Integrating ISO 9001 and ISO 27001

 Integrating ISO 9001 and ISO 27001

 

Overview

ISO 27001 is one of the fastest-growing standards in the world, and I see many companies have a need for information security with the increased use of information technology, clouds, etc. If you already have implemented ISO 9001 and want to implement ISO 27001, or you plan to implement both standards at once, the best approach is to create an Integrated Management System (IMS) that will meet the requirements of both standards.  This will save you a great amount of time in the implementation, and it will also decrease the effort of maintaining the system and achieving continual compliance with both standards.  

By implementing an integrated approach your implementation team will save time and use fewer resources. It will also decrease the effort of maintaining the system and achieving continual compliance with both standards. The big plus will be it can save you money as integrated standards as audited as one which means Certification bodies will have to visit your site less often each year resulting in lower assessment costs. 

 

Download Also:

• Planning and Schedule Free Templates 
• Over 500 Contract Templates Free Download 

ISO27001-2013

ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it describes how to manage information security in a company. The latest revision of this standard was published in 2013, and its full title is now ISO/IEC 27001:2013. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.  ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. 

It was written by the world’s best experts in the field of information security and provides a methodology for the implementation of information security management in an organization. It also enables companies to become certified, which means that an independent certification body has confirmed that an organization has implemented information security compliance with ISO 27001.  ISO 27001 has become the most popular information security standard worldwide and many companies have certified against it.

ISO 27001 certification demonstrates to existing and potential customers that an organization has identified and implemented best-practice information security processes. ISO 27001 is the only auditable international standard that defines the requirements of an ISMS (information security management system).

Information Security Management System ISMS

An information security management system (ISMS) is a set of policies, procedures and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft.

ISO/IEC 27001 based Information Security Management Key concepts of ISMS

Protects information assets     

• Achieves its goals using a combination of strategy and tactics:     
• Risk assessment and treatment     
• CIA (Confidentiality, Integrity, Availability)    
• Incident handling, management, and avoidance     
• Securing people, processes, and technology     
• Protects information against various threats
• Reduces risks and improves business continuity 
• Reduces financial losses and other impacts 
• Optimizes return on investments 
• Creates opportunities to do business safely 
• Maintains privacy and compliance 

By implementing ISO 27001, the organization can benefit greatly: avoiding the losses and financial penalties associated with data breaches, winning new business, and strengthening relationships with existing clients.

• Support an organization to implement an Information Security Management System that complies with ISO/IEC 27001     
• Understand the Information Security Management System implementation process     
• Provide continual prevention and assessments of threats within your organization     
• Higher chances of being distinguished or hired in an Information Security market place.     
• Help to understand the risk management process, controls, and compliance obligations     
• Acquired the necessary expertise to manage a team to implement an ISMS     
• Provide the ability to support organizations in the continual improvement process of their Information Security Management System     
• Provide the necessary skills to audit an organization’s Information Security Management System 

How does ISO 27001 work

The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them.

The safeguards (or controls) that are to be implemented are usually in the form of policies, procedures and technical implementation (e.g., software and equipment). However, in most cases, companies already have all the hardware and software in place, but they are using them in an unsecured way – therefore, the majority of the ISO 27001 implementation will be about setting the organizational rules (i.e., writing documents) that are needed in order to prevent security breaches.  Since such implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 has described how to fit all these elements together in the information security management system (ISMS). 

ISO 9001-2015

As stated above, ISO 9001:2015 is an internationally recognized standard for creating, implementing and maintaining a Quality Management System for any company. It is intended to be used by organizations of any size or industry and can be used by any company. As an international standard, it is recognized as the basis for any company to create a system to ensure customer satisfaction and improvement, and as such, many companies demand this as the minimum requirement for an organization to be a supplier. Because we are auditing your processes, as well as having a certification body audit them, your customers themselves do not need to audit your company.

