ISO/IEC 27001 Information Security Management System

Information Security Management System

ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 relationships.


The aim of this paper is to show which relationships exist between ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 (hoping that the final release will not be too far from what the DIS states). This comparison can be useful to point out common items and to speed up synergies when developing a common strategy for approaching "Information Security" in your business.

Quartarone Luciano

Luciano Quartarone - http://www.lucianoquartarone.it - +44 (0) 7984 700 240 - +39 392 512 7104 - info@lucianoquartarone.it
| ISO/IEC 27001:2013 | ISO 9001:2008 | DIS 9001:2015 | Explanation |
|---|---|---|---|
| 0 Introduction | 0 Introduction | 0 Introduction | |
| 0.1 General | 0.1 General | 0.1 General | These clauses (0.1 and 0.2) have the same requirements in both standards. |
| 0.2 Compatibility with other management system standards | 0.4 Compatibility with other management systems | 0.6 Compatibility with other management system standards | |
| 1 Scope | 1 Scope | 1 Scope | |
| 2 Normative references | 2 Normative references | 2 Normative references | |
| 3 Terms and definitions | 3 Terms and definitions | 3 Terms and definitions | |
| 4 Context of the organization | | 4 Context of the organization | |
| 4.1 Understanding the organization and its context | | 4.1 Understanding the organization and its context | There are no similar clauses in ISO 9001:2008, but in DIS 9001:2015 this seems to be reintroduced. |
| 4.2 Understanding the needs and expectations of interested parties | 5.1.a Management commitment | 4.2 Understanding the needs and expectations of interested parties | While for ISO 9001:2008 you can use the same document to list the statutory and regulatory requirements regarding your organization, in DIS 9001:2015 there seems to be a perfect alignment with this clause. |
| 4.3 Determining the scope of the information security management system | 4.2.2.a Quality manual | 4.3 Determining the scope of the quality management system | The requirements are the same, especially in DIS 9001:2015, and can be met through the same document. |
| 4.4 Information security management system | 4.1 General requirements | 4.4 Quality management system and its processes | The requirements are the same, even though from two different perspectives; each system must be established, implemented, documented and continually improved. |
| 5 Leadership | 5 Management responsibility | 5 Leadership | |
| 5.1 Leadership and commitment | 5.1 Management commitment | 5.1 Leadership and commitment | The requirements are almost the same, and management has to treat all standards in the same way regarding implementation of the policies, provision of resources, continual improvement, assignment of roles and responsibilities, etc. |
| 5.2 Policy | | 5.2 Quality policy | The requirements are almost the same, and in theory they could be met through a single document, but in my opinion it is better if the policies are written as separate documents, in which case they must (obviously) be compatible with each other. |
| 5.3 Organizational roles, responsibilities and authorities | | 5.3 Organizational roles, responsibilities and authorities | Roles, responsibilities and authorities for all standards can be communicated in the same way. |
| 6 Planning | | 6 Planning | |
| 6.1.1 Actions to address risks and opportunities - general | 8.5.3 Preventive action | 6.1 Actions to address risks and opportunities | In ISO 9001:2008, addressing risks can be considered as preventive action, but it can't be merged into the same document. In DIS 9001:2015 the requirements are almost the same. |
| 6.1.2 Information security risk assessment | - | - | There are no similar clauses in ISO 9001. |
| 6.1.3 Information security risk treatment | - | - | There are no similar clauses in ISO 9001. |
| 6.2 Information security objectives and planning to achieve them | 5.1 Management commitment | 6.2 Quality objectives and planning to achieve them | The requirements are almost the same in all standards. Objectives and the plans for their realization can be placed in one document for both standards. |
| 7 Support | 6 Resource management | 7 Support | |
| 7.1 Resources | 6.1 Provision of resources; 6.2 Human resources; 6.3 Infrastructure; 6.4 Work environment | 7.1 Resources | The organization has to determine and provide the resources necessary for process execution in order to meet the requirements of both standards. In DIS 9001:2015 the requirements are closer to ISO/IEC 27001. |
| 7.2 Competence | 6.2.2 Competence, training and awareness | 7.2 Competence | The requirements are the same and can be met through the same processes. |
| 7.3 Awareness | | 7.3 Awareness | The requirements are the same and can be met through the same processes. |
| 7.4 Communication | 5.5.3 Internal communication | 7.4 Communication | The requirements are the same and can be met through the same processes. |
| 7.5 Documented information | 4.2 Documentation requirements | 7.5 Documented information | The requirements are the same and can be met through the same processes. |
| 8 Operation | | 8 Operation | |
| 8.1 Operational planning and control | 8.2.3 Monitoring and measurement of processes | 8.1 Operational planning and control | The requirements are the same, and you can set up and describe a KPI framework for the processes of all standards in a single document. |
| 8.2 Information security risk assessment | - | - | There are no similar clauses in ISO 9001. |
| 8.3 Information security risk treatment | 8.5.3 Preventive action | - | As stated in DIS 9001:2015, A.4: "[...] The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements." Although risks and opportunities have to be determined and addressed, there is no requirement for formal risk management or a documented risk management process. DIS 9001:2015 makes the approach used in ISO 9001:2008 obsolete. |
| 9 Performance evaluation | | 9 Performance evaluation | |
| 9.1 Monitoring, measurement, analysis and evaluation | 8 Measurement, analysis and improvement; 8.1 General; 8.2.3 Monitoring and measurement of processes; 8.2.4 Monitoring and measurement of product | 9.1 Monitoring, measurement, analysis and evaluation; 9.1.1 General | The requirements are the same. |
| 9.2 Internal audit | 8.2.2 Internal audit | 9.2 Internal audit | The same approach to internal audit can be applied for all standards. |
| 9.3 Management review | 5.6 Management review | 9.3 Management review | The requirements are the same, even though they shall be addressed with different inputs. |
| 10 Improvement | 8.5 Improvement | 10 Improvement | |
| 10.1 Nonconformity and corrective action | 8.3 Control of nonconforming product; 8.5.2 Corrective action | 10.2 Nonconformity and corrective action | The requirements are the same and can be met through the same procedure. In DIS 9001:2015 "Nonconformity" and "Corrective action" are merged into the same clause. |
| 10.2 Continual improvement | 8.5.1 Continual improvement | 10.3 Continual improvement | The requirements are the same. |

Quartarone Luciano
via San Bartolomeo, 8 - 20861 Brugherio (MB)
l.quartarone@icloud.com - luciano.quartarone@pec.it -
http://www.lucianoquartarone.it
C.F.: QRTLCN74P29M052G - P.IVA.: 08278730968
