Before I left Excel in the USA to return home to London I wrote the first version of their ISO 27001 Lead Auditor course. Here are a few things you might want to keep in mind as an ISO 9001-registered company considering ISO 27001:
1. It's an excellent framework for systematically evaluating and managing risks to information security. It can share infrastructure like doc control and corrective action with the QMS.
2. If customers care, it's a good way of demonstrating their information is secure in your hands. If they don't care, the costs of registration can be hard to justify unless the management team are foresighted.
3. Information security is more than IT, although that is a big part of it. For example, some of the major breaches recently have been people leaving laptops in cars and having them stolen: IT alone can't manage this kind of situation, HR and line management are involved as well.
4. Define the scope in terms of the information assets (files, papers, disks) you need to protect, and from what they need protecting. If the scope is too broad you can find yourself protecting orders for paper clips because the order is regarded as "information"! For example, define the scope to protect your designs and other patented information, customers' credit card data or healthcare information, etc.
5. ISO 27001 defines many "controls" and they are all optional, though some are more optional than others. You decide which ones you'll use according to your risk assessment. The risk assessment is a mandatory requirement -- but how to do it is quite broadly defined. Auditors will have to be very, very careful in how they audit the risk assessment in order to avoid mandating their own subjective opinions of the risks you face. After auditing the risk assessment, they audit the controls you define in your "statement of applicability". I believe that good auditors, if they disagree with your risk assessment, will include objective evidence for the risks they believe you have mis-assessed in their findings; arm waving and "in my experience" won't count.
6. Auditors must have some sound IT experience to audit successfully. Even though managing risks to information assets is more than an IT problem, much of the system is concerned with IT and you certainly cannot, in this modern world, audit an Information Security Management System (ISMS) without visiting IT and understanding what they show you when, for example, you ask about firewalls. They also need to understand the confidentiality aspects of information security and what that means for the questions they ask, their handling of objective evidence and their reporting. For example, we don't ask for the ISMS manual to be e-mailed to us for a desk check because that might be a security risk: we go visit, physically, and take nothing off the premises with us.
7. The ISMS can extend to subcontractors. To see how, map the processes that they use to handle your information assets. For example, what happens to backups? -- "Oh, they're held in a secure vault off site." Sounds good. But how do they get there? "Courier service." Sounds good -- but do they manage the courier? A short while ago a bank lost millions of credit card details when the courier lost the tape on the way to the secure vault. (As in regular quality management, we can't blame our vendors for information security breaches.)
8. Some companies appoint a "Director of Information Security" reporting independently from quality and IT. The benefits of this approach are to protect the ISMS budget, to assure that internal information security audits are independent, and to limit knowledge of certain information security measures to a small number of people on a "need to know" basis.
Hope this helps,
Patrick