO 9001 standard to make your ISO 27001 implementation less painful. Either you have already implemented ISO 9001, or you are planning to implement both ISO 9001 and ISO 27001. In 90% of cases ISO 9001 can save up to 33% of the time needed for ISO 27001 implementation.

2010 Information Security & Business Continuity Academy www.iso27001standard.com

ISO 27001 is much more similar to ISO 9001 than it may seem at first sight!


Agenda

Similarities
Differences
Implementation issues & roles
Top management issues
Implementing both standards
Certification
Greatest challenges with ISO 27001


Similarities: PDCA cycle

Plan: Define what you want to achieve
Do: Implement what you have planned for
Check: Measure if you achieved the objectives
Act: Fill the gap

Similarities

Process approach
4 mandatory procedures
Human resources management
Internal audits
Management review
Setting the objectives and measuring
ISO 27001 Annex A exclusions are possible

Differences

ISO 9001:
Quality manual
Customer complaints

ISO 27001:
Risk assessment
Statement of Applicability
Security incidents

Implementation issues

Integrate the ISMS and the QMS into one single management system (PAS 99 Integrated Management)
For ISO 9001 clause 6.3 (Infrastructure) use ISO 27001
Do not merge the Quality Policy and the ISMS Policy

Roles

QMS management representative
CISO (Chief Information Security Officer)
Project team
Top management / sponsor

Top management issues

If a QMS is already implemented, management will understand the benefits (or drawbacks) of an ISMS more easily
The management review can be done at the same time for both ISO 27001 and ISO 9001
The system for setting objectives and measuring them can be the same

Implementing both standards in parallel

Objectives
ISMS and QMS policies
Document management
Risk assessment + Annex A
Core operating procedures
Internal audits, management reviews, corrective and preventive actions

Certification

Integrated audit: it will save you time and money!

Greatest challenges with ISO 27001

Implementation of 133 controls
Getting people to change
Conducting the risk assessment
Commitment of senior management
Effectively managing the system with as little overhead as possible

Conclusion

ISO 27001 and ISO 9001 have a very similar core management system
ISO 9001 is a very good foundation for ISO 27001 implementation
Get your management buy-in for ISO 27001!

Q&A

Dejan Kosutic


Thank you!
www.iso27001standard.com
