
White Paper

Integrating ISO 9001 and ISO 27001 to Enhance Regulatory Compliance

Executive Summary

For organisations seeking compliance with more than one management standard, satisfying multiple legal and regulatory requirements is a challenge. Increased time and effort, the duplication of effort and increased resource expenditure are only some of the consequences of segregating the management of compliance actions and activities.

Solutions that enable the adoption of a holistic approach to compliance management enable radical reductions in the time required to achieve certification to standards, and dramatically decrease the duplication of effort in satisfying legal and regulatory requirements. By adopting an integrated approach to compliance management, compliance with standards, including ISO 9001 and ISO 27001, can be achieved, as well as enhancing the maintenance and improvement of quality and information security.

This paper examines the operational challenges faced by organisations in extending an ISO 9001-certified quality management system (QMS) to manage information security and achieve certification to ISO 27001, and explores solutions that enable an integrated approach to the management of compliance with the legal and regulatory requirements of both ISO 9001 and ISO 27001.

Introduction
In today’s global economy, organisations must comply with the requirements of an increasing number of national and international laws and regulations. However, in managing compliance with legal and regulatory requirements, organisations must also identify and address the risks that come with complying with numerous laws and regulations, such as increasing duplication of time, effort and cost, to the extent achievable without the costs outweighing the benefits.

With the penalties for failing to comply with laws and regulations also increasing, achieving compliance with legal and regulatory requirements is increasingly important for organisations in reducing time and effort, reducing the duplication of effort and reducing resource expenditure. However, the lack of harmonisation at national and international levels has resulted in multiple overlapping legal and regulatory requirements.

International standards such as ISO 9001 enable organisations to meet multiple overlapping legislative and regulatory requirements by providing the framework for a formal management system. However, having identified the common requirements for regulatory compliance, organisations may need to conform with more than one management system in order to comply with all the laws and regulations that apply to them.

By implementing a management system within a legislative and regulatory framework such as ISO 9001, organisations can demonstrate compliance and reduce exposure to risk. In addition, by extending an existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS), organisations can enhance their compliance and achieve improvement throughout the organisation.

Extending an existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS) enables organisations to comply with an increasing number of legal and regulatory requirements and enables the adoption of an integrated approach to compliance management.

By reducing duplication between multiple standards, an integrated approach to compliance management enables organisations to conform with more than one management system, lowering costs, avoiding duplication and increasing effectiveness throughout the organisation.

Extending an existing quality management system to encompass the requirements of an information security management system enables organisations to adopt an integrated approach to compliance management. The need to manage multiple legal and regulatory requirements drives the adoption of an integrated approach to compliance management: identifying and cost-effectively satisfying common requirements for legislative and regulatory compliance.

By adopting an integrated approach to compliance management, organisations can assure customers, certification bodies and regulatory authorities that systems and controls satisfy an increasing number of legal and regulatory requirements, as well as demonstrate compliance with standards, including ISO 9001 and ISO 27001, to enhance both customer satisfaction and competitive advantage.

Q-Pulse is a registered trademark of Gael Products Ltd. All rights reserved worldwide. Copyright © 2012 Gael Products Ltd. QPM-35


Extending a QMS to encompass the requirements of an ISMS

At national and international levels, the increasing number of legal and regulatory requirements with which organisations must comply requires organisations to implement more than one management system. By extending an existing quality management system (QMS), organisations can encompass the requirements of an information security management system (ISMS) and avoid duplicating time, effort and cost in its implementation.

For ISO 9001-certified organisations competing in a global marketplace, maintaining and improving
the quality of processes is no longer enough in meeting and exceeding the requirements of the
customer: organisations must also maintain and improve the confidentiality, integrity and availability of
the information on which people, technologies and processes depend.

