General

A New Era For HR – Above And Beyond ISO 30414

by -
Above And Beyond ISO 30414 - ISOUpdate.com

Written by: Brenna Johnson

ISO 30414 Human Capital Internal and External Reporting standard was published in 2019 and offers a new era for HR managers and to help both their organization and their stakeholders identify relevant information for more effective business management and disclose to interested parties. In this article, we will detail these four ISO standards and the areas covered.

ISO Standard and Companion Documentation for HR

ISO 30414, Human Resource Management – Guidelines for internal and external human capital reporting: The guidelines for internal and external human capital reporting. Companies are expected to report on 23 core metrics with the goal to increase transparency around an organization’s human capital contributions.

Below we have highlighted some relevant companion documentation available to help organizations understand terminology and help with requirements:

  • ISO 30400, Human Resource Management – Terminology: breaks down the fundamental terms used in the HRM (Human Resource Management) Standards.
  • ISO 30409, Human Resource Management Workforce Planning: helps organizations plan and adjust their staffing protocols.
  • ISO 30408, Human Resource Management – Guidelines on human governance: provides the necessary guidelines for establishing human governance system.
  • ISO/TS 24179, Human resource management – Occupational health and safety metrics: The first in a large series of technical specifications and guidance documents to provide comparable measures for internal and external reporting in human resource management. Specifically relates to occupational health and safety data and highlights issues that should be considered with interpreting it such as lost time from work-related injuries, accidents, etc., and the rate of people who have undertaken training on OH&S and shows comparisons over time for target tracking.

Areas Covered In ISO 30414

The ISO standards provide guidelines on the following core Human Capital Reporting areas:

  • Costs
  • Leadership
  • Organizational culture
  • Workforce evaluation
  • Productivity
  • Recruitment
  • Turnover
  • Diversity
  • Workforce availability
  • Skills and capability

Note: ISO 30414 is a guidance standard; meaning organizations cannot become certified to it. If you are looking for certification to a related standard, ISO 45001:2018 Occupational Health & Safety might be of consideration.

Why HR Should Go Above And Beyond ISO 30414

Every Industry Is Different

As with most ISO standards, ISO 30414 is generic in nature and not specifically tailored for health, agriculture, or banking industries. This means that it is easily applicable to any industry and decided to allow organizations to tailor each requirement to how they best run their business. For best results, an HR manager should have autonomy within their scope of work to achieve the requirements of the standard in a manner that serves the needs of their industry and their people. Without applying insight into your company’s best practices and the functionality of the work, strict compliance with these guidelines can lead to unexpected losses or resistance from the organization. There is no “one cap fits all” model in business, and the same should be considered for the application of an ISO Standard.

Consider utilizing a consultant to help you tailor-fit your processes to meet the requirement with how you best run your business. Looking for a consultant? Find an expert consultant in your area here.

Maximizing Productivity and Profits

If the goal of your business is to maximize profits and productivity; ISO Standards are designed to help you achieve this.

ISO Standards help organizations do this by reducing inefficiencies in processes and procedures. When everyone knows what they are doing, it saves time and energy and increases productivity. By doing so, companies often see an increase in profitability and employee satisfaction.

Results May Not Meet Expectations

While effective implantation of ISO Standards often increases profits and productivity through efficient processes and procedures; results may vary. It’s up to the HR leaders and top management to go the extra mile. Without support and effort from management to meet and maintain the requirements of the standard, maintaining an effective ISO 30414 management system will not be possible.

The People Factor

The HR department first and foremost deals with people – the company’s workforce, who have the most significant impact on the company or organization’s performance. If ISO guidelines are followed without amendments or improvements to how the workers’ function, it is the workers who suffer for it.

Reports Aren’t Everything

If reports and reporting are taken too seriously, and other vital areas like working conditions are overlooked, workers will be badly affected, and productivity may decline. HR leaders should be strategic, considering that they’re dealing with people who have feelings before implementing standards. If the standards produce unfavourable results, they should be quick to switch to a more suitable business model.

ISO 30414 gives a clear set of guidelines for evaluating and reporting human capital. While this is convenient for monitoring productivity. However, reporting doesn’t necessarily make workers more productive; rather, it’s a strategy used to organize and mobilize them.

In addition to a sound reporting system, there should be a sound people strategy/relationship. HR managers go beyond the reporting requirements to build the right system for people analytics, partnerships, and a culture that helps the company achieve its goal. Workforce data should be carefully analyzed to make for better working relationships, not just for employee retention, but for employee satisfaction. In short, advanced data analysis is far more powerful than reporting for business transformation.

Summary

ISO 30414 serves as a guideline for effective human capital reporting and paired with the companion documentation, it’s an extremely helpful resource for HR managers. For an organization to stay top of its class, continuous improvements are vital. Implementation of these guideline standards could mean the difference between hiring the best in the industry or increasing market share due to increased consumer satisfaction from your productivity. And because ISO 30414 is generic in nature, any organization can benefit from it. Everyone wants to increase productivity and profits, what will distinguish a particular company from others is whether or not they can go beyond these standards to create advanced policies of their own. Help set yourself apart from the rest, and go above and beyond the call of duty for HR.

Pick an HR system!

About the Author:

Brenna Johnson is an HR professional based in New York, with a passion for technology and modernizing our industry. Brenna helps shape selectsoftwarereviews.com as senior editor, providing expert advice on the best HR and recruiting software.

by -
ISO Terms Explained - ISOUpdate.com

To the novice quality manager, ISO jargon can be extremely overwhelming. What is an NCR? What do you mean by OFI? Are we certified or accredited? But before you go and pull out your hair, let’s take a moment to go over some of the most frequently used terms and their definitions with regards to ISO and Management System Certification.

Are you Accredited, Certified or Registered to an ISO Standard?

