This is the first of a new QualityInsider column that will discuss new practices, processes, tools, and lessons learned in what I think is the future of quality—risk management. I’ll feature quality and other professionals who use quality and risk in supply management, auditing, health care, security, and other fields. This month I focus on cyber security and ISO 27001 with an interview of cyber-security expert Ed Perkins.
Greg Hutchins: Can you tell us a little about who you are and what you do?
Ed Perkins: I’m a computer engineer. I have two master’s degrees, one in electrical engineering and one in computer science. I presently work on cyber security and cyber assurance projects for Homeland Security.
Hutchins: How does this fit into quality?
Perkins: I provide IT quality assurance and control. I use quality standards such as ISO 27001 to ensure the requisite level of assurance and control. From my point of view, information security is the most critical challenge our government, companies, and even we as individuals face today.
Hutchins: Pretty strong language. Can you elaborate?
Perkins: OK. Let me give you a few examples of each. Access to and the control of critical information is a Homeland Security issue. Intellectual property such as patents and design information are the core asset of a company. And, personal information is very critical to us individually, because a hacker can strip a person’s assets through electronic deception. So you can see that information security, data quality, and data integrity affect our nation, companies, and all of us individuals.
Hutchins: Good points. You mentioned ISO 27001. Tell me why it’s so critical.
Perkins: ISO 27001 is the specification for an ISMS, an information security management system. ISO 27001 is like ISO 9001, the famous quality management system (QMS). ISO 27001 is poised for explosive growth. A little background may help. ISO 27001 was first published in October 2005, essentially replacing BS 7799-2, which was a compilation of best IT security practices. As the need for global IT security emerged, the BS standard matured to ISO 27001 and into an information security management system.
Hutchins: Let’s see if I get this right. ISO 9001 is a QMS and ISO 14001 is an environmental management system (EMS). Is ISO 27001 similar to these?
Perkins: Exactly. All ISO standards management systems share common processes and objectives. There’s an accreditor and registrars. ISO 27001 is harmonized with other standards, and companies can get registered to ISO 27001 much like other ISO management systems. For example, the standard is basically a model for planning, implementing, monitoring, and improving an ISMS, much like Deming’s plan-do-check-act cycle that we are familiar with in quality. Another important feature of all the ISO management system standards is the process model. The process approach is a great visual model for understanding, auditing, correcting, and improving the management, interactions, and outcomes of a process.
Hutchins: What do you think is the future of ISO 27001?
Perkins: I think that ISO 27001 will do for information security management what ISO 9001 did for quality management. The difference is that ISO 27001 will see faster growth in the United States than ISO 9001. Why? ISO 9001 was a QMS that was adopted by companies. Information security is a personal issue. Let’s only look at one area: identity theft. The cost of identity theft is $48 billion for business and more than $5 billion for consumers. That doesn’t include the cost of lost time and emotional frustration. Identity theft affects all of us.
Hutchins: Can you give me a personal example of how it’s growing in the United States?
Perkins: You bet. Most states are passing identity theft legislation because of pandemic personal information thefts. For example, Oregon recently passed SB 583, or Oregon’s Consumer Theft Protection Act. The Act requires Oregon government and all private businesses to protect and safeguard personal information such as social security numbers and credit card information. No one knows how many companies will have to comply, but we’re guessing tens of thousands. The statute doesn’t require a company to follow a specific standard. But guess what we’re recommending to our clients? ISO 27001 best practices. There are going to be many more companies complying with ISO 27001 than comply with ISO 9001.
Hutchins: This is fantastic. Do the feds and other states have comparable requirements?
Perkins: You bet. California has a similar theft protection act. And the feds have the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. In the absence of specific information security standards, we suggest that companies adopt ISO 27001.
Hutchins: Give us an example of how to develop an ISMS.
Perkins: OK. The important point is that an ISMS has to be tailored to a specific company, type of information, resources, processes, and requirements. So, the first thing to do is to define information security policies, procedures, and the scope of the ISMS. Then, the host company or a second party conducts an information risk assessment, develops processes to mitigate an information breach, and ensures that sensitive information risks can be controlled.
Hutchins: As part of your professional practice, you focus on identity theft protection. How can a quality professional who isn’t an engineer use the standard?
Perkins: The statutory trend is crystal clear. Most companies, large and small, will have to develop policies and procedures to secure critical customer information. Most quality professionals can do this and they don’t have to be engineers. They already do this with ISO 9001 policies and procedures. As well, quality professionals can learn how to conduct a risk assessment and evaluate controls. A specialized cyber security audit may require an engineer and security professional.
Hutchins: Thank you, Ed. It’s another data point that we’ve been stressing: The future of quality management is risk management.