Guide to ISO Certification and ISO Compliance

Published/Updated August 25, 2022

Introduction

The International Organization for Standardization (ISO) was established in 1947 to develop quality standards for businesses worldwide. Today, ISO members from 164 countries have produced some 22,700 requirements, specifications, guidelines, and characteristics governing quality assurance for nearly every type of business and technology.

Compliance with ISO standards is voluntary, as is ISO certification. But the organization and its standards are so highly regarded today that ISO certification has become the norm – a seal of approval that says, “This business cares about quality.” So not having the pertinent ISO certification could cost you business from customers.

There are other, perhaps less-tangible benefits of ISO conformance, too; among them:

  • Improved quality management
  • Better information security
  • A more environmentally sustainable business
  • Increased customer satisfaction
  • Improved occupational health and safety

Rigorously developed, these international standards are designed to assure that the materials and products businesses produce are safe to use and of high quality. If you ignore ISO, you risk customer satisfaction, employee safety, and fines or litigation for your enterprise.

Which Set of Standards is Right for My Organization?

ISO has published hundreds of frameworks establishing standards in various sectors and industries, including service, environment and industry, technology, and health and medical. Every business will comply with different frameworks depending on its situation and sector.

Some ISO frameworks are particular. For example, ISO 34101-1:2019 sets standards for the cocoa bean industry; ISO/IEC 80079-34 governs manufacturing in explosive atmospheres.

Other ISO publications are more general. For example, ISO 14001 serves as a guide to developing an effective environmental management system, and can be helpful for any organization. ISO 9001 does the same for quality management systems.

How to Use This Guide

No single guide could discuss all the ISO frameworks. Instead, to help you understand ISO compliance, why it matters, and how to obtain ISO certification, this guide will focus on two of the most common ISO frameworks: ISO 9000/9001 for quality management and ISO 27001/27002 for managing information security.

Each section of this guide addresses a different aspect of ISO compliance by providing answers to some of the most common questions regarding the framework.

You can read the entire guide, or consult only the sections applicable to your organization’s needs. Or jump to the end to learn how to jump-start your compliance game with greater efficiency than the system you’re using now – especially if that system involves old-fashioned spreadsheets.

What Is ISO? Definition and Background

ISO stands for the International Organization for Standardization. Headquartered in Geneva, Switzerland, ISO comprises members from 164 nations who develop and produce publications that guide organizations of nearly every kind to achieve the highest quality standards in their processes and products.

ISO’s development began in 1946 when 65 delegates from 25 countries met in London to discuss the need for international standards and development. The following year, the organization had its first meeting of 67 technical committees or groups of experts, each focusing on a different subject.

The organization published its first standard, or “recommendation,” in 1951 (a standard for measuring length in industrial manufacturing). Over time, ISO grew in membership and influence, becoming noted for its standards establishing an International System of Units (establishing the second as the official unit of time, for instance), governing freight and packaging, and addressing environmental quality.

Although there are more than 22,700 ISO standards for different industries today (and counting), a few stand out as essential and influential:

  • The best-selling ISO 9000 family governs quality management systems (QMS). ISO 9001 is the only standard in this group eligible for certification.
  • ISO 14001 helps companies and organizations to identify and control their environmental impact.
  • The ISO 27000 family of information security standards, including ISO/IEC 27001, governs information security management systems (ISMS).

ISO Compliance vs. ISO Certification: What's the Difference?

The difference between ISO compliance and ISO certification comes down to audits.

ISO certification requires an external audit by an independent professional accredited by the Committee on Conformity Assessment (CASCO). Mere ISO compliance does not require this audit.

Both ISO compliance and ISO certification are voluntary; they aren’t regulations. Rather, they are recommendations. That said, some organizations, such as manufacturers, may require their third-party suppliers to be ISO-certified to assure the quality of their goods, services, and processes and the security of their information, systems, and networks.

The benefits of certification include international recognition, and in many industries, the ability to do business at all.

Some organizations – particularly smaller ones with smaller budgets – may opt out of the cost and preparation time needed to pass the audit required for certification. They may decide that compliance is good enough, and forgo the added expense of certification.

