Académique Documents
Professionnel Documents
Culture Documents
ISO 9001:2008
ISO/IEC 27001:2013
0 Introduction
0 Introduction
0.1 General
0.1 General
Explanation
1 Scope
1 Scope
ISO 27001 does not allow exclusions of clauses (it only allows exclusions of
controls from Annex A), in contrast to ISO 9001, which allows exclusions
from clause 7 of the standard.
2 Normative references
2 Normative references
1.1 General
1.2 Application
4.2 Documentation
requirements
5 Management responsibility
5 Leadership
The requirements are the same, and the management has to treat both
standards in the same way regarding implementing the policies, provision
of resources, continual improvement, assigning roles and responsibilities,
etc.
ISO 9001:2008
ISO/IEC 27001:2013
Explanation
5.2 Policy
Objectives and plans for their realization for both standards can be placed
in one document. See sample document here: Quality Objectives.
7.4 Communication
The requirement is the same and can be met through the same processes.
E.g., writing announcements on noticeboard, sending emails, regular staff
meetings.
ISO 9001:2008
ISO/IEC 27001:2013
Explanation
6 Resource management
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
6.3 Infrastructure
7.1 Resources
7.1 Resources
7 Product realization
7.1 Planning of product
realization
7.4 Communication
ISO 9001:2008
ISO/IEC 27001:2013
7.4 Purchasing
Explanation
Contracts made with suppliers should include information security clauses,
and information security can be one of the criteria for evaluation of
suppliers. See sample document here: Procedure for Purchasing and
Evaluation of Suppliers.
Information security should be included in IT processes that support the
production and service provision. Quality plan can refer to information
security policies. See sample document here: Quality Plan.
There are no similar clauses in ISO 27001.
9 Performance evaluation
8.1 General
ISO 9001:2008
ISO/IEC 27001:2013
8.5 Improvement
10 Improvement
Explanation
Procedure for nonconforming products refers to all nonconformities,
including nonconformities occurring in the ISMS. See sample document
here: Procedure for Control of Non-Conforming Products.
Monitoring and measurement results must be analyzed to give input for
management review and continual improvement. Both standards have the
same requirements that can be fulfilled through the same document. See
sample document here: Data Analysis Report.
Like in every management system, the emphasis is on continual
improvement, which is conducted through a joint procedure for corrective
actions.
Two clauses from ISO 9001 are joined together in ISO 27001, but the
requirements are the same and can be met through the same procedure.
See sample document here: Procedure for Corrective Action.
Preventive actions as a term are not mentioned in ISO 27001, but a risk
treatment plan can be regarded as a preventive action. The output of the
risk treatment process can be input into preventive actions.