ISO 27001 and ISO 9001: How an integrated response can work

Many high tech businesses who are implementing a Quality Management System (QMS) to gain ISO 9001:2015, are increasingly considering whether they need to obtain ISO 27001:2013 as well.

What is ISO 27001: 2013?

ISO 27001:2013 is the international standard that describes best practice for an Information Security Management System (ISMS). The standard takes a risk-based approach to information security, requiring organisations to identify threats to their company and then adopt appropriate controls across their business to tackle them.

Who needs ISO 27001?

Any organisation which gathers and stores sensitive customer data, is a supplier to an organisation who does, or wishes to ensure their own data is managed and secured in a comprehensive way; may want or need to obtain the standard.

The provisions of ISO 27001 are not just relevant for IT companies or departments, therefore. Instead, they set the standard for the way every employee operates (and is allowed to operate) as they handle data and information collected, stored or generated by their organisation.

What is ISO 9001: 2015?

The ISO 9001 standard specifies the requirements for an organisation to demonstrate they have a quality management system in place and can consistently provide quality products and services which meet customer needs and regulatory requirements.

Like 27001 there is a burden on the organisation for this management system to be auditable by regulators to prove compliance.

Increasingly, high tech companies seeking ISO 9001 as they develop cutting edge products and components that gather or otherwise process end-user data, are finding they also need ISO 27001 to win business and go to market.

ISO 9001: 2015 - How to apply risk-based thinking to quality processes [Part 1]

Information Management Systems vs Quality Management Systems

Although Information Management and Quality Management clearly have separate and distinct objectives, the system requirements that ISO 27001 and ISO 9001 specify for each, have certain commonalities.

This means the software and other tools you deploy to help set up and maintain the required approaches, processes and procedures for one system can have obvious applications for both.

What requirements do ISO 27001 and ISO 9001 have in common?

• Scoping – Both standards require consideration of the way internal/ external issues, impact on the ability of a business to deliver consistent quality of end product, or maintain the required security of the information they handle.
• Leadership - Both standards require support from top management in terms of resources, communication, and through aligning the management system’s objectives with the overall objectives of the business
• HR support –Both require adequate support for the implementation and ongoing maintenance of the management systems
• Document management system – both standards specify the need for a set of formal controls, processes and procedures to manage the systems’ documentation requirements
• Internal audit – both standards require confirmation that an independent and objective review of the management system can be performed regularly and at will
• Measurement and monitoring – both standards require confirmation that the operations of the management system are monitored and regularly reviewed for effectiveness
• Management review – both standards require evidence that relevant management personnel review the ongoing performance, suitability, adequacy, and effectiveness of the management system
• Continual improvement – both standards require an ongoing and proactive effort to improve the overall effectiveness of the management system

Obviously, this is not the whole story - the two systems exist for different reasons so both have unique requirements to observe. For example, ISO 27001 demands the use of controls from ISO 27002 to support its ISMS, with an accompanying statement of applicability.

However, both standards share a fundamental requirement for the management and control of documentation, to govern the capture and observation of every process and procedure that ensures the quality of products being produced and the security of information being held by the company.

A Document Management System is central to meeting the requirements of ISO 9001 and ISO 27001

The way this documentation is handled is also fundamental to the commitment to the continuous improvement of processes which both systems enshrine.

Formal, digital Document Management Systems (DMS) accessible to approved stakeholders, locked for editing, with an auditable change history, can make it much easier for companies to assess and track the progress they are making in operational improvements.

At the same time, the way a DMS can be used to gather feedback on changes to processes, then seek approval and ‘publish’ when agreed, can impose the suggested Plan, Do, Check, Act cycle for all the procedures that govern quality and security within an organisation.

Towards an efficient integration

In this way a good DMS can become a central repository for the organisational knowledge concerning every element of quality and security, plus offer a set of tools that can control access and editing privileges over every piece of data and information that your business needs to store.

The right DMS can thus form the central spine of an integrated Quality and Information Management System, making the procedures and processes that govern them both visible and auditable to regulators.

In turn, this can improve organisational performance, reduce the risk of fines or business failure and increase customer satisfaction overall.