Client Case Study: Protect Data and Profitability with an ISO 9001 and ISO 27001 Integrated Management System (IMS)
Secure and resilient systems are needed to protect an organization's processes, data and daily operations. However, safeguarding an organization against cybersecurity threats, such as data breaches and ransomware, is difficult: effective information security usually depends on a combination of multiple systems and people. Even after an organization's best efforts, failure can still occur if the company lacks visibility into company-wide efforts, or if its systems and strategies are not aligned with the organization. This case study provides an overview of the benefits that our client, a global systems integrator (GSI) and managed IT services provider (MSP) serving organizations worldwide, experienced as a result of implementing an Integrated Management System (IMS) based upon the requirements of the ISO 9001:2015 quality and ISO/IEC 27001 information security management system standards. The project encompassed multiple global locations, in the United States and internationally.
Prior to contacting The ISO 9001 Group, our client experienced a major cybersecurity attack that exposed our client's data and severely disrupted their operations. This ransomware attack shut their company down for about four months, which resulted in a major loss of time, productivity and revenue. Ransomware is a type of malicious software, or malware, that encrypts an organization's data on its computers, making it unusable. The cybercriminal holds the organization's data hostage by withholding the decryption key until a ransom is paid; if the ransom is not paid, the data remains inaccessible. The United States Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) received 2,474 complaints identified as ransomware in 2020 alone, with reported losses of over $29.1 million.
After the acquisition of a company located overseas, it was discovered that employees were not working within the company's defined management system because of a lack of monitoring. Our client also discovered that their newly acquired company's ISO 9001 certification was not valid because it had not been issued by an accredited certification body (a certificate's accreditation status can be verified with the accreditation body that oversees the issuing certification body). Due to a lack of documented best practices and oversight, their employees were operating outside of cybersecurity protocols. As a result of the major ransomware attack and other organizational challenges negatively impacting their operations, the company decided that immediate improvements needed to be made. The organization selected The ISO 9001 Group to design and guide the implementation of the ISO 9001 quality and ISO 27001 information security management systems in a four-month timeframe.
Prior to contacting The ISO 9001 Group, our client faced several organizational challenges, including:
1. Lack of oversight and standardization among their United States and international sites;
2. Target of a ransomware attack that took 3-4 months to recover from;
3. Significant loss of revenue due to downtime from the cybersecurity attack;
4. Lack of knowledge and manpower to design and implement ISO 9001 and ISO 27001;
5. Short timeframe for their project.
Our Customized Solution
The scope of the project was to provide consulting, auditing and training services to design an Integrated Management System (IMS) based upon the requirements of ISO 9001:2015 (Quality) and ISO 27001:2013 (Information Security). Our consultant met remotely with both the United States and international sites to perform a gap analysis between their current processes and the requirements of ISO 9001 and ISO 27001. A technical writer then worked with the client to design the centralized, integrated documentation required by both standards.
Once the documentation was finalized, our consultant supported the implementation by providing training and meeting with the client on a routine basis to answer questions or concerns. Upon completion of the implementation, our auditor conducted a precertification audit to verify that the system was effectively implemented prior to the certification audit. Our consultant also assisted with responding to any audit findings.
During the implementation of their ISO 9001 and ISO 27001 integrated management system, our client experienced the following challenges:
• Overcoming resistance to the changes that standardization introduced,
• Implementing the information security controls required by ISO 27001, and
• Gaining buy-in for the ISO 9001 and ISO 27001 project from other departments.
Upon successful implementation of their ISO 9001 and ISO 27001 IMS, our client has experienced the following benefits:
1. Reduced cybersecurity risk and fewer attacks,
2. Ability to systematically address the cybersecurity gaps and concerns identified internally,
3. Increased involvement from top management,
4. Increased standardization in both quality and cybersecurity practices,
5. Improved collaboration and communication among sites, and
6. Ability to bid on projects that require cybersecurity controls.
By implementing internationally recognized management system standards, our client has enabled their organization to protect their own information as well as their clients' data. All types of businesses and organizations can benefit from implementing the ISO 9001 and ISO 27001 management system standards. An integrated quality and information security management system helps improve both operations and information security. If your organization is considering implementing ISO 9001 or ISO 27001, contact us today to learn how we can help.
Victoria Ontiveros | Marketing Supervisor
Victoria focuses on creating quality educational content that provides value to current and potential clients. By collaborating with members of leadership and sales, she is able to develop informative articles that answer common questions and connect with current trends. Victoria earned her Bachelor of Science in Sociology with an emphasis in communications from Texas A&M University.