QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Category Archives: ISMS

GDPR Compliance with ISO 27001 and ISO 27018

Neeraj Rawat from BSCIC asked whether compliance with the GDPR can be achieved by being compliant with ISO 27001:2013 and ISO 27018:2014.

ISO 27001 provides an excellent starting point for meeting the technical and organisational requirements that the General Data Protection Regulation (GDPR) imposes to prevent a personal data breach (Article 32, security of processing, calls for "appropriate technical and organisational measures"). A company that has effectively implemented ISO 27001 has already covered about 50% of GDPR compliance by minimising the risks to the confidentiality, integrity and availability (CIA) of its information and data. The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold; this is achieved by defining and implementing those policies and processes under ISO 27001 with the GDPR requirements in mind.

The remaining GDPR requirements, which lie outside the scope of ISO 27001 (for example a lawful basis for processing, data subject rights, records of processing activities, data protection impact assessments and notification of breaches to the supervisory authority), are the domain of a privacy framework such as BS 10012:2017, Specification for a personal information management system (PIMS), and have to be met before an organisation is GDPR compliant.

ISO/IEC 27018:2014 is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors; it supplements the ISO 27001 controls for that one setting and is guidance rather than a certifiable requirements standard in its own right. That means being compliant with ISO 27001 and ISO 27018 cannot guarantee compliance with the GDPR.

Mapping an NC to applicable standard’s clauses during audits

Today I concluded conducting an IRCA-authorized QMS Lead Auditor course. During the mock audits conducted as part of the course curriculum, the participants' ability to identify the most appropriate clause of ISO 9001:2015 for an NC remained a challenge. In real-life first-, second- and third-party audits, even experienced auditors find it challenging to map a given NC to the right clause of the standard. For example, an NC about delivering a product with known defects gets mapped not only to clause 8.6 (release of products and services) of ISO 9001 but also to 8.5.2 (identification and traceability), 8.7 (control of nonconforming outputs), 9.1 (monitoring, measurement, analysis and evaluation) and 7.2 (competence). Needless to say, by doing this the focus on the right correction and corrective action is lost, leading to vague responses from auditees.

My advice to auditors is to think for a few moments about the NC or the situation at hand and then mentally map it to the most appropriate clause. Only if necessary, start going through the clauses of the standard for such mapping. To the extent possible, map the situation to one clause only, unless, of course, there is a genuine need to refer to two clauses.

In no case, more than two clauses should be mapped.


Risk Management Guidelines

Alex Dali from The Global Institute for Risk Management Standards posted this question on LinkedIn group ISO 27001:

"ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?"

Here is my response:

The answer to this question lies in the titles of the two standards you refer to. ISO 31000:2009 is "Risk management - Principles and guidelines", a generic standard for risk of any kind, while ISO/IEC 27005:2011 is "Information technology - Security techniques - Information security risk management". So which one is more appropriate for implementing information security? Obviously, ISO 27005. The two do not conflict: the 2011 edition of ISO 27005 was aligned with ISO 31000:2009, so following 27005 keeps you within the 31000 framework while adding the asset, threat and vulnerability oriented guidance that information security needs. What ISO 27001:2013 actually requires is only what its clause 6.1.2 states; both of the other standards are guidance on how to meet it.

Alex, please let me know if you have different views. Thanks!


Risk based auditing

My friend AKM Desai (desaiakm@hotmail.com) wants me to comment on this topic.

ISO 9000:2015 defines the term risk as 'effect of uncertainty', i.e. any potential deviation from the expected, which may be positive or negative.

ISO 19011:2011 introduced the concept of risk in auditing. It covers both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee's activities and processes. However, it does not provide specific guidance on the organization's own risk management process.

Specific requirements for effective risk management are provided in Annex SL-based requirements standards such as ISO 9001:2015 (QMS requirements) and ISO 27001:2013 (ISMS requirements), with implementation guidance in ISO 27002:2013 (a code of practice rather than an Annex SL standard). Internal and external audits conforming to the ISO 19011:2011 guidelines and to clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be defined as 'risk-based auditing'. Such audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and should verify full conformance to clauses 4, 6 and 8 (context, planning and operation) of the above requirements standards, which is where those standards place their risk-related requirements.


Where is information security in ISO 9001:2008?

A friend asked me this  question yesterday…

If you search for the term 'security' in ISO 9001:2008, it is not there. If I were to map information security to ISO 9001, the closest clause is 6.4, Work environment, which reads: "The organization shall determine and manage the work environment needed to achieve conformity to product requirements". With IT increasingly being part of everyday business, a secure work environment that protects the business from loss of confidentiality, integrity and availability becomes a prerequisite. Where the information belongs to a customer, clause 7.5.4, Customer property, also applies, since its note states that customer property can include intellectual property and personal data. Information security works around identification of risks, planning for their mitigation and effectively implementing those plans. The 2008 version of ISO 9001 included 'risks associated with that environment' right at the beginning, in clause 0.1 (Introduction, General), among the factors that influence the design of a QMS.

Interpretation of ISO 27001:2013 Controls

Recently I encountered a few queries and requests for clarification on implementing the controls in ISO 27001 Annex A. In almost all cases, the detail available in ISO 27002, which gives implementation guidance for every Annex A control, cleared the doubts and grey areas. I advise practitioners to refer to ISO 27002 first whenever such a doubt arises.

Courses on newly published ISO 27001:2013

Quality Mentors has started offering two new ISMS courses as in-house, public or eLearning training. Please see these links:

1. ISO 27001:2013 Implementation

2. Changes in ISO 27001:2013

How to deal with NCs noticed after closure of the audit?

New standard from ISO: Information Security Risk Management

The International Organization for Standardization (ISO) has published a revised edition of its standard on information security risk management, designed to help organizations manage information security risks better.
The revised standard, ISO/IEC 27005:2011, covers context establishment, risk assessment, risk treatment, risk acceptance, risk communication and consultation, and risk monitoring and review. It has been aligned with the generic risk management documents issued earlier: ISO 31000:2009, ISO/IEC 31010:2009 and ISO Guide 73:2009.
The standard is currently available from the ISO website; after a gap of a few months it will also be available from national standards bodies and other suppliers of standards.

Generic Checklists on ISMS Audits

As an organization that is planning to implement ISO 27001, I would be grateful if any of the members here could share generic audit checklists for auditing various departments / functions of the organization, especially for Top Management, MR etc.



