Two standards, two buyer concerns
ISO 9001 and ISO/IEC 27001 are both widely requested during supplier onboarding, but they do not answer the same question. ISO 9001 is about quality management: how the organization controls processes, complaints, corrective actions, suppliers, and continual improvement. ISO/IEC 27001 is about information security management: how the organization identifies risks, protects information, manages access, handles incidents, and monitors controls.
When ISO 9001 is the better first answer
ISO 9001 is often the right starting point when the buyer is concerned about consistent service delivery, product quality, complaints, process control, supplier management, or operational reliability. It is common in manufacturing, construction, logistics, professional services, training, and general supplier approval. A buyer may ask for ISO 9001 when they want assurance that the supplier can repeatedly deliver what was promised.
When ISO/IEC 27001 is the better first answer
ISO/IEC 27001 is usually stronger when the supplier handles customer data, cloud systems, software platforms, healthcare data, payment-adjacent systems, or confidential information. It is common for SaaS, IT services, managed service providers, edtech, healthtech, fintech, and data processors. A buyer may ask for ISO/IEC 27001 because the biggest risk is not product quality; it is unauthorized access, data loss, weak incident response, or poor security governance.
When both may be relevant
Some organizations need both. A software company, for example, may need ISO 9001 to show disciplined development and customer support, and ISO/IEC 27001 to show information security management. A medical device software supplier may also need ISO 13485 or privacy evidence. The right sequencing depends on the buyer's immediate wording and the revenue opportunity tied to the request.
Evidence differences
For ISO 9001, useful evidence includes process maps, quality policy, complaint records, corrective actions, supplier controls, management review, and customer feedback. For ISO/IEC 27001, useful evidence includes ISMS scope, risk assessment, risk treatment, access records, incident procedures, backup records, supplier security controls, and internal review. Sending the wrong evidence slows review and can make the applicant look less prepared.
Decision rule
If the buyer's concern is delivery quality, start with ISO 9001. If the buyer's concern is information security, start with ISO/IEC 27001. If the wording says both quality and security, map each requirement to the standard it actually comes from before paying for either certification. AQX can review the buyer wording and recommend the route that best matches the commercial use.
