ISO 9001 – A Key to Cybersecurity for Manufacturing Companies? (Part 1)

Subscribe To Our Newsletter

Home / Blog / ISO 9001 – A Key to Cybersecurity for Manufacturing Companies? (Part 1)

by | Dec 8, 2020

By MEP National Network Partner Andy Nichols, Michigan Manufacturing Technology Center

illustration - man holding technology with label ISO 9001

Not a day goes by without our news feeds sharing details of yet another cybersecurity breach.

It seems large businesses tend to be the main victims, with Target, Equifax, Marriott and even the UK’s National Health System patient data recently being affected by cyberattacks.

However, we rarely learn about the impact of information security attacks made on small to medium-sized businesses — the typical size of a Rhode Island manufacturer. This is partly because they aren’t given as much prominence in the media yet attacks against these smaller companies can and do happen, often with disastrous consequences.

In fact, FEMA concluded that between 40 and 60% of small businesses fail within a year of any type of disaster – including cyberattacks – unless some type of continuity/resiliency plan is put in place.

These business failures occur not only from the penalties of paying the ransom, but from the “hidden” costs associated with losing access to information regarding sales pipelines, accounts payable/receivable, as well as intellectual property. A simple “hack” could even change an organization’s bank account details and divert customer payments somewhere else.

So, what is needed to protect small and medium-sized manufacturing companies from such an attack? How can an business become “cyber-resilient”?  

In very basic terms, what’s needed is an approach to cybersecurity that seeks to reduce the risks of such attacks on business.

While many might not realize it, if a manufacturer already has an ISO 9001:2015-compliant QMS, that can be used as a platform on which to base an effective cybersecurity program. Although the standard places a focus on products, several concepts used throughout ISO 9001:2015, such as “risk,” “planning” and “documented information” can clearly be applied to information protection as well.

REDEFINING “CIA” IN QUALITY & CYBERSECURITY

CIA Triad - Information Security - Polaris Manufacturing Extension PartnershipThe requirements for information, either maintained or retained, are mentioned some 38 times throughout ISO 9001. When analyzed, these references can be categorized according to the acronym “CIA,” as follows:

  • Confidentiality – Information which is proprietary to you and/or your customer(s)
  • Integrity – Information which is the “go-to” or master document for reference in running the organization
  • Availability – Information which contains data on results of the above

Upon closer consideration, it is easy to see that all of the requirements of ISO 9001:2015 – from documenting internal and external issues to process controls and management reviews – contain a great deal of information that should not be available outside of the organization, especially to competitors, customers, or worse, their competition.

How would this “tribal knowledge” captured when creating the QMS – often in process work instructions and procedures – be recreated if held for ransom? What if a major customer’s “hush-hush” game-changing product specifications and drawings were stolen from your servers? Such breaches could have catastrophic implications for smaller companies.

Some may argue not all the information gathered is that “sensitive” – for example, the calibration data from 200 items of measuring equipment. Still, if this information is deleted from the hard drive of a computer in a Quality Control Lab, it is going to cost a significant amount of time and money to rebuild that from paper records (if they are even available).

Having established the value of protecting your information, what next steps should be taken? In part 2 of this blog series, we’ll lay out the five steps needed to identify and implement a simple framework of actions to establish the controls needed for effective information security.


Andy Nichols, CQP MCQI, brings 40 years of expertise in a wide variety of roles and industries, with a particular focus on quality management systems in manufacturing organizations. Prior to joining Polaris MEP’s “sister” center, the Michigan Manufacturing Technology Center, he was the East Coast Regional Sales Manager for NQA, a “Top 5” Global Certification Body. He has authored two books, “Exploding the Myths Surrounding ISO 9000 – A Practical Implementation Guide” and “A Guide to Effective Internal Management Systems Audits.”

This post was originally published by the Michigan Manufacturing Technology Center: https://www.the-center.org/Blog/October-2020/ISO-9001-%E2%80%93-A-Key-to-Cybersecurity-(Part-1).

Subscribe to Our Blog

Receive up to date advice from manufacturing experts, news, and more!