Two of the most popular ISO certifications include:

  • ISO 9001:2015, the international standard for quality management systems (QMS). This standard promotes a process approach to management, examining more than 20 processes.
  • ISO 27001:2013 is the international standard for information security management systems (ISMS).

The pros and cons of ISO certification vs. ISO compliance include:

  1. EXPENSE

    • Compliance. By choosing compliance only, your organization can forgo the costs associated with third-party ISO certification audits, which take place every three years, as well as registration and off-year “surveillance” audits. You also avoid paying the fees for continuous improvements to your QMS or ISMS. On the other hand, organizations that opt out of certification may lose business and revenue.
    • Certification. Third-party certification audits, registration, and surveillance audits can be costly. Since audits tend to be priced according to the number of employees, however, smaller businesses won’t pay as much for them as larger ones.
  2. TIME

    • Compliance. Depending on the ISO standard and the size and complexity of your organization, ISO compliance can take a few months to several years.
    • Certification. Achieving ISO certification requires the same processes as compliance, plus added time to prepare for and pass an audit. For ISO 27001, the audit is quite lengthy, taking place in two stages.
  3. MARKETING

    • Compliance. Organizations that are merely compliant have the satisfaction of knowing they meet the relevant standards but lack the marketing clout that certified companies possess.
    • Certification. Those achieving a coveted ISO certification can trumpet their status on their website and in other marketing materials, claiming an edge over uncertified competitors.
  4. MAINTENANCE

    • Compliance. Enterprises can achieve compliance with an ISO standard and move on to other tasks without demonstrating ongoing compliance or passing yearly surveillance audits.
    • Certification. Certification requires passing a re-certification audit every three years, while annual, less-intensive surveillance audits assure that you continue to meet the relevant ISO standards and strive for continual improvement in your enterprise’s processes.

What Are the Different Types of ISO Standards?

There are more than 22,600 different types of ISO standards for many industries. Some of the most common are:

  • ISO 9001:2015, the standard for general organizational Quality Management Systems (QMS), including vendor management. ISO also has QMS standards for specific industries.
  • ISO 27001:2013, the standard for Information Security Management Systems (ISMS).
  • ISO 14001:2015, the standard for Environmental Management Systems.

These standards can apply to any organization, large or small.

Many other ISO standards were written for a particular industry. Shipping, manufacturing, medical, technology, rail, even cocoa bean production: these industries and others have their own specific ISO standards.

ISO standards include:

Quality

  • ISO 10004:2012 Customer satisfaction
  • ISO 10006:2017 Projects
  • ISO 13485:2016 Medical devices
  • ISO/TS 16949:2009 Automotive
  • ISO 17582:2014 Electoral organizations
  • ISO 18091 Local government
  • ISO 19443:2018 Nuclear energy
  • ISO 20001 Educational organizations
  • ISO/TS 22163:2017 Business management system requirements for rail organizations
  • ISO/TS 29001 Petroleum, petrochemical, and natural gas industries
  • ISO/IEC 90003 Software engineering

Industry

  • ISO 14298:2013 Graphic technology – Management of security printing processes
  • ISO 15378:2017 Primary packaging materials for medicinal products
  • ISO 16000-40 Indoor air
  • ISO 34101-1 Sustainable and traceable cocoa

Environment and energy

  • ISO 14002-1 Environmental management systems – A guide for applying the 14001 framework
  • ISO 14004:2016 Environmental management systems – General guidelines on implementation
  • ISO 14005:2010 Environmental management systems – Guidelines for phased implementation
  • ISO 14006:2011 Environmental management systems – Guidelines for incorporating ecodesign
  • ISO 14009 Environmental management systems – Guidelines for incorporating redesign of products and components to improve material circulation
  • ISO 50001:2018 Energy management systems
  • ISO 50004:2014 Energy management systems – Guidelines for implementation, maintenance, and improvement

