Mitigating Risk by Protecting your Data and Information


Cristian Dragnef, Lead Auditor, BSI, Herndon, VA, USA

Co-Presenter: Katie Warlick, Business Development Management, BSI Group, Herndon, VA, USA


High Risk Audits, Improved Audit Tools, Process Auditing, Risk-Based Thinking

The revised version of ISO 9001, and corresponding industry-related standards like the AS9100-series and IATF 16949, ensured that risk and quality are woven throughout the management system and the organization. Today, one of the greatest risks organizations face is a cyber-attack. Data breaches and unauthorized access can jeopardize not only the quality of the product, but the proprietary intellectual property that makes the product unique. With GDPR and the other privacy protection regulations now in place, failure to recognize or report a breach can also be financially catastrophic.

With ISO’s new High-Level Structure, incorporating an information security framework within the quality management system has never been easier, nor more necessary.

The common structure facilitates integrating information security with the quality management system and enables the organization to increase compliance. This holistic approach allows for greater flexibility to meet increasing regulatory and legislative requirements.

Applying a robust system for managing information can protect an organization and reduce risk. ISO/IEC 27001 provides the framework necessary to protect product quality and can offer additional business benefits. Recent surveys reveal that of those who have adopted the ISO/IEC 27001 framework:

  • 80% have advised it inspires trust in their business
  • 75% believe it reduces business risk
  • 71% believe it protects their business

An integrated system reduces the duplication of efforts and streamlines common processes such as documentation and record control, internal audits, management review, control of non-conformances and the management of corrective action.

Certification to both ISO 9001 and ISO/IEC 27001 requires commitment and involvement from the organization’s leadership team. Top management are responsible for the system’s effectiveness and for making sure the whole organization understands how each person contributes. Creating a culture in which the importance of information security and quality is promoted and embraced avoids confusion and provides clarity.

ISO/IEC 27001 and ISO 9001 both help organizations to identify and manage risks relevant to their management system and to continually evaluate its effectiveness. This is particularly important when technology is constantly changing and new threats can arise suddenly.

Achieving certification to both ISO 9001 and ISO/IEC 27001 demonstrates that an organization has taken the necessary steps to safeguard the quality of its product and the data that makes it possible. It shows “due diligence” and a “standard of care”, which creates trust with customers, investors and other stakeholders.