Key areas of overlap to help you harmonize workstreams.
The compliance universe is ever-expanding. In addition to various information security requirements, often including ISO 27001, business partners are increasingly asking their SaaS vendors to align to ISO 9001, the international quality standard.
Companies may initially balk at this requirement. But if you have implemented or will implement an ISO 27001 program, can it help your SaaS company achieve ISO 9001 certification?
The answer is yes! Companies can actually save time by targeting the additional ISO 9001 requirements for each element below rather than starting anew when addressing these topics.
As we will explore in this blog, there are several areas of overlap where processes and documentation developed for ISO 27001 can help ease the process of ISO 9001 implementation. Specific areas to target when adding ISO 9001 are described for each common area.
For the purposes of this blog, we will assume that readers have already implemented an ISO 27001 program and are considering ISO 9001 implementation. For companies that have not already implemented ISO 27001, this may still be used as guidance on areas that should be addressed in tandem to avoid duplication of efforts.
Management System Elements
All ISO standards are structured as management systems. Clauses 4-10 of both ISO 9001 and ISO 27001 describe the Quality Management System and Information Security Management System requirements, respectively. The management system is used to govern all activities and processes within the particular discipline to ensure organizational objectives are met.
When conforming to multiple management systems, it is common to adopt an Integrated Management System (IMS) that addresses the management requirements of each distinct system. Multiple commonalities may be immediately identified between the standards, including:
- Definition of organizational context, including internal and external factors affecting the organization (Clause 4);
- Demonstration of management’s commitment to the success of the management system (Clause 5);
- Risk assessment and strategic planning (Clause 6);
- Internal audit, management review, and continual improvement (Clauses 9 and 10).
An IMS can address these common areas, thus avoiding the need to update and coordinate two documents when a change is made. In addition, governance structures such as the Information Risk Council or ISMS Steering Committee may be combined with a separate Quality Management Council to jointly govern both management systems, assuming there is reasonable overlap between the stakeholders for each.
Organizational Knowledge (ISO 9001 Clause 7.1.6 and ISO 27001 Annex A.12.1.1)
ISO 27001 Annex A.12.1.1 requires operating procedures to be documented and made available for all users who need them. ISO 9001 Clause 7.1.6 requires organizations to determine and document all knowledge necessary for the performance of processes. In both cases, the requirements are intended to:
- Avoid the accumulation of “organizational knowledge” that is known but not formally documented;
- Ensure consistency of processes.
Efforts to develop documented procedures to meet ISO 27001 requirements will help an organization establish a baseline for ISO 9001. To further mature procedures for ISO 9001 implementation, organizations should consider the completeness of the procedures library and whether all procedures supporting product quality have been documented.
Change Management (ISO 9001 Clauses 8.3, 8.6, and 8.7 and ISO 27001 Annex A.14.2)
A central element of both standards is an appropriate change management process. Although ISO 9001 requires control of the entire design and development process, its primary concern is clear definition of design requirements and verification of process outputs.
Clause 8.6 further specifies that products should not be released until conformity to requirements is verified. This is often done through build testing prior to deployment.
Clause 8.7 also requires nonconforming outputs, which can include software bugs, to be documented and resolved.
ISO 27001 contains detailed requirements for secure development, technical reviews, and security and acceptance testing. Thus, there is a great degree of overlap between the two standards.
To ensure ISO 9001 requirements are met, organizations should evaluate the clarity of product requirements prior to development, and subsequently verify these requirements at the end of the process. Specific review procedures should be defined, and results of the reviews documented.
Vendor Management (ISO 9001 Clause 8.4 and ISO 27001 Annex A.15)
Both standards contain detailed guidance on the control of outsourced suppliers. The specifics of each track the goal of the respective standard. That is, the ISO 9001 requirements address ensuring quality of service, while ISO 27001 addresses information security requirements for suppliers.
ISO 9001 requirements include evaluating vendor quality prior to vendor selection, defining and communicating requirements for vendor outputs, establishing controls to ensure vendors meet organizational quality requirements, and performing ongoing quality reviews over vendors.
An ISO 27001 supplier management program will give organizations the basic tools needed to implement the requirements of ISO 9001, such as initial and ongoing vendor due diligence. To meet the ISO 9001 standard, these processes should specifically include consideration of the vendor’s performance against organizational quality requirements.
In addition, standards for quality and for service acceptance should be clearly detailed in vendor contracts. Internal processes should also define criteria for review prior to acceptance.
While implementation of an ISO 9001 Quality Management System should not be underestimated, the items described above are areas where previous ISO 27001 efforts can enable implementation of a QMS.
Curious about ISO 9001 and ISO 27001? Contact us here for more information.