First things first. You are not certified to an ISO Standard, your company’s management system is certified. Individuals cannot be certified to an ISO Standard. However, individuals can receive training to become auditors to audit companies against an ISO Standard. For example, you may seek training and personnel certification to become an ISO 27001 Lead Auditor. You cannot be certified to ISO 27001.

The terms ‘’accreditation’’ “registration” and ‘’certification’’ are sometimes used interchangeably, but they don’t share the same meanings, technically.

CERTIFICATION:

An organization is considered certified to an ISO Standard if they have developed and maintained a compliant management system that has been audited by a third-party auditor from an accredited Certification Body (CB). To maintain certification, the organization will undergo annual audits from the CB to verify continuing compliance to the specific standard. A certification document or a certificate will be issued as an attestation of conformity of an organization’s management system to a specific management system standard or other normative requirements. Certification can be revoked if regular audits are not conducted, or if your management system persistently or seriously fails to meet certification requirements.

ACCREDITATION:

Accreditation is how an authoritative body provides formal recognition that an organization is competent to carry out specific tasks. Accreditation Bodies (AB) accredit Certification Bodies (CB) that demonstrate competence to audit and certify organizations conforming with management system standards. The accreditation process ensures impartiality and competence and fosters confidence and acceptance of the CB’s certifications by public and private sector end users. Accreditation provides assurance to customers that CB’s operate according to internationally accepted criteria.

REGISTRATION:

Registration is another term for Certification. The terms Registration and Registrar are not used much anymore in this industry and Certification is now the preferred term.

Audits, Auditing & Auditors

Auditing:

Auditing is the systematic process of collecting and evaluating information about an organization’s management system to determine their level of compliance with the standard they are being audited against.

Types of Auditors

Consultants:

Management system consultants provide organizations with specific advice, instructions or solutions towards the development, implementation, and maintenance of a management system. They may also prepare or produce manuals or procedures for the management system.

Internal Auditors:

An internal auditor is a company employee who independently and objectively evaluates the operations of an organization’s management system. Internal auditors perform internal assessments of the organization and prepare reports for management.

Note: Internal audits are required by ISO management system standards but cannot be used to grant certification to an organization.

Third-Party or External Auditors:

Individual(s) who conducts the audit(s) on behalf of the certification body. Unlike a consultant or internal auditor, third-party auditors are impartial. Their job is to collect and evaluate objective evidence to determine if the management system complies with the ISO Standard. Based on these findings, the CB will make a recommendation for certification.

Certification Body:

A Certification Body (CB) is an accredited third-party organization that audits and issues certificates to companies seeking certification to various ISO Standards. CB’s obtain accreditation to be able to certify to a specific ISO Standard(s). CB’s are audited by Accreditation Bodies (AB) to ensure impartiality and conformity of their work and processes.

Accreditation Body:

An Accreditation Body (AB) is an organization that provides accreditation services. AB’s provide formal, third party recognition that a Certification Body is competent to issue certification to specific ISO Standards.

The ISO Lingo – Commonly Used Term & Definitions:

The following Terms & Definitions are from ISO/IEC 17021-1

Certified Client

organization whose management system has been certified

Impartiality

presence of objectivity ; freedom from conflict of interest / bias

Note 1 to entry: Objectivity means that conflicts of interest do not exist, or are resolved so as not to adversely influence subsequent activities of the certification body.

Client

organization whose management system is being audited for certification purposes

Auditor

person who conducts an audit

Competence

ability to apply knowledge and skills to achieve intended results

Guide

person appointed by the client to assist the audit team

Observer

person who accompanies the audit team but does not audit

Technical Area

area characterized by commonalities of processes relevant to a specific type of management system and

its intended results.

Note: The term “technical area” is applied differently depending on the management system standard being considered. For any management system, the term is related to products, processes and services in the context of the scope of the management system standard. The technical area can be defined by a specific certification scheme or can be determined by the certification body. It is used to cover a number of other terms such as “scopes”, “categories”, “sectors”, etc., which are traditionally used in different management system disciplines.

Nonconformity (NCR)

non-fulfilment of a requirement

Major Nonconformity (Major NCR)

a nonconformity that affects the capability of the management system to achieve the intended results.

Note: Nonconformities could be classified as major in the following circumstances:

  • if there is a significant doubt that effective process control is in place, or that products or services will meet specified requirements;
  • a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Minor Nonconformity (Minor NCR)

a nonconformity that does not affect the capability of the management system to achieve the intended results.

Technical Expert

person who provides specific knowledge or expertise to the audit team. Specific knowledge or expertise is that which relates to the organization, the process or activity to be audited.

Certification Scheme

conformity assessment system related to management systems to which the same specified requirements, specific rules and procedures apply

Audit Time

time needed to plan and accomplish a complete and effective audit of the client organization’s management system

Duration of management system certification audits (Audit Duration)

part of audit time spent conducting audit activities from the opening meeting to the closing meeting, inclusive.

Audit activities normally include:

  • conducting the opening meeting;
  • performing document review while conducting the audit;
  • communicating during the audit;
  • assigning roles and responsibilities of guides and observers;
  • collecting and verifying information;
  • generating audit findings;
  • preparing audit conclusions;
  • conducting the closing meeting.

Opportunity for Improvement (OFI)

Situations where the evidence presented indicates a requirement has been effectively implemented, but based on auditor experience and knowledge, additional effectiveness or robustness might be possible with a modified approach.

by -

Written by: Narendra Sahoo

Introduction

ISO 27001 is a comprehensive international standard on information security management. Organizations trying to achieve ISO 27001 Certification for the very first time may find this to be a challenging task. Organizations that have developed a management system for information security will need to implement Internal Audits on a regular basis to ensure conformity to the standard. In this article, we will detail a 5-step method for the success of your internal audits.

