How important is information security in quality management systems?

Well, the short answer is that for many organizations, it is becoming increasingly important.

“As organizations come to rely more heavily on information technology, the security of that information is becoming a vital component of a quality management system”.

The adoption of information technology, with all the opportunities and risks it brings, has pushed the topic of security to the forefront. Basically, we want our information to:

• Only be accessed by the right people (Confidentiality)
• Be correct and only subject to change by authorised people or processes (Integrity)
• Be available to read and use whenever we want (Availability)

These three principles are often referred to by the acronym CIA (yes, there’s a joke in there somewhere), standing for Confidentiality, Integrity and Availability. The CIA principles form the basis of information security.

Organizations are increasingly looking to implement an ISMS (Information Security Management System) based on the requirements of ISO27001. Even where that is not the case, our increasing reliance on information technology means the security of that information is becoming an important consideration for other management systems, such as those for ISO9001 Quality.

Information security and quality management systems

So, let’s take a look at some areas of an ISO9001 quality management system where information security might need to be considered:

The first clause in ISO9001 that specifies requirements is clause 4, which refers to the Context of the Organization. In general terms, your QMS should be relevant to the context of your organization. At that point, the scope of your QMS may be determined, and you can establish the necessary operational and support processes.

The following illustrates just some areas of that ISO9001 clause where information security might be considered.

Clause 4.1 Understanding the organization and its context

To understand that context, you must consider and monitor the internal and external factors that may affect your provision of products and services to your customers.

Although the standard is not prescriptive in this regard, understanding the external context is often achieved by some form of PESTEL analysis (considering Political, Economic, Social, Technological, Environmental, and Legal factors).

To gauge the relevance of information security to quality management, consider how a breach of information security may affect such matters as confidentiality, service delivery, intellectual property rights, or reputation.

For example, although information security covers a much wider base, there is a lot in the news these days about ‘Cyber Security’, which relates to the security of internet-connected systems. Cyber attacks might include:

• DDoS (Distributed denial of service)
• Phishing
• Spear phishing
• Malware or spyware
• Ransomware
• Social Engineering

Some of these attacks could certainly affect quality, and some may present an existential threat to your business.

Clause 4.2 Understanding the needs and expectations of interested parties

The relevant needs and expectations of customers and other interested parties must be understood.

Consider the legal, regulatory, and contractual obligations relating to information security requirements, e.g.:

• National Privacy legislation
• GDPR (Europe)
• Certification to ISO27001, CSA STAR and/or other standards may be a contractual obligation

A customer requirement for, or acceptance of, online service delivery may create an opportunity to reduce service delivery costs, but may also bring new risks relating to information security.

Clause 4.3 Determining the scope of the quality management system

Information security considerations may affect the boundaries and applicability of the quality management system.

Clause 4.4 The quality management system and its processes

This clause includes some quite specific requirements for the definition and management of processes.

Information security may be considered in any aspect of process planning. For example:

• Considering the risks of loss of data integrity during a process, and how that may affect the quality of output from that process
• Considering the risks of a breach of confidentiality during a process
• Planning security monitoring to detect a possible issue
• Planning information security awareness and training as a control measure
• Obtaining resources such as security software to prevent certain issues from occurring

We will look at the growing importance of information security to other clauses of ISO9001 in later blogs.