By Paul Raines, UN Development Programme, a 2014 CSO40 award recipient
At the CSO40 conference next week, I’ll be speaking on ISO 9001 and its application to information security. Pretty boring topic, huh? If I just had the legs and voice of Tina Turner, I think I could really get people to sit up and take notice -- albeit for the wrong reasons. But she's onto the right question: What's ISO 9001, an international standard of quality management, got to do with information security anyway?
For starters, ISO 9001 can be applied to any organization regardless of its vertical industry or position within that industry. That's because its focus is on producing quality services and products that satisfy client expectations regardless of what those particular services or products might be. Thus, I suppose it would be possible for a prostitution ring (only in those countries or jurisdictions where it is legal, of course) to become ISO 9001 certified as long as they had documented their procedures, tracked that their services met client expectations and shown that their organization was effective in meeting its goals. Just how ISO certification would factor into their marketing is left to the imagination of the reader.
Now, mind you, I'm not saying that a security group is like a prostitution ring (although there are some rare days where I might feel that way), but things like quality products and services, client satisfaction and unit effectiveness are things that a CISO should be concerned about. We, after all, are always being beaten up because we don't seem to understand the customer's needs or the business's needs.
Being ISO 9001 certified would be an indicator that client satisfaction was a clear priority. But be careful how you define the term "customer" here. Enforcing security is usually not synonymous with popularity—who ever heard of the hall monitor being elected class president? Thus, if the rules say you must have a password and "the customer" says no, that doesn't mean that the customer is always right and you waive the password requirement. Rather, the CISO must look at the organization’s executive management as their customer. In that context, customer satisfaction can be tracked through support of corporate security policies, security initiatives and the protection of the confidentiality, integrity and availability of the organization’s data.
A second reason for considering ISO 9001 is that it really isn't that difficult to achieve if an organization is already following ISO 27001. Here's a nerdy trivia question (I'll give you a moment to put on your thick, black-framed birth control glasses): what does Annex C at the back of the ISO 27001 standard show? Bing! Time's up. It shows the various provisions of the ISO 27001 standard and how they relate to and satisfy the corresponding provisions of ISO 9001. Thus, for example, both standards have sections dealing with things like management systems, documentation requirements, management commitment, resource management, audits, management reviews, continuous improvement and corrective/preventive actions. In fact, I would estimate that if an organization is already ISO 27001 certified, then they are already 75% compliant with ISO 9001. So, with just a little bit of extra effort you get two for the price of one.
Sure, you may say, but what is that "little bit of extra effort?" I'm glad you asked because that's my final point here. The extra effort entails documenting your procedures, defining what important records need to be preserved, tracking client satisfaction and gathering metrics to demonstrate unit effectiveness. These are all useful things for a CISO to have and cherish—especially since they may save your career.
In summary, I bet Tina Turner would sound great belting out the lyrics of why ISO 9001 has a lot to do with information security and is not just a second-hand standard.
Paul Raines is the Chief Information Security Officer for the United Nations Development Programme. In that capacity he is responsible for the information security and disaster recovery planning for the organization’s 177 locations around the world.
The United Nations Development Programme is a 2014 recipient of the CSO40 award, presented to 40 organizations for their security projects and initiatives that demonstrate outstanding business value and thought leadership. CSO40 winning organizations will be recognized—and many will be presenting their projects—at the CSO40 Security Confab + Awards event, to be hosted by CSO March 31-April 2. The UN Development Programme will be presenting on April 2.