Stage 1

Scope & Risk Assessment

Before you can begin, you first must determine the scope of your audit, i.e., the focus and identify which areas are of higher priority and need to be audited more frequently, and which areas are of lower priority or risk and can be audited less frequently. All areas affected by the standard must be included in an audit eventually, however not all areas need to be audited at the same frequency. This is called a risk assessment. You are required to conduct a risk-based assessment to determine the areas of higher risk for the audit. For this, your team/consultant will need to understand the business operations, controls, and systems from you and accordingly define the scope as applicable.

An experienced auditor/consultant will understand which areas in your business are of high risk or priority; if you are unsure, consulting an expert is never a bad idea! Looking for experts? Check out [link to consultants]

?It is important that your organization’s audit scope is in alignment with the ISMS policy. This is the first thing that an auditor will check and sets the stage for the remainder of the audit.?

Once you have identified areas in your processes that fall in scope for your internal audit, you will need to prioritize your resources and prepare for the audit.

Want to learn more about Risk within the context of ISO 9001? Read this

Stage 2

Documentation Review

After you have completed determining the scope of your audits and conducted necessary risk assessment you should begin reviewing the documents of the organization concerning the administrative and business operations that are in place.

Documents reviewed at this stage of the audit would be concerning the scope of your management system, policies, procedures, and processes, documents required by the standard, and other necessary documents deemed necessary by the organizations for effectively maintaining the management system. Documents reviewed here should also be within the scope of the audit as covered in step 1. Documents should also be reviewed using a sampling method, as depending on the size of your organization and the vastness of your documentation a full audit into all documentation may not be possible.

Here the auditor does a high-level review of your documents supporting the management systems, processes and establishes whether the internal audit is in place. Reviewing the documents is an essential stage to plan and prepare for the upcoming audit process. The analysis of the documents will allow specific frameworks to be set that may be required during the internal audit process. Moreover, the documentation review helps verify whether the established documents are in alignment with the requirements of the standard.

Want to learn more about Document Review and Control within the context of ISO 9001? Read this

Stage 3

Onsite Audit

Once the audit scope is defined and the documents are thoroughly reviewed the next stage would include performing an onsite audit to gather evidence and identify gaps in the management systems and processes.

This is an evidence-gathering process that includes interviewing employees, managers, and other stakeholders of your organization associated with the ISMS. The onsite audit determines if your organization has met minimum requirements of the standard and is ready for the ISO 27001 certification audit.

An onsite audit includes observing the established practices in your organization, interviewing staff and verifying processes and their effectiveness. Records are reviewed, evidence is collected, and a full audit report is created detailing the gaps identified, areas of nonconformity, and possible improvements in the management system.

Stage 4

Evidence Analysis 

After the onsite audit has concluded evidence collected is analysed and sorted to classify the risks identified during the audit process.  The audit analysis helps identify gaps against the base criteria and requirements of ISO 27001 Standard. The auditors compile these results, reveal the gaps in enforcement, and may further identify areas of ISMS that require additional testing.

Stage 5

Audit Reporting

Audit Reporting is the final stage of the assessment process. Here the auditor presents the findings of their audit. The internal audit report should be a detailed document comprising the scope, objective, high-level analysis, and key findings. The report will also include recommendations and corrective actions needed. The audit report should be presented and discussed with management for a further plan of action.

Final Thoughts

ISO Audits are extensive and require time and resources invested successfully achieve  ISO 27001 Certification. Organizations need to prepare before taking the final plunge. Systematically following the above-mentioned audit process will not just ease the journey but also help ensure your organization meets the standard requirements and achieves ISO 27001 Certification. Understand that like anything in business, the participation of top management in internal audits is critical. Top management ensures company-wide buy-in for developing effective audit plans, defining roles and responsibilities, and ensuring the enforcement of policies, procedures, and processes.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA

InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

by -

An accredited ISO certification is beneficial for any organization, regardless of its size or industry. As discussed in an article called ‘What Are the Benefits of Getting an ISO Certification?’, what makes the internationally recognized ISO certification so important is that it helps organizations develop processes and procedures that benefit everyday operations and ensure consistent outputs, while also increasing customer satisfaction. ISO 9001:2015 is an international standard that gives organizations a framework with which they can develop an effective quality management system. This improves employee performance, boosts company efficiency, reduces waste, and enhances the customer experience — increasing your credibility with all stakeholders.

However, many business owners may not necessarily know how to get ISO certified, especially if they’re just starting. Moreover, they could also be struggling to get their fledgling business off the ground. According to the Bureau of Labor Statistics (BLS), approximately 20% of new businesses fail during the first two years of being open. In fact, only 25% of new businesses make it to 15 years or more — numbers that have been consistent since the 1990s. It’s time for business owners to place emphasis on meeting quality standards to ensure success, even as they begin operations.

At ISOUpdate, we offer online resources and advice, for free. However, there is nothing quite like having tangible hardcopy resources on hand for reference. Below we have highlighted four books that we believe are great starting resources to help you better understand international standards and their benefits to your organization.

Discover ISO 9001:2015 Through Practical Examples by Carlos Pereira da Cruz

Discover ISO 9001:2015 Through Practical Examples is a primer for beginners in quality management systems (QMS), although it’s also helpful for those with moderate to expert knowledge of ISO 9001. Veteran quality practitioners will appreciate over 50 case studies, charts, diagrams, and tables that show readers a practical, relevant method of applying ISO 9001 principles to your own business. Instead of blindly following policies or procedures, author and quality management consultant Carlos Pereira da Cruz offers a straightforward way to adapt a QMS into your business and meet ISO 9001:2015 requirements.