Services

  • ISO 21101:2014 Adventure tourism safety management
  • ISO 21404:2018 Tourism and related services: Sustainability management system for accommodation establishments
  • ISO 24526 Water efficiency
  • ISO 20121:2012 Event sustainability
  • ISO/IEC 20000-1:2011 Information technology – Service management

General management

  • ISO 19600:2014 Compliance management systems
  • ISO 26000 Social responsibility
  • ISO 30301:2011 Information and documentation
  • ISO 30401 Human resource
  • ISO 31000 Risk management
  • ISO 37001:2016 Anti-bribery
  • ISO 37002 Whistleblowing
  • ISO 37101:2016 Sustainable development in communities
  • ISO 37301 Compliance management
  • ISO 41001 Facility management
  • ISO 44001:2017 Collaborative business relationship management
  • ISO 44002 Guidelines on the implementation of ISO 44001
  • ISO 55001:2014 Asset management
  • ISO 55002:2014 Guidelines for the application of ISO 55001
  • ISO 56002 Innovation management

Safety and security

  • ISO 22000 Food safety management systems
  • ISO 22004:2014 Guidance on the application of ISO 22000
  • ISO 10377:2013 Consumer product safety
  • ISO 10393:2013 Consumer product recall
  • ISO 18788:2015 Private security operations
  • ISO 22301:2012 Societal security – Business continuity management systems
  • ISO 24518:2015 Crisis management of water utilities
  • ISO 28007-1:2015 Ships and marine technology
  • ISO 29001:2012 Road traffic safety
  • ISO/DIS 45001 Occupational health and safety
  • ISO/IEC 80079-34:2011 Explosive atmospheres
  • ISO/NP 35001 Laboratory biorisk
  • ISO/TS 34700:2016 Animal welfare management

Information technology

  • ISO/IEC 20000-1 Service management Part 1
  • ISO/IEC 20000-2 Service management Part 2
  • ISO/IEC 27003:2017 Security techniques
  • ISO/IEC 20000-1 Enhancement to ISO/IEC 27001 for privacy management
  • ISO/IEC 27010:2015 Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27013:2015 Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • ISO/IEC 90003:2014 Software engineering
  • ISO/IEC DIS 19770-1 IT asset management

What Are ISO Frameworks and Controls?

The International Organization for Standardization (ISO) has developed a variety of frameworks designed to help organizations better manage their business in areas including:

  • Quality
  • Safety
  • IT security
  • Environmental impacts
  • Assets
  • Business risk

Framework vs. Standard

A framework is defined as a basic structure underlying a system, concept, or text. In business, frameworks provide a structure for organizations to improve their processes or operations. Frameworks are typically general rather than prescriptive. They tell what to do, but not how.

Most business and IT frameworks serve to mitigate risks and support internal controls. These processes, however, must also accommodate risk measures, financial reporting, and revenue performance.

There are various types of frameworks:

  • Quality frameworks provide a structure for designing, establishing, and maintaining quality management systems.
  • Control frameworks are sets of fundamental controls aimed at preventing financial or information loss.
  • Program frameworks help build, assess, improve, and maintain programs.
  • Risk frameworks guide organizations through the process steps necessary to manage risk and reduce risk levels.
  • Cybersecurity or information security frameworks are designed to help reduce exposure to cyberattacks.

Standards, on the other hand, are governance best practices used by various companies. Standards may include guidelines, regulations, frameworks, models, processes, and internal controls for managing business and IT functions.

Standards define mandatory requirements for business and IT audit and assurance. They inform audit and assurance professionals of the minimum acceptable performance level required to meet professional responsibilities, and direct how to meet these requirements.

The International Organization for Standardization creates and publishes international standards, defined as “documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes, and services are fit for their purpose.”

Because ISO strives to standardize business processes and procedures worldwide, it has published more than 22,700 standards. For instance, the ISO 9001 standard contains guidelines for establishing and maintaining a quality management system (QMS).

