QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Category Archives: ISO 27001:2013

GDPR Compliance with ISO 27001 and ISO 27018

Neeraj Rawat from BSCIC asked whether compliance with GDPR can be achieved by being compliant with ISO 27001:2013 and ISO 27018:2014.

ISO 27001 provides an excellent starting point for achieving the technical and operational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR). A company that has effectively implemented ISO 27001 has already achieved about 50% of GDPR compliance by minimising the risks to the confidentiality, integrity and availability (CIA) of its information and data. The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold. This is achieved by defining and implementing policies and processes under ISO 27001, keeping the GDPR guidelines in mind.

The additional requirements in the GDPR that are covered by a privacy framework such as BS 10012:2017 (Specification for a personal information management system, PIMS) have to be met before an organization is GDPR compliant.

ISO 27018:2014 is meant for protecting personally identifiable information in clouds. That means being compliant with ISO 27001 and 27018 cannot, by itself, guarantee compliance with GDPR.

Mapping an NC to applicable standard’s clauses during audits

Today I concluded conducting an IRCA-authorized QMS Lead Auditors Course. During the mock audits conducted as part of the course curriculum, the participants' ability to identify the most appropriate clause of ISO 9001:2015 against an NC remained a challenge. In real-life first/second/third party audits, even experienced auditors find it challenging to map a given NC to the right clause of the standard. For example, an NC about product delivery with known defects gets mapped not only to clause 8.6 of ISO 9001 but also to 8.5.2 (Identification and traceability), 8.7 (Control of nonconforming outputs), 9.1 (Monitoring and measurement, etc.) and 7.3 (Competence). Needless to say, by doing this the focus on the right correction and corrective action is lost, leading to vague responses from auditees.

My advice to auditors is to think for a few moments about the NC or the situation on hand and then mentally map it to the most appropriate clause. Only if necessary, start going through the clauses of the standard for such mapping. To the extent possible, map the situation to one clause only, unless of course there is a genuine need to refer to two clauses.

In no case should more than two clauses be mapped.

Risk Management Guidelines

Alex Dali from The Global Institute for Risk Management Standards posted this question on the LinkedIn group ISO 27001:

"ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?"

Here is my response:

The answer to this question lies in the titles of the two standards referred to by you. ISO 31000 is "Risk Management - Principles and Guidelines", while ISO 27005 is "IT Security Techniques - Information Security Risk Management". So which one is more appropriate for implementing information security? Obviously, ISO 27005.

Alex, please let me know if you have different views. Thanks!

Risk based auditing

My friend AKM Desai (desaiakm@hotmail.com) wants me to comment on this topic.

ISO 9000:2005 defines the term risk as 'effect of uncertainty', i.e. any potential deviation from expected results, which may be positive or negative.

ISO 19011:2011 introduced the concept of risk in auditing. It included both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee's activities and processes. However, it does not provide specific guidance on the organization's risk management process.

Specific requirements for effective risk management are provided in Annex SL standards such as ISO 9001:2015 (QMS Requirements), ISO 27001:2013 (ISMS Requirements) and ISO 27002:2013 (Implementation guidance for ISMS). Internal and external audits conforming to the ISO 19011:2011 guidelines and to clause 9.2 of requirements standards such as ISO 9001:2015 and ISO 27001:2013 can be defined as 'risk based auditing'. Such internal and external audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and in full conformance with the requirements of clauses 4, 6 and 8 of the above requirements standards.

Where is information security in ISO 9001:2008?

A friend asked me this question yesterday.

If you search for the term 'security' in ISO 9001:2008, it is not there. If I were to map information security to ISO 9001, the only clause I can map it to is 6.4, Work Environment, which reads: "The organization shall determine and manage the work environment needed to achieve conformity to product requirements". With IT increasingly being part of everyday business, a secure work environment that protects the business from loss of confidentiality, integrity and availability becomes a prerequisite. Information security revolves around identification of risks, planning for their mitigation and effectively implementing those plans. The 2008 version of ISO 9001 includes 'risks associated with its environment' right at the beginning, in clause 0.1 a) of its Introduction.

Interpretation of ISO 27001:2013 Controls

Recently, I encountered a few queries and requests for clarification on the implementation of controls in ISO 27001. In almost all cases, the details available in ISO 27002 cleared the doubts and grey areas. I advise practitioners to refer to ISO 27002 frequently for all their doubts.

Courses on newly published ISO 27001:2013

Quality Mentors have started offering two new ISMS courses as in-house, public or eLearning trainings. Please see these links:

1. ISO 27001:2013 Implementation

2. Changes in ISO 27001:2013

Why is management review important for ISO 27001 and ISO 22301?

My post on this topic in the LinkedIn ISO 27001 Forum:

The famous quality guru Joseph Juran says quality does not come to a company without management commitment. He says he didn't see a single exception to this rule in his entire career (and his career spanned over 80 years). While earlier 'management commitment' used to be a requirement of process improvement standards, of late it has become 'leadership and its commitment'; see MBNQA, EFQM, ISO 27001:2013 etc. Effective and planned management review at pre-defined intervals is one such act of demonstrating management and/or leadership commitment.

Why is it important?
Management in any company is in the driving seat. Unless it reviews the various aspects of business performance, it will not be able to achieve the defined objectives.

Alternative approaches:
In very large corporations, two- or three-tiered management reviews may be planned and conducted, with top management reviewing only with a few senior managers who have conducted their respective management reviews. Some companies conduct management reviews by video conference, while in a few smaller ones such reviews are conducted by the top manager going to different locations or different lines of business, one by one.

Inputs and outputs:
All those specified in the standards (e.g. clause 9.3 of ISO 27001:2013), plus business developments, events, incidents, the political or social scenario, employee issues, etc.

Clarification on ISO 27001:2013
