ISO 9001 and ISO 27001: The Relationship
When you eat out, the optimal experience is to have both a nice time and to eat quality food. If you had to choose, your meal likely means more—you trust the chef with your order to deliver something scrumptious. But it’s also important that you receive great service from the hostess and waitstaff—both together make you happy as a customer.
The relationship between ISO 27001 and ISO 9001 can be likened to something similar. ISO certifications in general have become very popular in demonstrating an organization’s compliance with certain standards. While 27001 itself can give your customers quite a lot of reassurance, there’s also something to be said about combining it with 9001.
To help you understand whether or not it’s a combination that works for you, we’re going to delve deeper. As an ISO Certification Body, Schellman has performed over 450 27001 and 9001 certifications collectively in just the last year, so we’ve got a good understanding of both paths and their relationship.
In this article, we’ll briefly overview ISO 9001 before we get into the similarities and differences between it and 27001. Then, we’ll detail the benefits of integrating the two and their management systems so that you’re entirely clear on how you can benefit from one or the other of these ISO certifications—or maybe even both together.
ISO 27001 vs. ISO 9001
As you may already know, ISO 27001 evaluates how your organization addresses information security. There’s an extensive set of requirements your implemented information security management system (ISMS) must meet to reap all the benefits of becoming certified. If you’re ISO 27001 certified, your customers can be confident that you effectively manage information security risks. Think of 27001 as the meal half of your customers’ “restaurant” experience—they trust you to protect their information the same way you trust a chef not to make you sick.
On the flip side, if you’re certifying against the ISO 9001 standard, that means you’re meeting its requirements to demonstrate that you have an effective quality management system (QMS) in place that allows you to consistently provide value-driven products and services. Taken into consideration are:
- Your process operating environment for products/services
- Customer focus on quality
- Design and development of products and services
- Design inputs and outputs
- How externally provided processes and services are managed
Establishing a QMS and becoming 9001 certified means adopting the interrelated process approach that ISO promotes. The idea is that understanding and managing the processes necessary to meet customer requirements as a system can improve your organizational effectiveness and efficiency. You do this using the Plan, Do, Check, Act (PDCA) cycle with an overall focus on risk-based thinking that will enable you to take advantage of opportunities and prevent undesirable results.
ISO 27001 and ISO 9001
ISO certifications are notorious for requiring ample preparation. ISO 27001 and ISO 9001, which each take a holistic approach to two different important aspects of business, align well in terms of customer satisfaction—similarly to good service and food at a restaurant.
They also complement each other in terms of implementation—if you’re already fulfilling a requirement of one standard, you may not be far from achieving the corresponding requirement under the other.
To illustrate what we mean, let’s explore both the differences and similarities of these two certification standards.
Differences Between ISO 9001 and ISO 27001
These are two different standards that address two different things, so some divergences are necessary to achieve the individual goals of the respective management systems. Before we can get into the aforementioned alignment, we need to address the items that will require separate efforts, the largest of which is the information security risk assessment and risk treatment that ISO 27001 requires you to complete for your ISMS.
You’ll need to develop a methodology for identifying information security risks while also applying one or more of the information security controls listed in the standard’s Annex A to mitigate those risks—this will need to be completely independent of how you address risks and opportunities under 9001.
Here’s a little more detail on other significant areas where these two standards and their required efforts diverge, though this is not a comprehensive list:
- Determining the Scope – You must define the scope of the management system for both standards, but ISO 9001 requires products and services to be considered here, whereas ISO 27001 requires consideration of interfaces and dependencies between the processes.
  - ISO 9001 also allows you to exclude requirements that are not applicable, but only if the exclusion does not affect your ability or responsibility to ensure the enhancement of customer satisfaction.
- Leadership and Commitment – Unlike 27001, ISO 9001 takes a customer-focused approach, requiring that customer requirements (including applicable statutory and regulatory requirements) are consistently met and that you define how customer satisfaction will be determined, understood, enhanced, and maintained.
- Policy – While these requirements between the two standards are very similar and could even be met in a single document, ISO 9001 additionally requires you to establish a quality policy and communicate it.
- Established Control Set – Both standards specifically require the identification of risks and opportunities in different contexts. While ISO 27001 provides a list of control measures that can be used to mitigate these risks in the form of Annex A, ISO 9001 does not have a control set in place.
