Last Updated on December 17, 2015
Part of the ISO 9000 family of quality management standards, ISO 9001 enables organizations to meet multiple overlapping legislative and regulatory requirements by providing the framework for a formal quality management system (QMS). By implementing a QMS within a globally recognized framework such as ISO 9001, organizations can demonstrate legislative and regulatory compliance and reduce exposure to risk—including information security risk.
In addition, by extending an existing QMS to encompass the requirements of an information security management system (ISMS) that complies with ISO 27001, organizations can enhance their compliance and achieve improvement throughout the organization. Integrating QMS and ISMS enables organizations to comply with an increasing number of legal and regulatory requirements and enables the adoption of an integrated approach to compliance management.
By reducing duplication between multiple management system standards, an integrated approach to compliance management enables organizations to reduce short- and long-term one-off and ongoing costs, dramatically decrease duplication of effort and increase effectiveness throughout the organization. Streamlining a company’s approach to compliance management also drives greater return on investment (ROI) in supporting technology and systems.
By adopting a holistic approach to managing quality and information security, organizations can integrate the processes common to both ISO 9001 and ISO 27001, such as documented information control, internal audits, management review, control of nonconformance, continual improvement and corrective action.
Among the elements/procedures that are common to both ISO 27001 and ISO 9001 implementations are:
- Defining objectives and tracking that they have been achieved
- Document management
- Management review
- Conducting internal audits
- Taking corrective actions
- Control of nonconformance
- Continual improvement
For organizations that already have a certified QMS in place, the ISMS can be integrated with the existing QMS, because the document management requirements of both ISO 9001 and ISO 27001 have been designed to let organizations develop management systems that satisfy both standards. For example, clauses 7.5.1, 7.5.2 and 7.5.3 of ISO 27001, which specify the requirements for documented information, can be met by extending the documentation control requirements of the existing ISO 9001 QMS.
By extending an existing QMS to encompass the requirements of an ISMS, organizations can achieve compliance with an internationally recognized standard, which also supports compliance with various regional legal and regulatory requirements. Organizations can likewise demonstrate the increased security in place around their information to internal and external auditors, as well as their customers—thus enhancing the QMS by meeting and exceeding customer expectations to achieve and sustain customer satisfaction.
With a holistic management system approach that embodies international best practice, organizations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies and regulatory authorities. In addition, by integrating the management of quality and information security, organizations can demonstrate both the quality and the security of their processes, as well as achieve significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction and enhanced reputation and marketability.
As you might expect, it is easier to implement ISO 9001 if you already have an ISO 27001-compliant management system in place, or vice versa. Similarly, organizations that want to demonstrate compliance with both ISO 27001 and ISO 9001 will save significant time, money and effort if they plan on integrating these efforts from the start.
To find out more about how you can benefit from ISO 9001 certification, contact Pivot Point Security.