ISO 9001, Risk Based Thinking, and Cybersecurity: A Case Study

Case Study: ISO 9001 and the E-Plan Cutover

This case study concerns two companies after an acquisition. The first company, Aardvark, acquired Cheap and Easy Supply (CES). Together they formed a new company called ACES. After the acquisition, management wanted to standardize processes across both of the former companies' sites. Standardization proved more difficult than anyone first anticipated.

Before the acquisition, CES ran its factory on a home-grown system called E-Plan. It was perfectly suited to everything CES needed, but it would have struggled to handle Aardvark's processes. Further complicating matters, the developer of E-Plan had retired and only two remaining people understood its inner workings. E-Plan had served CES well, but these facts made it look like a poor choice as the system for ACES.

Convinced that Aardvark's commercial system was the best way to reduce the risks of hacking, information-security incidents, and system downtime, Aardvark's IT group persuaded management to move CES onto it. Several good developers were on contract who could add whatever CES needed to run its factory. This let IT run the project from Aardvark's offices, meeting frequently via Skype with the CES team to prepare for cutover. With the IT group's assurances, management moved forward with the migration.


Can you see it coming?

When cutover day came, it was utter chaos for CES. Even though tests had been run and managers had signed off on the plans, CES was shut down for two full weeks by the problems that surfaced. In the midst of this chaos, CES had also just taken on a new major account. As orders rushed in, there was no way to push them through the factory. When the chaos subsided, CES gradually limped back to life, but recovery was tougher than anyone had imagined.

The next surveillance audit of CES by its certification body (CB) took place nine months later. Running on Aardvark's commercial system, CES looked like a totally different company to the auditors. Below are some of the setbacks the migration to Aardvark's commercial system caused:

  • OTD: On time delivery dropped to 75% versus a previous rate of 95% or better.

  • Inventory: Parts were jammed into every available space. Simply finding what was needed for an order caused big delays, not to mention the potential for mixed or damaged product.

  • Decisions: Managers had only a fraction of the visibility they used to have of operations. This caused decisions to be slow and often based on best guesses.

  • Costs: Forced overtime led to turnover, which added the cost of recruiting and training replacements. Expedited orders added still more unexpected cost. Warranty costs were projected to rise in the coming months as well.

The CB's audit report looked nothing like those of previous years. The usual two or three minor documentation issues were replaced by a string of major and minor nonconformities related to project planning, inventory management, failure to meet many objectives (with no firm recovery plan), and poor handling of customer complaints.

These nonconformities put the ACES ISO 9001 certification at risk. No one had expected what seemed like a simple IT project to cause so much damage. What could the Quality group even have done to avoid this chaos? It was clearly an IT project that went wrong, and IT wasn't even within the scope of the certification audit. The Quality Manager blamed Aardvark's IT department, yet IT had no stake in the factory's success.

What can we learn from the problems at ACES?

Think about what ISO 9001:2015 asks of your business. Among other things, changes to the quality management system are to be carried out in a planned manner, considering their purpose and potential consequences (6.3). That means all kinds of changes, not just changes to products or production methods.

When Quality professionals guide our colleagues to look at risks, we can't stop with the factory, products, services, and suppliers. We have to broaden the list of issues to include, among other things, the availability, confidentiality, and integrity of the data and computer systems we rely on every day.

This case study shows that ACES pushed an IT project through without fully considering risks and contingency plans as Clause 6 of ISO 9001:2015 requires. Fully applying the requirements of ISO 9001 could have prevented many of the problems that ended up hurting customers.


Most management systems that I'm familiar with leave everything computer-related to the IT folks and keep IT entirely outside the ISO 9001 certificate. As the ACES case shows, serving our customers on time and on budget depends on having the information we need, when and where we need it. Even if IT is outside the ISO 9001 certified system, the QMS needs to consider the risks related to data availability and cybersecurity.

Although ISO 9001 never names cybersecurity as such (7.5.3 does require documented information to be protected from loss of confidentiality and loss of integrity), it is a risk you should consider when looking at your business as a whole. ACES was shut down by poor project execution in this case study, but data loss or a security breach could just as easily have had the same impact on customers.

While ISO 9001 isn't the answer for much of what goes on in IT, a related standard, ISO 27001 (information security management systems), should already be on the radar of your IT professionals. Quality professionals can and should be instrumental in leading the organization to adopt this standard as part of the overall risk identification and mitigation process, or at least to consider some of its important requirements.

Whether you’re in Quality, IT, or another area of management, you should be asking this question:

How has your company considered risks to your information and the systems that process it?


The DESARA Group supports clients in implementing and using standards like ISO 9001 and ISO 27001 to achieve business goals. We offer training, internal audit services, and implementation consulting. Watch for our webinars and articles to learn more about key concepts that can help your business.