
Managing Cyber Risk alongside your ISO 9001 or ISO 14001 System

14 October 2016
This article explains how easy it might be to address ISO 27001 certification alongside existing ISO 9001 or ISO 14001 certification, making the most of your organization’s investment in security.

You’ve read the cyber security headlines spreading fear, uncertainty and doubt, but have you considered how easy it might be to address cyber risk, while making the most of your organization’s existing investment, by building on a management system that already conforms to ISO 9001 (quality) or ISO 14001 (environmental)?
The much-referenced ‘Annex SL’ – more penetrably described as “high-level structure, identical core text and common terms and definitions” – means that adding in a new discipline such as cyber or information security to an existing ISO management system is easier than ever. Even addressing two (or more?) standards from a cold start can be a lot less painful than you might expect.
The single management system approach that ISO standards now provide means that more organizations recognise the benefits of implementing more than one management system in a single solution. These benefits include exposing conflicting business objectives, avoiding the duplication of documentation, reducing overall risks, creating a formalised system (not necessarily with lots of documents!) out of informal processes, and enabling the organization to focus on achieving its objectives.
Organizations already certified to ISO 9001 or ISO 14001, and concerned about the ongoing and evolving threats of cyber-crime, may see ISO 27001 certification as a logical and straightforward step to bolster their defenses.

The benefits of an integrated management system (IMS)

An IMS allows organizations to combine all the related components of a business into one system that addresses all of the relevant requirements. By implementing an IMS, your organization can save costs, resources, time and – most importantly – the effort of undergoing separate audits for each standard. Once the management system is integrated, many accredited certification bodies, such as NQA, may be able to audit all aspects of your management system at the same time, reducing fees and disruption.   
Moreover, the integrated management system provides your organization with a consistent management process, a common approach to comparing risks within different departments, and training, support and awareness programmes to match the needs of your organization and employees across a number of disciplines.

Integrating ISO 27001 with ISO 9001 and ISO 14001 management systems

Having a comprehensive quality or environmental management system in place can give your organization a good foundation for information security management. Organizations that already operate a management system will have many of the disciplines and approaches that ISO 27001 requires, including staff who are familiar with the ideas behind management systems.
Historically, ISO 9001 quality management systems and ISO 14001 environmental management systems have often been combined to produce an IMS. With information security and data protection becoming an increasing concern worldwide, the international best-practice information security standard, ISO/IEC 27001:2013, has become a priority and has proven to be crucial for organizations that need to demonstrate their commitment to data and information security. We are increasingly finding clients approaching ISO 27001 as one of the standards to be integrated, if not the first to be adopted.
ISO 27001 certification provides stakeholders, partners and clients with assurance that the organization is taking its information security obligations seriously. Given the importance with which many organizations and consumers view information security, this certification can help the organization build new business opportunities and gain competitive advantages. 

The cost of ISO 27001 certification

Most organizations argue that implementing an ISO 27001-compliant ISMS can be costly in terms of resources and time, but a new report published by IT Governance reveals that the average cost of implementing an ISO 27001-compliant ISMS is between £5,000 and £20,000, excluding certification fees; in most cases this figure applies to organizations that do not already have a QMS or EMS.
The report, which surveyed 250 organizations worldwide, states that 40% have implemented, 40% are implementing and 20% are looking to implement ISO 27001.
ISO 27001 is affordable even for SMEs and consultancy support options help to take away the pain and prepare you for certification.
Alan Calder, the founder and chief executive officer of IT Governance, said:
“There is a common perception that the costs associated with an ISO 27001 implementation project are not justified for small businesses, or that they simply do not have a budget for information security. Our research indicates the contrary, and shows that ISO 27001 is totally within reach for small businesses when implemented in an intelligent manner”.

The duration of an ISO 27001 certification project

Although the duration of an ISO 27001 certification project can vary depending on the size of the organization, the scope of the project, and the expertise and resources available, the median timescale is reported to be 6-12 months, according to more than half of the respondents to the ISO 27001 Global Survey. In our experience, many clients can achieve certification faster than this with the right support and commitment.
Organizations looking to achieve certification to a deadline can take advantage of FastTrack consultancy services. These include the information security assessment, the completion of ISMS documentation, staff training and security awareness, the review meeting and internal audit, and integration with other management systems such as ISO 9001 and ISO 14001.
Moreover, integrating ISO 27001 with other management systems can help your organization identify risks and create a solid and efficient management system that can save time and resources.
unparalleled support and advice, tailored to meet any organisation’s specific needs or budget. 

This article has been authored by Mihaela Jucan at IT Governance Ltd for use on the NQA Certification Ltd website. IT Governance Ltd is listed as a trusted and valued consultancy organization on NQA’s Associate Consultant Register.