It is because of this that ISO 9001 has become a necessity for many companies to compete in the market.In addition, your customers will be reassured that you have established a Quality Management System based on the seven quality management principles of ISO 9001.   In fact, ISO 9001 is such a basic and influential standard that it is used as the basis when industry groups want to add specific industry requirements, thus creating their own industry standard. 

Quality Management System

The Quality Management System, which is often referred to as a QMS, is a collection of policies, processes, documented procedures, and records. This collection of documentation defines the set of internal rules that will govern how your company creates and delivers your product or service to your customers. The QMS must be tailored to the needs of your company and the product or service you provide, but the ISO 9001 standard provides a set of guidelines to help make sure that you do not miss any important elements that a QMS needs to be successful.

The ISO 9001-2015 Structure

The ISO 9001 structure is split into ten sections. The first three are introductory, with the last seven containing the requirements for the Quality Management System. Here is what the seven main sections are about:

Section 5: Leadership

The leadership requirements cover the need for top management to be instrumental in the implementation of the QMS. Senior management needs to demonstrate commitment to the QMS by ensuring customer focus, defining and communicating the quality policy and assigning roles and responsibilities throughout the organization. 

 

Section 6: Planning 

Top management must also plan for the ongoing function of the QMS. Risks and opportunities of the QMS in the organization need to be assessed, and quality objectives for improvement need to be identified and plans made to accomplish these objectives. 

Section 7: Support

The support section deals with the management of all resources for the QMS, covering the necessity to control all resources, including human resources, buildings and infrastructure, the working environment, monitoring, and measurement resources and organizational knowledge. The section also includes requirements around competence, awareness, communication and controlling documented information (the documents and records required for your processes). 

 

Section 8: Operation

The operation requirements deal with all aspects of the planning and creation of the product or service. This section includes requirements on planning, product requirements review, design, controlling external providers, creating and releasing the product or service and controlling nonconforming process outputs. 

Section 9: Performance evaluation

This includes the requirements needed to make sure that you can monitor whether your QMS is functioning well. It also includes monitoring and measuring your processes, assessing customer satisfaction, internal audits, and ongoing management review of the QMS. Section 

 

10: Improvement

This last section includes the requirements needed to make your QMS better over time. This includes the need to assess process nonconformity and taking corrective actions for processes

Why integrating ISO 9001 and ISO 27001 works

The management of data in terms, how it is used but also how it is protected are now becoming key areas of concern for businesses.  For many organizations that already implement ISO 9001 and are now choosing to implement ISO 27001, the challenge for them is how do we make this all work in sync?  A common practice we see with organizations is they treat both management systems as separate projects but in fact, the best way to implement these standards is to integrate them as one system which will meet all the requirements.  

 

By implementing an integrated approach your implementation team will save time and use fewer resources. It will also decrease the effort of maintaining the system and achieving continual compliance with both standards.  The big plus will be it can save you money as integrated standards as audited as one which means Certification bodies will have to visit your site less often each year resulting in lower assessment costs.

No Duplication neither repetition

Traditionally ISO 9001 (Quality) and ISO 14001 (Environmental) have been the more popular integrated standard, ISO 9001 and ISO 27001 actually have many similar traits and can be fully integrated.  Both standards focus on the internal/external issues relevant to the company, but from different perspectives. Both standards follow the Annex SL structure which means there are similarities in what the documentation and procedures required to effectively implement the system.  

 

When integrating the two standards, you will reduce man-hours and resources.  By ensuring the implementation team have a clear understanding of both standards and understand where the standards overlap.  The implementation project should be based not only on the current state of your organization, in terms of compliance with the requirements of these two standards, but also on spotting shortcuts and low-hanging fruit.  Some of the most important places where you can speed up the implementation are the following common requirements of both standards.

1. Interested Parties and their Requirements

The organization will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed with the same process, and an integrated list of interested parties can be created. 

2. Responsibility and Authority to be identified

The roles and responsibilities within the QMS and the ISMS are different, but again, they must be defined. This can be done in the same way. 

