Compare ISO 9001:2015 to ISO 27001:2022
Similar to ISO 9001, ISO 27001 is an internationally recognized standard that is based on Annex L (originally called Annex SL, then renamed in 2019 as Annex L), a management system format that helps streamline creation of new standards, and makes implementing multiple standards within one organization easier.
If you are interested in integrating the two standards, the best place to start is by identifying requirements common to both standards. Since they are based on the same structure, if you have one in place, you may not be far from fulfilling the requirements of the other standard.
- Context of the Organization: First, start with defining the context of your company, your goals, internal and external issues relevant to the standards.
- Interested Parties: As an organization you will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed using the same process.
- Documentation system: It is required to document your systems and their effectiveness. Everything occurring physically in your system must be documented and revisions must have an assigned number and review date.
- Responsibility and Authority Identification: Although the roles and responsibilities are unique within each standard, both need to be defined and can be done the same way at the same time.
- Management Reviews: Management reviews need to be conducted on a schedule (either monthly, quarterly, annually, etc) and properly. This includes having documented minutes of the meetings and the agenda.
- Internal Audits: Internal audits are a requirement for both standards. Audits need to be conducted on a schedule and senior management is required to give support to both auditors and auditees during this time.
- Nonconformities and Corrective Actions: The process of handling nonconformities and corrections can be implemented into a single process, which will help streamline actions and address nonconformance gaps.
- Continual Improvement: Continuous improvement is a requirement for both standards – the process to identify improvements can be the same for both standards and taken underway at the same time.
Unique Requirements of ISO 27001
After addressing the common requirements of the standards, your company must deal with their differences. These major differences between the two are mostly present in Clauses 6 and 8.
- Information security risk assessment: The organization is required to develop a methodology for identification and evaluation of information security risks. This process should be kept separate with risks and opportunities addressed in ISO 9001. ISO 9001 has fewer requirements and applying the same methodology to both standards may become overwhelming and unnecessary for ISO 9001.
- Information security risk treatment: This process is unique to ISO 27001 and can be done independently for this standard. It basically requires the organization to apply one or more information security controls listed in Annex A of ISO 27001.
ISO 9001:2015 to ISO/IEC 27001:2022
|ISO 9001: 2015||ISO/IEC 27001:2022|
|4 Context of the organization||4 Context of the organization|
|4.1 Understanding the organization and its context||4.1 Understanding the organization
and its context
|4.2 Understanding the needs and expectations of interested parties||4.2 Understanding the needs and
expectations of interested parties
|4.3 Determining the scope of the quality management system||4.3 Determining the scope of the
information security management
|4.4 Quality management system and its processes||4.4 Information security management
|5 Leadership||5 Leadership|
|5.1 Leadership and commitment||5.1 Leadership and commitment|
|5.1.1 Leadership and commitment for the quality management system|
|5.1.2 Customer focus|
|5.2 Quality policy||5.2 Quality policy|
|5.3 Organizational roles, responsibilities and authorities||5.3 Organizational roles,
responsibilities and authorities
|6 Planning for the quality management system||6 Planning for the ISMS|
|6.1 Actions to address risks and opportunities||6.1 Actions to address risks and
|6.2 Quality objectives and planning to achieve them||6.2 Information Security objectives
and planning to achieve them
|6.3 Planning of changes|
|7 Support||7 Support|
|7.1 Resources||7.1 Resources|
|7.1.4 Environment for the operation of processes|
|7.1.5 Monitoring and measuring resources|
|7.1.6 Organizational knowledge|
|7.2 Competence||7.2 Competence|
|7.3 Awareness||7.3 Awareness|
|7.4 Communication||7.4 Communication|
|7.5 Documented information||7.5 Documented information|
|7.5.1 General||7.5.1 General|
|7.5.2 Creating and updating||7.5.2 Creating and updating|
|7.5.3 Control of documented Information||7.5.3 Control of documented
|8 Operation||8 Operation|
|8.1 Operational planning and control||8.1 Operational planning and control|
|8.2 Determination of requirements for products and services||8.2 Information security risk
|8.2.1 Customer communication|
|8.2.2 Determination of requirements related to products and services|
|8.2.3 Review of requirements related to the products and services|
|8.3 Design and development of products and services||8.3 Information security risk
|8.3.2 Design and development planning|
|8.3.3 Design and development Inputs|
|8.3.4 Design and development controls|
|8.3.5 Design and development outputs|
|8.3.6 Design and development changes|
|8.4 Control of externally provided products and services|
|8.4.2 Type and extent of control of external provision|
|8.4.3 Information for external providers|
|8.5 Production and service provision|
|8.5.1 Control of production and service provision|
|8.5.2 Identification and traceability|
|8.5.3 Property belonging to customers or external providers|
|8.5.5 Post-delivery activities|
|8.5.6 Control of changes|
|8.6 Release of products and services|
|8.7 Control of nonconforming process outputs, products and services|
|9 Performance evaluation||9 Performance evaluation|
|9.1 Monitoring, measurement, analysis and evaluation||9.1 Monitoring, measurement,
analysis and evaluation
|9.1.2 Customer satisfaction|
|9.1.3 Analysis and evaluation|
|9.2 Internal audit||9.2 Internal audit|
|9.3 Management review||9.3 Management review|
|10 Improvement||10 Improvement|
|10.2 Nonconformity and corrective action||10.2 Nonconformity and corrective
|10.3 Continual Improvement||10.1 Continual Improvement|
|Annex A – directly derived from and
aligned with controls listed in
ISO/IEC 27002:2022 and shall be
used in context with Clause 6.1.3
|93 controls, divided into 4 chapters