Those of you who follow events in the standards world cannot fail to have noticed that a big event has happened recently; the 2015 version of the best-selling ISO9001 standard has been published by the ISO.
This has been long awaited, since the last version was back in 2008 and much has changed since then. For those that are not aware, ISO9001 is the original general quality standard that really gave rise to most of the other management system standards such as ISO/IEC 27001, ISO 23301 and ISO/IEC 20000. And it’s been popular, with over one million organizations certified worldwide.
So we wondered how the new ISO9001 fits in with these other standards and what benefit there is to adopting it in addition to the others. Not only that, but how easy would it be to create and run a combined management system that meets the requirements of two (or more) standards?
We decided the only way to really find out is to do it. So we purchased a copy of the new ISO9001 standard and started to go through it with a view to adding it to our existing ISO/IEC 27001 certification. Now we haven’t finished yet, and we’re still some way from certification (first combined internal audit tomorrow…) but we can give you our first impressions and experience on this subject.
The first thing to say is that if you know ISO/IEC 27001:2013 or ISO22301:2012 you’ll certainly recognize the layout and much of the content of the new ISO9001 standard. And that’s deliberate on ISO’s part. For a while now they have been updating the management system family of standards to use common headings and wording on the basis that a management system is a management system, whether you’re dealing with information security, IT service management or general business operations. Yes, the subject-specific content of each standard will be different, but the principles of meeting customer requirements, planning and design, management review, internal audit and improvement are the same. So they defined a “standard for the standards” which is variously known as the “Higher Level Structure” or “Annex SL” (see our earlier blog on this) and starting using it from the launch of ISO22301 back in 2012. So the headings and much of the content are exactly the same between ISO9001 and ISO/IEC 27001.
So from our experience, does this really make it easier to adapt an Information Security Management System (ISMS) to become a more general management system that complies with ISO9001? In a word, Yes! Ok, you have to tweak a few documents to make them apply not just to information security (we have generally replaced the term “ISMS” with “management system”) but the processes and procedures we have in place to manage our information security have proven to be just as applicable to the management of the business and its quality as we had hoped. This is good news for simplicity and good news for the amount of time we had to spend on combining the management systems.
But let’s not forget that ISO9001 is still a different standard with its own specific requirements; you can’t just change a few words in your ISMS and say “ok, that’s ISO9001 done”. This is where the benefits of the ISO9001 standard start to come through, both on their own and in the way it enhances our existing ISO/IEC 27001 procedures and controls. ISO9001 is about understanding the business and the processes it uses to achieve what it does, whether that’s making products or delivering services, or both. The exercise of defining our business processes and the more detailed procedures that support them has been very useful already in spotting things we can do better, tasks we can automate or avoid the need to do completely, and areas we can safely outsource. This analysis helps to further improve our security too, because the better you understand a process, the more effectively you can secure it.
If you’re an organization that already has ISO/IEC 27001 or ISO 22301 (possibly less so ISO/IEC 20000 but that will come in time…) and you’re thinking about adopting the new ISO9001, our advice would be to go for it. Alternatively, if you already have ISO9001:2008 and you’re thinking about going for ISO/IEC 27001 or ISO 22301 certification then there are real benefits in starting to adapt your ISO9001 management system to the new format now, well before your auditor tells you that you have to.
We’ll let you know in further blog posts how we’re getting on. (Update – We made it! – see our later blog)