What does ISO 9001:2015 mean for government information and cyber security professionals?
Formula for data quality
By John DiMaria CSSBB, HISP, MHISP, AMBCI, CERP
Today’s risk landscape
Government security risks are diverse, and in the new era of threats, cybercrime and information security failures increasingly pose some of the most significant risks in this modern reality. However, the more traditional issues of ensuring customer satisfaction and producing quality products and services haven’t gone away. In fact, the more effectively an organization responds to the rising threats of today, the more likely it is to keep stakeholders satisfied by protecting the quality of its services or products as well as its brand’s reputation.
According to the ASQ Global State of Quality 2 Research (www.globalstateofquality.org) study of nearly 1,700 companies in 20 countries, quality process-oriented companies are three times as likely to be identified as successful and half as likely to have customer service/quality disasters.
It is no surprise, then, that the world’s most popular quality management standard, ISO 9001, has recently been updated as ISO 9001:2015, and that this will be especially beneficial to government entities looking to increase their security.
Today, as management system standards are updated, they are aligned to Annex SL, also known as the high level structure, or HLS. This is a framework for a generic management system and the blueprint for all new and revised management system standards going forward. ISO/IEC 27001 was one of the first to lead the way in 2012, and now the world’s most widely adopted standard has followed suit. This is great news for government, particularly on the topics of risk and integration.
Risk-based thinking is a key element brought in by the HLS, so organizations can be better equipped to reduce risk while being well-placed to spot opportunities. This won’t be new to professionals already working with standards such as ISO/IEC 27001 or ISO 22301; however, it is quite a step change for ISO 9001:2015. While the concept of risk has always been implicit, the new standard ensures it is built into the whole management system and, more importantly, encourages proactive action as part of the organization’s strategic planning.
So what is ISO 9001:2015?
ISO 9001 is a global standard that sets out the requirements for a quality management system, or QMS. Certification to the new ISO 9001:2015 further helps government organizations to continually monitor and manage quality across their entire organization, with its new focus on risk-based thinking.
By adopting ISO 9001:2015 to embed quality management into government, organizations are required to establish a systematic approach to risk, rather than treating it as a single component of a quality management system. The good news is, if you are already working with systems aligned to the HLS you are in a great position to gain efficiencies.
Why? Before the HLS, organizations could have multiple, disparate management systems in place, each consuming duplicate time, effort, and resources to keep running. With Annex SL, organizations can benefit from aligning separate systems and conducting one business risk assessment that enables concerns on different topics to be managed, or taken advantage of, for maximum business gain.
Not only does the new ISO 9001:2015 help embed risk management into the heart of your organization, but the common elements can help you align a QMS with other management systems you have in place. Even if this is your starting point, it is a great best-practice framework to manage your security efforts more effectively and efficiently, and it leaves you best-placed to add more specific systems in the future.
Adding value with quality management
Data is a critical enterprise asset. Weaving ISO 9001:2015 into your ISO/IEC 27001 system enhances data quality and integrity, which can prove very important in the event you launch, or are the target of, an investigation. The dimensions of data quality are:
- Accuracy – Valid data are considered accurate: they measure what they are intended to measure
- Reliability – The data are measured and collected consistently; definitions and methodologies are the same over time
- Completeness – Completely inclusive: the Document Management System (DMS) represents the complete data and not a fraction of the information
- Precision – The data have sufficient detail; in this case the “accuracy” of the data refers to the fineness of measurement units
- Timeliness – Data are up-to-date (current), and information is available on time; the DMS produces reports under deadline
- Presentation – The data must be neat and tidy and fit-for-purpose (ready as evidence in court or as a record of regulatory compliance)
- Integrity – The data are protected from deliberate bias or manipulation for political or personal reasons
Integrating ISO 9001:2015 with your Information Security Management System (ISMS) ensures that you not only receive top management commitment on data integrity and security, but also that it aligns with the strategic direction of the organization and its overall approach to business risk. This removes a silo mentality, makes it easier to engage stakeholders at all levels of the organization, and allows focus on a common purpose, which can bring only positive results.
Whether or not you’re in a position to integrate multiple systems, the HLS provides a great structure to bring different people together and collaborate to strengthen an organization’s resilience and achieve greater results. ISO 9001 hasn’t been adopted by over 1.1 million businesses around the world by accident. It remains the world’s most popular standard for a reason, and the new ISO 9001:2015 update makes it much more attractive to business. So whatever role individuals play, there is potential to embrace this approach to quality management as a core of business improvement. It can only enhance your existing practices and complement your approach to managing cybersecurity and information risks.
Organizations certified with the previous version of ISO 9001 have until September 2018 to transition to the revised ISO 9001:2015 version. For more information on ISO 9001:2015, visit ASQ Quality Management Standards.
About the Author
John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP is the Global Product Champion for Information Security and Business Continuity for BSI Group. He has 30 years of successful experience in Standards and Management System Development, including Quality Assurance, EMS, Information Systems, ISMS and Business Continuity. John was one of the key innovators of CSA STAR Certification for cloud providers, a contributing author of the American Bar Association’s Cybersecurity Handbook and a working group member and key contributor to the NIST Cybersecurity Framework. More info at www.bsigroup.com