Standards, Strategy, and Policy: Cases and Stories by Peter Grindley

Since 1995, author Peter Grindley’s Standards, Strategy, and Policy: Cases and Stories have left a lasting impact on research literature for standards. Grindley establishes “standards” to represent technical specifications for quality, compatibility, and connectivity, and the book discusses how compatibility standards can ensure business success. Grindley provides readers with examples to analyze problems in establishing a new market standard and winning standards contests. He also provides practical analyses on how to maintain standard profitability, as well as how to compete within established standards.

The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers by Ben Horowitz

What happens after you start a business? Many books and blogs talk about how great the beginning is, but no one ever likes to talk about the nitty-gritty of daily business operations with candor. In his book The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers, author Ben Horowitz shares some hard-earned, practical wisdom on managing the tough problems business school won’t cover. With the insights he’s gained from buying, developing, managing, selling, investing in, and supervising technology companies, Horowitz will teach you how to grow a business and let you in on the key to success: not quitting.

Built to Last: Successful Habits of Visionary Companies by James Collins and Jerry Porras

Pursuing Big Hairy Audacious Goals (BHAGs) is probably the most memorable part of Built to Last. Authors James Collins and Jerry Porras researched 18 successful companies over the course of six years to uncover how each one managed the transition from start-up to a large corporation. They found that the secret is to never settle for just being good enough and to chase down BHAGs. Rather than following existing standards, Built to Last recommends setting even higher standards as your goal. The book also highlights an important truth: profit is not the primary focus. Rather, products, services, and employees are the true heart of the business. With purpose and principles, you can’t go wrong.

Additionally, along with purchasing the ISO 9001:2015 Standard, ISO has released companion documents to help you understand the terminology, references and meanings for each clause. Below is a list of companion resources we recommend taking a look at:

ISO 9001 – Debunking the myths –

ISO 9001:2015 for Small Enterprises – What to do?

ISO 9001 Auditing Practices Group (ISO 9001 APG)

About The Author

Jorine Bibi Author LogoJorine Bibi is an environmental blogger. She hopes that her articles provide her readers with information on what the world can do to reduce its energy use. She also believes that if we don’t address the issue of climate change soon it will be too late. In her free time, she likes to tend to her garden.

by -
Top 10 Mistakes Made in Managing an ISO 9001 System

They are easy to make but can be costly to your company, in the short term, and the long term! In this short video, ISO Update talks about the Top 10 most common mistakes we’ve seen companies make when managing an ISO 9001:2015 Quality Management System, AND how to avoid them!

Did you know ISO Update has a Youtube Channel? Subscribe and like our videos so we know you want more content like this video!

You can read the full article here – Top 10 Mistakes Made in Managing an ISO 9001 System

by -
Effective ISO 27001 Risk Assessment

Organizations of all types and sizes collect, store, process and transit information that is valuable to them and to their clients. Safekeeping that information is vital to protect against threats both deliberate and accidental. The adoption of ISO/IEC 27001 helps organizations keep this information secure.

ISO/IEC 27001 is an international standard for Information Security Management which details the requirements for the adoption of a risk management system and process for reviewing and confirming security controls in an organization. The standard helps organizations ensure their processes in place are in line with regulatory, legal, and contractual obligations and are working towards the end goal of security. Risk Assessment is an integral part of the ISO/IEC 27001 Standard as it helps organizations determine, analyze, and evaluate vulnerabilities in their Information Security Processes. In this article ISOUpdate and Narendra Sahoo cover the significance of Risk Assessment and steps to an effective ISO/IEC 27001 Risk Assessment.

Why is Risk Assessment Important for your Organization?

Risk Assessment relating to information security is imperative for organizations to understand various threats and risks to their critical data and what or who their infrastructure is or could be exposed to. It is an essential step to consider when developing an information security management system as it forms a strong foundation for the organization’s security program. The process of Risk Assessment helps identify threats and further helps mitigate the various risk of incidents that could affect the operations of an organization. The process of conducting regular risk assessments helps direct an organization’s focus towards the most critical and highly risk-prone areas of the organization’s infrastructure and determining where weaknesses lie. Below are steps to effective ISO/IEC 27001 Risk Assessment to help your organization.

Risk Assessment Framework

ISO/IEC 27001 Standard (Clause 6.1.2) asks organizations to define and apply a Risk Assessment process that is objective, identifies the information security risks and their owners, analyses and evaluates the risks and provides consistent and comparable results. Organizations shall adopt an approach that addresses the core security requirements in terms of regulatory and contractual requirements. Organizations must tailor their approach based on the following parameters to establish a strong Risk Assessment framework.

The risk parameters include:

  • Risk scale which is based on the likelihood of an incident occurring (frequency of occurrence) and the level of impact (financial loss, reputational damage, operational disruption) that the incident may have on the organization.   
  • Risk appetite which determines the acceptable level of risk to which the organization can withstand.
  • Scenario-based risk which determines the possible events that might affect the security of assets.
  • An asset-based (or process based) risk assessment that determines critical assets (records of personal data, financial data, and medical data) that may be exposed to various risks.

As defined in Clause 6.1.1, when planning your information security management system, risks and opportunities relating to the management system should be addressed to ensure its intended outcomes can be achieved. Risks and opportunities should also be addressed to allow the system to prevent or reduce undesired effects and allow for continual improvement.

As an organization, you must have a process in place to consistently address your plans and actions to identify, assess and treat these risks and opportunities, and how as an organization you will integrate and implement them into your information security management system and its processes as well as the process owners who will champion these tasks. As said by ISMS “Quite simply this means documenting the process for risk identification, assessment and treatment, then showing that is working in practice with management of each risk” – source

Identifying Risks

Identifying risk is the most critical part of Risk Assessment. Identifying risk typically involves determining critical assets that require protection, a possible threat that may impact business operations, and the vulnerability in the business process or asset management or security controls that may result in an incident that impacts the organization.