The ISO/IEC 27000 family of standards is designed to help organizations manage the security of assets, including financial information, intellectual property, employee details, or information entrusted to you by third parties. ISO sets standards by which to manage information security management systems (ISMS). The ISO 27000 family includes:

  • ISO 27000: Information security management systems overview and vocabulary
  • ISO 27001: Information security management systems requirements
  • ISO 27002: Guidance on applying the ISO 27001 controls
  • ISO 27005: Conducting an information security risk assessment
  • ISO 27015: Information security management for financial services
  • ISO 27017: Cloud services information security controls
  • ISO 27031: Information and communication technology readiness for business continuity
  • ISO 27032: Cybersecurity best practices

Many frameworks and standards specify “controls,” or countermeasures or safeguards to minimize organizational risk. For example, ISO 27001 includes controls to help protect the confidentiality, integrity, and availability of data in an information security management system.

What Are Quality Management Principles?

Quality Management Principles (QMPs) form the basis of ISO 9000 and 9001 and other quality management standards developed by the International Organization for Standardization (ISO). These principles can help manage a quality management system (QMS).

The Seven Quality Management Principles

  1. Customer focus. The primary focus of quality management is to meet customer requirements and strive to exceed customer expectations.
  2. Leadership. Leaders at all levels establish unity of purpose and direction and create the conditions in which people are engaged in achieving the organization’s quality objectives.
  3. Engagement of people. Competent, empowered, and engaged people at all levels throughout the organization are essential to enhancing its capability to create and deliver value.
  4. Process approach. Consistent and predictable results are achieved more efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
  5. Continuous improvement. Successful organizations have an ongoing focus on improvement.
  6. Evidence-based decision making. Decisions based on analyzing and evaluating data and information are more likely to produce desired results.
  7. Relationship management. For sustained success, an organization manages its relationships with stakeholders, such as customers and suppliers.

Why Is ISO Certification Important?

For many organizations, achieving ISO certification demonstrates that they have met ISO standards and are committed to ongoing, continuous compliance with the international business standard or standards relevant to them.

ISO certification, like compliance, is voluntary. Not every ISO standard is eligible for certification, and ISO itself doesn’t directly provide certifications. Certification must be issued by an independent, third-party auditor accredited by ISO’s Committee on Conformity Assessment (CASCO). The ISO website lists 10 standards available for certification:

  1. ISO 9001, a standard for general organizational quality management systems (QMS)
  2. ISO 14001, a guide to developing an effective environmental management system
  3. ISO/IEC 27001, information security management systems (ISMS)
  4. ISO 50001, energy management systems
  5. ISO 22000, food safety management systems
  6. ISO 13485, medical devices
  7. ISO 22301, business continuity management systems
  8. ISO 20000, information technology service management systems
  9. ISO 28000, security management systems
  10. ISO 39001, road traffic safety management systems

What Are the Benefits of ISO Certification?

The benefits are many, such as:

  • Increased credibility and international recognition
  • Potentially increased revenue and competitive advantage
  • Demonstration that the entity maintains a culture of security and assurance, to keep confidential information (and the exchange of information) secure
  • More efficient processes
  • Greater consistency of business operations
  • Enhanced customer satisfaction
  • Demonstrated commitment to minimizing risk exposure
  • Increased productivity
  • Better quality of goods and services offered
  • Increased protection of the company and its assets and shareholders
  • Ability to use certification to promote the business

Taking the steps necessary to achieve ISO certification can help your organization comply with other regulations.

Although industry and business compliance with ISO is widespread, not every organization pursues certification. Some opt out of what can be a costly and time-consuming certification process.

These organizations, however, may be losing some of the benefits that certification confers. Mere compliance, akin to self-assessment, does not compare to a “seal of approval” from an independent, accredited third-party auditor or assessor.

Does Your Company Need ISO Certification?

Certification that your company complies with International Organization for Standardization criteria is a matter of want, not need. For most industries, certification is voluntary. That said, some specific organizations do need to be certified to do business. To determine whether you are one of them, ask these questions:

  • Is ISO certification required for my industry or business? Different ISO standards apply to various industries, but rules vary among sectors. For example, ISO 9001 quality management system certification is required for automotive industry suppliers.
  • Are your competitors ISO certified? If they are but you aren’t, your business could suffer.
  • Do you conduct business internationally or wish to? ISO standards are international standards, highly respected around the globe.
  • Are your customers and clients concerned about data security and privacy? Attaining an ISO 27001 certification verifies that you are committed to protecting their confidential information.
  • Are you contractually obligated to maintain certification for an ISO standard or standards?

