
ISO 9001 Certified, But Is Your “Documented Information” Secure?

12 August 2015
ISO 9001:2015 has put an interesting twist on the need for documentation, but it won’t protect the information you document. Breaches happen because employees don’t know how to handle info correctly and others gain access to it. 
The soon-to-be-released ISO 9001:2015 has put an interesting twist on the need for documentation. In the past, it was commonly held that complying with ISO 9001 meant “Say what you do (document it), do what you say”. As a consequence, a lot of what people do to run the organisation is written down and no longer only in their heads. Binders of procedures, work instructions and records have been created. That may be sufficient to be compliant with ISO 9001, but it won’t protect you from the ever-increasing threats posed by unsecured information.

Customers’ highly sensitive specifications for their new products, your organisation’s innovative new product development files, proprietary process control parameters, your supplier requirements, people’s training needs etc. have been committed to paper or electronic files as part of implementing a Quality Management System; often in the belief that “doing ISO” would allow the organisation to continue to function if no-one turned up for work because they all won the lottery, or got sick eating at the same restaurant!

Furthermore, records of actual performance – product, process and customers’ feedback – have to be retained to show whether requirements or goals have been met, leading to improved performance and customer satisfaction. Potentially, there’s a lot of interest here for others to discover about your organisation or what you’ve been doing for your customers...

The current “Final Draft” of ISO 9001 uses the term “documented information”, which should be maintained or retained, and this term can be used interchangeably with the types of documentation described above. Of course, ISO 9001 also requires – as it always has – these documents to be “controlled”. This usually means “reviewed, approved, made available at points of use” and, in the case of records, carefully gathered up and filed.

But what of that customer drawing, left lying out on a desk? The company’s “make or break” innovative product specifications, sitting on a desk in the sales office? Yes, they were both “controlled” according to the “ISO procedures”, but that didn’t stop someone sneaking a look and taking a photo with their smartphone. Compliance with ISO 9001 requirements doesn’t take care of those situations. Do you run a similar risk of inadvertently sharing what shouldn’t be shared?

Luckily, there is an ISO management systems standard which can help! ISO 27001 describes a set of requirements for a management system specifically for “Information Security”, also known as an “ISMS”.

Every day we read about information “hacks” or breaches – whether at a supermarket or a mobile phone provider – and it would be easy to dismiss information security as an “IT department” issue. In fact, IT departments frequently have technical controls in place: firewalls, anti-virus software, back-up methods etc. Information breaches generally happen because employees don’t know how to handle sensitive information correctly and another party gains access to it. That’s what ISO 27001 helps with.

ISO 27001 requirements define the management system – and typical controls – for organisations to identify which potential incidents could happen to them (i.e. risks), and then define methods which can change employee behaviour in order to prevent breaches occurring. Any organisation handling sensitive information, whether for-profit or non-profit, a small business or a large corporation, a government body or a privately held entity, can benefit from implementing an Information Security Management System which complies with ISO 27001.

In many respects, the requirements of an ISO 27001 compliant management system are also those of an ISO 9001 compliant quality management system, so taking steps to adopt ISO 27001 isn’t as daunting as it might seem. Many of the “management” requirements, such as those listed below, are almost “cut and pasted” right from ISO 9001:
  • Management Review
  • Internal Audits
  • Corrective Actions
  • Document control
  • Record control.
The information security controls (found in “Annex A” of ISO 27001) can be selected based on the identified risks and then built right into the existing ISO 9001 QMS framework – without much additional burden.

It would be easy to sit back and imagine that only “IT” organisations need to implement ISO 27001. There are even whole industry sectors we’ve seen in the news which seem particularly vulnerable to data security breaches:
  • Banks
  • Telecoms companies
  • Entertainment Companies
  • Retail Stores.
In reality, many organisations – often much smaller ones – can be the victims of an information security breach. The lack of even basic security controls could lead to loss of key (bigger) customers, and with them market share, through product documents and data being obtained by competitors.

Got a “clean desk” policy for when your people are handling your own new product development files? What would prevent an outsider wandering in through the receiving/shipping dock doors on second shift and seeing that customer prototype being assembled? How confident are you that your personnel know how to avoid making sensitive information available – however unintentionally?

Your organisation’s name may never make headline news over a data breach. However, the effects on your organisation can be just as devastating. It might be worthwhile to have some form of risk assessment performed by a professional who understands information security – and, crucially, how ISO 27001 is implemented within your ISO 9001 QMS.
