TRANSCRIPT
ISO 27001 implementation: How to make it easier using ISO 9001?
Presenter: Dejan Kosutic
©2017 27001Academy advisera.com/27001academy
How to use ISO 9001 to make your ISO 27001 implementation less painful.
You have already implemented ISO 9001, or you are planning to implement both ISO 9001 and ISO 27001.
In most cases, ISO 9001 can save up to 25% of the time needed for ISO 27001 implementation.
ISO 27001 is much more similar to ISO 9001 than it may seem at first sight!
Agenda
• Similarities
• Differences
• Implementation issues & roles
• Top management issues
• Implementing both standards
• Certification
• Greatest challenges with ISO 27001
Similarities – PDCA cycle
• Plan – define what you want to achieve
• Do – implement what you have planned for
• Check – measure whether you achieved the objectives
• Act – fill the gap
… Similarities
• Process approach
• Document control
• Corrective actions
• Human resources management
• Internal audits
• Management review
• Setting the objectives and measuring
• ISO 27001 Annex A – exclusions are possible
… And differences
ISO 9001:
• Quality manual
• Customer complaints
ISO 27001:
• Selecting controls (risk assessment)
• Statement of Applicability
• Security incidents
Implementation issues
• Integrate ISMS and QMS in one single management system
• PAS 99 Integrated Management
• For ISO 9001 clause 7.1.3 (Infrastructure) use ISO 27001
• Do not merge Quality Policy and Information Security Policy
Roles
• QMS management representative
• CISO (Chief Information Security Officer)
• Project team
• Top management / sponsor
Top management issues
• If a QMS is already implemented, they will understand the benefits (or drawbacks) of an ISMS more easily
• The management review can be done at the same time for both ISO 27001 and ISO 9001
• The system for setting objectives and measuring them can be the same
Implementing both standards in parallel
ISO 27001:
• Risk assessment + Annex A
ISO 27001 + ISO 9001:
• Objectives
• ISMS and QMS policies
• Document management
• Internal audits, management reviews, corrective actions
ISO 9001:
• Core operating procedures
Certification
Integrated audit
→ it will save you time and money!
Greatest challenges with ISO 27001
• A lot of related ISO standards (ISO 19011, ISO 9001, ISO 27000 family, ISO 31000, etc.)
• Defining the scope of implementation
• Management and colleague commitment
• Risk management, since ISO 9001:2015 does not really require a formal risk process
• Creating an Integrated Management System
Conclusions
ISO 27001 and ISO 9001 have a very similar core management system
→ ISO 9001 is an excellent foundation for ISO 27001 implementation
Q & A
Dejan Kosutic