keres
Got a question on ISMS (ISO 27001), I thought as it being a very basic question, I shall put it here.
When compared to other ISO systems like QMS or EMS, why is there no "Objectives" for ISMS? I am a layman in ISMS, but while trying to compare the systems, I could see that there is no specific mention of ISMS objectives. Can the experienced members give me an insight into why it is not required?
Thanks
Zubin
Continual improvement in an ISMS is certainly driven by the objectives for the ISMS as defined in the policy, but there are two dimensions: continual review of the risks (which change for a variety of reasons) and continual review of the effectiveness of the controls in mitigating the risks.
Arguably, ISO 9001 ought to have a similar approach. Continual improvement of processes, such as making them faster or more efficient, is a waste of time if risks to the business -- such as markets moving away from the product, evolving technologies making it out of date or redundant, copyright infringements -- have not been identified and mitigated. ISO 9001 says nothing about risk management, and IMHO it should.
Hope this helps,
Pat
The adoption of a QMS should be a strategic decision. The design and implementation of a QMS is influenced by
a) its organizational environment, changes in the environment and the risks associated with the environment...