Guide to ISO Certification and ISO Compliance

Intro

The International Organization for Standardization (ISO) was developed in 1947 to establish quality standards for businesses worldwide. Today, its members from 164 countries have developed some 22,700 requirements, specifications, guidelines, and characteristics governing quality assurance for nearly every type of business and technology.

Compliance with ISO standards is voluntary, as is ISO certification. But the organization and its standards are so highly regarded today that ISO certification has become the norm—a seal of approval that says, "This business cares about quality." Not having the pertinent ISO certification could cost you business.

And there are other, perhaps less-tangible benefits of ISO conformance, among them:
  • Improved quality management
  • Better information security
  • A more environmentally sustainable business
  • Increased customer satisfaction
  • Improved occupational health and safety

Rigorously developed, these international standards are designed to ensure that the materials and products businesses produce are safe to use and high-quality. You ignore ISO at your peril, risking customer satisfaction and safety, as well as fines or litigation for your enterprise.

Which set of standards is right for my organization?

ISO has published hundreds of frameworks establishing standards in a variety of sectors and industries including service, environment and industry, technology, and health and medical. Each entity will choose to comply with different frameworks depending on its situation and sector.

Some ISO frameworks are highly specific. For example, ISO 34101-1:2019 sets standards for the cocoa bean industry and ISO/IEC 80079-34 governs manufacturing in explosive atmospheres.

Other ISO publications are more general: ISO 14001 serves as a guide to developing an effective environmental management system, and can be useful for any organization.

How to use this guide

No single guide could discuss all the ISO frameworks. To help you understand ISO compliance, why it matters, and how to obtain that coveted ISO certification, this guide will focus on some of the most common ISO frameworks: ISO 9000/9001 for quality management and ISO 27001/27002 for managing information security.

Each section of this guide addresses a different aspect of ISO and ISO compliance by providing answers to some of the most common questions regarding the framework. Sections consist of a brief overview with links leading to a more in-depth exploration of the topic at hand.

You may want to read this guide straight through, or consult only the sections applicable to your organization’s needs. Or jump to the end to learn how to up your organization’s compliance game in a fraction of the time and with greater efficiency than that of the system you’re using now—especially if that system involves old-fashioned spreadsheets.

What Is ISO? Definition and Background

ISO stands for the International Organization for Standardization. Headquartered in Geneva, Switzerland, ISO comprises members from 164 nations who develop and produce publications guiding businesses and organizations of nearly every kind in achieving the highest standards of quality in their processes and products.

ISO’s development began in 1946, when 65 delegates from 25 countries met in London to discuss the need for international standards and their development. The following year, the organization had its first meeting of 67 technical committees, or groups of experts each focusing on a different subject.

The organization published its first standard, or "recommendation," in 1951: ISO/R 1:1951 Standard reference temperature for industrial length measurements, now ISO 1:2002 Geometrical Product Specifications (GPS) - Standard reference temperature for geometrical product specification.

Over time, the organization grew in membership and expanded its influence, becoming particularly noted for its standards establishing an International System of Units (defining the second as the official unit of time, for instance) and for standards governing freight and packaging and environmental quality.

Although there are more than 22,700 ISO standards for different industries today (and counting), a few stand out as important and influential:

  • The best-selling ISO 9000 family, governing quality management systems (QMS). ISO 9001 is the only standard in this group eligible for certification.
  • ISO 14001, which provides tools for companies and organizations to help them identify and control their environmental impact.
  • The ISO 27000 family of information security standards, including ISO/IEC 27001, which governs information security management systems (ISMS).

ISO matters because compliance has become a must for pretty much every industry. The benefits of ISO certification, which requires an audit to prove compliance, now extend beyond the prestige of taking that extra "step." Certification for relevant ISO standards has itself become the standard.

ISO Compliance vs. ISO Certification - What's the Difference?

The difference between ISO compliance and ISO certification comes down to one word: audits.

ISO certification requires an external audit by an independent professional who has been accredited by the Committee on Conformity Assessment (CASCO). Mere ISO compliance does not require this audit.

