Secure Your Business

Case Study Security/Quality:
"Best marks" for ISO 27001/9001 integration


  • synergies due to similar structures

  • 30 per cent less expenditure for combined certification

  • about 20 per cent saving at ongoing operation

At first sight, information security and quality management are two different things. In practice, however, they grow together and form a harmonious unit: customer satisfaction, the top quality objective, increasingly depends on IT availability and data security, and this is supported by ISO 27001. Conversely, corporate goals according to ISO 9001 help to implement information security in a targeted manner. Thanks to an integrated approach, ISO 27001 can be integrated efficiently into existing QM systems or implemented in combination with them. Thus EDVG experienced a successful "Pas de Deux" when introducing the two standards within no more than eight months, and saved about 30 per cent of time and costs.




  • Customer satisfaction is the best advertisement

More than 4,200 companies are certified according to ISO 9001:2008 for quality management (QM). Depending on market and legal requirements, many are increasingly obliged to deal with information security (IS). In this respect, integrating the management systems offers real opportunities. Furthermore, the integrated approach is also interesting for companies that have not used any process management so far. The ISO standards for quality (ISO 9001), environment (ISO 14000), information security (ISO 27001) and IT service management (ISO 20000) have similar structures and process approaches. "This yields synergies that pay off: in practice, an integrated management system in ongoing operation saves about 20 to 30 per cent of the expenditure for system optimization, reviews and audits," explains Dr. Peter Soudat, auditor of the certification body CIS.

  • Opening with verve: eight months for two standards

An illustrative example of successful IS/QM integration is EDVG Elektronische Datenverarbeitung GmbH (Electronic Data Processing Ltd.). This company implemented both ISO 9001 and ISO 27001 in no more than eight months and prepared optimally for certification by means of a Stage Review, system improvement and a Stage-One Audit within a further three months. Until then, the EDP provider had not defined any business processes conforming to ISO. However, the dedicated process management had already gained experience in the field of process modelling. In addition, a consultant was employed. "ISO 9001 and ISO 27001 have structurally identical elements. With us, reviews, body meetings, surveillance and recertification audits are conducted in an integrated manner," explains Dr. Gustav Jung, Quality Manager at EDVG. The combined certification audit of the whole of EDVG, with its 85 employees, was conducted by CIS and Quality Austria and took four days. With separate certifications, about three days would have been necessary for each standard. "Costs were cut by 30 per cent for certification alone and by almost 20 per cent for the overall implementation phase of the two standards, because the workload was reduced," stresses Dr. Gustav Jung with satisfaction.

  • In unison: similar structures of ISO 9001 and ISO 27001

If the standards for information security and quality management are compared, both are based on continual improvement according to Plan-Do-Check-Act. Furthermore, they are alike in their structures, as the mapping table in Annex C of ISO 27001 shows: in both standards, the process approach and scope are followed by definitions, system requirements and documentation as well as management responsibility. In both cases, the structure is closed by internal audits, management review and system improvement. At these interfaces, valuable synergies are created. For example, ISO 9001 requires the management of nonconforming product. This corresponds to the ISO 27001 requirement for incident management to eliminate IT failures.

  • A strong duo: Differences supplement each other 

"The differences between the standards usefully supplement each other, which decisively contributes to increasing business success," explains CIS Auditor Dr. Peter Soudat. "IS secures the company's potential. QM creates it." For example, ISO 9001 requires the definition of corporate goals, customer focus and measurability of the extent to which objectives and targets are fulfilled. These three issues are not the focus of ISO 27001. In return, that standard attaches the utmost importance to risk management for maintaining business continuity and offers a detailed implementation aid in the supplementary standard ISO 27005. By comparison, ISO 9001 refers to the work environment only generically.

At EDVG, the integrated approach was already implemented in the project team, which consisted of three persons charged with project management, quality management and information security; top management is responsible for the overall system. "To get to the point, we had two main directions: on the one hand, we aimed at defining, documenting and optimizing all the processes in conformity with ISO. On the other hand, we wanted to anchor these terms and concepts in the employees' heads," summarizes EDVG Project Manager Mag. Alfons Ankerl. The value created by integration already became quite obvious when defining the corporate goals according to ISO 9001: "For us, it was an advantage to be able to align our ISMS to a corporate goal: being a competent and recognized IT service provider for our customers. Thus information security positions itself as a central business enabler," reports Mag. Rudolf Kanov, Information Security Manager of EDVG. Furthermore, communicating our objectives and targets to our employees effectively boosted their motivation in ongoing operations. "Wherever there are visions, the power to achieve these visions will be born." This is the conviction of Mag. Rudolf Kanov.

  • "Pas de Deux" for policies, documentation and resource management

At EDVG, quality management acts as an umbrella system, while information security specifies the related IS goals. When creating the policies, the procedure was similar: the structure of the quality policy, with its scope, management commitment, responsibilities and improvement process, served as the basic scaffold for the security policy. In documentation, too, the circle is closed: according to ISO 9001, documentation guidelines regulate which documents are to be filed where and by whom, and how long they are to be retained. By means of classification according to ISO 27001, EDVG could consolidate these requirements by additionally taking information security into account. For such "information hubs" as workstations, e-mail, fax or phone, policies enabling top protection were elaborated. "As EDVG administers millions of personal data records for member organizations, data security is a business-critical success factor," stresses Gustav Jung. "Information security according to ISO 27001 enhances the business value of our services."

Still another important synergy was created by the employee meetings required by ISO 9001. "We have turned employee meetings into a powerful tool: in this personal atmosphere, we additionally impart security awareness, identify opportunities for development and inquire about training needs," reports Gustav Jung. In both standards, training and awareness are allocated to resource management.

  • Impulse: using risk analysis to get to new business fields

EDVG generated impulses for new business fields by introducing risk management. The normative systematics helped to identify strong and weak points in a structured manner. "Risk is not negative. It is only negative not to know it," says Gustav Jung. The results furnished a solid base for planning actions and were also implemented in a visionary manner. Risks became opportunities, that is, new business fields with superior performance. Since then, service agreements for high security and high availability have been offered proactively.

  • Grande Finale with ISO 20000

On the whole, the EDVG team was so satisfied with the interplay between quality management and information security that IT service management was also standardized right afterwards. The verve resulting from successful certification was used for the consistent further development of the company in the next step. In no more than seven months, the ISO 20000 standard for IT service management was implemented, integrated in the proven manner and concluded with the third certification in September 2009. By now Gustav Jung is convinced of the following: "In retrospect, we might also have implemented ISO 20000 together with ISO 9001/27001. As the structure of the standards is similar, an integrated approach is almost a foregone conclusion. In fact, the resulting synergies should be utilized by all companies."

CIS - Certification & Information Security Services, T +421 55 677 0156, office.sk@cis-cert.com