Having a unified ISO 2001, ISO 9001 and ISO 27001, Framework UCF

ISO standards are the fastest-growing standards in the world, and I see many companies have a need for information security with the increased use of information technology domains, including cybersecurity and secure clouds, etc. If you already have one of those giant three, for instance implemented ISO 9001 and want to implement ISO 2001 and or ISO 27001, or you plan to implement all three standards at once, the best approach is to create a unified Management System (IMS) that will meet the requirements of both other standards as well, so that you don't end up having separated management system e.g GMS and ITSM, but better having a UMS a unified management system instead.

By adopting a holistic approach to managing quality and information security, organizations can integrate the processes common to both ISO 9001, iso 2001 and ISO 27001, such as documented information control, Internal audits, management review, Control of Nonconformance, continual improvement and corrective action. It's fair to state that, having a unified approach, consolidating efforts and resources towards the compliance with those three and or even two of them at a time, will definitely save time, and comes in full alignment with the continual improvement principle , that is a genuine part of each standard compliance mandate.

All possible management systems that are essentially based on ISO standards have lots of commonality since they all follow the very well know Deming principle PDCA which is plan, do , check and act. That principle and all its technical and administrative controls entailed, enable organizations to have a kind of a unified ISO standards for instance ISO 2001, ISO 9001, ISO 14001, ISO 27001,, ISO 22301, etc. In the case of ISO 27001, iso 9001 and ISO 20000, this kind of conciliation following a unified approach can follow the PDCA, and more all various controls and business process could be seen from a panoramic view to make it easier and consists to implement instead of doing each one in silo away and indecent form the others.

adopting and performing a unified approach will significantly appreciated by the implementation team on the ground, may be fewer lead implementers will be essentially required to accomplish such an eminent task. It will also decrease the effort of maintaining the system and achieving continual compliance with both standards. The big plus will be it can save you money as unified standards as audited as one which means Certification bodies will have to visit your site less often each year resulting in lower assessment costs.

The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

In order to successfully unify the various standards under one umbrella, it would be rightfully wide to adopt and implement a Unified Compliance Framework known as a UCF.

The UCF makes compliance easier by identifying the "harmonized" Common Controls across authority documents. It harmonizes the Common Controls by showing you where the various regulations overlap in order to eliminate duplicating your efforts. This also creates the smallest list of Common Controls possible to meet your compliance requirements.

The UCF's architecture was specifically designed for the delivery of the information necessary to establish governance methodologies. That is what separates the UCF from all other models and GRC architectures—its information architecture was built on the solid ground of reality and the real world delivery of governance information

ISO/IEC 2001:2018 Information Technology Service

ISO/IEC 20000-1:2011 can be used by: an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled; an organization that requires a consistent approach by all its service providers, including those in a supply chain;

ISO/IEC 20000-1:2018 can be used by:

• an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
• an organization that requires a consistent approach by all its service providers, including those in a supply chain;
• a service provider that serves to demonstrate its capability for the design, transition, delivery and improvement of services that fulfil service requirements;
• a service provider to monitor, measure and review its service management processes and services;
• a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
• an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2018

ITSM Information technology Service management systems

SO/IEC 20000 is the first international standard for IT service management (ITSM). IT service management (ITSM) is a discipline for managing information technology (IT) systems, from the customer’s perspective of IT’s contribution to the business. ITSM stands in deliberate contrast to technology-centred approaches to IT management and business interaction.

ISO 20000 describes an integrated set of management processes for the effective delivery of services to the business and its customers, and also defines a set of controls against which an organization can be assessed for effective service management, with the aim of developing and delivering high quality technology services.

Customers are becoming ever more sophisticated, better informed and their expectations are continuously growing. For any business, the only way to keep ahead is to provide a better level of service than the competition. But how can you demonstrate this to your customers?

One way is to consider implementing an IT Service Management system that meets the requirements of an internationally recognized standard — ISO 20000. Choosing this approach means that you can apply for an independent certification body to assess the system and confirm that your IT Service Management is effective and uses best practice principles.

ISO27001-2013

ISO 27001 is an international standard published by the International Standardization Organization (ISO), and it describes how to manage information security in a company. The latest revision of this standard was published in 2013, and its full title is now ISO/IEC 27001:2013. The first revision of the standard was published in 2005, and it was developed based on the British standard BS 7799-2.

ISO 27001 can be implemented in any kind of organization, profit or non-profit, private or state-owned, small or large. It was written by the world’s best experts in the field of information security and provides a methodology for the implementation of information security management in an organization. It also enables companies to become certified, which means that an independent certification body has confirmed that an organization has implemented information security compliance with ISO 27001.