Both ISO compliance and ISO certification are voluntary: These aren’t regulations, but recommendations. That said, however, some organizations, such as manufacturers, may require their third-party suppliers to be ISO certified to ensure the quality of their own goods, services, and processes and the security of their information, systems, and networks.

The benefits of certification are many, including international recognition and, in many industries, the ability to do business at all.

But some organizations, in particular smaller ones with smaller budgets, may opt out of the cost and preparation time needed to pass the audit required for certification. Instead, they may decide that compliance is good enough, and forgo the added expense and hassle.

Some of the most commonly sought-after ISO certifications include:

  • ISO 9001:2015, the international standard for quality management systems (QMS). This standard promotes a process approach to management, examining more than 20 processes.
  • ISO 27001:2013, the international standard for information security management systems (ISMS).

The pros and cons of ISO certification vs. ISO compliance include:

1. EXPENSE
  • Compliance: By choosing compliance only, your organization may forgo the costs associated with ISO certification: the certification audits, which take place every three years; registration; and off-year "surveillance" audits. You also avoid paying for continuous improvements to your QMS or ISMS. However, organizations that opt out of certification may lose business and revenue.
  • Certification: Getting certified means paying for certification audits, registration, and surveillance audits. However, since audits tend to be priced according to number of employees, smaller businesses won’t pay as much for them as larger ones.
2. TIME
  • Compliance: Depending on the ISO standard and the size and complexity of your organization, ISO compliance can take anywhere from a few months to several years.
  • Certification: Achieving ISO certification requires the same processes as compliance, plus added time to prepare for and pass an audit. For ISO 27001, the audit is quite lengthy, taking place in two stages.
3. INTERNATIONAL RECOGNITION
  • Compliance: Compliance alone is akin to a self-assessment; it earns no formal recognition from an independent, accredited third party.
  • Certification: ISO certification is recognized internationally and, in many industries, is a condition of doing business at all.
4. MARKETING
  • Compliance: Organizations that are merely compliant have the satisfaction of knowing they meet the relevant standards, but lack the marketing clout that certified companies possess.
  • Certification: Those achieving a coveted ISO certification can trumpet their status on their website and in other marketing materials, claiming the edge over uncertified competitors.
5. MAINTENANCE
  • Compliance: Enterprises forgoing certification can achieve compliance and move on to other tasks, without having to demonstrate ongoing compliance or pass yearly surveillance audits.
  • Certification: Certification requires passing an audit just once every three years, but less-intensive yearly surveillance audits ensure that you continue to meet the relevant ISO standards and that you strive for continual improvement in your enterprise’s processes.

What Are The Different Types of ISO Standards?

There are more than 22,600 ISO standards to date for many industries. Some of the most common are:
  • ISO 9001:2015, a standard for general organizational Quality Management Systems (QMS) including vendor management. ISO has QMS standards for specific industries, as well.
  • ISO 27001:2013, a standard for Information Security Management Systems (ISMS)
  • ISO 14001:2015, a standard for Environmental Management Systems

These standards can apply to any organization, large or small.

Many other ISO standards were written for a particular industry. Shipping, manufacturing, medical, technology, and rail, even cocoa bean production: These industries and others have their own specific ISO standards.

ISO standards include:

