In the age of digitization, it is valuable information that must be preserved or protected above all. For companies, this means that alongside data protection, information security is an absolute must. The good news is: companies that have a certified quality management system in accordance with ISO 9001 have already created a good basis for the step-by-step introduction of fully comprehensive information security.


The topic of information security is not new. The dangers threatening the extensive information landscape in organizations have long been known. According to the April 2019 BSI "Cyber Security Survey," 43% of large companies reported being affected by cyber security incidents in 2018.

For small and medium-sized enterprises, the figure was 26%. And according to the "Situation Report on IT Security in Germany 2021" from the German Federal Office for Information Security (BSI), cases of cybercrime have once again increased significantly. In the reporting period from June 1, 2020, to May 31, 2021, not only was there an increase of a good 22 percent in new malware variants (around 144 million), but the quality of the attacks also continued to rise considerably. In the process, many perpetrators exploited the Corona distress of many companies and people.

However, the security of confidential company information is still neglected. There is often a lack of caution and forethought when processing and storing information. Awareness of the consequences of data theft and its like is also far from sufficiently developed everywhere. In some places, companies are also reluctant to invest the time and effort required to effectively protect their sensitive information.

Step by step to more information security

But the effort required for data security doesn't have to be that great. The good news is that many companies do not have to implement a comprehensive information security management system in one fell swoop. For critical infrastructures (CRITIS), on the other hand, this is required by the German IT Security Act.

A step-by-step approach is also conceivable. This means that the first step, at least in companies that have a quality management (QM) system in accordance with ISO 9001, can be an update of the required risk-based approach - but already with a view to the corresponding requirements of the important information security standard ISO 27001.

Information security and quality management

ISO 27001 vs. ISO 9001: Where are the connections? First, it must be noted that the ISO 9001 quality management standard does require a risk-based approach across the board. However, the implementation of this management system requirement is largely up to your organization. For example, quality management does not require a separate process for risk assessment, but this is unquestionably too little with regard to information security. Nevertheless:

Risk assessment for quality management issues can easily be extended to include information security.

To do this, it is helpful to look at the requirements for identifying and dealing with security risks of ISO 27001 for an information security management system (ISMS). Most aspects can be implemented by users of a quality management system with reasonable effort - as a first step on the way to holistic information security, mind you.

Information security - risks and opportunities

Both international standards, ISO 27001 for information security and ISO 9001 for quality management, deal with the relevant topics in Chapter 6.1 "Measures for dealing with risks and opportunities". In essence, the aim is to ensure three essential aspects in the management system:

  • Achieving your organization's intended results
  • Preventing or reducing undesirable effects
  • Achieving continuous improvement through compliance with certain standards

With respect to information security, these are primarily the three essential protection goals:

  • Loss of confidentiality
  • Integrity of information
  • Availability of information

The ISMS standard ISO 27001 specifies the following requirements (section 6.1.1):

  • Determining risks and opportunities
  • Planning measures to deal with the identified risks and opportunities
  • Plan how the measures will be integrated into the company processes and implemented

Identifying and dealing with risks

The next subchapter (6.1.2) of ISO 27001 requires the establishment and application of an information security risk assessment process. This process must establish and maintain information security risk criteria. This includes, in particular, the criteria for risk acceptance and the performance of information security risk assessments.

Further, the process must ensure that "repeated information security risk assessments produce consistent, valid and comparable results," as the ISMS standard states. The following sub-items might be significant with a first step in mind:

  • Identify the information security risks
  • Analyze the information security risks
  • Evaluate the information security risks

The requirements in 6.1.3 call for establishing and applying a process to address the information security risk in order to achieve the following:

  • Select appropriate options for addressing the security risk, with respect to the results of the risk assessment
  • Determine all actions necessary to implement the selected options for addressing the security risk
  • Compare the defined measures with the controls specified in Annex A of ISO 27001 (target actions)
  • Prepare an applicability statement with regard to the reasons for (not) including the controls from Annex A
  • Formulate a plan for the handling of security risks
  • Obtain approval and acceptance of this plan from the risk owners
informationssicherheit-standards-zwei schwarze seile laufen horizontal durch das bild und sind in der bildmitte zu einem kreuzknoten verknuepft

Certification according to ISO 27001

What effort do you need to expect to have your information security management system certified to ISO 27001? Find out.

Annex A of ISO 27001 offers guidance

Annex A of the well-known management system standard ISO/IEC 27001 has an explicit normative character. It can be understood as a kind of checklist containing targets (controls) and measures. You can use this guide to ensure that no essential points for dealing with security risks have been overlooked. However, it does not claim to be exhaustive.

Information security and quality management - what is the best approach?

ISO 27001 thus requires two separate processes for assessing and dealing with information security risks. For the first step, however, these could be combined into one process that specifically expands the risk assessment of quality management along the aforementioned requirements to include the aspect of information security. The two standards thus provide a good basis for implementing protective measures for data protection and IT security.

ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements.

ISO 9001:2015 - Quality management systems - Requirements.

Both standards are available from the ISO website.

ISO 27001 vs. ISO 9001: How in-depth the aforementioned process ultimately addresses each requirement depends directly on the complexity of your organization's information landscape and the data that requires protection. Either way, it is advisable to have its effectiveness verified in an external audit. This is advisable, for example, in the course of a certification audit of your quality management system in accordance with ISO 9001, which is planned anyway.

Information security meets quality management - what are the benefits?

  • A process that takes a fundamental look at information security risks can serve as a first, important step toward a holistic management system for information security in accordance with ISO/IEC 27001.
  • By implementing such a process, top management strengthens awareness of information and data security (data protection) at all levels.
  • With the targeted consideration of information security risks, a company has the opportunity to uncover the need for action and to take appropriate measures (oriented on ISO 27001, Appendix A).
  • The risk assessment extended to include information security, for example as part of quality management, strengthens a company's overall risk-based approach.
  • Both the financial and human resources required for implementation and effectiveness testing are manageable.

DQS: Simply leveraging Quality

In the balancing act between dynamics and stability, certified management systems are becoming more and more important - a development that DQS feels in a positive way. Because successful companies and organizations use the findings from our audits to continuously improve their results. And they use our globally recognized certificates as objective proof of their quality capability. This creates trust - both internally and externally to your organization.

DQS issued Germany's first certificate for quality management in 1986. The first audit in August 1986 was based on a draft of the standard. In 1991, DQS received its first accreditation for ISO 9001/2/3 by the then TGA Trägergemeinschaft für Akkreditierung GmbH (today: DAkkS). Accreditation for information security certification according to the British standard BS 7799-2 followed in 2000.

More than three decades of know-how

Our texts and brochures are written exclusively by our standards experts or auditors with many years of experience. If you have any questions to the author about contents or our services, please feel free to contact us.

Gert Krueger

Expert and project manager for information security, BSI-KritisV and data protection at DQS. In addition, long-standing auditor for quality and environmental management.