There is no doubt that, ISO 27001 has become the most popular information security standard worldwide and many companies have certified against it and ISO 27001 certification demonstrates to existing and potential customers that an organization has identified and implemented best-practice information security processes. ISO 27001 is the only auditable international standard that defines the requirements of an ISMS (information security management system)., some still argue that NIST could do the job, but it has been proved not.

Information Security Management System ISMS

An information security management system (ISMS) is a set of policies, procedures and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft.

ISO/IEC 27001 based Information Security Management

What ISMS framework entails:

• Protects information assets
• Achieves its goals using a combination of strategy and tactics:
• Risk assessment and treatment
• CIA (Confidentiality, Integrity, Availability)
• Incident handling, management, and avoidance
• Securing people, processes, and technology
• Protects information against various threats
• Reduces risks and improves business continuity
• Reduces financial losses and other impacts
• Optimizes return on investments
• Creates opportunities to do business safely
• Maintains privacy and compliance

Some of the benefits that any organization could gain out of the adoption of a strategic ISMS supported and endorsed by the Senior leadership

• Support an organization to implement an Information Security Management System that complies with ISO/IEC 27001
• Understand the Information Security Management System implementation process
• Provide continual prevention and assessments of threats within your organization
• Higher chances of being distinguished or hired in an Information Security market place.
• Help to understand the risk management process, controls, and compliance obligations
• Acquired the necessary expertise to manage a team to implement an ISMS
• Provide the ability to support organizations in the continual improvement process of their Information Security Management System
• Provide the necessary skills to audit an organization’s Information Security Management System.

Insight into the ISO 27001 activities

The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of the information in a company. This is done by finding out what potential problems could happen to the information (i.e., risk assessment), and then defining what needs to be done to prevent such problems from happening (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 27001 is based on managing risks: find out where the risks are, and then systematically treat them.

The safeguards (or controls) that are to be implemented are usually in the form of policies, procedures and technical implementation (e.g., software and equipment). However, in most cases, companies already have all the hardware and software in place, but they are using them in an unsecured way – therefore, the majority of the ISO 27001 implementation will be about setting the organizational rules (i.e., writing documents) that are needed in order to prevent security breaches.

Since such implementation will require multiple policies, procedures, people, assets, etc. to be managed, ISO 27001 has described how to fit all these elements together in the information security management system (ISMS).

Moving forward to the Quality management standard ISO 9001-2015

ISO 9001:2015 is an internationally recognized standard for creating, implementing and maintaining a Quality Management System for any company. It is intended to be used by organizations of any size or industry and can be used by any company. As an international standard, it is recognized as the basis for any company to create a system to ensure customer satisfaction and improvement, and as such, many companies demand this as the minimum requirement for an organization to be a supplier.

Because we are auditing your processes, as well as having a certification body audit them, your customers themselves do not need to audit your company. It is because of this that ISO 9001 has become a necessity for many companies to compete in the market.

In addition, your customers will be reassured that you have established a Quality Management System based on the seven quality management principles of ISO 9001. 

In fact, ISO 9001 is such a basic and influential standard that it is used as the basis when industry groups want to add specific industry requirements, thus creating their own industry standard. 

Quality Management System

The Quality Management System, which is often referred to as a QMS, is a collection of policies, processes, documented procedures, and records. This collection of documentation defines the set of internal rules that will govern how your company creates and delivers your product or service to your customers.

The QMS must be tailored to the needs of your company and the product or service you provide, but the ISO 9001 standard provides a set of guidelines to help make sure that you do not miss any important elements that a QMS needs to be successful.

How the standard ISO 9001-2015 is structured.

The ISO 9001 structure is split into ten sections. The first three are introductory, with the last seven containing the requirements for the Quality Management System. main pillars of the standard are grouped under the below sections :

Leadership

 The leadership requirements cover the need for top management to be instrumental in the implementation of the QMS. Senior management needs to demonstrate commitment to the QMS by ensuring customer focus, defining and communicating the quality policy and assigning roles and responsibilities throughout the organization.

Planning 

Senior leadership/Management should engage and endorse the plan for the ongoing function of the QMS. Risks and opportunities of the QMS in the organization should be regularly evaluated, and quality objectives for improvement need to be identified and plans made to realize and achieve these objectives.

Support 

This specific section concerns with the management of all resources for the QMS, covering the necessity to control all resources, including human resources, buildings and infrastructure, the working environment, monitoring, and measurement resources and organizational knowledge. The section also includes requirements around competence, awareness, communication and controlling documented information (the documents and records required for your processes).

Operation

 The operation requirements deal with all aspects of the planning and creation of the product or service. This section includes requirements on planning, product requirements review, design, controlling external providers, creating and releasing the product or service and controlling nonconforming process outputs.

