Getting certified to one or more ISO Management System Standards can be a confusing and overwhelming process, especially if this is a brand new concept for you. What exactly are the ISO Management System Standards, and why are they important for a business? Most importantly, how can a business actually get certified to an ISO Standard?

We get it, the whole ISO world sounds complex, and can seem a bit confronting. But let’s start from the beginning, and clarify all these big questions.

What is ISO?

The International Organisation of Standardisation (ISO) is an independent, global body, made up of an extensive network of individuals that specialise in different areas. ISO is a non-governmental organisation that forms a bridge between the public and private sectors. Initially founded in Geneva, Switzerland, its memberships now extend to more than 160 countries.

ISO develops standards to ensure the quality, safety, sustainability and efficacy of products, services and systems. As technology and new markets continue to rapidly develop, new ISO Standards are drafted and implemented by ISO members globally. This ensures that businesses of all size, type and nature can benefit from International Standards.

What are ISO Standards, and how are they developed?

Essentially, an ISO Standard is an internationally proven and recognised way for a business to run its operations aligned with a particular discipline and objective. But how are ISO Standards developed?

ISO Standards are only developed once there is an identified industry need for standardisation. Experts begin working to prepare a draft, including its scope, key definitions and content. The draft is then shared with all ISO National members for review, where the approval process begins in various stages. Once all ISO members are satisfied with the standard, it will be published and available for the public to use, and in some cases, for business to work towards its Certification to that Standard when applicable.

All ISO Standards are then reviewed approximately every five years by the relevant ISO member bodies. This could result in confirmation, revision (resulting in a new updated version published), or complete withdrawal of the standard.

What are the main ISO Management System Standards?

There are over 24,000 ISO Standards available, each one developed to address different aspects or challenges that affect organisations globally. The standards serve as a framework to manage a variety of technical topics and processes throughout a business and achieve set goals and industry requirements.

The most widely-adopted ISO Management System Standards are:

ISO 9001:2015, ISO 45001:2018, ISO 14001:2015 and ISO 27001:2013.

Let’s briefly have a look at each of these standards:

Business needs – Which ISO Standard is recommended?

It can be challenging to know exactly which ISO Management System Standard a business needs, as not all businesses will require the same ISO Standards.

Some businesses will need to be certified as part of contractual or regulatory requirements. This could be imposed by a client, a regulatory body, or for a government tender. In these cases, it’s easy to know which standards a business needs certification to – simply confirm with the appropriate interested party (it could be provided on a document from the requesting party, listing the standards).

If a business needs certification for any other reason, such as business improvement in particular areas, it will then be a different process. The business will need to analyse each standard, and figure out the most suitable and beneficial one for their particular industry to meet the desired objectives. Reading and understanding the actual standards you are interested in will help you understand more to make such a decision.

How can ISO Standards actually help a business?

Not only will the implementation of an ISO Management System Standard benefit a business, but the actual Certification itself will also provide businesses with a number of benefits, including:

How to become Certified to one or more ISO Standards

Once a business decides which ISO Management System Standards to go with, the journey to achieving certification begins.

The entire Certification process can be summarised as follows:

The business will need to define the standards required, and then purchase a copy of the chosen ISO Standards (this is an actual licensed document developed by ISO that you purchase, which contains all the requirements).

If the business already has a variety of things in place that could be used for meeting the requirements (such as established processes and policies), a gap analysis could be performed. This will determine what still needs to be done, to then plan the next steps.

The business will then need to develop all documentation required to meet the requirements of the chosen ISO Standard(s). This documentation is what the Standards refer to as a Management System, and could include business processes, policies, and software or templates to capture records, etc.

Once the documentation is developed, reviewed and published (live and ready for use), the next step is implementation.

Implementing the Management System means actually putting the system into practice. This involves coaching the team on how to use it, following the new processes, populating forms, saving records, and making sure it’s fully embedded in the day-to-day business activities.

Once the system is implemented, the business will need to conduct an Internal Audit and a Management Review, to define the strategy moving forward for the monitoring of the effectiveness of its Management System.