In today’s global economy, the drive to implement information security controls and/or certification
to ISO 27001 continues: with security breaches remaining at historically high levels, a combination
of failings between people, processes and technologies cost businesses in the UK alone billions of
pounds in the last year. (Source: Information Security Breaches Survey 2012)

The inefficient and ineffective management of information security increasingly exposes business
to threats, from viruses and unauthorised access to inappropriate use and theft: 93% of large
organisations surveyed recently had been the victims of a security breach in the last year, with 76% of
small businesses suffering the same fate. (Source: Information Security Breaches Survey 2012)

With organisations required to comply with an increasing number of national and international laws
and regulations, the penalties for failing to do so are also increasing: the world’s second-largest
banking and financial services group was recently fined more than £3 million for exposing customers
to risk, following the loss of media on which details of almost 200,000 customers were stored.

For organisations competing in a global marketplace, meeting and exceeding customer expectations
is increasingly important in achieving a competitive advantage. Organisations that store confidential
customer details can meet and exceed present and future customer expectations and safeguard the
security of customer information by extending their existing quality management system (QMS) to
encompass the requirements of an information security management system (ISMS).

ISO 27001 enables organisations to comply with multiple overlapping legal and regulatory requirements, such as US Sarbanes-Oxley legislation, EU BASEL II regulations and UK FSA requirements. ISO 27001 offers formal systems and controls for managing information security around a framework of best practice, enabling organisations to demonstrate information security processes that meet an international standard to certification bodies and regulatory authorities, and to assure customers of the confidentiality, integrity and availability of information.

Regulatory compliance also enables organisations to increase the ownership and transparency of information security: 64% of US businesses surveyed report that compliance improved security at their organisation and 48% report that upper management made security a higher business priority as a result. (Source: CSI Computer Crime and Security Survey 2010/2011)


In addition, by providing systems and controls for managing information security, ISO 27001 enables
organisations to harmonise multiple compliance activities and management systems; the alignment of
clauses between ISO 27001 and ISO 9001, such as document management requirements, enables
organisations to develop a management system that can harmonise the compliance activities of both
management standards and that can also be externally certified to both.

For organisations that already have a certified QMS in place, the ISMS can be integrated with the
existing QMS, as the numbering systems and document management requirements of both ISO 9001
and ISO 27001 have been designed to enable organisations to develop management systems that
integrate the requirements of both standards: for example, clauses 4.3, 4.3.2 and 4.3.3 of ISO 27001,
which specify systems and controls for documentation, document control and records respectively, can
be met by extending the documentation control requirements of the existing ISO 9001 QMS.

Organisations can provide assurances to both the business and its partners that information security
is protected, as well as removing barriers to trade, and offering competitive advantage in markets in
which legislative and regulatory requirements relate to the protection of information security.

By extending an existing QMS to encompass the requirements of an ISMS, organisations can achieve
compliance to an internationally-recognised standard, which also enables compliance with several
regional legal and regulatory requirements. In addition, organisations can demonstrate the increased
security in place around their information to internal and external auditors, as well as their customers,
enhancing the QMS by meeting and exceeding customer expectations to achieve and retain customer
satisfaction.

In extending an existing management system to encompass the requirements of an information security management system, organisations can dramatically decrease duplication of effort as well as short- and long-term one-off and on-going costs, and increase return on investment (ROI).

By adopting a holistic approach to managing quality and information security, organisations can
integrate the processes common to both ISO 9001 and ISO 27001, such as document and record
control, corrective and preventive action, audits and management review.

With a management system that integrates a holistic approach to compliance with international best
practice, organisations can demonstrate compliance with both standards to customers, certification
bodies and regulatory authorities. In addition, by integrating the management of quality and
information security, organisations can demonstrate both the quality and security of their quality and
information security processes, as well as achieve significant competitive advantage.

Solutions that enable the adoption of an integrated approach to compliance management enable
radical reductions in the time required to achieve certification to standards, and dramatically decrease
the duplication of effort in satisfying legal and regulatory requirements. By putting an integrated
compliance management solution into place, organisations can achieve compliance with ISO 9001
and ISO 27001 and enhance the maintenance and improvement of quality and information security.


Compliance Management Solutions in an Integrated Approach

Extending an ISO 9001-certified management system to encompass ISO 27001 enables organisations to demonstrate compliance with numerous legal and regulatory requirements as well as to integrate a holistic approach to compliance management with international best practice.

