Those of you who follow events in the standards world (and why wouldn’t you?) will remember that a big event happened back in 2015: the new version of the best-selling ISO9001 standard was published by ISO.
This was long awaited, since the previous version dated back to 2008 and much had changed since then. For those who are not aware, ISO9001 is the original general quality standard that gave rise to most of the other management system standards, such as ISO/IEC 27001, ISO 22301 and ISO/IEC 20000. And it has been popular, with over one million organizations certified worldwide.
So at the time we wondered how the new ISO9001 fitted in with these other standards and what benefit there was to adopting it in addition to the others. Not only that, but how easy was it to create and run a combined management system that meets the requirements of two (or more) standards?
We decided the only way to really find out was to do it. So we purchased a copy of the new ISO9001 standard and started to go through it with a view to adding it to our existing ISO/IEC 27001 certification. Our existing certification was with Alcumus ISOQAR so we decided to go with BSI for ISO 9001, partly to get the benefit of wider experience. We became successfully certified in 2016 and we’ve been running a combined management system ever since. This means we feel able to give you a few impressions from our experience on this subject.
The first thing to say is that if you know ISO/IEC 27001:2013 or ISO22301:2012 you’ll certainly recognize the layout and much of the content of the new ISO9001 standard. And that’s deliberate on ISO’s part. Since 2012 they have been updating the management system family of standards to use common headings and wording, on the basis that a management system is a management system, whether you’re dealing with information security, IT service management or general business operations. Yes, the subject-specific content of each standard will be different, but the principles of meeting customer requirements, planning and design, management review, internal audit and improvement are the same. So they defined a “standard for the standards”, variously known as the “Higher Level Structure”, “Annex SL” and now “Annex L” (see our earlier blog on this), and started using it from the launch of ISO22301 back in 2012. So the headings and much of the content are exactly the same between ISO9001 and ISO/IEC 27001.
So, from our experience, does this really make it easier to adapt an Information Security Management System (ISMS) into a more general management system that complies with ISO9001? In a word, yes! OK, you have to tweak a few documents so that they apply not just to information security (we have generally replaced the term “ISMS” with “management system”), but the processes and procedures we have in place to manage our information security have proven to be just as applicable to the management of the business and its quality as we had hoped. This is good news for simplicity, and good news for the amount of time we had to spend on combining the management systems.
But let’s not forget that ISO9001 is still a different standard with its own specific requirements; you can’t just change a few words in your ISMS and say “OK, that’s ISO9001 done”. This is where the benefits of the ISO9001 standard start to come through, both on its own and in the way it enhances our existing ISO/IEC 27001 procedures and controls. ISO9001 is about understanding the business and the processes it uses to achieve what it does, whether that’s making products or delivering services, or both. The exercise of defining our business processes and the more detailed procedures that support them has already been very useful in spotting things we can do better, tasks we can automate or avoid the need for completely, and areas we can safely outsource. This analysis helps to further improve our security too, because the better you understand a process, the more effectively you can secure it.
If you’re an organization that already has a management system certification like ISO/IEC 27001 or ISO 14001 and you’re thinking about adopting ISO9001 as well, our advice would be to go for it. Alternatively, if you already have ISO9001 and you’re thinking about going for ISO/IEC 27001, ISO 22301 or ISO 14001 (or any of the others) certification, then there are real benefits in starting to think now about how you can adapt your ISO9001 management system to cater for other areas, well before your customers or regulators tell you that you have to.
We’re now planning to combine our certifications under BSI, so we’ll let you know in further blog posts how we’re getting on with that process.