This list makes it easy to see why ISO certification is a must for many organizations. Although some organizations opt out of expensive certification audits and are content to reach ISO compliance, many others need certification to be competitive. It’s expected in their industry. Others have clients or customers who demand certification as a condition of doing business.

And even if you don’t need it, the many benefits of ISO certification – international recognition, customer confidence, robust processes, insightful third-party audits, proven commitment to maintaining the highest standards in your industry or sector – may convince you to pursue it anyway.

The International Organization for Standardization (ISO) embarked on the development of these standards in 1947 to establish consistency and quality of goods and services worldwide. Proving that you are committed to meeting ISO standards shows you as a member of an internationally respected group.

Which Industries Require ISO 9001 Certification?

ISO 9001 offers a framework and set of principles for managing your business with common sense and satisfying consumers and other stakeholders. ISO 9001 certification lays the groundwork for providing an efficient good or service.

All quality management system (QMS) implementations and ISO 9001 audits share the same business goal: lower risk and raise quality. Various industries require ISO 9001 certification.

Construction

Quality, safety, time, and financial constraints are frequently pitted against one another in the construction sector. ISO standards hold businesses, stakeholders, and third-party investors accountable for meeting the international standards.

Engineering

All engineers must be accurate and uphold a reputation for reliability among prospective contractors. In addition, the success of engineers will depend on their ability to repeat and scale their performance to meet the needs of different clients and circumstances.

Technology Services

Businesses providing IT systems, cloud-based software, and digital support have rapidly increased with a surge in demand for tech-based services. Processes in the technology industry are continuously maturing to respond to increased demands. Those two forces drive demand for a tangible, demonstrable commitment to quality.

Community Services

Quality management systems are advantageous for community-focused activities. The tenets of ISO 9001, such as employee involvement and a methodical management style, are beneficial for exhibiting credibility.

Health

It is impossible to overestimate the healthcare sector’s role in the community; we all depend on high-quality and reliable services daily. So the commitment to quality that ISO 9001 demonstrates is hugely important here.

How Much Does ISO Certification Cost?

The cost of ISO certification depends on several factors, including the organization’s size, complexity, and maturity level. Organizations that are larger and more complex, or those with immature procedures and process documentation, typically face higher costs.

For example, estimates range from $3,100 for a small business (up to 25 employees) with a mature system, to $75,000 or more for a large enterprise (500-1,000 employees) with no system in place.

Factors to consider when drawing up your ISO certification budget include:

  • Internal resource costs. The internal team designated to oversee ISO compliance and certification will spend time away from their other duties performing ISO-related tasks, including:
    • Establishing or improving your QMS, ISMS, or other pertinent systems
    • Implementing the system
    • Performing a gap analysis and risk analysis as needed
    • Conducting internal audits to determine compliance with ISO
    • Ongoing system maintenance
    • Employee training
  • External resource costs. Hiring consultants and an ISO-certified auditor accredited by ISO’s Committee on Conformity Assessment (CASCO) will incur additional charges, depending on the scope of your ISO system implementation and assessment. Those costs include:
    • Implementation costs
    • The cost of a registrar to oversee your ISO application and audit
    • Re-certification audit fees (once every three years)
    • Annual surveillance audit fees to confirm ongoing ISO compliance

How to Get ISO Certification

The ISO certification process can be lengthy, taking as long as three years for organizations to prepare for that first ISO audit. Still, the process is essential for any organization planning to apply for ISO certification. Preparation is a must to ensure a successful audit. ISO recommends a process-oriented “Plan, Do, Check, Act” approach.

  1. PLAN: Planning and Preparation

    • Identify the relevant management system for your enterprise. Which ISO standard or standards will you be certifying? ISO 9001, governing quality management systems (QMS), and ISO 27001, setting standards for information security management systems (ISMS), are the most popular.