Quality
  • ISO 10004:2012 Customer satisfaction
  • ISO 10006:2017 Projects
  • ISO 13485:2016 Medical devices
  • ISO/TS 16949:2009 Automotive
  • ISO 17582:2014 Electoral organizations
  • ISO 18091 Local government
  • ISO 19443:2018 Nuclear energy
  • ISO 20001 Educational organizations
  • ISO/TS 22163:2017 Business management system requirements for rail organizations
  • ISO/TS 29001 Petroleum, petrochemical and natural gas industries
  • ISO/IEC 90003 Software engineering
Industry
  • ISO 14298:2013 Graphic technology – Management of security printing processes
  • ISO 15378:2017 Primary packaging materials for medicinal products
  • ISO 16000-40 Indoor air
  • ISO 34101-1 Sustainable and traceable cocoa
Environment and energy
  • ISO 14002-1 Environmental management systems—guide for applying the 14001 framework
  • ISO 14004:2016 Environmental management systems—general guidelines on implementation
  • ISO 14005:2010 Environmental management systems—guidelines for phased implementation
  • ISO 14006:2011 Environmental management systems—guidelines for incorporating ecodesign
  • ISO 14009 Environmental management systems—guidelines for incorporating redesign of products and components to improve material circulation
  • ISO 50001:2018 Energy management systems
  • ISO 50004:2014 Energy management systems—guidelines for implementation, maintenance and improvement
Services
  • ISO 21101:2014 Adventure tourism safety management
  • ISO 21404:2018 Tourism and related services: Sustainability management system for accommodation establishments
  • ISO 24526 Water efficiency
  • ISO 20121:2012 Event sustainability
  • ISO/IEC 20000-1:2011 Information technology—service management
General management
  • ISO 19600:2014 Compliance management systems
  • ISO 26000 Social responsibility
  • ISO 30301:2011 Information and documentation
  • ISO 30401 Human resource
  • ISO 31000 Risk management
  • ISO 37001:2016 Anti-bribery
  • ISO 37002 Whistleblowing
  • ISO 37101:2016 Sustainable development in communities
  • ISO 37301 Compliance management
  • ISO 41001 Facility management
  • ISO 44001:2017 Collaborative business relationship management
  • ISO 44002 Guidelines on the implementation of ISO 44001
  • ISO 55001:2014 Asset management
  • ISO 55002:2014 Guidelines for the application of ISO 55001
  • ISO 56002 Innovation management
Safety and security
  • ISO 22000 Food safety management systems
  • ISO 22004:2014 Guidance on the application of ISO 22000
  • ISO 10377:2013 Consumer product safety
  • ISO 10393:2013 Consumer product recall
  • ISO 18788:2015 Private security operations
  • ISO 22301:2012 Societal security—Business continuity management systems
  • ISO 24518:2015 Crisis management of water utilities
  • ISO 28007-1:2015 Ships and marine technology
  • ISO 29001:2012 Road traffic safety
  • ISO/DIS 45001 Occupational health and safety
  • ISO/IEC 80079-34:2011 Explosive atmospheres
  • ISO/NP 35001 Laboratory biorisk
  • ISO/TS 34700:2016 Animal welfare management
Information technology
  • ISO/IEC 20000-1 Service management Part 1
  • ISO/IEC 20000-2 Service management Part 2
  • ISO/IEC 27003:2017 Security techniques
  • ISO/IEC 20000-1 Enhancements to ISO/IEC 27001 for privacy management
  • ISO/IEC 27010:2015 Information security management for inter-sector and inter-organizational communications
  • ISO/IEC 27013:2015 Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
  • ISO/IEC 90003:2014 Software engineering
  • ISO/IEC DIS 19770-1 IT asset management

What Are ISO Frameworks and Controls?

The International Organization for Standardization (ISO) has developed a variety of frameworks designed to help organizations better manage their business in areas including:

  • Quality
  • Safety
  • IT security
  • Environmental impacts
  • Assets
  • Business risk

Framework vs. Standard

"Framework" is defined in one dictionary as "a basic structure underlying a system, concept or text." In business, frameworks provide a structure for organizations to use to improve their processes or operations. Frameworks are often fairly general, and not prescriptive. They tell what to do, but not how to do it.

Most business and IT frameworks serve to mitigate risks and support internal controls. These processes also must accommodate various measures for risk, financial reporting and revenue performance.

Framework types:

  • Quality frameworks, which provide a structure for designing, establishing, and maintaining quality management systems
  • Control frameworks, sets of fundamental controls aimed at preventing financial or information loss
  • Program frameworks, which help build, assess, improve, and maintain programs
  • Risk frameworks, which guide through the process steps necessary to successfully manage risk and reduce risk levels
  • Cybersecurity or information security frameworks, designed to help reduce exposure to cyberattacks

Standards, on the other hand, are governance best practices used by various companies.