However, managing multiple on-going compliance activities can result in increased exposure to
risk, increased duplication of effort and increased compliance and operational costs. In addition,
segregating compliance activities reduces ROI and increases costs associated with exposure to risk
as well as compliance with future legal and regulatory requirements.

By putting in place a comprehensive management system that demonstrates best practice in both quality and information security management, organisations adopting a holistic approach to compliance can reduce the duplication of effort that multiple on-going compliance activities incur, and can more closely integrate compliance activities to reduce gaps between systems and controls.

Integrating compliance management systems enables effective risk and cost management while
enabling continual improvement. By reducing operational risks and reducing duplication, integration
enables the reduction of compliance and operational costs, as well as enabling future requirements to
be met with reduced costs. In addition, by leveraging value from a project that is perceived as a cost,
integration enables ROI that considers costs associated with compliance and potential risks.

This approach also provides a foundation for extending the management system further to encompass
additional standards, such as ISO 20000, as well as enabling organisations to build towards corporate
governance. Implementing best practice also demonstrates compliant systems and controls to
certification bodies and regulatory authorities, and assures customers of both the quality of processes
and the security of information; in addition, it provides an extended system in which all information
critical to business can be continually analysed to improve quality and security throughout the
organisation.

By implementing an electronic solution to streamline compliance activities, an integrated compliance management solution enables organisations to reduce the time, effort and cost spent certifying to ISO 27001, and to establish a foundation for corporate governance.

By adopting a holistic approach to managing quality and information security, organisations can integrate the processes common to both ISO 9001 and ISO 27001, such as document and record control, corrective and preventive action, audits and management review.

With a solution that integrates compliance management with document and process management, organisations can put effective systems and controls in place to:

▪ automate their compliance activities to reduce the time, effort and cost spent extending their existing quality management system
▪ encourage interaction throughout the organisation to enhance ownership of the ISMS, and
▪ streamline their certification activities to establish a foundation for corporate governance.


Integrated compliance management – the Q-Pulse advantage

For organisations seeking compliance with more than one management standard, satisfying multiple
legal and regulatory requirements is of paramount importance. With an integrated solution, compliance
with ISO 9001 and ISO 27001 can be achieved, as well as enhancing the maintenance and
improvement of quality and information security.

With Q-Pulse from Gael, your business can integrate compliance-related processes and activities
through a streamlined, standardised framework in order to comply with an increasing number of legal
and regulatory requirements and adopt an integrated approach to compliance management.

From documenting and distributing policies and procedures to identifying opportunities for continuous
improvement, Q-Pulse enables you to radically reduce the time required to achieve certification
to standards, and dramatically decrease the duplication of effort in satisfying legal and regulatory
requirements.

And by adopting a holistic approach to compliance management throughout the enterprise with
Q-Pulse, your business can drive long-term stability and growth and firmly anchor compliance in the
corporate culture, beyond meeting minimum legal standards to present opportunities for further growth
and improvement.

7 Simple Steps to Compliance

The Q-Pulse Integrated Management Framework comprises 7 simple steps:

1. Define and document

Define and document the scope of your system, policies and procedures, all with appropriate Document Control.

By automating the document control process, your business can secure greater buy-in from stakeholders and participants to radically reduce approval cycle times, and ensure that all compliance-related documents and records can be accurate, reliable and continuously updated.

[Figure: The Q-Pulse Integrated Management Framework]

And together with secure, centralised access to the policies and procedures that support your compliance systems, your business can ensure that all management and staff can be aware of and acknowledge their responsibilities in complying with multiple legal and regulatory requirements.


2. Publish and distribute

Publish and distribute your management system to all appropriate personnel, via secure web access, including supply chain.

By extending its compliance systems to stakeholders and participants throughout the enterprise,
your business can ensure management and staff understand their role in maintaining legal and
regulatory compliance and in actively participating in controlling and minimising risk.