- Resources – Both standards require the necessary resources for process execution. While the same can be used in some cases, ISO 9001 also requires specific resources surrounding personnel, infrastructure, and knowledge when it comes to the conformity of your products/services.
- Operational Planning and Control – Though the clause names are the same, the ISO 9001 clause focuses on defining and controlling processes, whereas the ISO 27001 clause focuses on establishing information security controls.
- Requirements for Products and Services – ISO 9001 is unique in that it specifically requires you to:
  - Establish customer communication
  - Determine and review requirements for products and services, including those regarding control of production, traceability, preservation, and post-delivery activities, among others
  - Verify that said requirements have been met at planned arrangements or appropriate stages before release to customers can proceed
- Changes – ISO 9001 also specifically requires that you determine the need for changes and that they are carried out in a planned manner with the considerations of purpose, integrity, resource availability, and allocation of responsibilities.
Similarities Between ISO 9001 and ISO 27001
Despite these differences, there are a lot of complementary facets between ISO 9001 and ISO 27001 that can be accomplished together or at the same time. Here’s where 27001 and 9001 align:
- Context of the Organization – Both standards require organizations to identify the internal and external issues relevant to the company (albeit from a different viewpoint).
- Interested Parties – You can use the same process to determine the interested parties and their needs and expectations relating to both quality and information security.
- Responsibility and Authority – Both standards require the roles and responsibilities of the respective QMS and ISMS to be defined. Although the roles themselves may differ, the same process can be used to identify and define them.
- Competence, Awareness, Communication, and Documented Information – These requirements are similar for many standards—not just ISO 9001 and 27001—and can be addressed in the same way and, in many cases, at the same time.
- Measurement and Monitoring – Both require ongoing monitoring of management system operations to maintain certification.
- Internal Audits and Management Review – Although the audit criteria and the management review inputs and outputs will differ, the process itself is the same. Depending on the size or complexity of your organization, they can be done together or separately.
- Nonconformity and Corrective Action – Both systems require a process for handling nonconformities and corrective action, and again, you can use one process for both.
Benefits of Integrating ISO 27001 and ISO 9001
These similarities do line up in a way that makes integrating 9001 and 27001 “easier.” But is that the right step for your organization? What are the benefits of making this kind of effort to become certified in both?
- Holistic Management System Approach: Integration of these two different standards and their management systems will mean your organization puts processes into place that cover a lot of ground within operations and security, which will streamline staff hours and reduce administrative burden—both of which will contribute to improved organizational performance.
- Compliance with Two International Standards: ISO certification demonstrates compliance with rigorous requirements to customers and regulatory bodies alike.
- Demonstration of Both Security and Quality of Processes: You can simultaneously demonstrate your ability and commitment to information security risk management while also validating your dedication to the optimal delivery of quality products and services.
- Increased Marketability: Not one but two ISO certifications will mean a significant competitive advantage—your customers will not only be confident that you have reduced risk and established the required mitigation practices, but they’ll know you’re in a position to provide better customer satisfaction. All that will only boost your reputation among new prospects.
- Better Positioned for Other Compliance Projects: Because ISO is so comprehensive, mapping to other regulations or standards should be simpler.
Moving Forward with Both ISO 9001 and ISO 27001
Though it will take some effort, becoming certified in both ISO 9001 and ISO 27001 will mean giving your customers a fuller experience—if they were eating at a restaurant, they’d be confident in getting both a great meal and great service from you. Now you also understand how giving them that benefits you.
The similarities between these standards indicate a more easily charted path forward, but it’s likely you still have some questions about how it all works. If so, reach out to us so that one of our subject matter experts can walk you through the particulars, after which you can move more confidently toward certification.
About Daniel Valentin
Daniel Valentin is a Manager with Schellman based in Tampa, Florida. Prior to joining Schellman in 2014, Daniel worked as an Internal Auditor in the industry as part of a Risk Management department specializing in physical safety and security for over 150 locations in the U.S. and Puerto Rico. Before focusing his career on professional services, Daniel worked as a Corporate Internal Auditor specializing in audit and compliance which included Sarbanes-Oxley (SOX), Mergers and Acquisitions (M&A), and fraud investigations where he gained experience in IT system analysis and project management. Daniel is now focused primarily on ISO certifications for organizations across various industries.