Standards may be included in guidelines, regulations, frameworks, models, processes, and internal controls for managing business and IT functions.

Standards define mandatory requirements for business and IT audit and assurance. They inform audit and assurance professionals of the minimum level of acceptable performance required to meet professional responsibilities and requirements, and direct how to meet them.

The International Organization for Standardization, or ISO, creates and publishes international standards, which it defines as "documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose."

Because ISO strives to standardize business processes and procedures around the world, it has published more than 22,700 standards.

For instance, the ISO 9001 standard contains guidelines for establishing and maintaining a quality management system (QMS).

The ISO/IEC 27000 family of standards is designed to help organizations "manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties." ISO sets standards by which to manage information security management systems (ISMS). This ISO 27000 family includes:

  • ISO 27000 Information security management systems overview and vocabulary
  • ISO 27001 Information security management systems requirements
  • ISO 27002 Guidance on applying the ISO 27001 controls
  • ISO 27005 Conducting an information security risk assessment
  • ISO 27015 Information security management for financial services
  • ISO 27017 Cloud services information security controls
  • ISO 27031 Information and communication technology readiness for business continuity
  • ISO 27032 Cybersecurity best practices

Contained in many frameworks and standards are "controls," or countermeasures or safeguards aimed at minimizing organizational risk. For example, ISO 27001 contains controls to help protect the confidentiality, integrity, and availability of data in an information security management system.

What Are Quality Management Principles?

Quality Management Principles (QMPs) form the basis of ISO 9000 and 9001 as well as other quality management standards developed by the International Organization for Standardization (ISO). These principles can help manage a quality management system (QMS).

The seven principles are (in no specific order):
  1. Customer focus: The primary focus of quality management is to meet customer requirements and strive to exceed customer expectations.
  2. Leadership: Leaders at all levels establish unity of purpose and direction and create the conditions in which people are engaged in achieving the organization’s quality objectives.
  3. Engagement of people: Competent, empowered and engaged people at all levels throughout the organization are essential to enhance its capability to create and deliver value.
  4. Process approach: Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
  5. Improvement: Successful organizations have an ongoing focus on improvement.
  6. Evidence-based decision making: Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.
  7. Relationship management: For sustained success, an organization manages its relationships with interested parties, such as suppliers.

Why is ISO Certification Important?

For many organizations, achieving ISO certification demonstrates that they have met ISO standards and are committed to ongoing, continuous compliance with the international business standard or standards relevant to them.

ISO developed its 22,700 standards in the interest of consistency among organizations worldwide in such areas as safety, security, and quality control.

ISO certification, like compliance, is voluntary. Not every ISO standard is eligible for certification. The International Organization for Standardization doesn’t provide these certifications. They must be issued by an independent, third-party auditor accredited by ISO’s Committee on Conformity Assessment (CASCO). The ISO website lists 10 standards that entities have been certified for over the years:

  1. ISO 9001, a standard for general organizational quality management systems (QMS)
  2. ISO 14001, a guide to developing an effective environmental management system
  3. ISO/IEC 27001, information security management systems (ISMS)
  4. ISO 50001, energy management systems
  5. ISO 22000, food safety management systems
  6. ISO 13485, medical devices
  7. ISO 22301, business continuity management systems
  8. ISO 20000, information technology service management systems
  9. ISO 28000, security management systems
  10. ISO 39001, road traffic safety management systems

Benefits to organizations that obtain ISO certification include:

  • Increased credibility and international recognition
  • Potentially increased revenue/competitive advantage
  • Demonstration that the entity maintains a culture of security, and assurance that it keeps confidential information, and the exchange of information, secure
  • More efficient processes
  • Greater consistency of business operations
  • Enhanced customer satisfaction
  • Demonstrated commitment to minimizing risk exposure
  • Increased productivity
  • Better quality of goods and services offered
  • Increased protection of the company and its assets and shareholders
  • Ability to use certification to promote the business

Taking the steps necessary to achieve ISO certification can help your organization comply with other regulations.

