Executive Summary
Introduction
In today’s global economy, organisations must comply with the requirements of an increasing number of national and international laws and regulations. In managing compliance with these legal and regulatory requirements, organisations must also identify and address the risks that arise from complying with numerous laws and regulations at once, such as growing duplication of time, effort and cost, and they must do so to the extent that is achievable without the costs outweighing the benefits.
International standards such as ISO 9001 enable organisations to meet multiple overlapping legislative
and regulatory requirements by providing the framework for a formal management system. However,
having identified the common requirements for regulatory compliance, organisations may need to
conform with more than one management system standard in order to comply with all of the laws and
regulations that apply to them.
Q-Pulse is a registered trademark of Gael Products Ltd. All rights reserved worldwide. Copyright © 2012 Gael Products Ltd. QPM-35
Page 2 of 10
Integrating ISO 9001 and ISO 27001 to Enhance Regulatory Compliance White Paper
For ISO 9001-certified organisations competing in a global marketplace, maintaining and improving
the quality of processes is no longer enough to meet and exceed the requirements of the
customer: organisations must also maintain and improve the confidentiality, integrity and availability of
the information on which people, technologies and processes depend.
In today’s global economy, the drive to implement information security controls and/or certification
to ISO 27001 continues: with security breaches remaining at historically high levels, a combination
of failings between people, processes and technologies cost businesses in the UK alone billions of
pounds in the last year. (Source: Information Security Breaches Survey 2012)
The inefficient and ineffective management of information security increasingly exposes business
to threats, from viruses and unauthorised access to inappropriate use and theft: 93% of large
organisations surveyed recently had been the victims of a security breach in the last year, with 76% of
small businesses suffering the same fate. (Source: Information Security Breaches Survey 2012)
With organisations required to comply with an increasing number of national and international laws
and regulations, the penalties for failing to do so are also increasing: the world’s second-largest
banking and financial services group was recently fined more than £3 million for exposing customers
to risk, following the loss of media on which details of almost 200,000 customers were stored.
For organisations competing in a global marketplace, meeting and exceeding customer expectations
is increasingly important in achieving a competitive advantage. Organisations that store confidential
customer details can meet and exceed present and future customer expectations and safeguard the
security of customer information by extending their existing quality management system (QMS) to
encompass the requirements of an information security management system (ISMS).
In addition, by providing systems and controls for managing information security, ISO 27001 enables
organisations to harmonise multiple compliance activities and management systems; the alignment of
clauses between ISO 27001 and ISO 9001, such as document management requirements, enables
organisations to develop a management system that can harmonise the compliance activities of both
management standards and that can also be externally certified to both.
For organisations that already have a certified QMS in place, the ISMS can be integrated with the
existing QMS, as the numbering systems and document management requirements of both ISO 9001
and ISO 27001 have been designed to enable organisations to develop management systems that
integrate the requirements of both standards: for example, clauses 4.3, 4.3.2 and 4.3.3 of ISO 27001,
which specify systems and controls for documentation, document control and records respectively, can
be met by extending the documentation control requirements of the existing ISO 9001 QMS.
Organisations can thereby provide assurance to both the business and its partners that information
security is protected, remove barriers to trade, and gain competitive advantage in markets in which
legislative and regulatory requirements relate to the protection of information security.
By extending an existing QMS to encompass the requirements of an ISMS, organisations can achieve
compliance to an internationally-recognised standard, which also enables compliance with several
regional legal and regulatory requirements. In addition, organisations can demonstrate the increased
security in place around their information to internal and external auditors, as well as their customers,
enhancing the QMS by meeting and exceeding customer expectations to achieve and retain customer
satisfaction.
By adopting a holistic approach to managing quality and information security, organisations can
integrate the processes common to both ISO 9001 and ISO 27001, such as document and record
control, corrective and preventive action, audits and management review.
With a management system that integrates a holistic approach to compliance with international best
practice, organisations can demonstrate compliance with both standards to customers, certification
bodies and regulatory authorities. In addition, by integrating the management of quality and
information security, organisations can demonstrate both the quality and the security of their
processes, as well as achieve significant competitive advantage.
Solutions that enable the adoption of an integrated approach to compliance management enable
radical reductions in the time required to achieve certification to standards, and dramatically decrease
the duplication of effort in satisfying legal and regulatory requirements. By putting an integrated
compliance management solution into place, organisations can achieve compliance with ISO 9001
and ISO 27001 and enhance the maintenance and improvement of quality and information security.
However, managing multiple on-going compliance activities can result in increased exposure to
risk, increased duplication of effort and increased compliance and operational costs. In addition,
segregating compliance activities reduces ROI and increases costs associated with exposure to risk
as well as compliance with future legal and regulatory requirements.
By putting a comprehensive management system in place that demonstrates best practice in both
quality and information security management, organisations adopting a holistic approach to compliance
can reduce the duplication of effort that multiple on-going compliance activities incur, and can more
closely integrate their compliance activities to reduce gaps between systems and controls.