    For this step, you will need to document your business objectives and processes that are relevant to the standards for which you are pursuing certification. Value stream mapping, systems architecture mapping, and the ISO standard can help. Designate a team of employees and senior management to oversee the ISO certification initiative, and a lead person to direct the process. Checklists help to assure nothing gets missed.

    • Analyze your gaps by studying the ISO standard you have chosen. Figure out where you comply and where you fall short. For this step, you may wish to work with an ISO consultant.
    • Conduct a risk analysis of your processes and decide how to mitigate or minimize those issues you find.
    • Train your personnel and make sure that everyone is familiar with the ISO standard or (if you’re renewing certification) with updates to the existing standard.
  2. DO: Systems and ISO implementation

    • Implement your new or updated system. This can happen in-house, or you may work with a consultant.
    • Train employees on how to use the system.
  3. CHECK: Testing

    • Perform testing to assure that the system works as it should, following the proper ISO standard.
    • Ongoing internal audits verify that processes are being followed consistently and are yielding the expected results.
  4. ACT: Closing compliance gaps

    • Make changes where needed to bring your organization into compliance.
    • Document everything, from the first step through the last.
  5. AUDIT: Getting your certification

    • Choose an ISO-certified company to work with. This company consists of a registrar, an independent third-party assessor, and other personnel to help with the certification process. Make sure to find a company accredited by ISO’s Committee on Conformity Assessment (CASCO); otherwise your audit will not be valid.

    The certification company may also provide you with an ISO certification kit that can be helpful as you prepare for your audit.

    • Gather your documents. You need to provide evidence to the auditor of your compliance efforts. Reciprocity’s ISO audit guide contains a checklist.

Two Birds, One Stone

Because ISO certification applies to standards for general management – of quality, information security, information technology, food safety, and business continuity, among other categories – enterprises often need more than one ISO certification.

The good news is that ISO 9001, governing quality management systems (QMS), can usually be integrated with other management standards to streamline the ISO certification process. In addition, quality GRC software may tell you where you already conform to ISO standards to avoid costly and time-consuming duplication of efforts.

How to Be ISO Compliant

The “Plan, Do, Check, Act” steps needed to achieve ISO certification are essentially the same as those required for ISO compliance. The only crucial difference: when only seeking compliance, you don’t need an external audit.

While independent of certification, compliance also means assuring that you maintain compliance over time, which entails striving for continual improvement in your management systems and processes.

Enterprises choose compliance over certification for a variety of reasons. We should also remember that many ISO standards aren’t even eligible for certification; the only choice is compliance. For example, the entire ISO 9000 family except ISO 9001 is ineligible for certification.

Organizations choose to comply with ISO standards for many reasons, often because compliance helps them stay competitive or improve their business processes and, by extension, their profits.

On the other hand, noncompliance with the essential ISO standards (ISO 9001 and ISO 27001 for most entities) can mean a loss of international reputation and business.

An ISO compliance checklist can be invaluable for guidance through the ISO 27001/2 compliance process, saving your enterprise time and money.

What Is an ISO Audit?

The International Organization for Standardization (ISO) defines an ISO audit this way:

A systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.

There are three types of ISO audits:

  1. First-Party Audit

    This audit, conducted internally, is a conformity assessment to check for compliance gaps and to prepare your enterprise for an external ISO certification audit. Internal audits are valuable for catching and remediating gaps before an external stakeholder identifies them.

  2. Second-Party Audit

    An organization you are doing business with may audit your enterprise to determine whether you are ISO compliant. In some cases, customers may insist on doing an on-site audit. Or your organization may audit your contractors or suppliers.

  3. Third-Party Audit

    An auditor accredited by ISO’s Committee on Conformity Assessment (CASCO) assesses whether your organization complies with the appropriate ISO standard. Audit costs depend on your entity’s size, complexity, and maturity level.

