FINAL 2023wk37 NQA 9001 To 27001 Gap Guide

ISO 27001 and ISO 9001 have many similarities that allow organizations to integrate their management systems. Both standards require organizations to understand their context, identify interested parties and their needs, and determine the scope of the management system. While ISO 27001 focuses specifically on information security risks, the standards have overlapping requirements for leadership, policy, roles and responsibilities, objectives, planning, and support. Integrating the systems can help organizations meet the standards without duplicating processes.


MANAGE YOUR INTEGRATION: COMBINING ISO 27001 WITH ISO 9001

INTRODUCTION

ISO 27001:2022 (Information Security Management) is one of the fastest growing standards right now.

ISO 27001:2022, the Information Security Management Standard, is one of the most popular certified ISO standards globally, due to the constant evolution of threats in the digital landscape, and an increased focus on data being considered a cherished business asset.

Similarly to ISO 27001, ISO 9001:2015 is the internationally recognised standard for quality management. It is the most widely used QMS standard in the world, with over 1.1 million certificates issued to organisations in 178 countries. What do these standards have in common, and if you have one management system, can you have the other?

The best way to implement a second management system if you already have one is to combine them into an Integrated Management System (IMS). This way both systems meet the requirements of the standards and you won’t be duplicating lots of work.

HOW TO START:

If you’re already meeting the requirements of one standard, the chances are that you may not be far away from achieving the same requirement under a different standard.

This guide maps out the various clauses within both ISO 9001:2015 and ISO 27001:2022 to help you understand how implementing another standard on top of existing processes and procedures can be achieved successfully.

THE SIMILARITIES

• Context of the organisation
Both standards require organisations to identify the internal and external issues relevant to the company. ISO 9001 focuses on quality and ISO 27001 focuses on cyber security and data privacy.

• Interested parties
Organisations must determine the interested parties plus their needs and expectations relating to quality and/or information security. This can be achieved in the same process with a combined list.

• Responsibility and authority
Both standards require the roles and responsibilities to be defined. Although these roles may be different, the same process for identifying and defining these roles can be used.

• Competence, awareness, communication and documented information
These requirements are similar for many standards and not just ISO 9001 and ISO 27001. They can be addressed in the same way and in many cases at the same time.

• Internal audits and management review
Although the audit criteria and management review inputs and outputs will differ, the process is exactly the same and, depending on the size or complexity of the organisation, can be completed together or separately.

• Nonconformity and corrective action
Both systems require a process for handling nonconformities and corrective action. These can be the same, with no reason to separate them.

THE DIFFERENCE
ISO 27001:2022 differs from ISO 9001:2015 in that it
specifically requires information security risk assessment
and treatment. Your organisation must implement a
methodology that allows you to identify information
security risks.
The information security risk treatment process requires an
organisation to apply one or several of the controls listed
within Annex A and to publish a Statement of Applicability
(SoA), to mitigate risk.

MAPPING
The following table shows the various clauses in the
standards and their similarities:
GAP GUIDE AND GUIDANCE

Each row below gives the ISO 9001:2015 clause, the corresponding ISO 27001:2022 clause or Annex A control, and the guidance for meeting both.

4 Context of the organisation

ISO 9001:2015: 4.1 Understanding the organisation and its context
ISO 27001:2022: 4.1 Understanding the organisation and its context
Guidance: Both standards require organisations to determine internal and external issues related to the suitability of the management system achieving its intended outcome.

ISO 9001:2015: 4.2 Understanding the needs and expectations of interested parties
ISO 27001:2022: 4.2 Understanding the needs and expectations of interested parties
Guidance: Both standards require organisations to identify relevant interested parties as well as their needs and expectations.

ISO 9001:2015: 4.3 Determining the scope of the quality management system
ISO 27001:2022: 4.3 Determining the scope of the information security management system
Guidance: The scope of the management system must be defined for both standards. The difference is that ISO 9001 requires products and services to be considered, and ISO 27001 requires consideration of dependencies between all processes when defining the scope.

ISO 9001:2015: 4.4 Quality management system and its processes
ISO 27001:2022: 4.4 Information security management system
Guidance: The requirements are exactly the same: each system must be established, implemented, documented, and continually improved.

5 Leadership

ISO 9001:2015: 5.1 Leadership and commitment
ISO 27001:2022: 5.1 Leadership and commitment
Guidance: Both standards require management to implement policies, make provisions for resources and continual improvement, assign roles and responsibilities, etc.

ISO 9001:2015: 5.2 Policy
ISO 27001:2022: 5.2 Policy
Guidance: The requirements are very similar and could be met in a single document. Some policies are written as separate documents. If separate, the policies should be compatible with each other.

