As the Data Protection Officer/CISO at Thoropass, it’s my job to keep our company–and its employees–up to speed on the latest and most salient threats to our digital and data ecosystem.  Since Thoropass’s vision is to “Be the World’s Favorite Compliance and Audit Platform”, we need to improve our overall performance and assist in sustaining development initiatives. 

To accomplish this goal, we adopted a quality management system (QMS) based on the ISO 9001 standard.  In today’s cloud-based landscape, where enterprises navigate through an ever-evolving cyber ecosystem fraught with threats and vulnerabilities as well as ensuring these software-as-a-service products continue to meet customers’ expectations, the significance of implementing a quality management system (QMS) is an essential part of meeting this challenge.

Every day, we advise our customers to do their own due diligence for compliance- and security-related protocols, which sometimes includes exploring QMS. So when AWS asked us to do the same as part of achieving our Healthcare Competency badge, we knew it was time to walk the walk as a company.

Why a Quality Management System (QMS) is Important

First, understanding the nature of quality management systems is essential. A QMS serves as the framework through which an organization identifies, monitors, and improves its processes to enhance efficiency and productivity while maintaining stringent quality standards. By integrating QMS principles into the cybersecurity framework, organizations fortify their defenses against cyber threats, thereby minimizing the likelihood of breaches and data compromises.  These QMS principles include a focus on the customer, leadership, people engagement, process approach, improvement, decision-making (based on evidence), and relationship management.

Achieving a certified QMS throughout the entire company is pivotal for several reasons. It fosters a culture of quality consciousness, wherein every employee recognizes their role in upholding the organization’s reputation. From frontline staff to C-suite executives, each individual becomes an active participant in improving customer experience, bolstering the collective efficiency of the organization.

Second, a comprehensive QMS instills a deeper understanding of the organization’s mission, vision, values, and culture. Whether it’s establishing and managing processes, managing resources, analyzing or evaluating performance, or improving, learning, and innovating, effective quality management translates into tangible gains in productivity (and efficiency) while lowering costs.

Moreover, an effective QMS facilitates compliance with regulatory mandates and industry standards governing data protection and cybersecurity. In an era marked by stringent regulatory frameworks such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), adherence to compliance requirements is non-negotiable. By ensuring every employee is well-versed in QMS protocols, organizations increase their ability to meet customers’ (and regulators’) expectations with regulations and contractual obligations, mitigating the risk of penalties for non-compliance, loss of business, and reputational damage.

Furthermore, a QMS cultivates a culture of continuous improvement, wherein employees actively engage in refining existing processes to enhance efficiency and security. Through regular QMS training sessions, workshops, and simulations, organizations foster a dynamic learning environment where best practices are shared, lessons are learned from past incidents, and innovative solutions are developed to address emerging threats as well as find new opportunities to expand into new markets or attract new customers.

Additionally, a comprehensive QMS serves as a preemptive measure against insider threats, which pose a significant risk to organizational security. By educating employees on the approved QMS processes and the potential consequences of negligent or malicious actions taken against these processes, organizations can mitigate the insider threat landscape, safeguarding sensitive data and proprietary information from unauthorized access or exfiltration.

Furthermore, a QMS plays a pivotal role in enhancing incident response preparedness to meet customers’ expectations, ensuring employees are equipped with the requisite skills to respond swiftly and effectively to complaints or reports of cyber incidents. From identifying the signs of a potential breach to initiating incident response protocols and coordinating with relevant stakeholders, a well-trained workforce is instrumental in containing the impact of cyber incidents and minimizing downtime leading to an improved customer experience.

