New technologies, industries, and products can increase our quality of life, longevity, and joy, but they also come with unknown risks. When a product or service is new or hasn’t been regulated yet, there’s always the possibility that the risks outweigh the value. No company wants to be faced with a product recall or lawsuit, and every company knows the benefits of keeping its employees safe and secure. Standards help you avoid losses and give you a set of clear guidelines and anchors to determine whether your organization is on the right track fiscally, ethically, and legally.
In this article, we’ll offer some background on the International Organization for Standardization (ISO) and its most popular standards, including two of the most popular frameworks for management systems: ISO 27001 for Information Security Management Systems (ISMS) and ISO 9001 for Quality Management Systems (QMS). We’ll also provide a breakdown of what ISO compliance means and why a company might pursue it.
What Is ISO Compliance?
ISO is an international non-governmental organization based in Geneva, Switzerland, that initially convened in 1946 and is now one of the dominant standard-setting entities in the world. In partnership with governments, policy-makers, and academics, ISO has set over 22,600 standards, regulating products from child car seats to film speed, and presenting comprehensive frameworks for best practices in business management and manufacturing processes. ISO is best known for a few of its standards, including ISO 9001 on standards for Quality Management Systems (QMS), ISO/IEC 27001 for Information Security Management Systems (ISMS), and ISO 45001 for Occupational Health and Safety, though it offers many more.
Image: ISO Standards Summary
Source: ISO Standards
ISO offers certification via third-party audit for a number of its standards, including ISO 27001 and ISO 9001. Although ISO itself does not perform certification audits, there are many other certification bodies that companies can contract with to perform formal certification and surveillance audits in line with ISO standards. Make sure to validate that your ISO auditor is appropriately certified.
These certifications can help solidify your organization’s reputation as a business your clients can trust, offering validation and verification that you are following international best practices. Certification helps communicate to your clients, stakeholders, and employees that protecting them is a priority to you. For instance, companies like Dropbox and Salesforce publish their ISO 27001 certification to demonstrate they care about protecting their stakeholders’ and partners’ private information and complying with ISO 27001 and ISO 27002’s security standards and recommendations. While ISO 27001 is the standard that companies can certify against, ISO 27002 is part of the overarching standards family and provides guidance for how to implement ISO 27001’s security standards. In addition to standards that can be certified against, ISO also releases supplemental guidance, best practices, and recommendations.
Achieving an ISO certification can be valuable, but also time-consuming and potentially costly. ISO 27001 certification, for example, may initially take about three to six months of pre-work for initial readiness, followed by a two-stage audit by a registrar after the first year, including surveillance audits, and renewal every three years. Before investing in certification (or recertification), many organizations opt to focus on ISO compliance first. ISO compliance is the practice of following a specific ISO standard as a guide for your organization’s structure, business operations, practices, and policies. Achieving compliance can be a first step towards certification or fulfilling partner/stakeholder requirements. The benefits of ISO compliance, even without certification, can give businesses a competitive advantage, especially if they devote themselves to continuous improvement.
Why Is ISO Compliance Important?
ISO standards are considered the global best practices by many industry leaders and consumers, as well as top management; being ISO certified signals to your clients and customers that your organization is trustworthy. Whether it’s working towards ISO 9001’s quality management standards for an optimized QMS or ISO 27001’s security controls and security policies, complying with and certifying against ISO standards gives organizations an edge in the market. ISO standards provide a framework for doing things right, and doing things well, which is an important distinction in today’s business environment.
Security controls like business continuity management and planning, risk assessment, risk management, and data security are all included within ISO’s many standards (including 27001), and complying with them can protect organizations from vulnerabilities and allow them to take corrective action for any nonconformities.
ISO compliance alone is the process of making sure your organization adheres to the ISO standards relevant to your enterprise, even if you aren’t yet ready to invest time and resources into the certification process. However, the process of becoming ISO compliant can get you on track to becoming ISO certified later on. Moreover, not all ISO standards are certifiable, so compliance may be your primary end goal. Compliance informs your partners and customers that you are serious about the quality of your processes, products, and services, that you value their privacy and safety, and that you are protecting the bottom line.
