During the last year at Certification International Bulgaria, we have seen many companies moving towards the integration of their existing management systems, particularly ISO 9001:2008 and ISO 27001:2005. This is a welcomed opportunity as Certification International has the ability to provide integrated audits covering quality and information security.
The process of integration usually leads to a reduction in audit time compared to the time required to carry out two separate audits and the organisation being audited only needs to arrange a single visit from Certification International personnel and auditors.
ISO 27001 can be integrated with an existing QMS (Quality Management System) or with a functioning ISMS (Information Security Management System). The questions that follow are “what are the similarities between ISO 9001 and ISO 27001?” and “what are the main requirements of the two standards which allow for integration?” The answers may help organisations prepare for integrated audits.
Both QMS and ISMS have similar sets of requirements. The theory developed by William Deming – an American statistician – provides the philosophy of all management systems based on the Plan-Do-Check-Act cycle. The ‘plan’ phase represents the process of designing a management system and planning what is needed to achieve it. The ‘do’ phase is the process of implementing the system and measuring its performance. The ‘check’ phase is the assessment of measurements and reporting results to decision makers. And the ‘act’ phase is where decisions are made depending on what needs changing for improvement.
Although this cycle was invented for quality management, it was further established as the foundation for all other management systems including information security (ISO/IEC 27001), environment (ISO 14001), health and safety (OHSAS 18001) and business continuity (BS 25999-2).
Below are some of elements which are required for the implementation of both QMS and ISMS.
• Defining objectives and tracking whether they have been achieved. Although different objectives relating to quality compared to information security are expected to be defined by the organisation, the mechanism itself for defining and tracking them is similar.
• Document management. The general document management requirements for both QMS and ISMS are similar although there are some additional requirements relating to ISMS.
• Management review. The requirements for management review are similar for both management systems. Any experience in holding management reviews for quality or information security will be helpful for holding a management review of the integrated system.
• Internal audit. The same procedures can be used for both QMS and ISMS as the standards set the same general requirements for conducting internal audits.
• Corrective and preventive actions. The same procedures for corrective and preventive actions can be used both for QMS and ISMS.
• Human resources management. Although there are some additional requirements regarding information security issues, this part of the system also allows for integration.
In conclusion, we can summarise that if there is either a well functioning QMS or ISMS within the organisation, it will be easier to implement and integrate another standard into the already existing system. But when deciding to undertake an audit for a QMS or ISMS standard, companies should consider integrating the other from the start.
Contributed by: Zdravka Petrova