ISO is an abbreviation heard about a lot in the security and technology field, but do you know what it really means? Today I’m on a mission to find out all I can about ISO, from our resident expert, Barry.
Hi Barry. Since you’re the ISO expert, and I really don’t know a lot about it, let’s start with the basics.
What is ISO anyway?
Hi Lucie, more than happy to oblige.
ISO is short for International Standards Organisation, which is based in Geneva. This organisation has created a set of standards against which businesses can be assessed for compliance, in order to display to the outside world that their processes, policies and management systems are comparable to those of other companies that may operate in very different industries.
There are many different standards, each covering distinctive areas such as Quality Management, Information Security, Environmental, and Health and Safety to name a few. Each of those standards contains a list of mostly common-sense items that an organisation should already be doing to manage and control itself in the specific area.
By having this ISO certification, does it force us to do things in a set way?
The standards are not prescriptive, meaning that they don’t dictate how a business must do the things required. It is also the business that decides what its processes are, so each business could comply in vastly different ways – for example, one business may decide to control documents using versioning in SharePoint, whilst another may have a single printed copy of everything current in a folder with a paper trail of change records.
So long as there is clear evidence of control, you are considered compliant in that aspect!
How did we get it?
We initially spent almost a year gearing up. This involved setting up control systems, processes and policies, setting and measuring KPIs, reviewing what we’d done by internal audit and constantly questioning and adjusting ourselves with an ever-present ethos of continual improvement.
Once we’d got to a point where we believed we were ready, two separate multi-day visits with an external auditor from a registered body were arranged. The first was to ensure that all the relevant framework points had been set up and were in use for at least several months.
This generated a report containing a list of things that needed to be corrected before the second visit, which consisted of a review of those corrective actions along with an interview to assess leadership and board level commitment to the standards.
How do we keep it?
The standards are awarded for a three-year period, with two annual surveillance audits conducted by the external auditors. These take place in the years between full recertifications, usually as a three-day exercise on or before the anniversary date each year.
Are the audits difficult?
As in any situation where you expose yourself to external scrutiny, the build-up can be stressful because, as people are involved in day-to-day business operations, human nature can introduce errors and departures from defined processes.
This can be mitigated somewhat by carrying out regular internal audits, making sure we are doing what we’ve said we would, ensuring relevant records are being kept and that staff awareness training is being conducted.
Corrective actions from the last audit are assessed, internal audits reviewed, top level management is interviewed and deskside spot checks on process-following are carried out, with any new or uncorrected non-conformances identified for correction by the next audit.
The external audit therefore ensures we are still doing what we said we would, and highlights areas that could be improved or haven’t been completed.
At the end of the three years, a further full external audit is done, including all parts of the standards.
What do the numbers 9001 and 27001 mean?
ISO 9001 is the Quality Management standard; it sets out the requirements needed for any business to show that their policies, procedures and document management systems are of a similar standard to any other business with the same accreditation.
The current version is 9001:2015 which means it was last fully updated by ISO in that year.
ISO 27001 is the standard relating to Information Security. It contains a list of over 100 items a business needs to consider, relating to physical controls, data confidentiality, integrity and availability, and requires a security policy as well as risk treatment and measurement.
Having ISO 27001 is a good indicator that a business takes Information Security seriously. Whilst not necessary, it also implies that a business is in full compliance with all legislation, including GDPR, in relation to data handling.
The current version is 27001:2013 and it is due to be updated next year to cater for the recent introduction of home working and cloud service provision.
Why choose a business that is ISO certified instead of one that isn’t?
SMS firmly believe that having both ISO 9001 and 27001 allows our customers to see that we are committed to both the quality and security of the services we provide. In a business sector where price is no longer considered a differentiator, having ISO can make a big difference. We are proud of putting in the work to achieve and uphold this certification, and feel it accurately reflects our serious commitment to data protection.