ISO/IEC 27001 Information Security Management System
Luciano Quartarone - http://www.lucianoquartarone.it - +44 (0) 7984 700 240 - +39 392 512 7104 - [email protected]
ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 relationships. The aim of this paper is to show which relationships exist between ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 (hoping the final release will not be far from what the DIS states). This comparison can be useful to point out common items and to speed up synergies in developing a common strategy for approaching "Information Security" in your business.
ISO/IEC 27001:2013, ISO 9001:2008 and DIS 9001:2015 relationships.

Each row lists the corresponding clauses in the three standards, in the order ISO/IEC 27001:2013 | ISO 9001:2008 | DIS 9001:2015, followed by an explanation where the author gives one. A "-" means the author found no similar clause in that standard.

ISO/IEC 27001:2013 | ISO 9001:2008 | DIS 9001:2015

0 Introduction | 0 Introduction | 0 Introduction
0.1 General | 0.1 General | 0.1 General
0.2 Compatibility with other management system standards | 0.4 Compatibility with other management systems | 0.6 Compatibility with other management system standards
  Explanation: These clauses have the same requirements for both standards.

1 Scope | 1 Scope | 1 Scope
2 Normative references | 2 Normative references | 2 Normative references
3 Terms and definitions | 3 Terms and definitions | 3 Terms and definitions

4 Context of the organization | - | 4 Context of the organization
4.1 Understanding the organization and its context | - | 4.1 Understanding the organization and its context
  Explanation: There are no similar clauses in ISO 9001:2008, but DIS 9001:2015 seems to reintroduce them.
4.2 Understanding the needs and expectations of interested parties | 5.1.a Management commitment | 4.2 Understanding the needs and expectations of interested parties
  Explanation: While for 9001:2008 you can use the same document to list the statutory and regulatory requirements regarding your organization, DIS 9001:2015 seems to be perfectly aligned with this clause.
4.3 Determining the scope of the information security management system | 4.2.2.a Quality manual | 4.3 Determining the scope of the quality management system
  Explanation: The requirements are the same, especially in DIS 9001:2015, and can be met through the same document.
4.4 Information security management system | 4.1 General requirements | 4.4 Quality management system and its processes
  Explanation: The requirements are the same, even though from two different perspectives; each system must be established, implemented, documented and continually improved.

5 Leadership | 5 Management responsibility | 5 Leadership
5.1 Leadership and commitment | 5.1 Management commitment | 5.1 Leadership and commitment
  Explanation: The requirements are almost the same, and management has to treat all standards in the same way regarding implementing the policies, provision of resources, continual improvement, assigning roles and responsibilities, etc.
5.2 Policy |  | 5.2 Quality policy
  Explanation: The requirements are almost the same, and in theory they could be met through a single document, but in my opinion it is better if the policies are written as separate documents, in which case they must (obviously) be compatible with each other.
5.3 Organizational roles, responsibilities and authorities |  | 5.3 Organizational roles, responsibilities and authorities
  Explanation: Roles, responsibilities and authorities for all standards can be communicated in the same way.

6 Planning |  | 6 Planning
6.1.1 Actions to address risks and opportunities - general | 8.5.3 Preventive action | 6.1 Actions to address risks and opportunities
  Explanation: In ISO 9001:2008, addressing risks can be considered as preventive action, but it cannot be merged into the same document. In DIS 9001:2015 the requirements are almost the same.
6.1.2 Information security risk assessment | - | -
  Explanation: There are no similar clauses in ISO 9001.
6.1.3 Information security risk treatment | - | -
  Explanation: There are no similar clauses in ISO 9001.
6.2 Information security objectives and planning to achieve them | 5.1 Management commitment | 6.2 Quality objectives and planning to achieve them
  Explanation: The requirements are almost the same in all standards. Objectives, and the plans for their realization, can be placed in one document for both standards.

7 Support | 6 Resource management | 7 Support
7.1 Resources | 6.1 Provision of resources; 6.2 Human resources; 6.3 Infrastructure; 6.4 Work environment | 7.1 Resources
  Explanation: The organization has to determine and provide the resources necessary for process execution in order to meet the requirements of both standards. In DIS 9001:2015 the requirements are closer to ISO/IEC 27001.
7.2 Competence | 6.2.2 Competence, training and awareness | 7.2 Competence
  Explanation: The requirements are the same and can be met through the same processes.
7.3 Awareness |  | 7.3 Awareness
  Explanation: The requirements are the same and can be met through the same processes.
7.4 Communication | 5.5.3 Internal communication | 7.4 Communication
  Explanation: The requirements are the same and can be met through the same processes.
7.5 Documented information | 4.2 Documentation requirements | 7.5 Documented information
  Explanation: The requirements are the same and can be met through the same processes.

8 Operation |  | 8 Operation
8.1 Operational planning and control | 8.2.3 Monitoring and measurement of processes | 8.1 Operational planning and control
  Explanation: The requirements are the same, and a KPI framework for the processes of all standards can be set up and described in a single document.
8.2 Information security risk assessment | - | -
  Explanation: There are no similar clauses in ISO 9001.
8.3 Information security risk treatment | 8.5.3 Preventive action | -
  Explanation: As stated in DIS 9001:2015, A.4, "[...] The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements." Although risks and opportunities have to be determined and addressed, there is no requirement for formal risk management or a documented risk management process. DIS 9001:2015 makes the approach used in 9001:2008 obsolete.

9 Performance evaluation |  | 9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation | 8 Measurement, analysis and improvement; 8.1 General; 8.2.3 Monitoring and measurement of processes; 8.2.4 Monitoring and measurement of product | 9.1 Monitoring, measurement, analysis and evaluation; 9.1.1 General
  Explanation: The requirements are the same.
9.2 Internal audit | 8.2.2 Internal audit | 9.2 Internal audit
  Explanation: The same approach to internal audit can be applied for all standards.
9.3 Management review | 5.6 Management review | 9.3 Management review
  Explanation: The requirements are the same, even though they shall be addressed with different inputs.

10 Improvement | 8.5 Improvement | 10 Improvement
10.1 Nonconformity and corrective action | 8.3 Control of nonconforming product; 8.5.2 Corrective action | 10.2 Nonconformity and corrective action
  Explanation: The requirements are the same and can be met through the same procedure. In DIS 9001:2015 "Nonconformity" and "Corrective action" are merged in the same document.
10.2 Continual improvement | 8.5.1 Continual improvement | 10.3 Continual improvement
  Explanation: The requirements are the same.
Quartarone Luciano - via San Bartolomeo, 8 - 20861 Brugherio (MB)
[email protected] - [email protected]
http://www.lucianoquartarone.it
C.F.: QRTLCN74P29M052G - P.IVA: 08278730968