Internal Audits are a requirement of the main ISO Management System Standards. An Internal Audit is a full review of the management system to ensure that it has met all of the ISO Standard requirements, as well as the organisation’s own requirements, before going for certification. The ISO Standards require that an auditor has to be deemed competent to conduct these internal audits. Therefore, if a business does not engage an external auditor, and decides to use its internal resources (employees) to conduct these Internal Audits, they have to make sure these people are trained and qualified to do so.

Our Management Systems Internal Auditor training is a practical eLearning course that teaches how to conduct effective Internal Audits in accordance with the core ISO Management System Standards. In addition to a Certificate of Completion, included in the course is also a competency assessment (and Verification of Competency Certificate) that will demonstrate that your are qualified to conduct internal audits.

When the business is ready for certification, they will need to be audited by an Accredited Conformity Assessment Body (CAB) – also known as Certification Body. A CAB is an organisation that is accredited to conduct audits of businesses’ Management Systems and issue internationally recognised Certifications to the ISO Standards.

The Certification Audits are split into two stages:

If all business activities prove to conform according to the requirements, the CAB will issue the Certification(s) to the audited business.

Note: The Certification Audit is also commonly referred to as a Third Party Audit.

After the business has achieved Certification(s), the 3-year certification cycle begins. During this period, the Certification Body will return to conduct yearly Surveillance Audits to verify that the Business Management System is still meeting the ISO Standard(s) requirements, as well as their own operational requirements.

Note: The business is also required to conduct Internal Audits each year. With our Internal Auditor training, your team can become qualified to conduct these.

Download a summary of the entire Certification process below!

Get your FREE Certification Process Diagram today!

Now that you know what it means to be certified to an ISO Management System Standard, it’s time to decide what your next step is and your role in this journey. Are you assisting a business in achieving certification? Is it for your own business?

The post What Exactly is Certification to ISO Standards? appeared first on ICExperts Academy.

In a hyper-connected digital world, the threat of data breaches and cyber attacks has become incontestable. According to the Australian Cyber Security Centre’s latest report, one cybercrime is reported in Australia every eight minutes, a 13% increase from the previous year. Self-reported losses total more than $33 billion, but the actual figure is likely higher due to under-reporting.

Consumers are increasingly concerned with how companies use and store their data. At the same time, businesses struggle to find effective ways to protect private information and sensitive data, an even more significant concern as more people are working remotely and challenging information security best practices. As cybercriminals become more sophisticated, many specialists say that it’s not a case of if but when a cyber attack or a data breach will occur. How, then, can a business protect its data?

The easy answer seems to be to invest in a good anti-virus software or some other type of privacy protection tool. However, software may not be enough without promoting a culture of information security within the organisation, and that’s why the Information Security Management System (ISMS) Standard, ISO 27001:2013, has become such a popular framework in the past few years.

Whether a company offers technology-based solutions to clients, or if the products and services are technology-light or non-existent, they are likely to deal with personal information from consumers and other stakeholders, as well as commercially sensitive information. Hence, implementing a Management System for Information Security will benefit organisations in any industry.

Continue reading to learn more about ISO 27001:2013 and have the most common questions about this standard answered.

What is ISO 27001:2013?

By definition, the ISO 27001:2013 Standard specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the organisation’s context. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the business.

Similar to other ISO Management System Standards, the requirements outlined in the document are generic and applicable to organisations of all types, sizes and industries.

The core aspects of ISO 27001:2013 are:

These aspects must be maintained by applying a risk management process, giving confidence to interested parties that risks are adequately managed.

If you’re new to ISO Management Systems, you may expect the standard to provide strictly technical guidelines for the Information Security Management System. However, rather than specifying software requirements, ISO 27001:2013 is a framework for a strategic approach to Information Security. This will become more evident as we go through the standard’s benefits and overarching clauses below.

What are the benefits of ISO 27001:2013?

Information Security is an essential component to the successful operation of any business in an increasingly connected world. By ensuring data and confidential information is protected, implementing and achieving certification to ISO 27001:2013 will help businesses:

What are the ISO 27001:2013 Information Security Management System requirements?

The ISO 27001:2013 standard comprises 11 clauses (0 to 10), as detailed below:

Clause 4: Context of the organisation – This requires an organisation to understand the needs and expectations of interested parties and determine the scope of the organisation’s Information Security Management System. It is crucial to clarify what areas of the business are covered by the ISMS. It also comprises how the organisation implements, maintains and continually improves the Information Security Management System.