The American Society for Quality (ASQ) Lists Three Types of Audits

  • A process audit verifies that your organization is doing what it says and uses processes that conform to the standard for which you seek certification. The auditor may:
    • Check conformance to defined requirements such as time, accuracy, temperature, pressure, composition, responsiveness, amperage, and component mixture.
    • Examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions), and the measures collected to determine process performance.
    • Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.
  • A product audit examines a product or service, such as hardware, processed material, or software, to evaluate whether it conforms to the relevant standard.
  • A system audit scrutinizes the entire management system. It’s a documented activity that verifies, by examination and evaluation of objective evidence, that applicable system elements are appropriate and effective and have been developed, documented, and implemented in accordance and conjunction with specified requirements.

Since the ISO standards an organization can certify against are management-system standards (quality management systems, information security management systems, food safety management systems, environmental management systems), ISO certification audits are system audits, although the auditor will sample individual processes and outputs along the way.

An initial certification audit is normally split into two stages. Stage 1 is a documentation review, often called a “desk audit,” in which the auditor checks that the required policies, scope, risk assessment, and (for ISO/IEC 27001) Statement of Applicability exist and are coherent. Stage 2 is the implementation audit, in which the auditor verifies that the documented system is actually operating, including one-on-one interviews with employees about their job functions and sampling of records and evidence.

How to Prepare for an ISO Audit: Checklist

Deciding to procure an ISO audit is the first step on any ISO audit checklist.

By the time you reach this phase of your ISO compliance, you no doubt have already established a quality management system or another system relevant to the ISO certification you are pursuing.

Now it’s time to test your system against ISO standards. The following steps apply whether you’re preparing for a second-party audit, where a business partner audits your organization for ISO compliance; or a third-party audit, where an accredited certification body performs a conformity assessment of your enterprise.

The assessor may conduct an ISO system, process, or product audit, depending on your organization and the ISO standard or standards for which you seek certification. The procedure may entail:

  • Checking your system and processes to verify that they function according to the relevant ISO standard
  • Reviewing your documentation to assure that your practices conform to your management principles and that your system has been operational long enough to produce evidence; certification bodies commonly expect at least three months of records, including a completed internal audit and management review
  • Interviewing employees about their procedures and roles during the on-site (Stage 2) audit

For the most efficient and effective ISO audit and the best chance of success, use an ISO audit checklist, preferably one that includes a quality management system (QMS) or information security management system (ISMS) documentation checklist. In addition, our ISO 27001/2 audit guide provides a comprehensive list of questions to ask and documents to gather in advance to help you sail through your ISO audit.

Non-Conformance Risks: What Happens If You Fail Your ISO Audit?

Failing your ISO audit is not the end of the world. But if it’s your first ISO audit and you’ve spent a lot of time, effort, and expense getting here, a failed ISO audit can be disheartening.

Fortunately, you can take action to remedy the situation and achieve that prized ISO certification.

  • Take stock of the situation. The auditor’s non-conformance report will classify each finding as a “minor non-conformance” or a “major non-conformance.” Your goal is to take corrective action and remedy the problem.
    • A minor non-conformance is an isolated lapse that does not undermine the management system as a whole. For example, perhaps an ISO requirement wasn’t followed in one instance, or someone lacked the records to demonstrate compliance.
    • A major non-conformance means a requirement is absent or has broken down entirely, so the management system cannot be relied on to achieve its objectives or protect customers. For example, perhaps a required control or process hasn’t been implemented at all, the enterprise has not taken corrective action on earlier findings, or a cluster of related minors reveals a systemic failure.
  • Take corrective action. A minor non-conformance will not prevent you from getting an ISO certification as long as you submit a corrective action plan and address the problems outlined in the report within the certification body’s deadline. A major non-conformance, on the other hand, blocks certification until the certification body has verified that the root cause has been addressed, usually through a follow-up audit or a re-audit of the affected area.

Fortunately, the auditor’s report will detail your system’s deficiencies and the requirements they fail, although defining the corrective action is your responsibility: auditors are expected to remain independent and will not design your fix for you. The auditor will then follow up, at the next surveillance audit or sooner, to confirm that the corrective action was effective and that the enterprise is back in ISO compliance.