Asset-Based vs Risk-Based Approach to Risk Assessment

Risk-based approach is a systematic method that identifies, evaluates, and prioritizes threats facing the organization. It is a customizable method that enables the business to tailor their cybersecurity program to specific organizational needs and operational vulnerabilities. By utilizing a risk-based approach to risk assessment organizations use risk to balance the operational performance of the assets against the asset life-cycle cost.

Asset-based approach asks organizations to conduct a risk assessment to determine where your weaknesses are, how likely it is that those weaknesses will be exploited and the impact each one will cause.

The Risk Assessor needs to identify potential risks that may compromise the confidentiality, integrity, or availability of assets and analyse the impact of the organization. Your organization should determine which approach works best for your organization, and what resources you need to ensure its success. This process of risk assessment should be continual and consistent within your organization.

Source: Conducting an asset-based risk assessment in ISO 27001 by Vigilant

Analysing Risks

Risk analysis involves understanding and determining the way an incident may occur and affect your business. This involves identifying possible ways in which identified vulnerabilities found from your asset-based on risk-based approach process can be exploited internally or externally. The analysis must also include an assessment of the likelihood of the incident occurring and the level of impact that it would have on business.

Risks should also be analysed based on whether the organization has in place baseline security controls for effectively addressing the identified risks.

Organizations shall identify controls in place to strengthen the security measures. This should further include evaluating the current controls to determine whether they work appropriately or should be replaced, modified, or supported by additional controls.

Evaluating Risks

The identified and analysed risk(s) must now be evaluated and rated based on their severity. This evaluation should include rating the risk level on a scale of low, medium to high or your internal scale that makes sense for your organization. Risk grading is subjective by nature and should be standardized or based on a set criteria for consistency across your management system.

Evaluating the risk also helps identify whether or not the risk falls within “acceptable levels” of risk. Based on the risk rating, the organization must identify the highest rated risks and, prioritize their resources accordingly to address risks based on their level of severity. With this, the organization must also evaluate the impact of risk on internal and external business and its impact.

Risk Management & Treatment Options

Once the identified, analysed, & evaluated risks are classified, the organization should make an informed research-based decision to mitigate the risk. Generally, the response to addressing the identified risks is classified into four categories. This includes:

  • Modification which involves implementing security controls.
  • Retention of risks which means accepting that the risk falls within the acceptable levels.
  • Avoiding the risk by altering the circumstances causing the eventuality of risk.
  • Share risk with an insurance firm or with a third party who is equipped to manage the risk

The organization needs to identify current controls that are in place and controls that should be established to mitigate and/or reduce risk. 

Reviewing and Monitoring

An organization must consistently review, update and improve the information security management system (ISMS) to ensure that the controls added or in place are effective, appropriately established, and working as intended. The Risk Assessment process must be repeated consistently to ensure your organization has accounted for all the changes and the constantly evolving threat landscape. This process of identifying, analysing, evaluating and monitoring should be seen as an opportunity to continually improve the ISMS and implement control that can address the evolving risks.

Final Thought

Risk Assessment is an ongoing process and should be conducted on an ongoing and consistent basis to ensure your organization is mitigating, eliminating and controlling risks to internal and external threats to your information security. Re-evaluating the security controls and risks regularly can help businesses devote resources accordingly and address the potential threats periodically. Further, Risk Assessment helps businesses make an informed decision for establishing strong security measures and progressive outcomes for the business. 

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA
InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

by -
integrated audits

What Is an Integrated Management System? 

An Integrated Management System (IMS) is a single management system that combines all related processes and components to meet the requirements of more than one management standard into one overarching system designed to be easier to manage and operate. Integration can be executed by an organization of any size, relating to any sector, and is typically done to lower operating costs and simplify a mature management system. These systems have linkages integrated within them that help processes to be managed smoothly and without duplication. 

An integrated audit assesses an integrated management system with the same set of documentation, policies, processes, and procedures. This can lead to a lower certification cost as well as fewer interruptions to the organization itself.

Benefits of Integrated Management Systems 

By implementing more than one standard within one overarching integrated system, businesses can develop a mutual or single management system component such as policies, objectives, resources, or processes and integrate their processes, saving organizations time and money.

As individual systems are integrated to show a coherency between their objectives, processes, and resources, there is an improvement in accountability and responsibility. Using integration to create a sense of consistency in one’s organization allows the system to become less complex and more easily understood by interested parties. Consistency also helps establish a mutual set of objectives that are important to the organization.

Integration also eliminates redundancy by taking a systematic approach towards decision-making. This is usually not the case when management standards are implemented due to the layers of hierarchy and inability to streamline decisions. As the processes become better equipped to accommodate change, we often see a reduction in bureaucracy. 

Establishing cross-functional teams and merging them with process owners can make decision-making and deployment easier. Integrated management systems also allow organizations to conduct integrated audits and assessments, which help with time management and reduce costs.

Auditing Multiple Standards Utilizing Integrated Audits

Integrated audits can lead to fewer work floor interruptions, more streamlined processes, and better consistency with objectives across various systems. An organization can also theoretically save time by having a single audit for multiple certification standards, which may be a cost saving alternative to booking multiple auditors for multiple audits.

This however will depend on the capacity and capabilities of your Certification Body. One saving that could be of benefit to your organization is with integrating audits, your employees only need one stretch of time booked to accommodate the audit, compared to potentially two or three separate occasions for multiple audits over an extended period of time if you have not integrated your system and audits.

Even if it is time conserving, audit time depends on the extent of the integration of the management system and its documentation, the capability of the auditees to provide information on multiple system standards and lastly, the availability of auditors that can audit integrated systems.

Planning Integrated Audits & Schedules

When planning an integrated audit, your organization should focus on a single audit plan and create an audit matrix that clearly shows all the subsections of the different management systems. It should include the processes within the scope of the audit and address the applicable standard requirements during the assessment of these processes. Due to the common requirements throughout some standards, integrated audits can cover multiple standards at once when looking at certain aspects of your company and its processes. For example, internal audit and management review requirements are common to all management standards and would only need to be audited once during an integrated audit.