Performance evaluation 

This includes the requirements needed to make sure that you can monitor whether your QMS is functioning well. It also includes monitoring and measuring your processes, assessing customer satisfaction, internal audits, and ongoing management review of the QMS.

Improvement 

This last section includes the requirements needed to make your QMS better over time. This includes the need to assess process nonconformity and taking corrective actions for processes

Why a unified ISO 2001, ISO 9001 and ISO 27001 works

The management of data in terms, how it is used but also how it is protected are now becoming key areas of concern for businesses.

For many organizations that already implement ISO 9001 and are now choosing to implement ISO 27001, the challenge for them is how do we make this all work in sync?

A common practice we see with organizations is they treat both management systems as separate projects but in fact, the best way to implement these standards is to integrate them as one system which will meet all the requirements.

By implementing an integrated approach your implementation team will save time and use fewer resources. It will also decrease the effort of maintaining the system and achieving continual compliance with both standards.

The best advantage that we could gain by adopting a unified standards, that the company will be audited as one unit, SOA will be a full list of controls that falls within each standard, but all consolidated and listed against their status in one document, this again will accordingly subject to less internal and external audit activities therefore, Certifying bodies find it easier, less hectic and with less site visits the mission will be accomplished, not to mention less cost in-cured .

No Duplication neither repetition

Traditionally ISO 9001 (Quality) and ISO 14001 (Environmental) have been the more popular integrated standard, ISO 9001 and ISO 27001 actually have many similar traits and can be fully integrated.

Both standards focus on the internal/external issues relevant to the company, but from different perspectives. Both standards follow the Annex SL structure which means there are similarities in what the documentation and procedures required to effectively implement the system.

When integrating the two standards, you will reduce man-hours and resources.

By ensuring the implementation team have a clear understanding of both standards and understand where the standards overlap.

The implementation project should be based not only on the current state of your organization, in terms of compliance with the requirements of these two standards, but also on spotting shortcuts and low-hanging fruit.

Some of the most important places where you can speed up the implementation are the following common requirements of both standards.

1. Interested Parties and their Requirements 

The organization will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed with the same process, and an integrated list of interested parties can be created.

2. Responsibility and Authority to be identified 

The roles and responsibilities within the QMS and the ISMS are different, but again, they must be defined. This can be done in the same way.

3. Competence, Awareness, Communication, Control of System Documents and Records 

All these requirements are common not only for ISO 9001 and ISO 27001, but for other standards as well – and, they can be addressed in the same way and at the same time.

4. Internal Audit and Management Review 

Of course, the requirements to be audited and the review inputs and outputs are different, but the way the process is conducted is the same. Depending on the size and complexity of the company and its processes, internal audit or management review can be done at the same time or separately.

5. Both require systems for nonconformity and corrective actions 

The process of handling nonconformities and corrective actions can be the same for both standards, and there is no reason to separate them.

With all these common elements, it would seem logical to maintain one system for each common element. Keep in mind that although some requirements seem the same and can be covered with the same process, that doesn’t mean they will have the same results for both standards.

The focus of ISO 9001 is on quality products and services and customer satisfaction, while ISO 27001 is focused on information security; therefore, the results of the management review, as well as the inputs, will be different, and the same is with most of the above-mentioned common clauses.

Additional requirements of ISO 27001

The differences between the standards usefully supplement each other, which decisively contribute to increasing business success: information security secures the company’s potential, and quality management creates it. After addressing the common requirements of the standards, the company must deal with their differences that are mostly present in clauses 6 and 8. ISO 27001 adds the following into the IMS:

1. Information security risk assessment 

The organization needs to develop a methodology for the identification and evaluation of information security risks.

This process shouldn’t be mixed with addressing risks and opportunities in ISO 9001 since the second has far fewer requirements and applying the same methodology can be overwhelming and unproductive in ISO 9001.

2. Information security risk treatment 

This process doesn’t have a peer in ISO 9001, so it can be done independently. It basically requires the organization to apply one or more information security controls listed in Annex A of ISO 27001.

How to integrate ISO 9001 and ISO 27001

ISO 27001 is one of the fastest-growing standards in the world, and I see many companies have a need for information security with the increased use of information technology, clouds, etc. If you already have implemented ISO 9001and want to implement ISO 27001, or you plan to implement both standards at once, the best approach is to create an Integrated Management System (IMS) that will meet the requirements of both standards. This will save you a great amount of time in the implementation, and it will also decrease the effort of maintaining the system and achieving continual compliance with both standards.

