
Transition from ISO 9001 to 27001: integrating quality and information security


For the second consecutive year, the ISO Survey, the publication of the International Organization for Standardization (ISO), includes in its 2007 edition statistics on the number of ISO/IEC 27001:2005 certificates worldwide.

It is worth noting that the ISO Survey has been published since 1993, but, as we say, it has only included data on certification to ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems - Requirements) for two years.

This inclusion simply reflects a notable advance in the worldwide uptake of the standard that sets the requirements for an Information Security Management System (ISMS). The importance of ISO 27001 certification for organizations seeking to improve their processes and results, and the competitive advantage it represents over companies that have not yet taken the step, is now beyond question.

Such progress is still not comparable to that of the two "classics" of the ISO Survey: ISO 9001 and ISO 14001, the well-known Quality and Environmental management standards, respectively. Although it is common to find Quality and Environmental management systems coexisting in a single Integrated Management System (SGI, from the Spanish Sistema de Gestión Integrado), it is far less common (although increasingly so) to see a Quality Management System integrated with an ISMS.

Going further still, there are already companies that, having an Integrated Quality and Environmental Management System, are considering what we might call "total integration": a single Integrated Management System for Quality, Environment and Information Security.

Today we will not discuss the integrated implementation of all three standards in a single system, but rather the extension of an existing Quality Management System to comply with ISO 27001; in other words, the creation of an Integrated Quality and Information Security Management System (hereinafter, SGI).

We begin by noting, although it is well known, that integrating the two systems is made easier by the fact that both 9001 and 27001 are built on the Deming cycle, or PDCA model (Plan, Do, Check, Act), applied to the processes of the management system itself. Likewise, both standards set the requirements for a system that is oriented to the business processes of each organization.

ISO/IEC 27001 itself states that, if an organization already has 9001 or 14001 implemented, "it is preferable to satisfy the requirements of this International Standard within the existing management system."

Let's see to what extent the standard's recommendation holds. Although certain organizations may, for specific reasons, prefer to keep Quality management separate from Information Security management, there is no doubt that following the recommendation brings many advantages (and saves some work as well). Among these, the ones companies value most are avoiding unnecessary duplication and improving efficiency across the whole organization, with the cost savings this entails.

Hands-on: a brief approach

The first thing we notice when we start integrating the two systems is the large overlap in everything that concerns the management system itself: general requirements, documentation requirements, management responsibility, resource management, internal audits, management review and improvement of the system.

  1. The first step is, of course, to revise the scope document of our Quality System so that it also covers the business processes we want to certify under ISO 27001 because Information Security is especially important in them. The new scope need not coincide with the one already defined for Quality, and normally it will not, although this depends on each organization and fundamentally on the breadth of its corporate purpose. Note that ISO 27001 requires the ISMS scope to be defined in terms of the business, the organization, its location, assets and technology, with any exclusions justified, so the scope statement usually needs more detail than its Quality counterpart.
  2. Next, we must revise our Quality Policy statement, extending it to Information Security and to the specific security objectives we set ourselves as an organization.
  3. Then we take advantage of the organizational structure already in place for our Quality System so that it also manages Information Security. It is already becoming common for organizations to have combined Quality and Security managers and/or committees.

Finally, we turn to those Quality procedures whose object and scope we will expand so that they meet, in a unified way, the requirements shared by 9001 and 27001:

  • Control of documents and records.
  • Management responsibility and management review of the system.
  • Management of nonconformities, corrective actions and preventive actions.
  • Internal audit and continual improvement of the system.

The ISMS-specific requirements of 27001, in particular the risk assessment, the risk treatment plan and the Statement of Applicability, have no counterpart in 9001 and must be added to the SGI rather than obtained by extending an existing Quality procedure.

Other advantages of integration: unified management of legal and regulatory compliance

We do not want to close this overview of Integrated Quality and Information Security Systems without mentioning another clear advantage our SGI provides: the ability to manage centrally the many legal and regulatory requirements that organizations must comply with today.

In Spain specifically, the clearest case is the Organic Law on Data Protection (LOPD) and its "new" implementing regulation, not forgetting the Law on Information Society Services and Electronic Commerce (LSSI). Complying with these three bodies of regulation requires resources and a certain organizational structure so that compliance is maintained constantly and permanently. Only in this way are we safe from unpleasant surprises, usually in the form of heavy financial penalties. Beyond these Spanish rules, the SGI also helps us comply with regulations such as Sarbanes-Oxley, Basel II, etc.

And all this from a single Management System. Interesting, isn't it?

Contributed by: Elena Ortega de Nicolás
