ISO 9001 Risk Management and Cybersecurity

Andrew Nichols, Quality Programme Manager at Michigan Manufacturing Technology Center, argues that data breaches can be disastrous for small and medium-sized enterprises (SMEs). It’s time for quality managers to look at how their management systems can help protect their business. 

Cybersecurity breaches often make the news headlines, especially when large organisations are the victims: British Airways, Equifax, Marriott and the NHS have all suffered well-publicised attacks in recent years. We rarely learn about the impact of information security attacks on small and medium-sized businesses, partly because they are given far less prominence in the media. Attacks against smaller companies can and do happen, however, and often with disastrous consequences.

The USA’s Federal Emergency Management Agency (FEMA) has estimated that between 40% and 60% of small businesses fail within a year of a disaster of any type, a cyberattack included, unless some form of continuity or resilience plan is in place. These failures stem not only from the direct cost of paying a ransom, but from the hidden costs of losing access to information on sales pipelines, accounts payable and receivable, and intellectual property. A relatively simple compromise, for instance of an email or invoicing account, can even change the bank account details an organisation gives to its customers and divert their payments to the attacker.

So, what is needed to protect small and medium-sized businesses from such an attack? How can an organisation become cyber resilient? Could we, as quality professionals, add cybersecurity to our portfolio of competencies – or simply extend the need for control of information in our Quality Management Systems (QMS) to include security?

Risk Management and cybersecurity

In very basic terms, what’s needed is an approach to cybersecurity that seeks to reduce the risks of such attacks on business. Many might not realise that an ISO 9001:2015-compliant QMS can be used as a platform on which to base an effective cybersecurity programme. Although the standard places a focus on products, several concepts used throughout ISO 9001:2015 – such as risk, planning and documented information – can clearly be applied to information protection, too.

The requirements for information, either maintained or retained, are mentioned 38 times throughout ISO 9001. When analysed, these references can be categorised according to the three properties that information security calls the CIA triad, as follows:

  • Confidentiality – only authorised people can see the information; for example, designs and specifications that are proprietary to you and/or your customer(s).
  • Integrity – the information is accurate and has not been altered without authorisation; for example, the controlled ‘go to’ or master version of a procedure that the organisation runs on.
  • Availability – the information can be reached when it is needed; for example, the records of results produced by following those procedures.

On closer consideration, it is easy to see that all the requirements of ISO 9001:2015 – from documenting internal and external issues to process controls and management reviews – generate a great deal of information that should not be available outside the organisation, least of all to competitors, to customers or, worse, to your customers’ competitors.

How would this ‘tribal knowledge’, captured when creating the QMS – often in process work instructions and procedures – be recreated if it were encrypted and held for ransom? What if a major customer’s ‘hush hush’ game-changing product specifications and drawings were stolen from your servers? Such breaches could have catastrophic implications for smaller companies.

Some may argue that not all of the information gathered is that sensitive – for example, the calibration data for 300 items of measuring equipment. Still, if that information is deleted from the hard drive of a computer in a quality control lab, it will take a considerable amount of time and money to rebuild it from paper records (if those are even available).

Five steps to cyber-resilience

The UK Government’s National Cyber Security Centre (NCSC), in its Small Business Guide, suggests there are five key steps to understanding and managing cyber risks:

  1. Backing up your data, which is related to the ‘retained documented information’ requirements.
  2. Protecting your organisation from malware.
  3. Keeping your smartphones (and tablets) safe, especially when many are now working from home and could be using unsecured networks.
  4. Using passwords to protect your data; turn on two-factor authentication wherever a device or service offers it, and use ‘three random words’ to build passwords that are long but memorable.
  5. Avoiding phishing attacks by educating everyone to recognise such attacks and to report them.
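Step 1 is where the QMS overlaps most directly with cyber-resilience, and it is also where the calibration-records scenario above bites: a backup that has never been checked may turn out to be unreadable, or may already contain the encrypted files it was meant to protect against. The script below is an added illustration, not from the original article or from the NCSC guide. It backs up a constructed set of calibration records into a tar archive alongside a SHA-256 manifest, checks that every file in the archive can be read back and matches the manifest, and then compares the live files with the manifest so that a record overwritten by ransomware (simulated here) and a dropped ransom note are reported before the next backup silently overwrites the good copy. File names, contents and the directory layout are all made up for the example.

```python
"""Backup with an integrity manifest, then verify before trusting it.

Added example. Everything here (the 'calibration' folder, file names and
contents, the simulated ransomware step) is constructed for illustration.
"""
import hashlib
import json
import os
import pathlib
import tarfile
import tempfile


def _digest(fileobj) -> str:
    """SHA-256 of a binary file object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = pathlib.Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            with open(path, "rb") as f:
                manifest[path.relative_to(root).as_posix()] = _digest(f)
    return manifest


def create_backup(root, archive, manifest_path) -> dict:
    """Write root's files into a .tar.gz and the manifest into a JSON file."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for name in manifest:
            tar.add(pathlib.Path(root) / name, arcname=name)
    pathlib.Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(archive, manifest_path) -> list:
    """Read every archive member back and compare it with the manifest.

    Returns a sorted list of problems; an empty list means the archive is
    readable and every file in it matches what was backed up. Members are
    hashed straight from the archive, so nothing is written to disk.
    """
    manifest = json.loads(pathlib.Path(manifest_path).read_text())
    problems, seen = [], set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar:
            if not member.isfile():  # symlinks, devices etc. have no place here
                problems.append(f"unexpected non-file entry: {member.name}")
                continue
            seen.add(member.name)
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"not in manifest: {member.name}")
            elif _digest(tar.extractfile(member)) != expected:
                problems.append(f"hash mismatch: {member.name}")
    for name in manifest.keys() - seen:
        problems.append(f"missing from archive: {name}")
    return sorted(problems)


def compare_live(root, manifest_path) -> dict:
    """Report live files that changed, vanished or appeared since the backup."""
    expected = json.loads(pathlib.Path(manifest_path).read_text())
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in expected if n in current and current[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in current),
        "new": sorted(n for n in current if n not in expected),
    }


def run_demo() -> dict:
    """Back up constructed records, verify the archive, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = pathlib.Path(tmp)
        records = tmp / "calibration"
        (records / "gauges").mkdir(parents=True)
        # Constructed sample data standing in for a QC lab's calibration records.
        (records / "gauges" / "G-0001.csv").write_text("id,last_cal,next_due\nG-0001,2023-01-10,2024-01-10\n")
        (records / "gauges" / "G-0002.csv").write_text("id,last_cal,next_due\nG-0002,2023-03-02,2024-03-02\n")
        (records / "procedure.txt").write_text("QP-07 Calibration procedure, rev C\n")

        archive = tmp / "calibration-backup.tar.gz"
        manifest_file = tmp / "calibration-backup.manifest.json"
        manifest = create_backup(records, archive, manifest_file)
        archive_problems = verify_backup(archive, manifest_file)

        # Simulated ransomware (constructed, no real malware): one record is
        # overwritten with random bytes and a ransom note appears.
        (records / "gauges" / "G-0001.csv").write_bytes(os.urandom(64))
        (records / "README_DECRYPT.txt").write_text("pay up\n")
        live = compare_live(records, manifest_file)

        return {"files_backed_up": len(manifest), "archive_problems": archive_problems, **live}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest should live with the offline copy of the archive, not only on the machine being backed up; if it sits on the same disk the ransomware encrypts, the check in `compare_live` has nothing trustworthy to compare against. The same applies to the archive itself, which is why the NCSC guidance stresses keeping backups disconnected from the live network.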

In many cases, the need for quality-related information and defined methods of control can be simply extended to consider the (few) extra steps needed to ensure cybersecurity of that information.

Classification of information, access authority, responsibilities for control, education and awareness of risks, and disposition of information once it is determined to be at the end of its useful life are all closely related to considerations that quality professionals build into management systems. Isn’t it a logical extension of these features that we also make provision for a few extra controls to ensure our organisation’s resilience in the event of a cybersecurity attack?

Of course, once established, the controls could and should extend to other, non-quality-related areas – such as finance, HR records and the personal data covered by the General Data Protection Regulation (GDPR) – through the application of robust policies, procedures and classification, and the definition of responsibilities and authorities.

Author: Andrew Nichols, Quality Programme Manager at Michigan Manufacturing Technology Center.