As organizations work to continue to meet customer and legal requirements for compliance, it is becoming more common for those organizations to have a need to obtain and maintain multiple ISO certifications. One common combination of certifications that continues to gain popularity is ISO 9001:2015 (ISO 9001) and ISO/IEC 27001:2013 (ISO 27001).
The ISO 9001 standard specifies the requirements for an organization to demonstrate that an effective quality management system is in place and consistently provides quality-driven products and services that meet customer and regulatory requirements. Achieving an ISO 9001 certification means the organization has successfully demonstrated a sound quality process, taking into consideration the operating environment for its product and service processes, customer focus on quality, infrastructure, design and development of products and services, design inputs and outputs, and how externally provided processes and services are managed. ISO 27001, in turn, is the internationally recognized standard that guides an organization in implementing and maintaining an effective information security management system (ISMS). An organization that achieves a 27001 certification has demonstrated the ability to effectively manage information security risks by implementing an ISMS with supporting ISO 27002 Annex A controls, as they are applicable to the organization per its statement of applicability.
The International Organization for Standardization (ISO) defines a management system as “a system in which an organization manages the reciprocal parts of its business in order to achieve its objectives.” Regarding the ISO 9001 and ISO 27001 standards, though they regulate two separate management systems, they do share some of the most basic commonalities, which include the following:
- Scoping – consideration of internal/ external issues, as well as interested parties
- Leadership – support from top management regarding resources, communication, and aligning the management system’s objectives with those of the organization’s overall business objectives
- Human resources support – confirmation of adequate support for the implementation and ongoing maintenance of the management systems
- Document management – documentation process and procedure for management system documentation
- Internal audit – confirmation that an independent and objective review of the management system is performed
- Measurement and monitoring – confirmation that the operation of the management system is monitored
- Management review – evidence that relevant management personnel review the ongoing performance, continued suitability, adequacy, and effectiveness of the management system
- Continual improvement – ongoing and forward-thinking effort to improve the overall management system
With that being said, the differences between the two systems, some of which are highlighted below, should of course also be considered:
ISO 9001
- Objective: To maintain the expected quality standards in the organization
- Does not require a Statement of Applicability
ISO 27001
- Objective: To provide requirements for establishing, implementing, maintaining and continually improving an ISMS
- Utilizes controls from ISO 27002 to support its ISMS
Obviously, there are more commonalities between the two management systems than differences, and the differences that do exist can also peripherally benefit and complement the other management system. Therefore, achieving dual ISO 9001 and ISO 27001 certification can prove incredibly useful: in doing so, an organization simultaneously demonstrates its ability and commitment to information security risk management while also validating its dedication to the optimal delivery of quality products and services.