What is ISO Certification and do I need it?

Laura Parker
Apr 2021

You may have heard about ISO standards or seen companies displaying their certification on documentation, products, or vehicles.

But what is this family of standards? What do they mean? Are they required?

In this article we will give you an insight as to what they are all about, and give you the information you need to decide for yourself. From there, we’ll give you a brief insight into what the certification process involves.

Who, what & how of ISO

Who or What is ISO?

The International Organisation for Standardisation (ISO) is an organisation established in 1946 with 25 Civil Engineers to obtain consensus across different countries in Europe to have a consistent set of specifications for a given subject matter.

Contrary to popular belief, ‘ISO’ is not a pure acronym. According to ISO themselves:

“Because ‘International Organization for Standardization’ would have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalisation), our founders decided to give it the short form ISO. ISO is derived from the Greek ‘isos’, meaning equal. Whatever the country, whatever the language, we are always ISO.”

They occasionally work in joint committees, and you may see this reflected in certain ISO standards. For instance, ISO/IEC refers to the joint committee between the International Organization for Standardization and the International Electrotechnical Commission. 

How is ISO relevant today?

Today, ISO have moved on from their Civil Engineering roots. They currently have almost 30,000 different standards covering everything from quality, food safety, pharmaceuticals, information security and manufacturing standards, to name but a few. Thanks to their specific requirements, ISO are behind our ability to order a credit card and use it in any card reader in the UK, France or Spain, or to purchase a car seat in Italy which fits any vehicle in France.

The most instantly recognised piece of standardisation is the humble shipping container. Whilst not developed by ISO, it was adopted in 1968 as their ‘Standard Box’. Conformance to this standard enabled vehicle manufacturers, shipbuilders and handling agents to have one set of common dimensions.

Who is ISO suitable for?

There is time and effort required to obtain a certification, along with the cost of the certification itself and ongoing maintenance. It needs to be obtained through an accredited certification body, and there are strict regulatory requirements involved. Unless there is a specific industry or contractual reason, organisations under 15 staff would not ordinarily go through certification. There are, however, benefits to working to the principles of the standard for every organisation.

We do not manufacture; does that mean ISO is not relevant for us?

No. With such an array of different standards available, there will be a standard to cover a wide variety of requirements. The five common standards listed below will fit well with most organisations.

What are the five most common ISO standards?

ISO have thousands of international standards, across dozens of industries. However, some of their standards transcend these boundaries. Let’s take a look at five of the most common standards.

ISO 9001 Quality Management

This is the cornerstone standard that organisations should have, with the most recent version being ISO 9001:2015. While there are a few standards within the ISO 9000 family (which covers quality management), ISO 9001 is the only standard in which you can be certified.

There are several industry specific cases based on this standard (e.g., Aerospace which uses AS9100D). The business processes and procedures will reside in a system of some form, often referred to as a Quality Management System (QMS), but in principle the standard exists to:

  • Ensure the products and services provided are as defined in requirements.
  • Have a mechanism in place that monitors the effectiveness of the quality management system and its outputs, along with processes and procedures to prevent the escape of non-conforming products and services.
  • Ensure that roles and responsibilities for the management system and the activities it contains are clearly defined, and that stakeholders and top management are accountable for what is produced.
  • Embed a programme of continual improvement.

ISO 14001 Environmental Management

This standard is designed to help organisations fulfil their environmental obligations in the UK, as per the Environmental Protection Act 1990. This standard integrates well with ISO 9001 and other quality management standards. Rather than having an Environmental Management System (EMS), some organisations integrate it with their Quality Management System (QMS) and refer to it as an Integrated Management System (IMS). The primary purpose of this standard is to:

  • Meet legal obligations
  • Improve resource efficiency
  • Reduce waste
  • Reduce environmental impact
  • Reduce risk
  • Reduce costs.