Why Being ISO Compliant is Imperative for Organizations
Being ISO compliant is valuable for operationally mature organizations seeking to enhance their reputation as they scale production or think about approaching new markets. ISO 9001 and ISO 27001 specifically are important for organizations that are at a stage where they are ready to systematize their information security and quality management processes. What can ISO compliance do for your organization? Here are a few benefits of ISO compliance and/or certification:
1. Streamlines Operations
If your organization is new or is just starting to think about information security or quality management, ISO provides strong frameworks to follow to make sure you’re covering your bases. Rather than determining how to stand up a program from scratch, your organization can save time and resources by using ISO standards and frameworks as adaptable structures for your efforts.
2. Enhances Reputation
Even without certification, you can show ISO compliance and communicate the steps you’ve taken to become and remain compliant with your clients. ISO compliance is still a powerful marketing tool for your company, especially if you’re on the road to future certification.
3. Indicates Trustworthiness
If your company is following ISO guidelines, it indicates to your clients that your business is trustworthy and you care about the quality of your products and processes. If you can demonstrate ISO 27001 compliance, for example, you’ll show your customers you care about cybersecurity, security controls, and protecting their data.
4. Reduces Losses
Whether preventing flawed products from hitting the market or ensuring manufacturing processes are safe, ISO compliance can prevent or reduce losses to your company. ISO 27001 compliance, for example, not only indicates you’re trustworthy; it also helps to protect you from the threat of a data breach, which could cause financial and reputational damage. ISO 27001 outlines steps to take to prevent a data breach and how to respond in the event one occurs. The ISO 31000 family of standards presents a framework for risk management and mitigation, helping organizations minimize losses and reduce risk.
5. Increases Revenue
Ultimately, all of the above is good for your bottom line: investing in ISO compliance, and potentially certification or recertification by a third-party auditor, may cost upfront, but it has significant ROI in the longer term. Following ISO standards helps you save in multiple ways, from cutting costs by developing efficient energy management systems to preventing losses by implementing quality control frameworks.
How Can I Be ISO Compliant?
ISO compliance should be almost as rigorous as certification — but driven by self- or internal audit, instead of third-party audit, thus saving time and money.
ISO 9001, for example, is structured around a four-stage process: plan, do, check, act, often abbreviated to “PDCA”. The standard employs this process to develop, implement, and audit quality management systems, outlining each component that needs to be present in a QMS, from management teams like human resources to production equipment and computing. If you are seeking to demonstrate ISO 27001 compliance, you’ll need to follow the ISO guidelines to develop your Information Security Management System (ISMS), including things like IT leadership, password protection and encryption, and training programs to help staff maintain rigorous protocol around data, then set up a system to track its success.
Today’s compliance management software can help you keep track of the various components of an ISO standard, especially if you’re looking to achieve compliance across a family of standards or multiple standards or frameworks that are interconnected. It can also help you keep track of any updates and encourage continuous improvement since ISO reviews each standard every five years to see if any changes need to be made.
The Different Types of ISO Standards
With input from industry, academia, and government, ISO has published over 22,600 standards across a wide range of fields, some related to processes and others to products. You might find multiple ISO standards that pertain to your organization — while you may want to pursue the certification process in one area, you can also become ISO compliant in other areas. Here are some of the most popular categories of ISO standards:
1. Information Security and IT
The ISO 27000 family — and ISO 27001 specifically — is a popular standard that helps to ensure an organization is doing its utmost to protect the security of its information. The standard outlines the best practices for developing Information Security Management Systems (ISMS), and can be certified by a third-party audit. ISO 27001 covers many security controls (including those associated with cloud services), with significant overlap with SOC 2 — indeed, many businesses weigh pursuing SOC 2 attestation versus ISO 27001 compliance or certification. Some may even opt to pursue both standards, unifying compliance efforts. Many operationally mature organizations choose to certify against ISO 27001 because it communicates to external stakeholders the company is devoting resources, effort, and time to protect and secure their information, and that the company understands how to prevent cybersecurity breaches.
2. Quality Management
ISO 9001 for Quality Management Systems (QMS) is the gold standard for organizations seeking to streamline the controls, standard operating procedures (SOPs), and policies they have around quality assurance. The ISO 9001 standard is certifiable by a third-party auditor and registrar, and covers the design and implementation of a QMS, including whether quality assurance documentation matches quality management practices. Other standards in the 9000 family cover quality control frameworks for more specific industries from road safety to solar panels.
