In the age of digitization, it is valuable information that must be preserved or protected above all. For companies, this means that alongside data protection, information security is an absolute must. The good news is: companies that have a certified quality management system in accordance with ISO 9001 have already created a good basis for the step-by-step introduction of fully comprehensive information security.
CONTENT
The topic of information security is not new. The dangers threatening the extensive information landscape in organizations have long been known. According to the April 2019 BSI "Cyber Security Survey," 43% of large companies reported being affected by cyber security incidents in 2018.
For small and medium-sized enterprises, the figure was 26%. And according to the "Situation Report on IT Security in Germany 2021" from the German Federal Office for Information Security (BSI), cases of cybercrime have once again increased significantly. In the reporting period from June 1, 2020, to May 31, 2021, not only was there an increase of a good 22 percent in new malware variants (around 144 million), but the quality of the attacks also continued to rise considerably. In the process, many perpetrators exploited the Corona distress of many companies and people.
However, the security of confidential company information is still neglected. There is often a lack of caution and forethought when processing and storing information. Awareness of the consequences of data theft and its like is also far from sufficiently developed everywhere. In some places, companies are also reluctant to invest the time and effort required to effectively protect their sensitive information.
But the effort required for data security doesn't have to be that great. The good news is that many companies do not have to implement a comprehensive information security management system in one fell swoop. For critical infrastructures (CRITIS), on the other hand, this is required by the German IT Security Act.
A step-by-step approach is also conceivable. This means that the first step, at least in companies that have a quality management (QM) system in accordance with ISO 9001, can be an update of the required risk-based approach - but already with a view to the corresponding requirements of the important information security standard ISO 27001.
ISO 27001 vs. ISO 9001: Where are the connections? First, it must be noted that the ISO 9001 quality management standard does require a risk-based approach across the board. However, the implementation of this management system requirement is largely up to your organization. For example, quality management does not require a separate process for risk assessment, but this is unquestionably too little with regard to information security. Nevertheless:
Risk assessment for quality management issues can easily be extended to include information security.
To do this, it is helpful to look at the requirements for identifying and dealing with security risks of ISO 27001 for an information security management system (ISMS). Most aspects can be implemented by users of a quality management system with reasonable effort - as a first step on the way to holistic information security, mind you.
Both international standards, ISO 27001 for information security and ISO 9001 for quality management, deal with the relevant topics in Chapter 6.1 "Measures for dealing with risks and opportunities". In essence, the aim is to ensure three essential aspects in the management system:
With respect to information security, these are primarily the three essential protection goals:
The ISMS standard ISO 27001 specifies the following requirements (section 6.1.1):
The next subchapter (6.1.2) of ISO 27001 requires the establishment and application of an information security risk assessment process. This process must establish and maintain information security risk criteria. This includes, in particular, the criteria for risk acceptance and the performance of information security risk assessments.
Further, the process must ensure that "repeated information security risk assessments produce consistent, valid and comparable results," as the ISMS standard states. The following sub-items might be significant with a first step in mind:
The requirements in 6.1.3 call for establishing and applying a process to address the information security risk in order to achieve the following:
What effort do you need to expect to have your information security management system certified to ISO 27001? Find out.
Annex A of the well-known management system standard ISO/IEC 27001 has an explicit normative character. It can be understood as a kind of checklist containing targets (controls) and measures. You can use this guide to ensure that no essential points for dealing with security risks have been overlooked. However, it does not claim to be exhaustive.
ISO 27001 thus requires two separate processes for assessing and dealing with information security risks. For the first step, however, these could be combined into one process that specifically expands the risk assessment of quality management along the aforementioned requirements to include the aspect of information security. The two standards thus provide a good basis for implementing protective measures for data protection and IT security.
ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements.
ISO 9001:2015 - Quality management systems - Requirements.
Both standards are available from the ISO website.
ISO 27001 vs. ISO 9001: How in-depth the aforementioned process ultimately addresses each requirement depends directly on the complexity of your organization's information landscape and the data that requires protection. Either way, it is advisable to have its effectiveness verified in an external audit. This is advisable, for example, in the course of a certification audit of your quality management system in accordance with ISO 9001, which is planned anyway.
In the balancing act between dynamics and stability, certified management systems are becoming more and more important - a development that DQS feels in a positive way. Because successful companies and organizations use the findings from our audits to continuously improve their results. And they use our globally recognized certificates as objective proof of their quality capability. This creates trust - both internally and externally to your organization.
DQS issued Germany's first certificate for quality management in 1986. The first audit in August 1986 was based on a draft of the standard. In 1991, DQS received its first accreditation for ISO 9001/2/3 by the then TGA Trägergemeinschaft für Akkreditierung GmbH (today: DAkkS). Accreditation for information security certification according to the British standard BS 7799-2 followed in 2000.
Our texts and brochures are written exclusively by our standards experts or auditors with many years of experience. If you have any questions to the author about contents or our services, please feel free to contact us.
Expert and project manager for information security, BSI-KritisV and data protection at DQS. In addition, long-standing auditor for quality and environmental management.
