How to Implement an Effective Quality Management System
By: Wes Knight, Contributor
In today’s economy, with cost and inflation rising and margins and profits falling, companies are looking for any advantage they can find. Compliance is one avenue that some companies are taking advantage of, but many are overlooking. Going through a compliance assessment and maintaining that compliance can benefit a company in many ways. It can save the company money, and it can be used as a marketing tool.
Going through a quality management systems (QMS) certification can help a company establish conformance to documented standards and requirements. This process can often uncover duplicate efforts within the company that are causing unnecessary expenses and quality variations in the final products. These types of variations can cause problems for both customers and stakeholders. When your goal is to create a product or deliver a service with the high quality your customers expect, and with no unnecessary cost or delays, discovering and eliminating these problems can be a tremendous step forward.
Stay in Compliance
Your company is likely in an industry that has standardized requirements. You need to be able to prove that you are following these regulatory and compliance requirements. The automotive industry has TISAX; the U.S. Department of Defense has CMMC; the health industry has HIPAA and HITRUST; the credit card industry has PCI-DSS; and there are many others. If your company is not in one of these industries, then one of the ISO standards may be the best choice. It is becoming increasingly common for companies, particularly those looking for a new vendor, to ask for proof of compliance with one of these accepted standards.
As a Chief Information Security Officer (CISO) in both the government and private sector, evaluating the standards that a company complied with was a major consideration when we were choosing a new vendor. At a minimum, we knew that a vendor that did not have any certifications was going to cause our staff additional work. On the other hand, if a potential client sends you a list of 50 information security-related questions, instead of your staff having to do all that additional work, you may be able to submit your certifications to them and save both of you the additional time it takes to complete. Although this article is not specifically about security certifications, they are one factor to be considered.
Compliance with a certification standard can help protect your company’s brand reputation, as well as possibly protect the company and the executives from possible criminal or civil litigation in case of a security event. Depending upon the certification your company has, it can show you have performed your due diligence in protecting your client information, employee information and intellectual property.
Recently, the CISO of Uber was sentenced to jail after a security event revealed data to unauthorized individuals. Many of the certification standards require an effective incident and breach response, which must be documented and tested periodically. When your company experiences a security incident or breach (and it certainly is “when,” not “if”), your staff will be prepared to respond quickly and efficiently.
Know Your Policies
Compliance standards also require your company to have an effective process to review, update and implement policies. You also need a centralized repository where materials, policies, procedures and other documentation are stored. This helps with proper training for your employees, because they will always know where the policies are located.
Having a map of your organization’s policies to the certification requirements will assist you when working with the compliance auditor. When the auditor says, “Show me your policy related to this item,” you won’t have to spend time digging through all your policies to locate it. This type of preparation helps ensure a smooth audit process.
Having an accepted third-party certification can be a competitive advantage when trying to gain new business. I gave an example earlier regarding information security certifications, but management system certifications can also be an advantage. For many of the reasons we discussed here, customers are insisting that their vendors comply with one of the accepted standards. They need to be confident that your company is a well-run business that is stable and will protect their data appropriately. Effective incident and breach response; policy management and reporting; and regulatory and compliance management are all things that will help the client rest more easily.
Consequences of Non-Compliance
What are the consequences of not being compliant? You can suffer a loss of market share if your competitors are compliant, and you are not. You can incur personal and organizational fines. You also can incur personal liability or even incarceration for an extreme offense. You may have limited access to capital markets or limited ability to do business in specific jurisdictions. You can experience a loss of focus on business direction, because your workflows are not well-documented. Lastly, you can also have increased regulatory oversight.
Paige Needling, President and CEO of Needling Worldwide LLC, says, “Putting on your customer hat for a moment, ask yourself: Would you rather do business with an ISO 27001 compliant/certified company or a SOC 2 Type II-certified company or with a company that doesn’t take safeguarding your personal information seriously? I would bet a dollar to doughnuts that you are like me and would rather have your information secured instead of being sold to the highest bidder.”
Lastly, don’t do this by yourself. You need another set of eyes. You need someone with expertise in certification assessments who can guide you through which certification is best for you—and then walk you through the process—until you are ready for the certification. You didn’t proofread your own term papers in college, or at least I hope that you didn’t. So, don’t try to “proofread” your company’s policies and procedures.
About the Author:
Wes Knight is the CISO at Needling Worldwide, LLC. His expertise has been featured on the “Cyber Hub Engage Podcast” multiple times. He is an award-winning technology executive who has been quoted on ABC and published in the Atlanta Journal-Constitution, newswire.com, digitaljournal.com, eprnews.com as well as economywatch.com. He has been the recipient of many awards at the T.E.N. and ISE® Technology Conferences. Wes is the author of the upcoming book, How to Think Like a Billion Dollar CISO. To stay up on his latest tips, please connect with Wes on LinkedIn: www.linkedin.com/in/wes-knight