3. Competence, Awareness, Communication, Control of System Documents and Records

All these requirements are common not only for ISO 9001 and ISO 27001, but for other standards as well – and, they can be addressed in the same way and at the same time. 

4. Internal Audit and Management Review   

Of course, the requirements to be audited and the review inputs and outputs are different, but the way the process is conducted is the same. Depending on the size and complexity of the company and its processes, internal audit or management review can be done at the same time or separately. 

5. Both require systems for nonconformity and corrective actions

The process of handling nonconformities and corrective actions can be the same for both standards, and there is no reason to separate them.  With all these common elements, it would seem logical to maintain one system for each common element. Keep in mind that although some requirements seem the same and can be covered with the same process, that doesn’t mean they will have the same results for both standards.  The focus of ISO 9001 is on quality products and services and customer satisfaction, while ISO 27001 is focused on information security; therefore, the results of the management review, as well as the inputs, will be different, and the same is with most of the above-mentioned common clauses.

Additional requirements of ISO 27001

The differences between the standards usefully supplement each other, which decisively contribute to increasing business success: information security secures the company’s potential, and quality management creates it. After addressing the common requirements of the standards, the company must deal with their differences that are mostly present in clauses 6 and 8. ISO 27001 adds the following into the IMS:

1. Information security risk assessment

The organization needs to develop a methodology for the identification and evaluation of information security risks.  This process shouldn’t be mixed with addressing risks and opportunities in ISO 9001 since the second has far fewer requirements and applying the same methodology can be overwhelming and unproductive in ISO 9001. 

2. Information security risk treatment

This process doesn’t have a peer in ISO 9001, so it can be done independently. It basically requires the organization to apply one or more information security controls listed in Annex A of ISO 27001. 

How to integrate ISO 9001 and ISO 27001

ISO 27001 is one of the fastest-growing standards in the world, and I see many companies have a need for information security with the increased use of information technology, clouds, etc. If you already have implemented ISO 9001and want to implement ISO 27001, or you plan to implement both standards at once, the best approach is to create an Integrated Management System (IMS) that will meet the requirements of both standards. This will save you a great amount of time in the implementation, and it will also decrease the effort of maintaining the system and achieving continual compliance with both standards.

Start with the common ground

The key to saving time and effort is good planning. Your implementation project should be based not only on the current state of your organization, in terms of compliance with the requirements of these two standards, but also on spotting shortcuts and low-hanging fruit. Some of the most important places where you can speed up the implementation are the following common requirements of both standards:

• Context of the Organization – Both standards require identification of internal and external issues relevant to the company, but from different perspectives. ISO 9001 focuses on quality, and ISO 27001 focuses on information security.      
• Interested Parties and their Requirements – The organization will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed with the same process, and an integrated list of interested parties can be created.      
• Responsibility and Authority to be identified – The roles and responsibilities within the QMS and the ISMS are different, but again, they must be defined. This can be done in the same way.      
• Competence, Awareness, Communication, Control of System Documents and Records – All these requirements are common not only for ISO 9001 and ISO 27001, but for other standards as well and, they can be addressed in the same way and at the same time.     
• Internal Audit and Management Review – Of course, the requirements to be audited and the review inputs and outputs are different, but the way the process is conducted in the same. Depending on the size and complexity of the company and its processes, internal audit or management review can be done at the same time or separately.     
• Both require systems for nonconformity and corrective actions – The process of handling nonconformities and corrective actions can be the same for both standards, and there is no reason to separate them.

With all of these common elements, it would seem logical to maintain one system for each common element. Keep in mind that although some requirements seem the same and can be covered with the same process, that doesn’t mean they will have the same results for both standards. The focus of ISO 9001 is on quality products and services and customer satisfaction, while ISO 27001 is focused on information security; therefore, the results of the management review, as well as the inputs, will be different, and the same is with most of the above-mentioned common clauses.

