How do you know which ISO standards your business should aim for?
What's the real benefit once the certificate is on the wall?
What will be the most valuable standard for 2019?
And how can you make multiple accreditation processes as simple as possible?
Any ISO project takes time, preparation and focus to get over the line, so we asked these questions to the man who'd hit four ISO standards in a single year: Greig Robertson, project manager at Scottish property legal firm Aberdein Considine.
Qualsys: When did you first join Aberdein Considine?
Greig: I joined the firm in 2013 as IT Project Manager.
Very soon after, we decided to go for ISO 27001 certification.
We have a number of clients who wanted us to get our information security certified and that quickly became part of my role.
It was a learning curve getting to grips with 27001, and since then it's snowballed.
In 2015 we decided to go for ESOS - we fell into the parameters for that.
And because we had 27001 in place already and were experienced with ISO, we then decided to go for 50001, the energy management standard.
So my role began to move away from IT because of all this, and my focus became primarily governance, risk and compliance.
Qualsys: Why was it important that you started with information security? What drove the start of your ISO project?
Greig: Our clients wanted us to demonstrate that we had sufficient security measures in place for the information we handled with them.
Achieving an ISO standard felt like a good fit for us. We were putting procedures and policies in place anyway at that time, and the 2013 revision of ISO 27001 had just gone live.
It felt like a good time - so we went for it and got certified to it.
Qualsys: And that was just the start, wasn't it? Tell us about 2017.
Greig: We achieved four standards that year, bringing us up to six standards in total.
We went for:
Since OHSAS 18001 has now been superseded by ISO 45001, we're working to make that transition now.
2017 was a busy year!
Qualsys: How did you achieve so many standards in such a short time?
Greig: I guess one of the key things about ISO standards nowadays is that they're all laid out in a similar way.
They follow the same format so we could use the same context requirements and scope documents for multiple standards.
If you look closely, your internal auditing and non-conformance processes can be applied to more than one ISO standard.
It's only the operational documents and standard-specific policies and procedures that you need to put in place separately.
The feeling was that we had a good deal of the structure built already, so it shouldn't be too difficult to throw up the rest.
There are elements of ISO 22301 (business continuity) in ISO 27001 (information security), for instance. We already had a good business continuity plan in place for 27001, which we could re-use and re-apply.
Qualsys: So you planned in advance which standards you'd like to achieve and looked for areas of crossover so you could tackle more than one at the same time?
Greig: That's it.
It's a case of stepping back to look for crossover. 50001, focusing on energy, links with 14001, which is environmental.
Our clients and the board had certain standards they wanted to us achieve - environmental and health and safety in particular - so it was a case of looking how to combine them together.
So our annual surveillance audits are now focused on our maintenance of six standards across our sites.
One of the key things about ISO standards nowadays is that they're all laid out in a similar way.
If you look closely, your internal auditing and non-conformance processes can be applied to more than one ISO standard.
It's a case of stepping back to look for crossover.
Qualsys: You mentioned ISO 22301, the business continuity standard. More and more businesses are aiming for this standard in order to insulate themselves against disaster or disruption. What would you recommend to a business looking to start their 22301 journey?
Greig: I think the key thing is to start with a full risk assessment.
You need to identify all the areas your business might be at risk, put a plan in place on how best to tackle them, and then test what you've put in place.
You need to cover the full scope, from workplace recovery to full disaster recovery.
For IT, for instance, Aberdein Considine has a back-up data system off-site which is regularly tested.
If our main office became unavailable, IT services would transfer to this site.
Likewise if one of our branch offices was unavailable due to adverse weather - which we've had recently - staff can relocate to another office.
We're lucky how we're spread out across the country so our staff can be rerouted, and sign in from any office.
Qualsys: Thinking of crossover, then, it sounds like there's some overlap between 22301 and 31000, which is the risk management standard.
Greig: Yes, it's about having control of worst-case situations and being able to show auditors that you can test, and have tested, your plans, that you can record lessons learned, and add them to an action log as part of a wider management system.
Categorise and control
Qualsys: What sort of things was your ISO 22301 auditor looking for?
Greig: Core documentation, like our business continuity policies. Our internal audit plans. Our improvement action logs.
And the key thing for business continuity is having a plan in place for your risks and demonstrating that you've tested them. That means reports from each test and being able to show a schedule of testing, ideally for the next year or more.
Qualsys: What's been the benefit of achieving so many ISO standards, particularly in such a short space of time?
Greig: It's been very beneficial for us having various standards for the work we do, being able to show them to clients and on tenders.
We complete detailed questionnaires for banks and building societies for tenders and there's always a section about information security. Being able to demonstrate that we have working management systems with accredited certificates attached is hugely beneficial.
And proving that we're thinking about how we manage our quality, our energy usage, our environmental impact makes us stand out.
