This is a guest article written by John Scott, Director of Bywater Training Ltd. The author’s views are entirely his own and may not reflect the views of IT Governance.
IT is critical to customer satisfaction
Management systems provide structure, a process approach and governance, and in the case of quality systems, they aim to deliver customer satisfaction. Given that virtually all the resources of an organisation – the controls that monitor it and pretty much all internal and external communication – are dependent on IT, it can be argued that IT is the single most critical factor a company has to manage to ensure it meets its commitments to customers.
Suppliers that achieve certification to internationally recognised standards, accepting regular third-party audits of their structure, processes and governance, give customers confidence that they will meet their commitments. Your customers will want to look carefully at your management systems to gain confidence that you will meet your commitments to them, and likewise, you should also be carefully looking at your supplier’s management systems so you can be confident they will meet the commitments they make to you.
Of the growing number of international standards, ISO 9001 (quality management systems) is the best known. Given how fundamental IT is to ensuring customer satisfaction, we should also get used to adding ISO 22301 (business continuity), ISO 27001 (information security) and ISO 38500 (corporate governance of IT) to the list of international standards we take seriously.
Rope bridges between the tall trees
IT departments work hard to ensure there is a robust technical infrastructure to support business operations. Yet too many are missing a trick by failing to engage with their colleagues and use their skills and experience to avoid incidents, such as the systems crash that crippled British Airways or the NHS cyber attack in May 2017.
Likewise, if IT infrastructure is the single most critical factor in terms of suppliers meeting customer commitments, do quality managers invest enough time in understanding this sophisticated world to make sure everything is done to protect the reputation of their business?
Can management systems really help?
IT managers might wonder how a business systems manager could help, particularly if that systems manager comes from a quality background and appears to know little about what the IT department does or the latest developments in information systems or security. However, recent examples from the BA systems crash and the NHS ransomware attack teach us lessons about the role that management systems have to play in supporting and deploying core information security knowledge to ensure process resilience across the business.
- In the case of BA, placing responsibility for a £150m disaster on a ‘lone wolf’ engineer’s error is disingenuous. System robustness for information security, disaster recovery and quality management relies on effective design, operation and testing. BA, as the operator, has to take accountability for data centre operation, supplier selection and security procedures for contractors attending core facilities.
- As for the two ransomware attacks on the NHS, both used the same security vulnerability identified by the US National Security Agency – a vulnerability easily resolved by downloading the latest security patches from Microsoft. The patch was issued long before WannaCry created havoc and was heavily promoted by information security professionals in May 2017. How was it, then, that organisations did not take this expert advice? All management system standards, such as ISO 27001, require organisations to assess risk, to look at available information about security breaches, and to ensure risks are mitigated and managed.
Protecting the business and demonstrating this to your customers
Ongoing compliance with internationally recognised standards is a leading indicator of performance that can be assessed by an external customer. The aim is to move the emphasis away from checking and inspecting deliverables to assessing the competency of an organisation to deliver in full, on time, to specification and on budget – before an order is placed.
There are two ways to achieve increased assurance of information systems security:
- The information security specialist can develop a rounded overview of how information security fits into a management systems framework through understanding the role of management systems standards, such as ISO 27001 and ISO 22301.
- Existing quality management systems specialists can gain an understanding of how ISO 27001 is structured and the necessary controls to put in place by integrating these requirements with an existing quality management system.
Bywater Training Ltd
Founded in 1982, Bywater continues to be a leading provider of management systems and other business improvement training. We predominantly focus on training auditors in management systems covering a variety of international standards.
John Scott (Director, Bywater)