Iso 9001 management system

1. Iso 9001 management system
You have already implemented ISO 9001? You have heard that ISO 27001 might be a
good idea? But how can something that has to do with quality help you implement
information security?
It can, more than you may think. ISO 9001 specifies how the quality management
systems (QMS) must look like, while ISO/IEC 27001 specifies the information security
management systems (ISMS). Therefore, the "management systems" part is the same - so
what is it actually?
The philosophy of management systems has grown from the theory developed by W.
Edwards Deming during the second half of 20th century, and is based on the Plan-Do-
Check-Act cycle. Basically, this cycle consists of the following: in the Plan phase you
have to plan what you want to achieve with the management system, in the Do phase you
implement it, in the Check phase you constantly monitor whether you have achieved
what you planned, and in the Act phase you make improvements, i.e. fill the gap between
what you have planned and what you have achieved.
Although this cycle was invented with quality management in mind, it was established as
a foundation for all other management systems - information security (ISO/IEC 27001),
environment (ISO 14001), business continuity (BS 25999-2), etc. It means that some of
the elements you have implemented for the quality management system according to ISO
9001 you can use for the information security management system as well - here is the
list:
• Document management - the procedure used for document management in QMS
can be used for the same purpose in ISMS, with only minor adjustments
• Internal audit - the same procedure can be used for both QMS and ISMS,
although the internal audit itself would usually be done by different people since
it is not very likely that one person would have deep enough knowledge of both
information security and quality
• Corrective and preventive actions - the procedure used for QMS can be used for
the same purpose in ISMS, although it is likely that different persons will be
solving issues related to QMS or ISMS
• Human resources management - the same cycle of HR planning, training and
evaluation is used for both management systems; naturally, the difference is in the
profile of needed skills and knowledge
• Management review - the principles for management review are the same for both
management systems; although it would not be recommendable to perform both
reviews in parallel, management will already be accustomed to making decisions
in QMS, so they will have better understanding of how to make decisions in the
context of ISMS

2. • Setting the business goals and tracking whether they have been achieved - the
same mechanism is laid down in both standards, so management will be used to
such systematic planning
Therefore, if you have already implemented ISO 9001, you will have an easier job
implementing ISO 27001 (and vice versa) - you could save up to 30% of time. Further,
you will have cheaper certification audits since certification bodies are offering the so
called "integrated audits", which means they will do both ISO 9001 and ISO 27001 in the
same audit, charging you a smaller fee compared to separated audits.
If your QMS is functioning well, you will find your ISMS project developing rather
smoothly - management will have better understanding of potential business benefits,
while all organizational units will be accustomed to the necessity of defining precise
procedures, responsibilities and documentation.
Having a QMS indeed provides very good foundation for information security - if you
already have ISO 9001, do give a serious thought to ISO 27001.
If you want to download over free 50 ebook for iso 9001 standard, you can visit:
http://iso9001ebooks.info
Best regards