ISO 9001 – A Key to Cybersecurity? (Part 1)



Not a day goes by without our news feeds sharing details of yet another cybersecurity breach. It seems large businesses tend to be the main victims, with Target, Equifax, Marriott and even the UK’s National Health System (whose patient data was recently affected) falling victim to cyberattacks. However, we rarely learn about the impact of information security attacks on small to medium-sized businesses, partly because they aren’t given as much prominence in the media. Yet attacks against these smaller companies can and do happen, often with disastrous consequences.

In fact, FEMA concluded that between 40 and 60% of small businesses fail within a year of any type of disaster – including cyberattacks – unless some type of continuity/resiliency plan is put in place. These business failures occur not only from the penalties of paying the ransom, but from the “hidden” costs associated with losing access to information regarding sales pipelines, accounts payable/receivable, as well as intellectual property. A simple “hack” could even change an organization’s bank account details and divert customer payments somewhere else.

So, what is needed to protect small and medium-sized businesses from such an attack? How can an organization become “cyber-resilient”?

In very basic terms, what’s needed is an approach to cybersecurity that seeks to reduce the risks of such attacks on business. While many might not realize it, if an organization already has an ISO 9001:2015-compliant QMS, that can be used as a platform on which to base an effective cybersecurity program. Although the standard places a focus on products, several concepts used throughout ISO 9001:2015, such as “risk,” “planning” and “documented information” can clearly be applied to information protection as well.

The requirements for information, either maintained or retained, are mentioned some 38 times throughout ISO 9001. When analyzed, these references can be categorized according to the acronym “CIA,” as follows:

  • Confidentiality – Information which is proprietary to you and/or your customer(s)
  • Integrity – Information which is the “go-to” or master document for reference in running the organization
  • Availability – Information which contains data on results of the above

Upon closer consideration, it is easy to see that all of the requirements of ISO 9001:2015 – from documenting internal and external issues to process controls and management reviews – generate a great deal of information that should not be available outside of the organization, especially to your competitors, to your customers, or worse, to your customers’ competitors.

How would this “tribal knowledge” captured when creating the QMS – often in process work instructions and procedures – be recreated if held for ransom? What if a major customer’s “hush-hush” game-changing product specifications and drawings were stolen from your servers? Such breaches could have catastrophic implications for smaller companies.

Some may argue not all the information gathered is that “sensitive” – for example, the calibration data from 200 items of measuring equipment. Still, if this information is deleted from the hard drive of a computer in a Quality Control Lab, it is going to cost a significant amount of time and money to rebuild that from paper records (if they are even available).

Having established the value of protecting your information, what next steps should be taken? In a follow-up article coming soon, we’ll lay out the five steps needed to identify and implement a simple framework of actions to establish the controls needed for effective information security.

To learn more about how to use your QMS to drive cybersecurity programs, I invite you to virtually join me at the upcoming AIAG Quality Summit held October 21 through 22, where I will present a session entitled “Your Quality System is the Key to Cybersecurity.”


Andy Nichols, Quality Program Manager
To The Center’s clients, Andy Nichols, CQP MCQI, brings 40 years of expertise in a wide variety of roles and industries, with a particular focus on quality management systems in manufacturing organizations. Prior to joining the Michigan Manufacturing Technology Center, he was the East Coast Regional Sales Manager for NQA, a “Top 5” Global Certification Body, responsible for significant sales growth in a highly competitive marketplace. He has authored two books, “Exploding the Myths Surrounding ISO 9000 – A Practical Implementation Guide” (published by ITG in April 2013) and “A Guide to Effective Internal Management Systems Audits" (published May 2014).


Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at

Categories: cybersecurity, Quality Management