QMS Training at Thoropass

As part of our requirements to establish a QMS, we provided training to every employee to include the following topic areas:

Introduction & Overview

Our training started by providing every employee an introduction to the QMS ISO 9001 standard and the reasons we believe implementing a QMS would benefit us at Thoropass.  These benefits include clearly stating our objectives and identifying new business opportunities by assessing our overall mission and defining our impact on our customers.  Our main goal is to improve our customer experience by placing our customers first and ensuring we consistently meet their needs and expectations.  To meet this goal, we will establish more efficient processes, comply with regulatory and contractual obligations, and identify/address our risks.  We plan to enhance our reputation, expand into new markets, and attract new customers.

Continued reading

What is a GRC? A Comprehensive Guide to Governance Risk and Compliance

Comprehensive Guide to Governance Risk and Compliance

Organizational Context

As a compliance-as-a-service and auditing service organization, we must consider several factors when determining our strategic direction.  We must abide by several regulatory requirements, implement industry best practices, comply with contractual obligations, consider economics (such as our geography, resources, and competitors), and other factors (such as technology, market, cultural, social, and environment).

Leadership Commitment

No program or project will be successful unless you obtain executive management support.  Our executive management is committed to providing the highest quality  to our customers.  We are committed to being customer focused by ensuring requirements are determined, understood, and met in a consistent manner.  We consider the following relevant factors:  our products and services; our people; our organizational knowledge and technology; our partners; our processes; our place of operations; and our pricing.

Planning, Support & Operations

Planning

When planning for the QMS, we determined our risks and opportunities.  We implemented a risk management treatment plan to take actions to address risks (or opportunities) such as avoiding risks, taking risks to pursue an opportunity, eliminating (or mitigating) the risk, changing the likelihood (or consequence) of the risk, sharing the risk, or accepting the risk after being fully informed of the impacts.

Support

We determine and provide the necessary resources and assess the competencies of our employees to ensure the effectiveness of our QMS.  To enhance our engagement with people, we develop a process to share knowledge, make use of people’s competencies, establish a skills qualification system (and career planning), continually review people’s level of satisfaction, provide mentoring/coaching opportunities, and promote team improvement activities.

We recognize our organizational knowledge as an intellectual asset and manage it as an essential element to our success.  We consider technology development to have a significant impact on our performance and processes related to our product/services, marketing, competitive advantage, agility, and interactions with interested parties (like our customers).

Operations

We plan, implement, and control processes needed to meet our product and service requirements.  We establish, implement, and maintain a design and development process appropriate to ensure the subsequent provision of our products and services.

Performance Evaluation

The selection of appropriate performance indicators and monitoring methods is critical for our effective measurement and analysis.  When using performance indicators, we:  inventory all processes; select performance indicators and monitoring methods for processes; measure, analyze, and evaluate performance; and we improve processes as needed.  We identify key performance indicators (KPIs), which are factors (subject to measurement) under our control and are critical to sustaining our success.

Audit & Continuous Improvement

We perform internal audits and conduct certification reviews to ensure our QMS is implemented and maintained in an effective manner.  Our executive management team reviews our QMS to ensure it continues to be suitable, adequate, effective, and aligned with our strategic direction.

We strive to improve our products and services by considering the results of analysis, evaluations, and outputs from our management reviews to determine our needs and any opportunities for improvement.  We ensure improvements are part of our culture by empowering people to participate in and contribute to our success, providing the necessary resources, establishing a recognition system, and engaging top management in improvement activities.

Conclusion

The imperative of achieving a comprehensive QMS across the entire company cannot be overstated. In an era marked by escalating cyber threats and regulatory scrutiny, organizations must prioritize quality education as a foundational pillar of their risk management strategy. 

By cultivating a culture of customer focus, instilling a deeper understanding of objectives, fostering compliance with regulatory and contractual mandates, and improving processes, organizations can enhance their defenses and mitigate the ever-present risks inherent in the digital landscape. As cyber adversaries continue to evolve and innovate, the proactive investment in a QMS remains a critical imperative for meeting expectations and preserving development initiatives in an increasingly competitive environment.

Get the Guide

Founder’s Guide to Security and Compliance

Take security one step further, find out which frameworks are best for your business.

Get the Guide