This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details in a secure manner, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.
Neeraj Rawat from BSCIC asked whether compliance with the GDPR can be achieved by being compliant with ISO 27001:2013 and ISO 27018:2014.
ISO 27001 provides an excellent starting point for meeting the technical and organisational measures the General Data Protection Regulation (GDPR) requires to prevent a data breach. A company that has effectively implemented ISO 27001 has, by reducing the risks to the confidentiality, integrity and availability (CIA) of its information, already covered roughly half of what GDPR compliance demands. The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold; this is achieved by defining and implementing policies and processes under ISO 27001 with the GDPR requirements in mind.
The remaining GDPR requirements concern the personal data itself rather than information security in general, for example a lawful basis for processing, data subject rights, records of processing activities and breach notification to the supervisory authority. These are covered by a privacy framework like BS 10012:2017 – Specification for a personal information management system (PIMS), and have to be met before an organization is GDPR compliant.
ISO 27018:2014 is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors; it adds cloud-specific PII controls on top of ISO 27002 but does not address the data-controller obligations above. That means being compliant with ISO 27001 and ISO 27018 cannot guarantee compliance with the GDPR.
Today I concluded conducting an IRCA-authorized QMS Lead Auditor course. During the mock audits conducted as part of the course curriculum, the participants' ability to identify the most appropriate clause of ISO 9001:2015 for a nonconformity (NC) remained a challenge. In real-life first/second/third-party audits, even experienced auditors find it challenging to map a given NC to the right clause of the standard. For example, an NC about product delivery with known defects gets mapped not only to clause 8.6 (release of products and services) of ISO 9001 but also to 8.5.2 (identification and traceability), 8.7 (control of nonconforming outputs), 9.1 (monitoring, measurement, analysis and evaluation) and 7.2 (competence). Needless to say, by doing this the focus on the right correction and corrective action is lost, leading to vague responses from auditees.
My advice to auditors is to think for a few moments about the NC or the situation on hand and then mentally map it to the most appropriate clause. Only if necessary, start going through the clauses of the standard for such mapping. To the extent possible, map the situation to one clause only, unless of course there is a genuine need to refer to two clauses.
In no case should more than two clauses be mapped.
Alex Dali from The Global Institute for Risk Management Standards posted this question on LinkedIn group ISO 27001: "ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?" Here is my response: the answer to this question lies in the titles of the two standards you refer to. ISO 31000 is "Risk management – Principles and guidelines", a generic standard for managing any kind of risk, while ISO 27005 is "Information technology – Security techniques – Information security risk management", which applies that same generic risk management process to information security, so the two do not conflict. Which one is more appropriate for implementing information security? Obviously, ISO 27005. Alex, please let me know if you have different views. Thanks!
My friend AKM Desai wants me to comment on this topic.
ISO 9000:2015 defines the term risk as 'effect of uncertainty', i.e. any potential deviation from the expected result, which may be positive or negative…
ISO 19011:2011 introduced the concept of risk in auditing. It covers both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee's activities and processes. However, it does not provide specific guidance on the organization's risk management process.
Specific requirements for an effective risk management process are provided in Annex SL-structured requirements standards like ISO 9001:2015 (QMS requirements) and ISO 27001:2013 (ISMS requirements), with implementation guidance in ISO 27002:2013. Internal and external audits that follow the ISO 19011:2011 guidelines and meet clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be described as 'risk-based auditing'. Such internal and external audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and with full conformance to the requirements in clauses 4, 6 and 8 of the above requirements standards.
A friend asked me this question yesterday…
If you search for the term 'security' in ISO 9001:2008, it is not there. If I were to map information security to ISO 9001, the only clause I can map it to is 6.4, Work environment, which reads: "The organization shall determine and manage the work environment needed to achieve conformity to product requirements". With IT increasingly being part of everyday business, a secure work environment that protects the business from loss of confidentiality, integrity and availability becomes a prerequisite. Information security revolves around identification of risks, planning for their mitigation and effectively implementing those plans. The 2008 version of ISO 9001 mentions 'the risks associated with that environment' right at the beginning, in clause 0.1 a) of its Introduction.
Recently, I encountered a few queries and requests for clarification on the implementation of controls in ISO 27001. In almost all cases, the details available in ISO 27002 cleared the doubts and grey areas: its control numbering matches Annex A of ISO 27001:2013, and it gives implementation guidance for each control. I advise practitioners to refer to ISO 27002 whenever they have doubts about a control.
My post on this topic in LinkedIn ISO 27001 Forum:
The famous quality guru Joseph Juran says quality does not come to a company without management commitment. He says he did not see a single exception to this rule in his entire career (and his career spanned over 80 years). While earlier 'management commitment' used to be a requirement of process improvement standards, of late it has become 'leadership and its commitment'; see MBNQA, EFQM, ISO 27001:2013 etc. An effective and planned management review at pre-defined intervals is one such act of demonstrating management and/or leadership commitment.
Why is it important?
Management in any company is in the driving seat. Unless it reviews the various aspects of business performance, the company will not be able to achieve its defined objectives.
In very large corporations, two- or three-tiered management reviews may be planned and conducted, with top management reviewing only with the few senior managers who have already conducted their respective management reviews. Some companies conduct management reviews by video conference, while in a few smaller ones such reviews are conducted by the top manager visiting different locations or different lines of business one by one.
Inputs and outputs:
All those specified in the standards (e.g. clause 9.3 of ISO 27001:2013, which lists inputs such as the status of actions from previous reviews, changes in external and internal issues, ISMS performance feedback including audit results and nonconformities, feedback from interested parties and the results of risk assessment and risk treatment, and outputs in the form of decisions on continual improvement and changes to the ISMS), plus business developments, events, incidents, the political or social scenario, employee issues etc.