Clause 5: Leadership – Emphasises how top management should support and demonstrate commitment to the Information Security Management System, including establishing an Information Security Policy and ensuring roles, responsibilities, and authorities are clear within the information security context.

Clause 6: Planning – Requires an organisation to determine actions to address risks and opportunities to ensure the Information Security Management System can achieve goals such as preventing and reducing risks and promoting continual improvement. It also states the organisation shall implement measurable and relevant ways to evaluate the effectiveness of these actions. The organisation must keep documentation about their information security objectives and determine what will be done, project timelines, roles and responsibilities and how they will evaluate results.

Clause 7: Support – To support the establishment, implementation, maintenance and continual improvement of the Information Security Management System, the organisation must promote awareness through clear communication and provide employees with the necessary resources to create, update and control the ISMS.

Clause 8: Operation – To meet this requirement, the business must plan, implement and control information security processes. The organisation shall keep documented information to ensure that the processes have been carried out as planned. Performing an information security risk assessment and treatment plans are also mandatory.

Clause 9: Performance evaluation – The organisation needs to assess its information security performance and effectiveness, determining what needs to be monitored and measured, when, which methods will be used, and who will perform the ISMS evaluation and analysis. Internal audits are also requested within this clause, as well as top management action to review the Information Security Management System and ensure its continuing suitability, adequacy and effectiveness.

Clause 10: Improvement – Following up on the evaluation, the organisation shall continually improve the suitability, adequacy and effectiveness of the Information Security Management System by taking corrective action (and eliminating the causes) in case a nonconformity to the Standard or to business processes is identified.

Annex A is also an essential component of ISO 27001:2013. This second part of the Standard comprises a list of 114 controls, organised in 14 sections. These are used to support the implementation of ISO 27001:2013’s requirements as part of the risk management process. The controls to be implemented should be selected based on the risk treatment options that are decided on for the organisation’s risks that are identified (as a result of the Information Security Risk Assessment).

What is the ISO 27000 Family of Standards?

ISO 27001:2013 is part of a wider set of standards, the ISO 27000 series. Published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), the 27000 family comprises over a dozen Standards, as well as Guidelines, Specifications and Codes of Practice. Among them, there are six fundamental elements that will be a good starting point when implementing an Information Security Management System (ISMS):

Accredited Certification can be achieved to ISO 27001:2013.

A tender requirement or client contract may also determine that the organisation needs to implement one or more specific controls from codes of practices such as ISO 27017:2015 (contains additional cloud-based risk controls) and ISO 27018:2019 (guidelines to the protection of personally identifiable information). In these cases, the business can also ask the certification body to assess its ISMS against the requirements and get a “verification of conformity” (in conjunction with their Accredited Certification to ISO 27001:2013).

ISO 27002:2013 is a guidance document that supports the implementation of the requirements of ISO 27001:2013 Information Security Management Systems. The new version of this standard was published just recently, in February 2022. You can find out more about what changed here.

Where to start with implementing the requirements of the ISO 27001:2013 Standard?

Interpreting the requirements and matching them with the business’ context and needs can be an overwhelming task. Getting help from an ISO Management System Consultant can assist, resulting in a more effectively implemented system that will work for the business, and lower the risk of failing the Certification Audits. Regardless of whether an organisation will implement the standard by itself or with the help of a professional consultant, the business must have a copy of the Standard document so the team can get familiar with the requirements.

Elements such as the size of the organisation, complexity of its operations, and systems that are currently in place will impact costs and timeframes when implementing the Business Management System. After successfully doing so, the business can go for the Certification Audits with an Accredited Conformity Assessment Body (click here to read more about the certification process).

From a strategic planning perspective, the business can benefit from qualifying the team who will be conducting internal audits of the Business Management System, as this will be a requirement to achieve and maintain certification to ISO 27001:2013.

Check out our practical Management System Internal Auditor Training as an option to train your team to conduct effective Internal Audits in accordance with the main ISO Management System Standards, including ISO 27001:2013.

The post What is ISO 27001:2013? Understand the Information Security Standard appeared first on ICExperts Academy.