ISO 27001 and ISO 9001 have been around for a long time and are very well known, whereas comparatively, BS 10008 is the new kid on the block and relatively few organisations comply with it and even fewer have certified with the British Standards Institute (BSI). However, as more organisations understand why this standard was introduced and how it benefits them, there is a significant upward trend in its adoption.
In order to understand the difference between BS 10008 and ISO 27001/ISO 9001 it is important to first understand what the abbreviations BS and ISO refer to: BS stands for “British Standard” and ISO stands for “International Organisation for Standardisation”, not “International Standards Organisation” as some erroneously believe. With this knowledge some may conclude that an ISO standard is more important than a British Standard, but that too would be an erroneous conclusion. A brief history of the British Standard sheds some light on this matter.
The British Standards Institute (BSI) is the world’s first standards body and is famous for its Kitemark, which was released in 1903. It was a key player in the formation of other standards bodies, namely the International Organisation for Standardisation in 1947 and CEN. BSI operates in 172 countries across all continents, so it is not an organisation whose standards are solely applicable in the UK. The work of the BSI and the importance of the standards that it creates are therefore not to be undervalued. An ISO standard is created in collaboration with a group of experts from all over the world and, since the applicable audience is broad, the standard is kept quite broad to allow for differences between countries. British Standards can be more focused, as they only need to take into account the industry requirements of the UK. That said, British Standards are not so narrowly drawn that they cannot be applied in other countries; they often are. In light of this, the real question is not which of ISO and BS is more important, but which is more suitable for the application at hand.
THE STANDARDS EXPLAINED
ISO 27001 is an information management system which seeks to assure the confidentiality, integrity and availability of “information assets”. This includes electronic information but also any other information, in any format (including paper), across the whole organisation.
ISO 9001 is a quality management system which covers all areas of the business, facilities, equipment, people, training and services.
BS 10008 is a risk management and quality management system which seeks to evidence the quality and trustworthiness of electronic information by assuring its confidentiality, authenticity, integrity and availability. It applies to both scanned documents and “born” digital information. Its scope can be limited to particular information held in specified systems at the discretion of the organisation pursuing compliance.
Authenticity refers to the capture of the electronic information. It provides assurance that the electronic information captured is a “true copy” of the paper document it originated from or, in the case of information that is entered electronically (for example by means of an e-form), that the information stored is the same as the information captured.
Integrity refers to the safeguarding of stored data. It assures that the trustworthiness of the data is maintained over time and has withstood potential sources of corruption, for example server migrations, system changes, malicious attacks, user blunders, etc.
Availability refers to the user being able to view the information they need when they need it.
WHEN DOES BS 10008 APPLY?
All three standards address issues of quality to some degree, so when would an organisation choose to apply BS 10008? The answer lies in considering the scope and target of an organisation’s objective.
As business processes are rapidly being digitised, ensuring that the quality and trustworthiness of electronic information can be demonstrated and evidenced is becoming more and more crucial. This is especially so in dispute resolution, whether for business, compliance, legal or other purposes. Being able to produce electronic information as evidence without it being disputed, or being able to refute challenges to it successfully, is becoming key for many organisations.
One could try to use ISO 27001 as a framework for this purpose; restricting the scope of compliance by excluding certain information assets is possible, but it may be a challenge to justify. Because of the breadth of this standard, it would be more onerous to achieve. It also does not seek to assure the authenticity of the information asset, which is key when dealing with scanned documents.
As for ISO 9001, the quality of the electronic information could, theoretically, be included, but it would not be possible to limit the scope to electronic information, so again it is too broad to achieve without considerable effort.
So that leaves us with BS 10008. BS 10008 is specifically defined for electronic information. It could be seen as a cross between ISO 27001 and ISO 9001. An appropriate application of BS 10008 would be where:
- Scanned documents are involved and authenticity is key in demonstrating trustworthiness and data quality;
- An organisation doesn’t wish to include all information assets throughout the whole business;
- An organisation wishes to limit the scope to certain electronic information held in certain systems;
- Compliance must be achieved relatively quickly – the ability to limit the scope will accelerate the accreditation process;
- Electronic information, including that “born digital”, is kept for several years and may be produced as evidence in a dispute.
In summary, if an organisation is seeking to become either paperlight or paperless, it should give strong consideration to implementing BS 10008.
If you’d like more information on BS 10008 or any of the topics discussed above, please don’t hesitate to get in touch with me via firstname.lastname@example.org. Scandox are associate consultants of BSI.