Published on: August 30, 2022
On 25 October 2022, a new version of ISO 27001 was published – ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems. Learn more about the standard update in this blog article.
Getting certified to one or more ISO Management System Standards can be a confusing and overwhelming process, especially if this is a brand new concept for you. What exactly are the ISO Management System Standards, and why are they important for a business? Most importantly, how can a business actually get certified to an ISO Standard?
We get it, the whole ISO world sounds complex, and can seem a bit confronting. But let’s start from the beginning, and clarify all these big questions.
The International Organization for Standardization (ISO) is an independent, global body made up of an extensive network of individuals who specialise in different areas. ISO is a non-governmental organisation that forms a bridge between the public and private sectors. Founded in Geneva, Switzerland, its membership now extends to more than 160 countries.
ISO develops standards to ensure the quality, safety, sustainability and efficacy of products, services and systems. As technology and new markets continue to develop rapidly, new ISO Standards are drafted and implemented by ISO members globally. This ensures that businesses of every size, type and nature can benefit from International Standards.
It’s important to note that ISO does not actually certify businesses to ISO Management System Standards. Businesses are certified by an Accredited Conformity Assessment Body (CAB).
Essentially, an ISO Standard is an internationally proven and recognised way for a business to run its operations aligned with a particular discipline and objective. But how are ISO Standards developed?
ISO Standards are only developed once there is an identified industry need for standardisation. Experts begin working to prepare a draft, including its scope, key definitions and content. The draft is then shared with all ISO National members for review, and the approval process proceeds in several stages. Once all ISO members are satisfied with the standard, it is published and made available for the public to use and, where applicable, for businesses to work towards certification to that standard.
All ISO Standards are then reviewed approximately every five years by the relevant ISO member bodies. This could result in confirmation, revision (resulting in a new updated version published), or complete withdrawal of the standard.
There are over 24,000 ISO Standards available, each one developed to address different aspects or challenges that affect organisations globally. The standards serve as a framework to manage a variety of technical topics and processes throughout a business and achieve set goals and industry requirements.
The most widely-adopted ISO Management System Standards are:
ISO 9001:2015, ISO 45001:2018, ISO 14001:2015 and ISO 27001:2013.
Let’s briefly have a look at each of these standards:
It can be challenging to know exactly which ISO Management System Standard a business needs, as not all businesses will require the same ISO Standards.
Some businesses will need to be certified as part of contractual or regulatory requirements. This could be imposed by a client, a regulatory body, or for a government tender. In these cases, it’s easy to know which standards a business needs certification to – simply confirm with the appropriate interested party (it could be provided on a document from the requesting party, listing the standards).
If a business needs certification for any other reason, such as improving its performance in particular areas, the process is different. The business will need to analyse each standard and work out which one is the most suitable and beneficial for its particular industry and objectives. Reading and understanding the actual standards you are interested in is the best basis for making that decision.
Not only will the implementation of an ISO Management System Standard benefit a business, but the actual Certification itself will also provide businesses with a number of benefits, including:
Once a business decides which ISO Management System Standards to go with, the journey to achieving certification begins.
The business will need to define the standards required, and then purchase a copy of the chosen ISO Standards (this is an actual licensed document developed by ISO that you purchase, which contains all the requirements).
If the business already has a variety of things in place that could be used for meeting the requirements (such as established processes and policies), a gap analysis could be performed. This will determine what still needs to be done, to then plan the next steps.
The business will then need to develop all documentation required to meet the requirements of the chosen ISO Standard(s). This documentation is what the Standards refer to as a Management System, and could include business processes, policies, and software or templates to capture records, etc.
Once the documentation is developed, reviewed and published (live and ready for use), the next step is implementation.
Implementing the Management System means actually putting the system into practice. This involves coaching the team on how to use it, following the new processes, populating forms, saving records, and making sure it’s fully embedded in the day-to-day business activities.
Once the system is implemented, the business will need to conduct an Internal Audit and a Management Review, which together define how the effectiveness of the Management System will be monitored going forward.
Internal Audits are a requirement of the main ISO Management System Standards. An Internal Audit is a full review of the management system to ensure that it meets all of the ISO Standard requirements, as well as the organisation’s own requirements, before going for certification. The ISO Standards require that anyone conducting these internal audits is deemed competent. Therefore, if a business does not engage an external auditor and decides to use its own employees to conduct Internal Audits, it has to make sure these people are trained and qualified to do so.
Our Management Systems Internal Auditor training is a practical eLearning course that teaches how to conduct effective Internal Audits in accordance with the core ISO Management System Standards. In addition to a Certificate of Completion, the course includes a competency assessment (and Verification of Competency Certificate) that demonstrates that you are qualified to conduct internal audits.
Some businesses choose to get an ISO consultant to help them during the preparation process, as it can be an overwhelming task. Find out more about our consulting services here.
When the business is ready for certification, they will need to be audited by an Accredited Conformity Assessment Body (CAB) – also known as Certification Body. A CAB is an organisation that is accredited to conduct audits of businesses’ Management Systems and issue internationally recognised Certifications to the ISO Standards.
The Certification Audits are split into two stages:
If the audit finds that all business activities conform to the requirements, the CAB will issue the Certification(s) to the audited business.
Note: The Certification Audit is also commonly referred to as a Third Party Audit.
After the business has achieved Certification(s), the 3-year certification cycle begins. During this period, the Certification Body will return to conduct yearly Surveillance Audits to verify that the business’s Management System still meets the ISO Standard(s) requirements, as well as the business’s own operational requirements.
Note: The business is also required to conduct Internal Audits each year. With our Internal Auditor training, your team can become qualified to conduct these.
Now that you know what it means to be certified to an ISO Management System Standard, it’s time to decide what your next step is and your role in this journey. Are you assisting a business in achieving certification? Is it for your own business?
Brooke has a strong passion for marketing and is responsible for all our communication with our audience. She creates the content you see on our social media channels, and also works on the content on our website and blogs.