  • Take preventive action. Understand why you failed the audit or had non-conformity findings, and correct any institutional or procedural flaws that brought about that failure.
  • Common reasons why enterprises fail their ISO audits include:
    • Changes in company structure
    • Loss of personnel with ISO knowledge or skills
    • Updates or modifications to the relevant ISO standard

Conducting periodic internal audits, including an ISO compliance gap analysis, can help your organization avoid similar problems in the future.

How to Maintain Your ISO Certification

Passing regular “surveillance audits” is critical to maintaining your ISO certification.

An ISO certificate is issued for a three-year cycle. Within that cycle the certification body carries out surveillance audits, typically once a year, followed by a full re-certification audit at the end of the three years. These external audits, conducted by the same accredited certification body that issued your certificate, are mandatory checks of your quality management system (QMS), information security management system (ISMS), or other relevant system to verify that your enterprise maintains ISO compliance between the re-certification audits. Surveillance audits are narrower than the initial audit but always cover internal audits, management review, the handling of complaints and previous findings, and any changes to the scope or the organization.

ISO management-system standards are built around the “Plan, Do, Check, Act” (PDCA) cycle, which is the natural way to maintain compliance.

  1. PLAN:

    Set the objectives of the system and processes to deliver results (“what to do” and “how to do it”)

  2. DO:

    Implement and control what was planned

  3. CHECK:

    Monitor and measure processes and results against policies, objectives, and requirements, and report the results (internal audits and management review live here)

  4. ACT:

    Take actions to improve the performance of processes, including corrective action on the non-conformances the Check phase surfaced

This process is an ongoing cycle of continual improvement.

When you’re in maintenance mode, the plans have already been laid and your standard operating procedures defined. Your organization has moved from the “plan” to the “do” phase:

  • Implementing and operating your systems and controls, including controls over outsourcing partners and suppliers
  • Documenting your efforts, as they happen rather than reconstructed at audit time, for the auditor’s annual review and for discussion in the periodic management review meetings that are essential to maintaining your organization’s ISO compliance

Your organization benefits in two ways by paying attention to ISO compliance throughout the year and not just at audit time. First, you can be confident in holding on to that ISO certification you worked so hard to achieve. Second, you also have the added assurance that the management system you certified is functioning at the highest level, increasing your organization’s chances of success.

Automate ISO Compliance with Reciprocity ZenComply

Becoming compliant with your chosen ISO standard (or standards) requires significant time and effort. You will quickly find that keeping track of compliance tasks on old-fashioned spreadsheets is overwhelming, especially for large or complex organizations.

Juggling all that paperwork, even on a computer screen, means using resources on risk and compliance management that you could devote to your enterprise’s most important asset: your customers. ISO compliance tools can streamline and automate your enterprise’s ISO compliance and certification, saving you hassle and headaches.

Automating your ISO compliance and certification program can accelerate the process and minimize your ISO worries. Whether you’re obtaining certification for the ISO 9001 standard, ISO 27001, or ISO standards for cloud security or risk management, the software will make you, your customers, and your auditors happier.

Reciprocity ZenComply automates the entire ISO compliance process by:

  • Probing your organization’s systems for ISO conformity and alerting you when it finds a flaw.
  • Making detailed, prescriptive suggestions for non-conformance management, including guidance on handling information security incidents.
  • Summarizing your risk and compliance posture in real-time.
  • Tracking employee training records.
  • Improving audit management.
  • Documenting root cause analysis and corrective actions.
  • Enabling you to automate your self-audits.
  • Providing a “single source of truth” repository for effective audit management and document control.

With ZenComply performing so many ISO-related tasks for you and, by extension, helping to improve the performance of your management systems, you can stop worrying about your enterprise’s ISO compliance and management processes. You’ll know that your systems are working as smoothly and effectively as possible.

With ZenComply, you can turn your focus to other, more pressing matters, such as pleasing your customers and boosting your bottom line. Contact a Reciprocity expert today to schedule a demo and see what ZenComply can do for you and your ISO compliance and certification program!