Although industry and business compliance with ISO is widespread, not every organization pursues certification. Some opt out of what can be a costly and time-consuming certification process. But these organizations may be missing out on some of the benefits that certification confers. Mere compliance, which is akin to self-assessment, does not stack up next to a "seal of approval" from an independent, accredited third-party auditor or assessor.

Does Your Company Need ISO Certification?

Certification that your company complies with International Organization for Standardization criteria is usually a matter of want, not need. For most industries, certification is voluntary. But certain organizations do need to be certified to do business. To determine whether you are one of them, ask yourself the following questions:

  • Is ISO certification required for my industry or business? Just as different ISO standards apply to various industries, rules vary among sectors, as well. For example, ISO 9001 certification, attesting that an enterprise’s quality management system (QMS) meets the standard, is required for automotive industry suppliers.
  • Are your competitors ISO certified? If they are and you are not, your business will suffer.
  • Do you conduct business internationally, or wish to? ISO standards are international standards, highly respected around the globe.
  • Are your customers and clients concerned about data security and privacy? Attaining an ISO 27001 certification verifies that you are committed to protecting their confidential information.
  • Are you contractually obligated to maintain certification for an ISO standard or standards?

From this list, it’s easy to see why ISO certification is a must for many organizations. Although some organizations opt out of expensive certification audits and are content to reach ISO compliance, many others need certification to stay competitive because it’s expected in their industry. Others have clients or customers who demand certification as a condition of doing business.

And even if you don’t need it, the many benefits of ISO certification—prestige, international recognition, customer confidence, proven commitment to maintaining the highest standards in your industry or sector—may convince you to pursue it, anyway.

The International Organization for Standardization (ISO) embarked on the development of these standards in 1947 to establish consistency and quality of goods and services worldwide. Proving beyond a doubt that you are committed to meeting ISO standards establishes you as a member of an internationally respected group.

How to Get ISO Certification

The ISO certification process can be lengthy; organizations may take as long as three years to prepare for their first ISO audit. That preparation is nonetheless essential for any organization planning to apply for ISO certification, because a successful audit depends on it. ISO recommends a process-oriented "Plan, Do, Check, Act" approach.

1. PLAN: Planning and Preparation
  • Develop the relevant management system for your enterprise. For which ISO standard or standards will you be certifying? ISO 9001, governing quality management systems (QMS), and ISO 27001, setting standards for information security management systems (ISMS), are the most popular. For this step, you will need to identify and document your business objectives and processes pertinent to the standard or standards for which you are pursuing certification. Value stream mapping, systems architecture mapping, and the ISO standard itself can all help. You also may wish to designate a team of employees and management to oversee the ISO certification initiative, and a lead person to direct the process. A checklist can help ensure that nothing gets missed.
  • Analyze your gaps. Study the ISO standard you have chosen with an eye toward where you comply and where you fall short. For this step, you may wish to work with an ISO consultant.
  • Analyze your risk. Conduct a risk analysis of your processes and decide how to mitigate or minimize those you find.
  • Train your personnel. Make sure that everyone is familiar with the ISO standard or, if you’re renewing certification, with updates to the existing standard.
2. DO: Systems and ISO implementation
  • Implement your new or updated system. This can happen in-house, or you may work with a consultant.
  • Train employees in how to use the system.
3. CHECK: Testing
  • Check to ensure that the system is working as it should, following the proper ISO standard.
  • Conduct an internal (first-party) audit to find any remaining compliance gaps before the external audit.
4. ACT: Closing compliance gaps
  • Make changes where needed to bring your organization into compliance.
  • Document everything, from the first step through the last.
5. AUDIT: Getting your certification
  • Choose an ISO certification company to work with. This company consists of a registrar, independent, third-party assessor, and other personnel to help with the certification process. Make sure to find a company that is accredited by ISO’s Committee on Conformity Assessment (CASCO)—otherwise, your audit will not be valid. The certification company may also provide you with an ISO certification kit that can be very helpful as you prepare for your audit.
  • Gather your documents. You will need to provide evidence to the auditor of your compliance efforts. Exactly which documents you need will vary depending on the standard. Reciprocity’s ISO audit guide contains great advice on preparing for an ISO 27001 audit, including a detailed checklist.

