I'm ISO 9001 Certified. Do I Need ISO 27001?

If your organization already has an ISO 9001 certification, do you need to pursue the ISO 27001? This is a complicated question that can look more like a “Choose Your Own Adventure” book than a business decision. In this article, we are going to help you make the right decision for your organization.

ISO 9001: A Review

If you already hold an ISO 9001 certification, you know that ISO 9001 is essentially a quality management system standard. According to ISO, the ISO 9000 family is built on seven key quality management principles. Those principles are:

  1. Customer Focus: This is the heart of ISO 9000. Companies should make sure they are meeting customer requirements and exceeding customer expectations. An ISO 9000 company strives to bring value to a customer with every interaction.

  2. Leadership: In an ISO 9001 organization it is up to leadership to provide direction and make sure everyone has a clear understanding of the organization’s objectives.

  3. Engagement of People: The aim of the ISO 9000 family is to create an organization where everyone can be engaged in the work. All individuals should be respected and should feel empowered to help achieve what the organization’s goals are.

  4. Process Approach: One of the objectives of ISO 9001 is to create consistently high-quality products or services. This is part of the customer-centric approach. In order to achieve this goal, ISO 9001 ensures there are processes in place that will help all facets of the organization run smoothly. The more stable the processes are in an organization, the better the results will be.

  5. Improvement: The work of an organization is never done. While a company can be ISO 9001 certified, that is not the end of the journey. Challenges and opportunities will always arise. Companies need to be ready to improve, whether that is sharpening a process, increasing overall understanding of a policy, or something else.

  6. Evidence-Based Decision Making: ISO 9001 is a management system, so it is no surprise that evidence-based decisions are among its core principles. Everything ties back to this foundation: without a focus on customers, a strong leadership team, and engaged employees, the decision-making process will drift. It is up to the management of a company to make sure all ideas and evidence are analyzed and closely considered as the decision-making process unfolds.

  7. Relationship Management: Finally, ISO 9001 depends upon maintaining healthy relationships with interested parties beyond the customers. These might be vendors, suppliers, or any other group that interfaces with the business.

In short, ISO 9001 is a top-down management system that creates a cohesive unit instead of multiple silos moving in different directions. The goal is for everyone to benefit, inside and outside of the company.

Whereas ISO 9001 is built on seven core principles, the ISO 27001 standard rests on three. Those are confidentiality, integrity of data, and availability of data.

The ISO 27001 Difference

ISO 9001 is clearly fairly comprehensive. If you are already certified, why would you pursue ISO 27001? Should you?

The main difference between the two standards is that ISO 9001 focuses on broad management principles, while ISO 27001 focuses specifically on information management and information security.

Here are a couple of points to consider in order to determine whether the ISO 27001 is something you need:

If your company is considering an Information Security Management System (ISMS), ISO 27001 is definitely a good option to consider. Indeed, ISO 27001 is the ISO standard that specifies how to implement and maintain an ISMS. ISO 9001 does not cover your organization's ISMS.

If your company sells internationally or works with international partners, pursuing ISO 27001 is also advisable. Some companies may even stipulate the certification to ensure you are meeting GDPR requirements, among other information security standards.

Won't this be difficult?

Adding the ISO 27001 standard to your company’s toolbelt is not a particularly heavy lift. The management structure and controls your organization built while pursuing ISO 9001 certification will help, and much of ISO 27001 overlaps with ISO 9001. The main separation between the standards is the 14 controls in ISO 27001 Annex A. This is where the concentration shifts away from general management and toward specific information security issues such as access control.

Are you feeling confused? Would you like some help in navigating this decision? Schedule a meeting with one of our cybersecurity experts, free of charge.