Implementation of integrated ISO 9001 and ISO 27001 standards

Implementation of integrated ISO 9001 and ISO 27001 standards in a financial organisation

Industry: Financial sector

Organisational size: 20 people
Lead time: 5 months
Number of people affected: 20 people

Objectives, executive summary

The aim of the project was the full implementation of an ISO 9001 quality management system for a public sector organisation in the financial sector in Hungary, together with the transition of the existing ISO 27001 information security management system to the new version of the standard. Our task was to review our client's systems, update its regulatory environment and support the start-up of the new management systems, preparing the organisation for a successful audit. At the end of the project, the client received a positive assessment in both international standard audits.

Client background and environment

The client is a prominent public sector organisation in the domestic financial sector that regularly implements international standards, regulations and best practices to improve its organisational performance. A natural next step in this strategy of focusing on internal development was the implementation of a quality management system based on an international standard (ISO 9001) and the revision and update of the existing ISO 27001-based information security management system, made necessary by a version change of the standard. The client's management received full ISO 9001 and ISO 27001 training at the start of the project, demonstrating their commitment to the systems.

Objectives, tasks

  • Establishment of a process-based quality management system in accordance with the requirements of ISO 9001 (MSZ EN ISO 9001:2015), support for the start of operations and successful completion of the audit.
  • Review and upgrade of the existing ISO 27001-based information security management system to the new requirements of the standard (ISO/IEC 27001:2023), support for the start of operations and successful completion of the audit.

Challenges, difficulties

  • Due to the small size of the organisation, the client's colleagues had limited time to devote to the development of the systems.
  • For a large part of the organisation's staff, the concepts and requirements of ISO 9001 and ISO 27001 were a new challenge.
  • The organisation operates in a highly regulated environment, with numerous legal and internal requirements that the new management systems had to comply with. In this environment, it was a challenge to ensure that the systems were effective, easy to operate and practical, while at the same time ensuring that they passed the audit.

Implementation of the task

The project was based on a pre-scheduled, well-structured project management approach, with a project lifecycle that could be broken down into clearly defined phases with well-defined milestones and deliverables. Client ownership and active participation enabled the project to meet all external and internal deadlines.

In the first, survey phase, the current processes and documentation of the organisation were examined and compared with the requirements of ISO 9001 and ISO 27001. During interviews and site visits, areas for improvement were identified and existing gaps were assessed.

In the second phase, the quality management system was designed and the processes were regulated in accordance with the requirements of ISO 9001:2015. Following the design of the system, the necessary documentation was prepared and the regulatory framework was finalised and approved. This phase also covered updating the existing information security management system based on the results of the survey: the existing ISO 27001 system documentation and processes were adapted to the updated requirements of the standard, the policies and procedures were revised as necessary and the updated system was approved. Developing and updating the two systems at the same time made it possible to exploit synergies between the processes, but great care had to be taken to ensure that the systems were not over-complicated, remained simple to use and supported viable day-to-day operation.

In the third, implementation phase, we provided training to designated staff on the newly developed systems, monitored the implementation of the new processes and started to collect documented information. We organised and carried out the internal audits required by the standards to ensure that the systems were suitable for certification.

In the final, fourth phase, the implemented systems were fine-tuned and reviewed. Preventive and corrective actions were developed and the documentation for the certification audits was finalised.

Results

The project successfully implemented the ISO 9001 quality management system and upgraded the existing ISO 27001 system. Both systems comply with the relevant international standards and both have received a positive certification decision. The training of the client's staff ensured that the systems were integrated into day-to-day operations and that the organisation was well prepared for the next audit phase.