Integration of ISO 27001:2022 ISMS into an ISO QMS
ISO integration (sometimes referred to as an “integrated management system”) occurs when an organization combines or merges components of multiple ISO management system standards. This has become more common as the number of management systems and International Standards has grown, and it is driven by the desire of organizations to improve performance across a wide range of business activities.
An organization integrating the ISMS and QMS standards will find that some requirements are identical, some are similar, and others are unique to each standard. Requirements that are identical or similar can be integrated (or combined) to achieve efficiency.
A common example is Management Review. Both ISMS and QMS require Management Review, and some of the mandatory inputs and outputs are identical or similar. An organization could choose to write two separate procedures: one for ISMS Management Review and one for QMS Management Review. With efficient integration, however, an organization writes only one procedure that captures both the ISMS and QMS Management Review requirements, listing each identical requirement only once.
Understanding the Two Management Systems
ISO 27001 is a set of requirements for an Information Security Management System (“ISMS”). Likewise, ISO 9001 is a set of requirements for a Quality Management System (“QMS”). Other Quality Management Systems, such as AS9100, AS9110, and AS9120 (aerospace), ISO 13485 (medical devices), and IATF 16949 (automotive), are based on the ISO 9001 QMS with additional requirements specific to the industry (“QMS9”).
When effectively implemented, an ISMS provides customers, employees, and key interested parties with assurance that data and information entrusted to an organization is managed securely. ISO 27001 does not prescribe specific technical measures; it requires the organization to select controls through risk assessment and risk treatment. In practice this means personal data (such as PII) is protected by controls commonly including encryption at rest, and data in transit is moved over protected channels to prevent interception or unauthorized access.
When effectively implemented, a QMS provides customers, employees, and key interested parties with assurance that quality is planned and applied to designing, manufacturing, and delivering products and services, and that the customer is the focus of business activities (customer requirements, customer feedback, and customer focus).
Both ISO 27001 and the QMS9 standards have transitioned to the current ISO harmonized structure for management system standards (Annex L, formerly known as Annex SL). As a result, both standards share the same clause numbering and titles, and the requirements in clauses 4 through 10 may be subject to audit in order to attain certification.
The common layout / clauses include:
Table 1 – Common Layout / Clauses

| Clause | Title | Subject to audit? |
|---|---|---|
| 1 | Scope | No |
| 2 | Normative References | No |
| 3 | Terms and Definitions | No |
| 4 | Context of the Organization | Yes |
| 5 | Leadership | Yes |
| 6 | Planning | Yes |
| 7 | Support | Yes |
| 8 | Operation | Yes |
| 9 | Performance Evaluation | Yes |
| 10 | Improvement | Yes |
While the clauses and their titles are identical, the requirements in each clause may, or may not, be identical or similar.
Appendices (the Annex)
Both ISO 27001 and QMS9 systems have appendices, which are identified in ISO terminology as an “Annex.” Unlike the clauses, the annex of each standard is different. The two tables below identify the annex sections of each standard.
Table 2 – ISMS Annex

| Annex | Title | Subject to audit? |
|---|---|---|
| A | Information Security Controls Reference | Yes (normative) |
Table 3 – QMS9 Annex