 

Additional requirements of ISO 27001

The differences between the standards usefully supplement each other, which decisively contribute to increasing business success: information security secures the company’s potential, and quality management creates it. After addressing the common requirements of the standards, the company must deal with their differences that are mostly present in clauses 6 and 8. ISO 27001 adds the following into the IMS: 

• Information security risk assessment – The organization needs to develop a methodology for the identification and evaluation of information security risks. This process shouldn’t be mixed with addressing risks and opportunities in ISO 9001 since the second has far fewer requirements and applying the same methodology can be overwhelming and unproductive in ISO 9001.      
• Information security risk treatment – This process doesn’t have a peer in ISO 9001, so it can be done independently. It basically requires the organization to apply one or more information security controls listed in Annex A of ISO 27001. 

Do Integrating systems provide ROI

By integrating the two management systems, there are many synergies that allow for combined resources to save time (up to 30%) and money on maintaining and improving the management system.  With a holistic management system approach that embodies international best practices, organizations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies, and regulatory authorities.  In addition, by integrating the management of quality and information security, organizations can demonstrate both the quality and security of their processes, as well as achieve a significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction, and enhanced reputation and marketability. 

Why is ISO 9001 a good idea for the organization?

With a holistic management system approach that embodies international best practices, organizations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies, and regulatory authorities. In addition, by integrating the management of quality and information security, organizations can demonstrate both the quality and security of their processes, as well as achieve significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction, and enhanced reputation and marketability. The benefits of ISO 9001 cannot be overstated; companies large and small have used this standard to great effect, discovering and securing tremendous cost and efficiency savings. Here are just a few of these benefits:

Improve your image and credibility

When customers see that you are certified by a recognized certification body, they will understand that you have implemented a system that is focused on meeting customer requirements and improvement. This improves their trust that you will deliver what you have promised.

Improve customer satisfaction

One of the key principles of the ISO 9001 QMS is the focus on improving customer satisfaction by identifying and meeting customer requirements and needs. By improving satisfaction, you improve repeat customer business.

Fully integrated processes

By using the process approach of ISO 9001, you not only look at the individual processes in your organization but also at the interactions of those processes. By doing this, you can more easily find areas for improvement and resource savings within your organization.

Use evidence-based decision making

Ensuring that you are making decisions based on good evidence is key to the success of an ISO 9001 QMS. By ensuring that your decisions are based on good evidence, you can better target resources to the best effect to correct problems and improve your organizational efficiency and effectiveness.

Create a culture of continual improvement

With continual improvement as the main output of the QMS, you can attain ever-increasing gains in savings of time, money and other resources. By making this the culture of your company, you can focus your workforce on improving the processes they are directly responsible for.

Engage your people

Who better than the people working within a process to help find the best solutions for improving that process? By focusing your workforce on not only managing but also improving the processes, they will be more engaged in the outcome of the organization.

 

Related Topics:

• CMMI vs. ISO 
• Integrating ISO 9001 and ISO 27001 
• Managing risks with ISO 27000 plugs into ISO 31000 standards.

The Author: Ala'a Elbeheri

 

 

                                        

About:

A versatile and highly accomplished senior certified IT risk management Advisor and Senior IT Lead Auditor with over 20 years of progressive experience in all domains of ICT.  

• Program and portfolio management, complex project management, and service delivery, and client relationship management.      

• Capable of providing invaluable information while making key strategic decisions and spearheading customer-centric projects in IT/ICT in diverse sectors.    

• Displays strong business and commercial acumen and delivers cost-effective solutions contributing to financial and operational business growth in international working environments.      

• Fluent in oral and written English, German, and Arabic with an Professional knowledge of French.  

• Energetic and dynamic relishes challenges and demonstrates in-depth analytical and strategic ability to facilitate operational and procedural planning.  

• Fully conversant with industry standards, with a consistent track record in delivering cost-effective strategic solutions.    

• Strong people skills, with proven ability to build successful, cohesive teams and interact well with individuals across all levels of the business. Committed to promoting the ongoing development of IT skills  throughout an organization