Certifying the Quality and Information Security Management Systems of the NSO According to the International Standards ISO 9001, ISO 20252 and ISO 27001
Federico Segui
Quality Management, National Statistical Institute, Montevideo, Uruguay

In recent years, Quality Management and Information Security have been two of the most frequently addressed topics in the strategic planning of NSOs.

The Quality Management System (QMS) and the Information Security Management System (ISMS) are complementary, and they can be implemented as a single integrated Management System. This paper presents that approach as part of recent developments at the NSI of Uruguay.

Information Security is not only about confidentiality; it is also about preserving the integrity and availability of information. Risk analysis is the core of the ISMS, and it is also a very useful technique for planning and designing new statistical operations. Risk management leads organizations to be more efficient, maximizing opportunities and minimizing vulnerabilities.

The NSI of Uruguay is the only statistical agency that has obtained an ISO 20252 certificate. ISO 27001 certification is one of the NSI's goals for the coming years.

ISO certification is not essential to implement a QMS and/or an ISMS successfully, but it provides independent, audited assurance that these Management Systems are properly implemented.

The implementation plan has involved issues such as: training on quality and information security, risk management, self-assessment tools (DESAP), quality indicators based on the MERCOSUR SQI, quality reports, a Quality Policy Deployment matrix explaining how quality objectives will be reached, a Balanced Scorecard, Business Process Management Systems, process analysis through control charts of key process variables, process documentation, Quality Plans, Quality Manuals, metadata documentation (SDMX, DDI, Dublin Core), measurement of user satisfaction (user satisfaction surveys, user complaints, user feedback), internal quality audits and external certification audits.

The “Handbook on how to implement ISO 20252:2006 in the NSI” is now our main reference, and it makes the follow-up process easier.

The implementation of a QMS and an ISMS can raise some problems. These issues and their possible solutions are detailed in this paper. The pros and cons of ISO certification will be discussed during the meeting.

Keywords: Quality management system; Information security management system; Quality and information security certifications; ISO 20252, ISO 9001 and ISO 27001 certifications

Biography: Mr. Federico Segui is Chief Information Security Officer and Head of the Quality Management Unit at the National Statistical Institute of Uruguay, where he has been working since 1995. His background is in Quality Management. He also holds a degree in Computer Analysis and several postgraduate diplomas in that field.

He is in charge of the documentation of statistical operations according to international standards such as DDI and Dublin Core.

He is also responsible for the implementation and maintenance of the Quality Management System and the Information Security Management System at the NSI.

He has experience certifying Quality and Information Security Management Systems according to the international standards ISO 9001, ISO 20252 and ISO 27001.

Mr. Segui is an expert member of the MERCOSUR working group on “Total Quality in Statistics”.

He is the author of many invited, special-topic and contributed papers presented at the last four ISI World Statistics Congresses and at other international seminars.