ISO 9001:2015: 5.3 Organisational roles, responsibilities and authorities
ISO 27001:2022: 5.3 Organisational roles, responsibilities and authorities
Guidance: The requirements from the standards are the same in that roles, responsibilities and authorities can be communicated in the same way. This means, for example, the Quality Manager can also be the Information Security Manager and, based on competency, could perform the internal audits on both systems.

6 Planning

ISO 9001:2015: 6.1 Actions to address risks and opportunities
ISO 27001:2022: 6.1 Actions to address risks and opportunities
Guidance: Both standards specifically require the identification of risks and opportunities arising from the context of the organisation in terms of quality and information security. The only difference with ISO 27001 is that the standard provides a list of control measures that can be used to mitigate these risks, in the form of Annex A.

ISO 9001:2015: 6.2 Quality objectives and plans to achieve them
ISO 27001:2022: 6.2 Information security objectives and plans to achieve them
Guidance: Both standards stipulate a need to establish objectives and their plans for realisation. These can be separate documents or placed together.

7 Support

ISO 9001:2015: 7.1 Resources
ISO 27001:2022: 7.1 Resources
Guidance: The standards require the organisation to determine and provide the necessary resources for process execution. This means the same processes can be used, such as a purchasing process to fulfil requirements.

ISO 9001:2015: 7.2 Competence
ISO 27001:2022: 7.2 Competence
Guidance: Both standards require the organisation to identify and provide training for the necessary competencies of employees and also to keep records regarding those competencies.

ISO 9001:2015: 7.3 Awareness
ISO 27001:2022: 7.3 Awareness
Guidance: A requirement of both standards is that employees are aware of the relevant policies and procedures. This also includes awareness of the role they play within the management system and how they impact the organisation’s performance with regards to quality and information security.

ISO 9001:2015: 7.4 Communication
ISO 27001:2022: 7.4 Communication
Guidance: Both standards require the same level of communication support, which can be met with the same method.

ISO 9001:2015: 7.5 Documented information
ISO 27001:2022: 7.5 Documented information
Guidance: The requirement is the same and the same processes can be applied.

8 Performance evaluation

ISO 9001:2015: 8.1 Operational planning and control
ISO 27001:2022: 8.1 Operational planning and control
Guidance: Although the clause names are the same, they have different scopes between the standards. ISO 9001 focuses on defining and controlling processes, whereas ISO 27001 focuses on establishing information security controls.

ISO 9001:2015: 8.3 Design and development of products and services
ISO 27001:2022: A.5.8 Information security in project management
Guidance: A.5.8 is a control measure from ISO 27001 Annex A and can be part of the procedure for design and development.

ISO 9001:2015: 8.4 Control of externally provided processes, products and services
ISO 27001:2022: A.5.19 Information security in supplier relationships
Guidance: Although they have different clause numbers, the two standards share similar requirements. Contracts entered into with suppliers should include a consideration of information security clauses.

ISO 9001:2015: 8.5 Production and service provision
ISO 27001:2022: Throughout Annex A
Guidance: No specific control can be directly mapped to this clause. ISO 27001 has numerous controls, including A.5.37, which directly relate to production and service provision.

9 Performance evaluation

ISO 9001:2015: 9.1 Monitoring, measurement, analysis and evaluation
ISO 27001:2022: 9.1 Monitoring, measurement, analysis and evaluation
Guidance: The effectiveness of the management system must be monitored using the parameters that the organisation has identified as being important for process realisation. ISO 9001 also monitors customer satisfaction (9.1.2).

ISO 9001:2015: 9.2 Internal audit
ISO 27001:2022: 9.2 Internal audit
Guidance: The same procedure can be applied to both standards regarding internal audits.

ISO 9001:2015: 9.3 Management review
ISO 27001:2022: 9.3 Management review
Guidance: The clause and requirements are the same; however, both standards have different input elements. The same documentation can be used, but the input elements that separate the standards have to be included.

10 Improvement

ISO 9001:2015: 10.2 Nonconformity and corrective action
ISO 27001:2022: 10.1 Nonconformity and corrective action
Guidance: The same process can be used to meet the similar requirements of both standards.

ISO 9001:2015: 10.3 Continual improvement
ISO 27001:2022: 10.1 Continual improvement
Guidance: As with every management system, an emphasis is placed on continual improvement, which can be conducted via a joint procedure for corrective action.

If you already have a robust quality management system in place under ISO 9001, there are huge
benefits in implementing an information security management system.
Not only does it help demonstrate compliance with the latest GDPR rules, but ISO 27001 provides the
perfect framework for organisations to show that ‘Secure by Design’ is embedded throughout their
business, products and services.

www.nqa.com
