Ransomware, Quality and CPD

It is not for me to heap further woes on the NHS and recent news has to be taken in the context of the immense size and complexity of that organisation. The WannaCry attack has hit around  200,000 computers globally and covered organisations as diverse as Renault / Nissan and Deutsche Bahn, companies under a lot less scrutiny for how they spend their money than our National Health Service provider.

Information security is interwoven in the way we do business and, as in my earlier article, becomes, at least partially, under the remit of the quality professional. Just thinking about some of the areas in the news now and some of the specific requirements of ISO 9001:2015:

• 4.1 – Context of the organization. Any organization that manages information has to consider cyber criminals as ‘interested parties’ that can affect their ability to go about their business
• 4.4.1 – Processes. Where the organization operates processes that rely on information then any risks associated with use of data and with cyber-attacks have to be considered.
• 6.1 – Planning. In reviewing its external environment and the processes it operates the organisation should build appropriate plans into its quality management system – if it chooses to adopt a separate information security management system based on ISO 27001 then the QMS can simply refer out to it but the controls help deliver services that satisfy customer requirements.
• 7.1.3 – Infrastructure. One of the notes under this clause makes specific reference to hardware and software and this has to be provided and maintained.
• 7.5.3.1 b) – Control of documented information. The organization has to protect documented information.
• 7.5.3.2 b) – Control of documented information. The organization has to store and preserve documented information.
• 8.5.3 – Property belonging to customers or external providers. The organisation has to safeguard customer property including information.
  Even if we choose not to implement a comprehensive information security management system as responsible quality professionals we have to ensure that we satisfy the above requirements as a bare minimum.

As quality professionals we are committed to keeping our skill set up to date and to develop those skills by undertaking CPD and what better way to serve our organisations and, at the same time maintain our own professional standing, than by looking at information in the public domain about how to keep your personal and organisational information safe.

Here are a couple of suggested resources:

• The IIRSM cyber security mini site
• This article on the origins of the attack
• ISO / IEC 27001
• ISO / IEC 27001 Lead Auditor training
• Government Cyber Essentials documents

We should each have a plan to carry out CPD and keep our knowledge current. It should be a mixture of personal research and study, seminars and part and full time training. The first step is to follow the Deming cycle and ‘Plan’.

Paul Simpson
Bywater Associate
Providing consultancy and training on quality strategy and implementation.