In today’s world where humans produce 2.5 quintillion bytes of data daily (that’s a million trillion!), the average data breach costs $3.86 million, and companies can face data privacy-related fines north of $800 million, records and information management (RIM) is getting more time in the spotlight.
Most RIM practitioners can build a strong case for a good records management and retention policy – it can help avoid litigation, save on discovery costs, and limit the impact of a data breach. But what about using RIM as a way to elevate your company in the eyes of customers? One way to achieve this is through obtaining advanced certifications developed by the Industry Standards Organization (ISO).
The ISO develops “families” of internationally recognized standards companies can use to develop and certify their business processes. Two ISO standards that rely heavily on RIM are the ISO 9000 family on quality management and the ISO/IEC 27000 family on information security management. Both have stringent document information requirements.
Let’s start with the ISO 9001 Certification
ISO 9001, one of the more well-known ISO standards, is the only standard in the ISO 9000 family to which a company can be certified. This certification is available to any organization, regardless of size or industry, and is based on quality management principles like having a strong customer focus, top-tier management, and a business plan showing an approach and process for continual improvement. Currently, there are over one million companies in over 170 countries that have achieved the ISO 9001 certification. Certification can be one of the most effective ways to alert consumers that your quality management system is consistent and products and services are good-quality. This in turn brings business. So, to the millions of companies not yet 9001 certified, you may be wondering how to achieve such certification and how RIM plays into this process.
Achieving ISO 9001 Certification
To earn ISO 9001 certification, you must implement an ISO 9001 quality management system. Once you feel ready, you may select an external registrar to audit the performance of your organization. Upon earning a passing review, the registrar will issue the ISO 9001 certificate, which is good for three years. Now, here’s where having a strong RIM program is beneficial, if not essential.
A Strong RIM Program Is Key to ISO 9001 Certification
For the audit, your organization will need to create, maintain, and retain certain documents to show, on paper, how its quality management system follows the ISO 9001 standards. These records must adhere to the documented information requirements of ISO 9001 clause 7.5, which outlines the following document types you must maintain:
- The scope of the quality management system (clause 4.3).
- Documented information necessary to support the operation of processes (clause 4.4). Examples include organization charts, process maps, process flow charts and/or process descriptions, procedures, work and/or test instructions, specifications, documents containing internal communications, production schedules, approved supplier lists, test and inspection plans, quality plans, quality manuals, strategic plans, and forms.
- The quality policy (clause 5).
- The quality objectives (clause 6.2).
Clause 7.5 also identifies the following document types that you must retain:
- Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).
- Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1).
- Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 7.1.5.2).
- Evidence of competence of person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2).
- Results of the review and new requirements for the products and services (clause 8.2.3).
- Records needed to demonstrate that design and development requirements have been met (clause 8.3.2).
- Records on design and development inputs (clause 8.3.3).
- Records of the activities of design and development controls (clause 8.3.4).
- Records of design and development outputs (clause 8.3.5).
- Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).
- Records of the evaluation, selection, monitoring of performance, and re-evaluation of external providers and any actions arising from these activities (clause 8.4.1).
That is a lot of information!
So, What is the Best Way to Manage and Retain All of These Records and Documented Information?
The first step is to figure out what you have, where it’s all located, and how it should be organized. Then, catalog it in a retention schedule so you can be sure you’re retaining the necessary records for your future ISO audits. You also must track the location and retention of the documents required by Clause 7.5 in a records management system and dispose of unnecessary information (since we know too much information can be a liability). Sounds simple enough, right?
Alternatively, you can reach out to Zasio. Our team of in-house consultants can review your records to identify what you have, develop a retention schedule for you, and deliver it in Versatile Retention, our leading retention management solution. Once you have your retention schedule, you can easily apply it to your physical and electronic records using one of Zasio’s Versatile records management solutions. Then, when it’s time for your ISO 9001 audit, your information will be at your fingertips, helping ensure your company aces the documented information requirement.
Now Let’s Jump to the ISO/IEC 27001 Certification
While ISO 9001 concerns quality management systems, ISO 27001 is all about information security management systems (ISMS). But similar to ISO 9001, companies must build a system and show how it was established and implemented, and what processes maintain and continually improve it.
The ISO 27001 standard not only ensures an organization has an ISMS, but through its requirements, it also certifies that companies are compliant with applicable laws and regulations. Information security concerns every organization, so keeping up with ISO 27001 requirements is a great way to help stay compliant with current regulations. Further, should you ever face an information security incident, ISO 27001 certification can help demonstrate due diligence regarding regulatory compliance.
What Kind of Information Security Requirements are in the ISO 27001 Standard?
Information security requirements may vary depending on your industry but in general, the information security requirements you can expect to see include:
- A.18.1.1 – Identification of Applicable Legislation and Contractual Requirements.
- A.18.1.2 – Intellectual Property Rights.
- A.18.1.3 – Protection of Records.
- A.18.1.4 – Privacy and Protection of Personally Identifiable Information (PII).
- A.18.1.5 – Regulation of Cryptographic Controls.
The ISO 27001 Audit Process
So how do you prove ISO 27001 compliance during a certification audit? ISO/IEC 27001:2013 (the most recent revision) has a documented information clause that is very similar to ISO 9001’s clause 7.5. Accordingly, clause 7.5’s process for document retention applies here as well.
Becoming ISO 9001 certified for quality management or ISO 27001 certified for information security is a great way to ensure your company is performing to the highest level of standards and regulatory compliance. It also shows customers your company is a trusted business partner. Plus, it’s a perfect excuse to review your company’s information and strengthen your RIM program, which provides more benefits than just ISO certification. Just about all cybersecurity frameworks—such as NIST, CSA-CCM, SOC 2 Type II, and COBIT—require records retention, so a strong RIM program will help your organization achieve maturity in those standards as well.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.