Two birds, one stone

Because ISO certification applies to standards for general management—of quality, information security, information technology, food safety, and business continuity, among other categories—enterprises often need more than one ISO certification.

The good news is that ISO 9001, governing quality management systems (QMS), can usually be integrated with other management standards to streamline the ISO certification process. Quality GRC software may tell you where you already conform to ISO standards so you can avoid costly and time-consuming duplication of effort.

How to Be ISO Compliant

The "Plan, Do, Check, Act" steps needed to achieve ISO certification are essentially the same as those required for ISO compliance except that, to be merely compliant, you don’t need an external audit.

In either scenario, the quality of your organization’s management system or systems—be it a quality management system (QMS), an information security management system (ISMS), or something else—will play a major role in determining your ISO compliance.

ISO compliance entails developing and implementing the management system or systems relevant to the standard or standards with which your enterprise seeks to comply.

Independent of certification, compliance also means being responsible for ensuring that you maintain compliance over time, which entails striving for continual improvement in your management systems and processes.

Enterprises choose compliance over certification for a variety of reasons. Many ISO standards are not eligible for certification.

The most commonly certified standards are management standards including:
  • ISO 9001, for quality management
  • ISO 27001, for information security management
  • Other standards governing food safety, business continuity, security, traffic safety, energy, information technology service management, and risk management. On the other hand, the entire ISO 9000 family except ISO 9001 is ineligible for certification.

Organizations choose to be compliant with ISO standards for many reasons, often because compliance helps them stay competitive or improve their business processes and, by extension, their profits.

On the other hand, noncompliance with the most important ISO standards—ISO 9001 and ISO 27001, for most entities—can mean a loss of international reputation and business.

For guidance through the ISO 27001/2 compliance process, an ISO compliance checklist can be invaluable, saving your enterprise time and money.

How Much Does ISO Certification Cost?

An enterprise’s ISO certification costs depend on several factors, including the organization’s size, complexity, and maturity level.

The larger and more complex the organization, and the less mature its quality management system (QMS), information security management system (ISMS), or other area governed by the relevant ISO standard, the higher your auditor costs and other ISO costs will be.

Estimates range from $3,125 for a small enterprise (up to 25 employees) with a mature system in place, to $78,000+ for a very large enterprise (500-1,000 employees) with no system in place at all.

Factors to consider when drawing up your ISO certification budget include:

  • Internal resource costs. The internal team designated to oversee ISO compliance and certification will spend time away from their other duties performing ISO-related tasks, including:
    • Establishing or improving your QMS, ISMS, or other pertinent systems
    • Implementing the system
    • Performing a gap analysis and risk analysis, as needed
    • Conducting an internal audit to determine compliance with ISO
    • Ongoing system maintenance
  • External resource costs. Hiring consultants and an ISO certification company accredited by ISO’s Committee on Conformity Assessment (CASCO) will incur additional costs, depending on the scope of your ISO system implementation and assessment. Those costs include:
    • Implementation costs
    • The cost of a registrar to oversee your ISO application and audit
    • Audit fees (once every three years)
    • Costs to train employees in ISO and in the use of the new or upgraded system
    • "Surveillance audit" fees (yearly) to confirm ongoing ISO compliance

What Is an ISO Audit?

The International Organization for Standardization (ISO) defines an ISO audit this way:

A systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.

There are three types of ISO audits: first-party audits, second-party audits, and third-party audits.

1. First-party audit.

This audit, conducted internally, is basically a conformity assessment to check for compliance gaps and prepare your enterprise for an external ISO certification audit.

2. Second-party audit.

An organization with which you are doing business may audit your enterprise to determine whether you are ISO compliant. Or, you may have your company’s auditor perform an ISO audit on one of your contractors or suppliers.

