ISO 9001 specifies how the quality management systems (QMS) should look like, while ISO/IEC 27001 specifies the information security management systems (ISMS). Management’s philosophy Systems has grown from the concept developed by W. Edwards Deming throughout the second half of 20th century and is based on the Plan-Do-Check-Act cycle. Basically, this cycle includes the following: at the Plan phase you need to plan what you would like to achieve with the management system, at the Do phase you employ it, in the Check stage you constantly monitor whether you have achieved what you planned and in the Act period you make improvements, i.e. fill the gap between what you have planned and what you have achieved.
Although this cycle was invented with quality control in mind, it was recognized as a base for many other management systems – data security (ISO/IEC 27001), environment (ISO 14001), business continuity (BS 25999-2), etc. It means that some of the components you have employed for the quality control system based on ISO 9001 you can use to your information security management system as well – here’s the list:
- Document management – the process used for document management in QMS may be utilized for the same function in ISMS, with only minor alterations
- Internal audit – exactly the same process can be used for both QMS and ISMS, although the internal audit itself could usually be done by different people because It is not very likely that one individual would have deep enough knowledge of both data security and quality
- Corrective and preventative actions – the process used for QMS may be utilized for the same function in ISMS, although it is likely that different persons will be solving problems related to QMS or ISMS
- Human resources management – the same cycle of HR planning, evaluation and training is used for the two management systems; obviously, the distinction is in the profile of necessary knowledge and skills
- Management review – the principles for management review are the same for both management systems; even though it would not be recommendable to execute both reviews in parallel, direction will be accustomed to making decisions in QMS, so they will have greater understanding of how to make decisions in the context of ISMS
- Setting the company goals and monitoring whether they have been attained – the same mechanism is put down in both criteria, so management will be utilized to these systematic planning
Therefore, if you have Implemented ISO 9001, you will have a simpler job implementing iso 27001 training and vice versa you can save as much as 30% of time. Further, you will have cheaper certification audits since certification bodies are providing the so called integrated audits, which means they will do both ISO 9001 and ISO 27001 at precisely the identical audit, charging you a much smaller fee compared to split audits.