The audit team as a whole must satisfy the competence requirements as relevant for each management system standard covered by the scope of the audit of an IMS.

by -
Myths of ISO 9001 Certification - ISOUpdate

This article was originally published by ISO.org here and has been expanded and updated by Aurion ISO Consultants and ISOUpdate.

ISO 9001:2015 Certification is seen by many as an essential Standard all organizations should opt for to enhance customer satisfaction and delivering quality first products and services. Implementing a certified Quality Management System through the framework of ISO 9001:2015 aids your organization in building a robust control system to help with quality control, achieve quality objectives, and business goals.

However, there are some myths and misconceptions that tend to surround ISO 9001:2015 that might be affecting your view or opinion of the Standard and Quality Management Systems that someone you know or work with might have. In this article, we will highlight some common myths of ISO 9001:2015 certification and explain why they just are not true!

Here are some of the common myths of ISO 9001:2015 Certification and the reality:

Myth 1 – ISO Is Complicated

ISO Certification guidelines and procedures at first instance seem a bit complicated. They are written with terms and words that we might not be familiar with or phrased in such a way that is not always the easiest to understand for newbies. We get it – there is a reason why companies offer whole courses dedicated to “understanding ISO 9001:2015”.

However, starting with the fundamentals of the quality management principles gives way to a more structured process that any organization can easily follow.

If you can overcome the initial confusion, there are a few simple steps you can take to better wrap your head around the standard.

Step 1: Consider Training

You might want to investigate what courses are available to you, either through your Certification Body, through recommendations from your consultant or auditor, who will often have ample information on ISO standards, tried and tested checklists, and frameworks to easily implement the system standard in any type of organization. You can also view courses listed on ISOUpdate.com or other reputable online sources or even YouTube!

Step 2: Companion Documentation

ISO 9001:2015 has several companion documents that are available to you to help understand the standard. For example:

  • ISO 9002:2016 – Guidelines on the application of ISO 9001:2015
  • ISO 9002:2015 – Quality management – Quality of an organization – Guidance to achieve sustained success
  • ISO 10005:2018 – Quality management – Guidelines for quality plans

If you want to learn more, visit the ISO Subcommittee for Quality Systems website here.

Myth 2 – ISO Follows Very Old Documentation

ISO 9001 was first published in 1987 and historically has been revised and updated every few years. Updates has been made due to feedback, industry trends, and worldwide demand changes. Updates and revisions are made to make ISO 9001 relevant and practical to users. “ISO 9001:2015 incorporates elements such as a stronger focus on stakeholders and the wider context of an organization to fit the evolving needs of modern business” – source.

ISO 9001:2015 framework can be used across organizations of any size of business activity.

It focuses on a holistic approach by following the plan, do, check, act enabling a well-defined structure for organizations to follow. It helps in providing quality services and continually improving the processes.

Note: the year noted after the semi-colon refers to the year the revision was released. As of publishing this article, ISO 9001:2015 is the current revision of the standard. Companies certified to anything older are not considered certified.

Myth 3 – ISO 9001:2015 is Only for Large Businesses

ISO Certification Standards are designed to be generic and flexible to allow organizations to customize to their needs. Any organization can utilize the framework regardless of the size of the business type.

Note: In a smaller organization, implementing ISO 9001 could be quite easy as there will be limited staff to train, and business processes could be easily optimized to the ISO quality benchmarks.

ISO 9001 Standard is about defining, measuring, and improving processes. It provides the organization with quality guidelines and frameworks to ensure employees of all levels follow continuous improvements and best practices.

In large or small organizations, the process of the QMS System implementation is the same. Differences only occur in how each clause of the standard translates to how you do business. Custom-fit your QMS to how you best run your business and ISO 9001:2015 will work for you!

Myth 4 – ISO 9001:2015 Certification is Very Expensive

ISO Certification cost is determined by various factors such as employee size, nature of the business activity, level of technology adoption, scope of the quality management system implementation, employee training requirements, ISO Consultant reputation, ISO Certification body selected, and more.

The cost of ISO Certification implementation for an organization is often negotiable (to an extent) and does not have a fixed cost structure. It varies depending on the complexity of the ISO Certification implementation.

Note: Trusted ISO Consultants like AURION will guide you in getting ISO Certified at the lowest cost and best-in-class ISO certification implementation service.

Fixed costs are noted from Accreditation Bodies for the Certification of your QMS which is dictated by the number of employees your organization has. This will determine the number of days your audit will have to take place and is not negotiable.

Read this article to learn more about the cost of ISO 9001:2015 Certification.

Myth 5 – ISO 9001:2015 is Only for Manufacturers

The ISO 9001:2015 Certification Standard is widely in use across many industries such as hospitals, banks, universities, software companies, and other service or manufacturing businesses.

ISO Certification helps organizations to demonstrate their capabilities in delivering quality first products & services. ISO Certification is an internationally recognized standard for quality and standardization of products & services of any organization.

Guidelines and best practices apply to all types of organizations for streamlining their business operations and focus on improving the quality of services and enhance customer satisfaction.

Myth 6 – ISO 9001:2015 Requires a lot of Paperwork

Technically, there is no required documented processes or procedures in ISO 9001:2015. However, you do have to maintain documented information to support the operation of your processes and retain documented information to show processes are being carried out as planned.

Also, if you have deemed it important or necessary for your operations, you must keep documented information necessary for the effectiveness of the QMS. If you say you need it documented, you should keep it documented.

While documentation is required, the true number of things is limited, and especially in the 2015 revision. Historically documentation has been seen as a massive undertaking, however, ISO 9001:2015 is more flexible than previous revisions.