3. Third-party audit.

An auditor accredited by ISO’s Committee on Conformity Assessment (CASCO) assesses whether your organization complies with the appropriate ISO standard. Audit costs depend on your entity’s size, complexity, and maturity level.

The American Society for Quality (ASQ) lists three types of audit.

  • A process audit verifies that your organization is doing what it says it is, and that it uses processes that conform to the standard for which you are certifying. The auditor may:
    • Check conformance to defined requirements such as time, accuracy, temperature, pressure, composition, responsiveness, amperage, and component mixture.
    • Examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance.
    • Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.
  • A product audit examines a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to the relevant standard.
  • A system audit scrutinizes a management system. It’s a documented activity that verifies, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements.

Since most ISO standards eligible for certification govern systems (quality management systems, information security management systems, food safety management systems, environmental management systems), ISO certification audits are usually system audits.

A desk audit, in which the auditor interviews certain employees, and a document review audit may also be included in the ISO certification audit process.

How to Prepare for an ISO Audit: Checklist

Deciding to procure an ISO audit is the first step on any ISO audit checklist.

By the time you reach this phase of your ISO compliance, you no doubt have already established a quality management system, information security management system, food safety management system, or another system relevant to the ISO certification you are pursuing.

Now it’s time to test your system against ISO standards. Your next steps apply whether you’re preparing for a second-party audit, in which a business partner audits your organization for ISO compliance, or a third-party audit, in which an auditor accredited by ISO’s Committee on Conformity Assessment (CASCO) performs a conformity assessment of your enterprise.

The assessor may conduct an ISO system audit, process audit, or product audit, depending on your organization and the ISO standard or standards for which you are seeking certification. The procedure may entail:

  • Checking your system and processes to ensure that they are functioning in accordance with the relevant ISO standard
  • Reviewing your documentation to ensure that your practices conform to your management principles and that your system has been operational for at least three months
  • Interviewing employees ("desk audit") about their procedures and roles

For the most efficient and effective ISO audit, and the best chance of success, use an ISO audit checklist, preferably one that includes a quality management system (QMS) or information security management system (ISMS) documentation checklist. Our ISO 27001/2 audit guide provides a comprehensive list of questions to ask and documents to gather in advance, to help you sail through your ISO audit with ease.

Non-Conformance Risks: What Happens If You Fail Your ISO Audit?

Failing your ISO audit is not the end of the world. But if it’s your first ISO audit and you’ve spent much time, effort, and expense getting here, a failed ISO audit can be discouraging and disheartening.

Fortunately, there are actions you can take to remedy the situation and achieve that prized ISO certification at long last.
  • Take stock of the situation. The auditor’s Non-Conformance Report will state whether each finding is a "minor non-conformance" or a "major non-conformance." Taking corrective action to remedy the problems is your goal.
    • A minor non-conformance means the auditor has found gaps in your enterprise’s ISO compliance, but nothing disastrous. Perhaps an ISO requirement didn’t get followed, or someone lacked the paperwork needed to demonstrate compliance.
    • A major non-conformance means the management system under examination has a fatal flaw—that it is missing something critical to achieving organizational goals or protecting customers. Perhaps a requirement or procedure hasn’t been implemented, or the enterprise has not taken corrective or preventive action to ensure compliance.
  • Take corrective action. A minor non-conformance will not prevent you from getting an ISO certification as long as you act immediately to rectify the problems delineated in the report. A major non-conformance will rule out certification; to achieve it, you will have to schedule another audit. Fortunately, the auditor’s report will reveal not only your system’s deficiencies but also the corrective actions you need to take. If you have been ISO certified before, the auditor will follow up to ensure that you have returned the enterprise to ISO compliance.
  • Take preventive action. Understand why you failed the audit or had minor non-conformity findings, and correct any institutional or procedural flaws that brought about that failure.
  • Common reasons why enterprises fail their ISO audits include:
    • Changes in company structure
    • Loss of personnel with ISO knowledge or skills
    • Updates or changes to the relevant ISO standard

Conducting periodic internal audits, including an ISO compliance gap analysis, can help your organization avoid similar problems in the future.

