ISO 9001 – A Key to Cybersecurity? (Part 2)



A few weeks ago, we posted a blog dissecting the various requirements of ISO 9001:2015 related to the “control of documented information” and addressed how cyberattacks can affect customers, management, employees and even regulatory compliance. Now that the value of information security has been established, we’ll discuss how to incorporate safe cybersecurity practices to further support your organization’s controls of documented information.

Following the Cybersecurity Framework established by the National Institute of Standards and Technology (NIST), there are five main steps to understanding and managing cyber risks:

  1. Identify the information that must be secured. This includes intellectual property owned by both the organization and its customers, such as math data files, drawings, product and process specifications, as well as business development, personnel and financial data. Broken down further, this step requires organizations to:
    • Inventory the information along with where it resides, whether that is on hardware such as desktop computers, servers, mobile devices and portable data storage devices, or within software. Consider where and how all information is accessible, especially with the recent increase in remote working (and the associated increase in cyber risk).
    • Account for all threats and vulnerabilities to the information. Common threats include ransomware (data held “hostage” for a price), phishing (seemingly benign emails used to steal credentials or information) and other malware such as viruses and worms. Vulnerabilities are weaknesses in assets that may be exploited. An example might be allowing employees to use USB drives to access work documents from multiple computers, providing an open door to viruses.
    • Perform a risk assessment. If the organization allows email access to many employees, for example, then phishing/spear-phishing attacks become a higher risk. A PC that still runs Windows XP may be vulnerable to exploitation because that operating system is no longer supported by Microsoft.
  2. Protect the identified information. The most common contributor to a successful data breach is human error. The recent move towards working from home has opened Pandora’s Box, with a significant increase in breaches due to ineffective security at remote locations. To better protect against such breaches, companies need to establish and enforce safe cybersecurity protocols among all workers – whether they’re in the facility or remote – by regularly changing user credentials (especially passwords) or by using multi-factor authentication or fingerprint/facial recognition for logging in. Organizations also must determine whether they have the policies and procedures in place, and the technical resources available, to ensure applications and operating systems are kept up to date. If the organization has an internal server and the drive is partitioned, each partition can be assigned different permissions to read, write and delete files for stronger protection.
  3. Detect breaches or attacks. Tools such as Microsoft Windows Defender and Microsoft Azure provide ways to detect anomalies in the data exchanged between your organization and the outside world. While it may not be possible to prevent every cyberattack, being aware of threats as they occur can assist in building better defenses in the future. Keeping employees aware of the latest spear-phishing attacks is critical.
  4. Respond to threats accordingly. How and when a company responds to a data breach is crucial to the well-being of the organization. For example, careful consideration should be given to your response to a ransom attack. In some jurisdictions, paying a ransom (in cryptocurrency) can be a criminal offense in itself. Communicate with law enforcement/regulatory authorities, employees, suppliers and customers to ensure the situation is resolved swiftly and without causing further harm.
  5. Recover from the attack. If a breach does occur, preparing ahead of time can pay off in a big way – in both time and money. Having access to a backup of all affected data can help significantly. Keeping current, reliable copies of information could eliminate the need to respond to a ransom demand. Shutting down your system, removing the threat and then recovering your data from backup with minimal loss of availability can be achieved with the right approach and a strong recovery plan.
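To make the “Identify” step above concrete, here is an added worked example (not code from the original post or from The Center) that turns an inventory of where documented information resides into a ranked risk register. The asset names, the list of unsupported operating systems, the impact values per class of information and the likelihood rules are all constructed assumptions chosen to mirror the post’s own illustrations (email exposure raising phishing risk, USB drives, an unsupported Windows XP machine); a real assessment would replace them with the organization’s own ratings.

```python
"""Constructed risk-assessment example for the "Identify" step.
Assets, scoring rules and scores below are illustrative assumptions,
not data or guidance from the original post."""
from __future__ import annotations
from dataclasses import dataclass

# Operating systems treated as unsupported (assumed list for this example);
# a machine running one of them is assumed to be easier to exploit.
UNSUPPORTED_OS = {"Windows XP", "Windows 7"}

# Assumed impact (1 = negligible .. 5 = severe) if a class of information is
# lost or disclosed. Classes mirror the kinds named in step 1 above.
IMPACT_BY_CLASS = {
    "customer drawings": 5,
    "financial": 5,
    "personnel": 4,
    "process specifications": 3,
    "business development": 3,
}


@dataclass(frozen=True)
class Asset:
    """One inventory entry: where documented information resides."""
    name: str
    location: str
    os: str
    data_classes: tuple[str, ...]
    email_access: bool
    remote_access: bool
    usb_allowed: bool


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def clamp(n: int) -> int:
    """Keep a likelihood on the 1..5 scale."""
    return max(1, min(5, n))


def assess(asset: Asset) -> list[Risk]:
    """Pair each relevant threat with the asset; likelihood follows exposure."""
    impact = max(IMPACT_BY_CLASS.get(c, 2) for c in asset.data_classes)
    risks = []
    # Phishing is more likely where mailboxes are reachable, more so remotely.
    phish = 2 + (2 if asset.email_access else 0) + (1 if asset.remote_access else 0)
    risks.append(Risk(asset.name, "phishing", clamp(phish), impact))
    # Ransomware: an unsupported OS and removable media both raise likelihood.
    ransom = 2 + (2 if asset.os in UNSUPPORTED_OS else 0) + (1 if asset.usb_allowed else 0)
    risks.append(Risk(asset.name, "ransomware", clamp(ransom), impact))
    if asset.usb_allowed:
        risks.append(Risk(asset.name, "malware via removable media", 3, impact))
    if asset.os in UNSUPPORTED_OS:
        risks.append(Risk(asset.name, "unsupported operating system", 5, impact))
    return risks


def risk_register(assets: list[Asset]) -> list[Risk]:
    """Assess every inventoried asset and rank the results, highest risk first."""
    register = [r for a in assets for r in assess(a)]
    return sorted(register, key=lambda r: (-r.score, r.asset, r.threat))


# Constructed inventory (sample data, not a real organization).
INVENTORY = [
    Asset("shop-floor-pc-01", "production hall", "Windows XP",
          ("process specifications",),
          email_access=False, remote_access=False, usb_allowed=True),
    Asset("engineering-ws-07", "design office", "Windows 10",
          ("customer drawings",),
          email_access=True, remote_access=True, usb_allowed=False),
    Asset("finance-laptop-02", "home office", "Windows 10",
          ("financial", "personnel"),
          email_access=True, remote_access=True, usb_allowed=True),
]

if __name__ == "__main__":
    for r in risk_register(INVENTORY):
        print(f"{r.score:2d}  {r.asset:18s} {r.threat:30s} L={r.likelihood} I={r.impact}")
```

Run as a script it prints the register in descending order: phishing against the two email-enabled, remotely used machines holding customer drawings and financial data comes out on top, while the Windows XP shop-floor PC is flagged both for its unsupported operating system and for ransomware via USB. The point of the exercise is the ordering, which tells a small organization where the Protect step should spend its first effort.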

For many small to medium-sized organizations, it may be beneficial – and optimal – to engage the services of a Data Security Specialist to manage these aspects. For assistance with getting started, The Center can help. Contact our cybersecurity experts at or visit to learn more about how we can support your quality and cybersecurity needs.

Andy Nichols, Quality Program Manager

To The Center’s clients, Andy Nichols, CQP MCQI, brings 40 years of expertise in a wide variety of roles and industries, with a particular focus on quality management systems in manufacturing organizations. Prior to joining the Michigan Manufacturing Technology Center, he was the East Coast Regional Sales Manager for NQA, a “Top 5” Global Certification Body, responsible for significant sales growth in a highly competitive marketplace. He has authored two books, “Exploding the Myths Surrounding ISO 9000 – A Practical Implementation Guide” (published by ITG in April 2013) and “A Guide to Effective Internal Management Systems Audits” (published May 2014).


Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at


Categories: cybersecurity, Quality Management