And by automatically notifying management and staff of overdue or upcoming compliance actions, your business can significantly increase the visibility and control of its compliance systems and achieve greater ownership and transparency of compliance-related information.

3. Train and develop staff

Create a framework to demonstrate staff competence and capability and therefore train and develop staff.

By reviewing training needs against policy requirements and person specifications, your
business can make sure that all staff have the relevant expertise and experience in order to
contribute to its understanding of its operations, and to actively participate in controlling and
minimising risk.

And with the ability to automatically identify all staff impacted by changes to compliance-related
documents, you can schedule relevant procedure-based training, to develop and encourage
adherence to best practice that is consistent with your existing corporate culture.

4. Verify compliance

Verify compliance of your policies and procedures through regular internal audit and demonstrate adherence to legislation.

By integrating all audit programmes within a streamlined, standardised framework, your business can track and continuously monitor all compliance-related information across the enterprise to reduce audit cycle times and to dramatically drive down compliance costs.

And by centrally managing all external, internal and third-party audits, you can measure
ongoing compliance-related performance to deliver assurance over the business’ key risks
and demonstrate legal and regulatory compliance to customers, regulatory authorities and
certification bodies.

5. Capture issues, non-conformances and complaints

Capture issues, non-conformances and complaints, create action plans and track through to completion, all within a single integrated system.

By extending its reporting system throughout the enterprise, your business can ensure that all
management and staff can report compliance-related issues, non-conformances and complaints
through a standardised framework that improves subsequent investigation and analysis.

And by centrally managing all corrective action plans, you can automatically notify all
stakeholders and participants of upcoming and overdue compliance-related actions in order to
ensure compliance with all legal and regulatory requirements, to accelerate time to completion
and prevent recurrence.


6. Analyse audits and issues

Analyse audits and issues, incidents, occurrences and audit findings and determine the root cause with detailed graphical analysis.

By analysing all compliance-related information across the enterprise, your business can
identify root causes and trends to ensure that compliance-related policies and procedures meet
and exceed legal and regulatory requirements through regular internal and external evaluation.

And by learning from issues, non-conformances and complaints across the enterprise, your
business can identify opportunities to improve its compliance systems in order to contribute
to the continuous improvement of compliance, to control and minimise key risks and to create
greater business value.

7. Improve and grow

Improve and grow by identifying trends and concerns, highlighting costly repeat issues and implementing improvement projects.

By improving the visibility and control of its compliance-related information and systems, your
business can encourage all management and staff to contribute to a shared understanding of its
operations, in order to reduce business risk and take advantage of growth opportunities.

And by putting a foundation in place for stability and growth, your business can build a corporate
culture that encourages adherence to internationally-recognised best practice, and which
contributes significantly to the continual improvement of legal and regulatory compliance across
the enterprise.


Conclusion
In today’s global economy, organisations must comply with the requirements of an increasing number
of national and international laws and regulations. International standards such as ISO 9001 enable
organisations to meet multiple overlapping legislative and regulatory requirements by providing the
framework for a formal management system.

Extending an existing quality management system (QMS) to encompass the requirements of an information security management system (ISMS) enables organisations to comply with an increasing number of legal and regulatory requirements and enables the adoption of an integrated approach to compliance management.

For ISO 9001-certified organisations competing in a global marketplace, implementing an electronic solution to streamline compliance activities enables them to reduce the time, effort and cost spent certifying to ISO 27001, and to establish a foundation for corporate governance.

With a solution that integrates compliance management with document and process management,
organisations can put effective systems and controls in place to:

▪ automate their compliance activities to reduce the time, effort and cost spent extending their existing quality management system
▪ encourage interaction throughout the organisation to enhance ownership of the ISMS, and
▪ streamline their certification activities to establish a foundation for corporate governance

For more information contact us now at
info@gaelquality.com

Gael Ltd.
Orion House,
S.E. Technology Park,
East Kilbride,
Scotland G75 0RD

t: +44(0)1355 593400
f: +44(0)1355 579191
e: info@gaelquality.com
w: www.gaelquality.com