Start with the common ground

The key to saving time and effort is good planning. Your implementation project should be based not only on the current state of your organization, in terms of compliance with the requirements of these two standards, but also on spotting shortcuts and low-hanging fruit. Some of the most important places where you can speed up the implementation are the following common requirements of both standards:

• Context of the Organization – Both standards require identification of internal and external issues relevant to the company, but from different perspectives. ISO 9001 focuses on quality, and ISO 27001 focuses on information security. 
• Interested Parties and their Requirements – The organization will have to determine interested parties and their requirements related to quality and information security. These requirements can be addressed with the same process, and an integrated list of interested parties can be created. 
• Responsibility and Authority to be identified – The roles and responsibilities within the QMS and the ISMS are different, but again, they must be defined. This can be done in the same way. 
• Competence, Awareness, Communication, Control of System Documents and Records – All these requirements are common not only for ISO 9001 and ISO 27001, but for other standards as well and, they can be addressed in the same way and at the same time.
• Internal Audit and Management Review – Of course, the requirements to be audited and the review inputs and outputs are different, but the way the process is conducted in the same. Depending on the size and complexity of the company and its processes, internal audit or management review can be done at the same time or separately.
• Both require systems for nonconformity and corrective actions – The process of handling nonconformities and corrective actions can be the same for both standards, and there is no reason to separate them.

With all of these common elements, it would seem logical to maintain one system for each common element. Keep in mind that although some requirements seem the same and can be covered with the same process, that doesn’t mean they will have the same results for both standards. The focus of ISO 9001 is on quality products and services and customer satisfaction, while ISO 27001 is focused on information security; therefore, the results of the management review, as well as the inputs, will be different, and the same is with most of the above-mentioned common clauses.

Additional requirements of ISO 27001

The differences between the standards usefully supplement each other, which decisively contribute to increasing business success: information security secures the company’s potential, and quality management creates it. After addressing the common requirements of the standards, the company must deal with their differences that are mostly present in clauses 6 and 8. ISO 27001 adds the following into the IMS:

• Information security risk assessment – The organization needs to develop a methodology for the identification and evaluation of information security risks. This process shouldn’t be mixed with addressing risks and opportunities in ISO 9001 since the second has far fewer requirements and applying the same methodology can be overwhelming and unproductive in ISO 9001. 
• Information security risk treatment – This process doesn’t have a peer in ISO 9001, so it can be done independently. It basically requires the organization to apply one or more information security controls listed in Annex A of ISO 27001. 

Do Integrating systems provide ROI

By integrating the two management systems, there are many synergies that allow for combined resources to save time (up to 30%) and money on maintaining and improving the management system.

With a holistic management system approach that embodies international best practices, organizations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies, and regulatory authorities.

In addition, by integrating the management of quality and information security, organizations can demonstrate both the quality and security of their processes, as well as achieve a significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction, and enhanced reputation and marketability.

Why is ISO 9001 a good idea for the organization?

With a holistic management system approach that embodies international best practices, organizations can demonstrate compliance with both the ISO 27001 and ISO 9001 standards to customers, certification bodies, and regulatory authorities. In addition, by integrating the management of quality and information security, organizations can demonstrate both the quality and security of their processes, as well as achieve significant competitive advantage through improved organizational performance, reduced risk, better customer satisfaction, and enhanced reputation and marketability.

The benefits of ISO 9001 cannot be overstated; companies large and small have used this standard to great effect, discovering and securing tremendous cost and efficiency savings. Here are just a few of these benefits:

Improve your image and credibility 

When customers see that you are certified by a recognized certification body, they will understand that you have implemented a system that is focused on meeting customer requirements and improvement. This improves their trust that you will deliver what you have promised.

Improve customer satisfaction 

One of the key principles of the ISO 9001 QMS is the focus on improving customer satisfaction by identifying and meeting customer requirements and needs. By improving satisfaction, you improve repeat customer business.

Fully integrated processes 

By using the process approach of ISO 9001, you not only look at the individual processes in your organization but also at the interactions of those processes. By doing this, you can more easily find areas for improvement and resource savings within your organization.

Use evidence-based decision making 

Ensuring that you are making decisions based on good evidence is key to the success of an ISO 9001 QMS. By ensuring that your decisions are based on good evidence, you can better target resources to the best effect to correct problems and improve your organizational efficiency and effectiveness.

Create a culture of continual improvement 

With continual improvement as the main output of the QMS, you can attain ever-increasing gains in savings of time, money and other resources. By making this the culture of your company, you can focus your workforce on improving the processes they are directly responsible for.

Engage your people 

Who better than the people working within a process to help find the best solutions for improving that process? By focusing your workforce on not only managing but also improving the processes, they will be more engaged in the outcome of the organization.