It's improved the processes within the firm and forced us all to work on the same page. We have lots of branches across Scotland and England and it's good to visit those for an audit and see the same processes being followed.
We've got a uniform approach across the entire branch network.
By targeting crossover between ISO standards, Aberdein Considine
could achieve compliance to multiple standards in a short time
Qualsys: And you're now helping other firms with standards as well? You mentioned helping a firm achieve ISO 27001?
Greig: Well, I worked closely with our auditors for our Stage 1 and 2 ISO 27001 audits, and I put together a lot of the documentation.
Proving that we're thinking about how we manage our quality, our energy usage, our environmental impact makes us stand out.
So I was briefly contracted to another firm to help them with their documentation, pull it together, make sure they had the right records in place and carry out business continuity tests with them.
The firm in question already had 9001 and 14001 accreditation so they were some way there - I helped them get the relevant 27001-specific documents in place and carry out management reviews so they were ready for their audits.
Qualsys: Is it fair to say then that most businesses probably have at least some of the key ingredients in place for the ISO standards they want to achieve?
Is it less of a radical change and more of a stock-taking exercise to get ready for a new ISO project?
Greig: Very much so.
One thing I've picked out from visiting different offices and embedding ISO 27001 is that there usually are at least some processes in place already.
For instance, they might have great paper-based records but just need educating and prompting to lock particular sections away and add extra levels of security.
The entrance might be secure, but should a stranger find their way in, locking documents away is that extra layer of security.
It's a layering exercise.
Qualsys: ISO 9001 is typically seen as the benchmark of the modern QMS and a springboard for other standards.
What would you say is a typical timeframe for a business wanting to start the 9001 process, prepare, and then complete their audits?
Greig: Well it took us 6-7 months from start to finish.
But it's important to consider what kind of business you're working with. We're lucky in that we don't produce anything, so it was perhaps easier for us to become 9001-accredited than, say, a steel plant.
That's not to say it's an easy process, because it's not. And it's the same with any standard you want to put in place.
Qualsys: What's the best way to start an ISO project? Let's say a board have decided they want a quality manager to start working to certification. What then?
Greig: Good question.
I think having an idea of why you need the standard is the best starting point.
It's not just a badge or something you can get and then forget about it.
One thing I've picked out from visiting different offices and embedding ISO 27001 is that there usually are at least some processes in place already.
It's a layering exercise.
You have to constantly update documents and records to ensure you comply. It isn't over when you get the certificate. You need to keep on top of things.
So knowing why a particular standard is needed and listening to customers and how it will help your relationship with them is the start point for me.
EQMS has been great for helping us maintain compliance. Without it I'd have to have an entire calendar system built up for reviews and amends.
Particularly with six standards, it makes life so much easier by having an automated structure with everything in one place and with risk reminders popping up in the system.
Qualsys: Well it's great that EQMS is working well for you and supporting your needs.
Do you think having an electronic quality software system has helped your journey to those ISO standards?
Greig: It'd be a huge job setting something up to control hundreds or thousands of documents for multiple ISO standards without EQMS.
The review functionality, being able to give anyone in the company controlled access to documentation, to manage risks centrally rather than in a spreadsheet and link policies to risks, has all saved me so much time and made my life easier.
It's become manageable. I think I'd cry without EQMS now!
Aberdein Considine became Qualsys customers in 2016 to
manage their quality and compliance electronically with EQMS
It'd be a huge job setting something up to control hundreds or thousands of documents for multiple ISO standards without EQMS.
Qualsys: Don't worry, we aren't going anywhere! What's next for you then? What's the next standard?
Greig: We have Cyber Essentials in place, we're looking at Cyber Essentials Plus now to start in March or April.
We're also looking at ISO 37001 now, which is the anti-bribery standard.
And as I said before, we're transitioning OHSAS 18001 to ISO 45001.
Then we need to keep them all running at once!
Qualsys: What would you say is the standard to have in 2019? What are the main problems that could be solved with an ISO-accredited management system?
Greig: Information security is the one that will benefit most firms.
And if businesses already have 27001, I'd recommend looking at ISO 22301 and business continuity.
There's a continual increase in hacking and pharming and phishing so businesses need to know how to counter those. And with more and more adverse weather expected, business continuity is a good all-round standard for those problems.
So ISO 27001 and ISO 22301 are the key ones for me.
Information security is the one that will benefit most firms.
And if businesses already have 27001, I'd recommend looking at ISO 22301 and business continuity.
Qualsys: Thanks, Greig. Do you have any other recommendations?
Greig: I would definitely recommend EQMS to any business that doesn't already have it. It's a nice and easy system to use and it saves a lot of time and stress having it in place.
As I say, I'd probably cry if I came in one day and it wasn't there!
Next steps
Our Head of Quality Kate Armitage presented a webinar on ISO 9001:2015 for World Quality Day 2018.
Access the recording here:
Share your thoughts on this article