How to Maintain Your ISO Certification

Passing yearly "surveillance audits" is key to maintaining your ISO certification. These external audits, conducted by an assessor accredited by ISO’s Committee on Conformity Assessment (CASCO), are mandatory checks of your quality management system (QMS), information security management system (ISMS), or other relevant system to ensure that your enterprise maintains ISO compliance between three-year certification audits.

The process that ISO recommends for maintaining compliance with its standards is "Plan, Do, Check, Act":

PLAN:
Set the objectives of the system and processes to deliver results ("what to do" and "how to do it")

DO:
Implement and control what was planned

CHECK:
Monitor and measure processes and results against policies, objectives and requirements and report results

ACT:
Take actions to improve the performance of processes

This process is an ongoing cycle of continual improvement.

When you're in maintenance mode, the plans have already been laid and your standard operating procedures defined. Your organization has moved from the "plan" to the "do" phase:

  • Implementing your systems and controls, including controls of outsourcing partners and suppliers
  • Documenting your efforts for the auditor’s annual review, and for discussion in the periodic management review meetings that are essential to maintaining your organization’s ISO compliance

By paying attention to ISO compliance throughout the year and not just at audit time, your organization benefits twofold. Not only can you be confident of holding on to that ISO certification you worked so hard to achieve, but you have the added assurance that the management system you have certified is functioning at the highest level. This increases your organization’s chances of success and your customers’ safety and satisfaction.

How to Automate ISO Compliance and ISO Certification

Becoming compliant with your chosen ISO standard or standards requires enormous investments of time, work, and, for larger and more complex organizations, money—especially for organizations using old-fashioned spreadsheets to keep track of compliance tasks.

Juggling all that paperwork, even on a computer screen, means using resources on risk and compliance management that you could devote to your enterprise’s most important asset: your customers. But ISO compliance tools that automate your enterprise’s ISO compliance and certification can save you hassle and headaches.

Automating your ISO compliance and certification program can hasten the process and minimize your ISO worries. Whether you’re obtaining certification for the ISO 9001 standard, ISO 27001, or ISO standards for cloud security or risk management, you’ll be happier, and so will your customers.

ZenGRC automates the entire ISO compliance process. It:
  • Probes your organization’s systems for ISO conformity and alerts you when it finds a flaw.
  • Makes detailed, prescriptive suggestions for nonconformance management, including what to do about quality or information security incidents.
  • Summarizes, in real time, your risk and compliance posture, and helps you track and document training management, improve your audit management, and document such actions as a root cause analysis following a security event.
  • Enables you to automate your self-audits, and to create, gather, and store documentation of your compliance actions in a "Single Source of Truth" repository for effective audit management and document control.

Reciprocity ZenGRC governance, risk, and compliance software automates many of the tasks associated with ISO compliance and certification and ISO audit management. ZenGRC:
  • Probes your systems to find compliance gaps and alerts you to them, telling how to close them
  • Continuously monitors your systems to ensure that you maintain compliance between audits, and alerts you in real time to issues and vulnerabilities
  • Automatically monitors your third-party vendors, makes it easy to generate and send vendor surveys, and compiles results automatically
  • Automates your document control by gathering and storing audit-trail documents in a "Single Source of Truth" repository
  • Provides an at-a-glance view of your overall compliance posture on user-friendly, color-coded dashboards
  • Performs unlimited self-audits in a few clicks and analyzes the findings

With ZenGRC performing so many ISO-related tasks for you and, by extension, helping to improve the performance of your management systems, you can stop worrying about your enterprise’s ISO compliance and management processes.

You’ll know that your services and products are safe and secure, and that your systems are working as smoothly and effectively as possible.

Worry-free with ZenGRC, you can turn your focus to other, more pressing matters—such as pleasing your customers and boosting your bottom line. Why not call a Reciprocity expert today to learn what ZenGRC can do for you and your ISO compliance and certification program?