ISO 27001:2013 is the international standard that describes best practice for an Information Security Management System (ISMS). The standard takes a risk-based approach to information security: an organisation must identify the risks to the confidentiality, integrity and availability of its information and then select and implement appropriate controls across the business to treat them.
Any organisation which gathers and stores sensitive customer data, is a supplier to an organisation that does, or wishes to ensure its own data is managed and secured in a comprehensive way, may want or need to obtain certification to the standard.
The provisions of ISO 27001 are therefore not relevant only to IT companies or departments. Instead, they set the standard for the way every employee operates (and is permitted to operate) when handling data and information collected, stored or generated by their organisation.
The ISO 9001 standard specifies the requirements for an organisation to demonstrate they have a quality management system in place and can consistently provide quality products and services which meet customer needs and regulatory requirements.
Like 27001, it places a burden on the organisation to keep this management system auditable, so that an accredited certification body (or a customer or regulator, where contracts or law require it) can verify compliance.
Increasingly, high-tech companies seeking ISO 9001 while developing cutting-edge products and components that gather or otherwise process end-user data are finding they also need ISO 27001 to win business and go to market.
Although Information Security Management and Quality Management clearly have separate and distinct objectives, the system requirements that ISO 27001 and ISO 9001 specify for each have certain commonalities.
This means the software and other tools you deploy to help set up and maintain the required approaches, processes and procedures for one system can have obvious applications for both.
Obviously, this is not the whole story: the two systems exist for different reasons, so each has unique requirements to observe. For example, ISO 27001 requires the organisation to produce a Statement of Applicability that records, for every control in its Annex A, whether the control is implemented and why (or why not); ISO 27002 supplies the implementation guidance for those controls.
However, both standards share a fundamental requirement for the management and control of documented information. That documentation governs how every process and procedure is defined, followed and recorded, whether the process ensures the quality of the products being produced or the security of the information the company holds.
The way this documentation is handled is also fundamental to the commitment to continual improvement of processes which both systems enshrine.
A formal, digital Document Management System (DMS) that is accessible to approved stakeholders, restricts editing to authorised roles and keeps an auditable change history (who changed what, when, and which version was approved) can make it much easier for companies to assess and track the progress they are making in operational improvements.
At the same time, the way a DMS can be used to gather feedback on proposed changes to processes, then seek approval and 'publish' the new version once agreed, can enforce the Plan, Do, Check, Act (PDCA) cycle for all the procedures that govern quality and security within an organisation.
In this way a good DMS can become the central repository for organisational knowledge concerning every element of quality and security, and can also provide the tools to control access and editing privileges over every piece of data and information that your business needs to store.
The right DMS can thus form the central spine of an integrated Quality and Information Security Management System, making the procedures and processes that govern both visible and auditable to certification bodies, customers and regulators.
In turn, this can improve organisational performance, reduce the risk of fines or business failure and increase customer satisfaction overall.