Integrating compliance management systems enables effective risk and cost management while
enabling continual improvement. By reducing operational risks and reducing duplication, integration
reduces compliance and operational costs, and allows future requirements to be met at lower cost. In
addition, by extracting value from a project that would otherwise be perceived purely as a cost,
integration delivers a return on investment that accounts for both the costs of compliance and the
potential costs of risk exposure.
This approach also provides a foundation for extending the management system further to encompass
additional standards, such as ISO 20000, as well as enabling organisations to build towards corporate
governance. Implementing best practice also demonstrates compliant systems and controls to
certification bodies and regulatory authorities, and assures customers of both the quality of processes
and the security of information; in addition, it provides an extended system in which all information
critical to business can be continually analysed to improve quality and security throughout the
organisation.
For organisations seeking compliance with more than one management standard, satisfying multiple
legal and regulatory requirements is of paramount importance. With an integrated solution, compliance
with ISO 9001 and ISO 27001 can be achieved while also enhancing the maintenance and
improvement of quality and information security.
With Q-Pulse from Gael, your business can integrate compliance-related processes and activities
through a streamlined, standardised framework in order to comply with an increasing number of legal
and regulatory requirements and adopt an integrated approach to compliance management.
From documenting and distributing policies and procedures to identifying opportunities for continuous
improvement, Q-Pulse enables you to radically reduce the time required to achieve certification
to standards, and dramatically decrease the duplication of effort in satisfying legal and regulatory
requirements.
And by adopting a holistic approach to compliance management throughout the enterprise with
Q-Pulse, your business can drive long-term stability and growth and firmly anchor compliance in the
corporate culture, beyond meeting minimum legal standards to present opportunities for further growth
and improvement.
By extending its compliance systems to stakeholders and participants throughout the enterprise,
your business can ensure management and staff understand their role in maintaining legal and
regulatory compliance and in actively participating in controlling and minimising risk.
By reviewing training needs against policy requirements and person specifications, your
business can make sure that all staff have the relevant expertise and experience in order to
contribute to its understanding of its operations, and to actively participate in controlling and
minimising risk.
And with the ability to automatically identify all staff impacted by changes to compliance-related
documents, you can schedule relevant procedure-based training, to develop and encourage
adherence to best practice that is consistent with your existing corporate culture.
4. Verify compliance
Verify compliance of your policies and procedures through regular internal audit and
demonstrate adherence to legislation.
And by centrally managing all external, internal and third-party audits, you can measure
ongoing compliance-related performance to deliver assurance over the business’ key risks
and demonstrate legal and regulatory compliance to customers, regulatory authorities and
certification bodies.
By extending its reporting system throughout the enterprise, your business can ensure that all
management and staff can report compliance-related issues, non-conformances and complaints
through a standardised framework that improves subsequent investigation and analysis.
And by centrally managing all corrective action plans, you can automatically notify all
stakeholders and participants of upcoming and overdue compliance-related actions in order to
ensure compliance with all legal and regulatory requirements, to accelerate time to completion
and prevent recurrence.
By analysing all compliance-related information across the enterprise, your business can
identify root causes and trends to ensure that compliance-related policies and procedures meet
and exceed legal and regulatory requirements through regular internal and external evaluation.
And by learning from issues, non-conformances and complaints across the enterprise, your
business can identify opportunities to improve its compliance systems in order to contribute
to the continuous improvement of compliance, to control and minimise key risks and to create
greater business value.
By improving the visibility and control of its compliance-related information and systems, your
business can encourage all management and staff to contribute to a shared understanding of its
operations, in order to reduce business risk and take advantage of growth opportunities.
And by putting a foundation in place for stability and growth, your business can build a corporate
culture that encourages adherence to internationally-recognised best practice, and which
contributes significantly to the continual improvement of legal and regulatory compliance across
the enterprise.
Conclusion
In today’s global economy, organisations must comply with the requirements of an increasing number
of national and international laws and regulations. International standards such as ISO 9001 enable
organisations to meet multiple overlapping legislative and regulatory requirements by providing the
framework for a formal management system.
With a solution that integrates compliance management with document and process management,
organisations can put effective systems and controls in place to:
▪ automate their compliance activities to reduce the time, effort and cost spent extending their existing quality management system
▪ encourage interaction throughout the organisation to enhance ownership of the ISMS, and
▪ streamline their certification activities to establish a foundation for corporate governance
Integrating ISO 9001 and ISO 27001 to Enhance Regulatory Compliance
For more information contact us now at
info@gaelquality.com
Gael Ltd.
Orion House,
S.E. Technology Park,
East Kilbride,
Scotland G75 0RD
t: +44(0)1355 593400
f: +44(0)1355 579191
e: info@gaelquality.com
w: www.gaelquality.com