The integration of ISO Certification Standard into an organization system is more of a practical exercise than a policy manual preparation and documentation.

Documentation in ISO 9001:2015 is more flexible and your company is encouraged to document in a way that is appealing to your organization and in a way that makes sense for how your organization operates.

Myth 7- You Need a Perfect System to Get ISO Certified

In short, no – but it must be functioning. While ISO 9001:2015 offers guidelines to transform an existing management system or develop one from scratch, certification requires a few more steps. For your company and its QMS to become certified, you will need to implement the quality management system practices effectively – meaning the ISO 9001:2015 framework needs to be followed, tailored to your organization, processes need to be documented where applicable, and systems need to be audited in regular intervals.

Certification happens over a few stages and lasts for 3-year cycles including an internal and an external audit. To learn more about the Stages of ISO Certification, read this article.

What is helpful for new quality management systems is that it is a forgiving system and auditors are not auditing to find faults in your system but rather find opportunities for improvement. If you receive help from organizations like Aurion or any other local consultant, your organization can be ready for certification in approximately 3 months.

Your system does not need to be perfect – you want to have findings (non-conformances or opportunities for improvement), as it is a way to learn from your mistakes and grow – what the industry calls Value-Added Auditing.

About the Author

John Wick is an ISO Consultant working with Aurion ISO Consultants in Dubai. John likes to write on ISO Training, ISO Consulting, latest changes in ISO Standards, industry-wise benefits from getting ISO Certified. Reach out for expert consultation on any ISO related queries.

About Aurion

aurion-logo

Aurion ISO Consultants, Dubai offers world-class ISO Services such as Training, Consulting, Certification, Implementation, and Audits in Dubai, UAE and Worldwide.

Aurion ISO Consultants is an Award-Winning Consultant firm in Dubai, UAE and one of the fastest-growing ISO Service provider in the UAE and GCC region. We have assisted 1800 clients across several countries globally.

by -

Written by: Narendra Sahoo

Introduction

Data protection and Privacy are today the top-most priority for organizations dealing with sensitive and confidential data. There are many regulatory frameworks established around it to ensure organizations adopt industry best practices to secure their environment.

GDPR Regulation is one such framework established in the EU to ensure Data Protection and Privacy. However, due to the stringent regulation and security requirements, most organizations struggle to achieve Compliance. 

For those organizations looking to achieve GDPR Compliance, implementation of ISO/IEC 27001’s framework will make your compliance journey a lot easier. 

In today’s article, we have discussed how implementing ISO/IEC 27001 Standard will help in achieving GDPR Compliance.

ISO 27001 Standard and GDPR Compliance

ISO/IEC 27001 Certification is a recognized international standard for information security management. Although the standard is not exclusive to Personal Data Protection, yet many requirements are in common with the GDPR Regulation. 

Implementing the ISO/IEC 27001 Standard makes it a lot easier in achieving GDPR Compliance. But, ISO/IEC 27001 and GDPR can by no means be used interchangeably. ISO/IEC 27001 simply provides a framework to ensure certain measures are implemented that also facilitates the GDPR compliance regime. 

Let us take a closer look at the standard and the regulatory requirement to understand what all does ISO27001 cover in the GDPR Compliance:

What is in common between ISO 27001 Standard and GDPR Compliance?

ISO/IEC 27001 Standards can be used for achieving compliance. Given below are some standard framework that overlaps with GDPR Compliance requirements.

Risk Assessment

Risk Assessment which forms an integral part of ISO/IEC 27001 Standard, is also an essential part of GDPR Compliance. Similar to the ISO/IEC 27001 standard which includes identifying risk and applying control measures to reduce the risks to an acceptable level, GDPR requires organizations to conduct a Data Protection Impact Assessment (DPIA) to implement measures to reduce the level of risk exposure.  

Implementing ISO/IEC 27001 Standard as an integrated part of your Risk Management program will also help you meet the GDPR risk assessment requirement.  

Breach Notification 

Articles 33–34 of the GDPR Regulation requires organizations to notify authorities within 72 hours of a breach of personal data. Similar requirements in ISO/IEC 27001, which addresses information security incident management controls require organizations to report security incidents promptly and communicate the events in a way that facilitates timely and corrective actions to be taken.

Data Protection by Design

As under Article 25 of the GDPR Regulation organizations are required to implement technical and organizational measures that ensure data protection and privacy by design. It also requires organizations to protect data privacy by default and ensure only essential information required for a specific purpose must be processed and used. 

So, Privacy by Design which is a mandatory GDPR requirement can be achieved with ISO/IEC 27001 standard which also outlines requirements to ensure information security is an integral part of information systems across the entire lifecycle.

Retention of records 

The GDPR Regulation Article 30 requires organizations to maintain records of processing activities, including categorizing of data, the purpose of processing, and general description of the relevant technical and organizational security measures in place. GDPR also calls for personal information to be not stored for longer than needed. 

Similarly, ISO/IEC 27001 requires organizations to document their security processes, and details of their security risk assessments and risk treatment as per Clause 8. Further, it requires information assets to be classified, inventories, and have in place procedures to ensure the use of data use is defined.

Asset Management

The Annex A of ISO/IEC 27001 Standard which focuses on Asset Classification and Management will also include Personal Information as Information Security Assets. This will lead organizations to classify the type of Personal Data involved, where for long is it stored, its origin, and who can access it, which are all the requirements of the GDPR. This would be in the context of handling, controlling, and/or processing Personal Information.

Can ISO 27001 Certification alone be enough for achieving GDPR Compliance?

ISO/IEC 27001 Standard is an up-and-coming industry best practice for Information Security and an excellent framework for GDPR Compliance. Organizations that implemented the standard will most likely find it easy to achieve GDPR Compliance due to the many overlapping frameworks and best practices.

Implementing the standard will help ensure the protection of Personal data and help ensure the minimization of the risk. 

