April 10, 2012

Last Updated on January 13, 2024

A potential client asked us whether being ISO 9001 certified helps a company achieve ISO 27001 certification.
To give the best answer possible, we asked for feedback from a client we had helped achieve ISO 27001 certification and that was already ISO 9001 certified.
As the response shows, having 9001 certification can put a company on the right path toward 27001 with a head start – but the road is winding, with bumps along the way.
The client offered the following feedback to share with the prospective client and with our blog readers:

“I’d say it helped us significantly, because some of the requirements are the same in both systems, such as these:

  • Documentation Requirements (Control of Documents, Control of Records)
  • Management Responsibility (Management Commitment, Resource Management, Provision of Resources, Training, Awareness and Competence)
  • Internal Audits
  • Management Review
  • Improvement (Continual Improvement, Corrective Action, Preventive Action)

With all of these we were very familiar, in principle, and they just needed minor adjustments to address specific ISO 27001 requirements.
However, the danger is that so much apparent overlap might lead you to believe that you’re mostly done already with 27001, which is NOT true (and we found that out the hard way by still having major shortcomings in our Stage 1 – ISO 27001 audit). Most of the work to get 27001 is actually “hidden” in clauses

  • 4.1 (General Requirements)
  • 4.2 (Establishing and Managing the ISMS)
  • Appendix A (Control Objectives and Controls)

It took us a very long time to get a handle on these, because there is a lot of detail required, and a lot of technology to back it up.
In short, having 9001 in place is very helpful, as long as you understand that the core of the work for 27001, the actual risk management and technology piece, has nothing to do with 9001.”

As you can see, our client believes that having ISO 9001 certification helped them on the winding road to ISO 27001 certification, even though the trip had its bumps along the way. With our expertise and help – and their dedication to becoming 27001 certified – the project was a success and they crossed the finish line.