| Annex | Title | Subject to audit? |
|---|---|---|
| A | Clarification of New Structure, Terminology, and Concepts | No (informative) |
| B | Other International Standards on Quality Management and Quality Management Systems Developed by ISO/TC 176 | No (informative) |
ISMS Annex A
As noted above, a critical distinction between ISMS and QMS9 is that ISMS Annex A is normative: it contains the reference set of information security controls that are subject to audit. Clause 6.1.3 of ISO 27001 requires you to compare the controls you selected during risk treatment against Annex A, to confirm that no necessary control has been omitted, and to record the result in the Statement of Applicability. The QMS9 annexes are informative only. If you are an existing QMS9 organization that is integrating ISMS, ensure you do not overlook ISMS Annex A.
Notable Differences in ISMS
Statement of Applicability – The Statement of Applicability (SoA) is a document unique to the ISMS and is required by ISO 27001:2022 (clause 6.1.3). It lists every control in Annex A (93 controls in the 2022 edition, grouped into organizational, people, physical, and technological themes), states whether each control is applicable, gives the justification for including or excluding it, and records whether it is implemented. Auditors use the SoA to trace from the risk assessment to the controls actually in place, so it must be kept consistent with the risk treatment plan.
Risk Management – Risk management is a fundamental process required by ISO 27001. ISMS Section 6 addresses planning the risk management process: actions to address risks and opportunities (6.1.1), defining the information security risk assessment process, including risk acceptance criteria (6.1.2), and defining the risk treatment process and producing the Statement of Applicability (6.1.3). ISMS Section 8 addresses execution of that plan: performing risk assessments at planned intervals or when significant changes occur (8.2), implementing the risk treatment plan (8.3), and retaining documented results of both.
Risks and opportunities are also addressed in QMS9 systems, but more lightly. QMS9 Section 6 requires the organization to determine risks and opportunities, plan actions to address them, integrate those actions into its processes, and evaluate their effectiveness, and Section 9 requires Management Review to consider the effectiveness of those actions. There is, however, no requirement for a defined risk assessment methodology, risk acceptance criteria, a risk treatment plan, or retained risk assessment results, all of which ISO 27001 requires. An organization integrating ISMS into an existing QMS9 should therefore expect to add a formal risk assessment and treatment process rather than reuse the QMS9 approach as-is.
Benefits of Integration
By integrating ISMS and QMS9, organizations offer assurance to customers and key parties that quality is integrated into processes, including the importance of securing data and information in an age of ever-growing cybersecurity concerns. Benefits of integration can include:
- Holistic management system approach, including integrated processes, streamlined use of resources, and reduced administrative burdens.
- Security and quality, evidenced by simultaneous certification of security management and quality management activities.
- Increased marketability, including confidence from existing and potential customers that your organization can protect data, reduce risks, and deliver quality in products and services.
An organization that properly implements this integration should be able to establish an effective, integrated ISMS-QMS system. However, this does not guarantee your organization will achieve QMS9 certification or ISMS certification. Certification depends upon multiple variables, including such essential activities as committed leadership, review (including Management Review), analysis (including possibly statistical analysis), continual improvement, and effective internal auditing.
Other Key Processes
Below are several additional processes that are largely unique to ISO 27001 and therefore not commonly found in an existing QMS9 system.
IS / IT Policy
P-602 (IS / IT Policy) provides standard Information Security (IS) and Information Technology (IT) policies and processes applicable to ISO 27001. Many of the provisions in P-602 help fulfill and address controls in the Statement of Applicability (SoA).
If your organization has an established IT department with existing processes, your IT professionals should review the IS / IT Policy document to ensure either (1) existing processes conform to the IS / IT Policy document, or (2) the IS / IT Policy document is amended to conform to your existing processes. If you alter the IS / IT Policy document, consider the possible impacts, including how you will respond to SoA requirements: a provision removed or weakened to match existing practice may be one that the SoA declares applicable or that the risk treatment plan relies on, so re-check the affected SoA entries and their justifications after any change.
Data Classification
Data Classification (P-801) establishes a system of classification for your electronic data and documentation. If your organization has an established data classification process, review the Data Classification document and determine whether you need to amend it to conform to your existing classification scheme. If you alter the Data Classification document, consider the possible impacts, including how you will respond to and fulfill SoA requirements, since classification levels drive the handling, labeling, and access rules that several Annex A controls expect.
Measurement and Analysis
A Measurement and Analysis (M&A) procedure is provided (P-901). Implementing the processes defined in the M&A procedure helps you meet the monitoring, measurement, analysis, and evaluation requirements of ISO 27001 clause 9.1, which requires you to determine what will be monitored and measured, the methods used, when and by whom it is done, and to retain the results as documented information.
It is highly likely that an existing QMS organization has M&A activities, measures, and reporting. It is possible an existing QMS organization uses KPIs. If so, integrate the ISMS KPIs into your existing QMS M&A program.
An organization is free to use P-901 and add its own measures to the KPI Template.
Information Assets
It is important to note that information is treated as an asset in ISO 27001, and Annex A control 5.9 expects an inventory of information and other associated assets, each with an owner. If this is applicable to your organization, use F-600 to identify and track information assets.
It is not uncommon for an existing QMS organization to track assets. However, QMS organizations typically track production assets, such as production equipment, parts in inventory, calibrated equipment, etc. ISMS requires tracking of information-related assets. What counts as an information-related asset varies from organization to organization. Examples may include laptops, tablets, and phones (endpoint devices), servers, switches, storage media, software and cloud services, and the information itself (databases, records, source code).
If your existing QMS tracks assets, consider adding information-related assets to your existing process, making sure each entry records an owner and a classification. If not, implement asset tracking with the assistance of F-600.