3. Health and Safety
From ISO 22000 for Food Safety to ISO 45001 for Occupational Health and Safety, health and safety standards are some of the most popular and best-known ISO offerings. These process-based standards help prevent occupational hazards, employee injury, and the spread of disease in the workplace. They also ensure the safety of products we use every day; an ISO-compliant restaurant chain can help ensure their prepared foods are safe to consume and an automotive company can ensure their vehicles are safe for the road.
4. Environmental Management
The ISO 14000 family of standards sets the framework for how organizations can best work with (and protect) the environment. ISO 14001, for example, outlines how to consider environmental systems, like weather patterns and diverse ecosystems, in developing, sourcing, and manufacturing products and services. The 14000 family also targets environmental audits, communications, and big-picture issues like climate change.
5. Tourism and Events
Tourism and large-scale events can create a strain on a region’s resources, labor, and ecology. ISO standards for event management help to ensure that events are run safely, ethically, efficiently, and sustainably. Following ISO 20121, for example, can help those planning large-scale events consider everything from capacity to zoning requirements to environmental and labor issues. ISO 20121 was released in preparation for the 2012 Olympics in London, and ISO is continuing to work on even more specific guidelines for citywide events with ISO 22379. This fresh standard is still under development and is designed with similar future events in mind.
6. Energy and Natural Resource Management
As the world adapts to environmental changes, companies are increasingly seeking to increase sustainability. ISO offers standards for sustainable resource management and energy use, including ISO 50001, which offers guidelines for organizations to develop efficient energy management systems (EnMS). Organizations across all sectors can benefit from improved energy use — ISO emphasizes that optimizing energy use is good for the bottom line and also allows organizations to communicate to their stakeholders that they are adopting more sustainable practices.
7. Social Responsibility
ISO 26000 was originally published in 2010 and expands the work ISO started in introducing ISO 14000. This standard offers guidance on how companies can become socially responsible, which extends to sustainability, human rights, labor practices, and economic development. ISO 26000 is ambitiously comprehensive, created in partnership with the International Labour Organization, the Global Compact, the OECD, and a variety of NGOs and community development specialists. It provides guidance alone and cannot be certified, but ISO considers it a product of international consensus.
8. Medical Technology and Practice
ISO has released a number of standards that are very specific to healthcare settings and operations, including ISO 60601, a standard for using electrical equipment in medical settings. For example, as the world continues to respond to the COVID-19 pandemic, ISO regulations for equipment like lung ventilators have become increasingly important. With input from medical professionals, academics, and NGOs, ISO has worked with the International Electrotechnical Committee (IEC) to release standards as specific and detailed as ISO/IEC 80369, which outlines how to use small-bore connectors for liquids and gasses in healthcare applications.
9. Industry and Production
ISO is known for a whole range of standards related to product design, manufacturing, and distribution. ISO 13485, for example, covers regulations and quality for medical devices, including how they are serviced and updated. There are also a number of standards related to road vehicle design and measurements, including fuel consumption in hybrid and electric vehicles, and standardization of the symbols you commonly see on your dashboard. ISO has also created a number of highly specific standards covering everything from mechanical pencils to medical devices like orthopedic drills.
Staying ISO Compliant Moving Forward
A strong compliance strategy will strengthen your stakeholders’ trust in your ISO practices and can increase your marketing success. Pursuing ISO compliance is a worthy challenge that builds a company’s reputation for trustworthiness, security, and quality around the world. ISO compliance and/or certification certainly takes more than minor maintenance and has a strict lifecycle, but this shouldn’t deter companies from incorporating these practices into strategy and operations. Modern compliance management software that can incorporate multiple frameworks like ISO and facilitate control automation helps you keep on top of the many compliance frameworks and standards in your organization and supports the move towards certification. AuditBoard’s compliance management software can help you plan, track, and review your ISO compliance strategy. Learn how to get started today!
Frequently Asked Questions About ISO Compliance
1. What is ISO compliance?
ISO compliance is the practice of following a specific ISO standard as a guide for your organization’s structure, business operations, practices, and policies. Achieving compliance can be a first step towards certification or meeting partner/stakeholder requirements.
2. How does being ISO-compliant help business?
The benefits of ISO compliance, even without certification, can give businesses a competitive advantage, especially if they devote themselves to continuous improvement.
3. What are the different types of ISO standards?
ISO is best known for a few of its standards, including ISO 9001 on standards for Quality Management Systems (QMS), ISO/IEC 27001 for Information Security Management Systems (ISMS), and ISO 45001 for Occupational Health and Safety.
Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.