There are some helpful areas of overlap between ISO 9001/14001/45001 and ISO 27001. When it comes to ISO 9001, Chapters 4, 5, 7, 9, and 10 are very similar, and for the most part you can use the same processes and existing materials with little to no adjustment. However, depending on how your management systems have been implemented, adding ISO 27001 might significantly increase the ongoing administrative work. The real differences are in Chapters 6 and 8, which place much higher demands on risk management processes, risk identification, and mitigation (substantially higher!). These demands could overwhelm you if you are not well equipped with systematic support and expertise. This is where the dedicated policy and objectives for information security come into play, but that is the easy part. The risk management and the implementation of the necessary security measures are usually what throw a spanner in the works. These should be linked to Annex A of ISO 27001 and accounted for in an official Statement of Applicability, which is referenced on the certificate. That is an art in and of itself.
“It’s not just about having an ISO 27001 Management System in place; the real goal is to protect your information and enhance your cybersecurity in a tangible way.”
Carolin Hellestam – Founder and CCO
We have a presentation that highlights the similarities and differences between the ISO 9001/14001/45001 standards and ISO 27001, which we have presented to boards and management teams a number of times. Let us know if that could be helpful for you. Another option is for StrollingRock to conduct a gap analysis or a ‘temperature check’ remotely. This can take anywhere from half a day to two days, depending on the size of your company, reviewing the existing management system to identify any gaps. And, it goes without saying, if you decide to embark on a journey towards ISO 27001 we can help you get there, with Less Pain and More Value.