With many standard requirements overlapping, implementing the internationally recognized ISO/IEC 27001 standard will ease the process of compliance. Although achieving compliance to GDPR Regulation will also require the implementation of other additional security and privacy measures as stated in the GDPR Regulatory framework.

Conclusion

Organizations that have implemented or in the process of implementing the ISO/IEC 27001 standard are definitely in a much better position to achieve compliance with the GDPR requirements. 

The proper implementation of the ISO/IEC 27001 Standard will help organizations meet quite a few overlapping requirements. 

If you are considering taking this step, as experts at VISTA InfoSec we recommend organizations to perform a gap analysis to assess their current position and accordingly implement relevant controls for risk containment associated with confidentiality, integrity, and availability of personal data.  

Though ISO Standards may not guarantee GDPR Compliance, it comes in handy as it provides a practical framework for developing strategies, and building comprehensive policies to minimize security risks that lead to breaches. 

Organizations, in general, should consider pursuing ISO/IEC 27001 certification and GDPR for building security strong and effective measures to protect sensitive data.

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Find VISTA InfoSec on Youtube

by -
thumbs-up

Written by: Abroo Murtaza

Customer satisfaction should be the top priority of every company, and that is what makes certification like the internationally recognized ISO certification and CE Mark Certification that “indicates conformity with health, safety, and environmental protection standards for products sold within the European Economic Area”. No matter what product it is, there is always a set standard for it to fit in.

In this article, we will highlight ISO 9001:2015 which is an international standard that helps organizations with a framework for an effective quality management system to improve performance capacity, improve company efficiency, reduce waste and enhance the customer experience through a process-based approach. Here are the benefits you should know if you are considering certification to ISO 9001:2015.

What are the Major Benefits of ISO certification?

Integrating an ISO 9001:2015 quality management system through proper implementation and continued improvement will let you focus on your business’s crucial areas and enhance its efficiency, while also uncovering areas your system is inefficient and areas of potential wasted resources. The management system will create a strong foundation for your business, allowing for smooth operation and consistent results which can translate into increased profits and improved customer satisfaction.

Improved Staff Performance:

ISO certification encourages employees to implement the methods and processes that can help identify the problems and loopholes that are hindering the effectiveness of their operations. Uncovering these areas in a timely manner and before problems arise is beneficial to the company’s bottom line and company morale.

With proper channels and processes established, employees have less risk and responsibility placed on them, and more freedom to do their job and perform better.

To put it simply an ISO 9001:2015 QMS framework is a uniquely individually constructed system within an organization specifically designed with their procedures, documents, the process for keeping the end product’s quality intact, dividing the responsibilities, and allowing for checks and balances at every point.

It also enables employee’s opportunities for things like training and outlets for system improvement like internal audits that help not only the employee grow in their role, but the organization grow with the changing needs of its customers.

Improving the Company’s Efficiency:

After a thorough survey of its working strategy, a properly implemented QMS focuses on dividing the employees’ responsibilities for quality control. This is done by assigning roles, leaders, and responsibilities for the various checks and balances in each process.

This will help improve your company’s operating efficiency and overcome anything hindering your company’s progress. This is done by ensuring no end product or service that your company produces can be allowed to go through the system without proper quality control measures in place to ensure its satisfaction level.

Even after a product is out of your control and in the hands of the customer, the QMS is still working to ensure feedback and continual improvement occurs to continue to make your company the best it can be based on objective evidence, third-party reviews of your system, and consumer feedback.

Reducing Waste and Improving Working Progress:

Instead of moving forward with blind hope that no mistakes will happen or only making changes when a mistake is made, an effective QMS asks you to focus on looking to the future and try to foresee possible problems and prepare for them. Preventative measures that minimize future problems through safety measures and protocols in the event of any foreseeable problems.

QMS helps you to get an improved strategy that directs your way towards improved working progress. It saves both time, energy, and efforts of the employees.

Enhanced Customer Experience:

Enhancing your customer’s experience is often the top goal of an organization. Happy customers are repeat customers. But how can you possibly add that to a procedure or process?

ISO 9001:2015 asks your company to focus on improving the framework of our organization, and having business processes and procedures rooted in quality.

By enhancing work quality you gain a better customer experience through smooth transitions from all aspects of the buyer’s journey, which can achieve the ultimate goal of a happy customer willing to do business with your again or share their experience.

ISO 9001:2015 also asks you to learn from your customers to find out what they enjoyed or did not enjoy through working with you. Through this continual improvement, it helps you as an organization learn and grow from your own customers, increasing the chances of creating happy customers who feel heard.

Suitable for All:

No matter what organization it is, a company or an institute, ISO certification is beneficial for all large and small companies.

Moreover, the best part is that ISO certification is globally recognized and contributes to increasing their authenticity on a broader scale.

Customers can also feel validated that you are who you say you and they are getting what they paid for through the trust gained from holding an international standard.

Looking to Validate an ISO Certificate? Check out IAFCertSearch.org

To Sum it Up!

Getting ISO certification is a win-win situation for the respective organization. It’s suitable for any organization, regardless of its size or industry. It helps an organization reduce wasted time, energy, and money through increased efficiency. It can add to the trustworthiness of a company and increases its credibility among people. It also is a tool to boost morale amongst employees who feel heard and not overworked.


What are you waiting for? Learn more about how you can get certified to ISO 9001:2015 by talking to an Accredited Certification Body Today.

About the Author

AbrooAbroo Murtaza is the one enthusiastic and passionate writer who love to write about traveling based on the interest of exploring new places, reading about them and then delivering the knowledge through her pen. Moreover, Abroo is also fond of writing about technology trends, gadgets like latest, mobiles, cameras etc. She thus strives to provide accurate information and knowledge in respective areas of interest and educate people on real terms.