ISO 45001 Health and Safety

Released in 2018, ISO 45001 is based on OHSAS 18001 and contains the basic elements of ISO 9001. Its primary function is to:

  • Reduce occupational injuries and diseases
  • Promote and protect physical and mental health

ISO 27001 Information Security

In both the modern workplace and individuals’ personal lives, we place a lot of our information in paper and electronic systems. ISO 27001 is designed for information security management, and helps protect:

  • Confidentiality – by allowing only authorised persons to access relevant information and not everything an organisation has on file.
  • Information Integrity – ensuring only trained and authorised individuals can change records.
  • Availability – information to be available to authorised persons on demand.

ISO 27001 also focuses more than ISO 9001 on risk and risk-based thinking.

ISO 44001 Collaborative working

In the past, a single organisation would often design, build, and deliver a complete project. Companies are now starting to specialise and are becoming global entities. This means many projects use two or more entities to deliver the output. ISO 44001 is a mechanism to set up, manage and conclude agreed working practices. Based around the core clauses of ISO 9001’s quality management principles, ISO 44001 focuses on:

  • Planning, identifying the benefits of other parties and developing a business case
  • Developing a high-quality model
  • Developing value
  • Awareness and communication
  • Managing and monitoring the relationship
  • Exit strategy

What does working with an organisation that has an ISO Standard mean?

Organisations with an ISO certification work to a prescribed set of requirements. They will have processes, procedures and policies in place to create an environment that produces a consistent set of outputs. They also have mechanisms in place to deal with issues where those outputs are not expected.

It is worth noting, however, that ISO is a framework advising on what an organisation should have in place, but it does not advise on how to achieve that outcome.

An organisation that is ISO 9001 certified, for instance, will have shown compliance to the standard and have been independently audited. Certification will only have been awarded after all necessary criteria have been met.

This gives companies confidence when purchasing products or services from an organisation with one of these certifications. It shows a particular standard of decision making, continuous improvement, and quality. This allows for fair comparisons between suppliers that have the same accreditation.

Organisations may feel they have an advantage when competing for work over other suppliers that are not certified. One of the major benefits of ISO is the confidence in their products and services that certification demonstrates.

Is having an ISO certification mandatory?

No. There is no legal requirement to have an ISO certification. That said, in some industries, customers may not work with a supplier that does not hold a certification. For instance, if you supply medical devices, you may be expected to hold ISO 13485. This is because customers will have no frame of reference to be able to trust the outputs the supplier produces.

ISO sounds great, can I just buy a certification?

This is a question that has caused great debate and has some polarised viewpoints. There are providers out there that will offer software packages that claim to give you everything you need in a box and a certification in the fastest time possible.

Beware of companies that are awarding ISO certifications. UKAS (United Kingdom Accreditation Service) are the only recognised awarding body in the UK. Certification bodies must be registered with UKAS. If they do not show the UK tick mark in their logo, they are not recognised.

Having an ISO certification should not be seen as a tick in the box or a certification on a wall. Instead, consider it part of a process approach – it should be seen as a tool to help your organisation meet customer expectations, and become a vehicle for growth.

The best organisations that have a certification are great companies first, and almost as a side note have certification second. They will already have had quality assurance, document control, or management system standards in place. The certification is simply validating that you have good controls and understand how your organisation works. To gain a certification, not only do you need to have your processes, procedures and policies defined, but they need to be relevant to your organisation and the way you work.

If I can’t just buy a certification, what is involved in getting set up?

For a successful ISO implementation, regardless of the standard you are looking to achieve, you need to consider the following:

Motivation and ownership

To have a successful implementation, it must be driven from the top – right up to the CEO. There needs to be ownership and accountability for getting tasks done. It should be a standing topic on the agenda of the Senior Leadership Team regular meetings.

Time and resources

You will need to allocate appropriate resources to the set-up, certification and maintenance of your processes and procedures. For an organisation that does not have any formal documentation, the project will need to be broken down into phases. This could include assessing past metrics, setting up training courses, or writing a quality manual.

Most implementations will not have dedicated resources allocated to them and will have to schedule around existing day-to-day tasks. Having a project plan with milestones set will break the project up into manageable actions.

Information storage

The management of documents and records is an essential aspect of a good company set-up. Consistency is key. Knowing where to find documented information, and whether it is up to date, will help any business become more efficient, with less time searching and more time finding.

You may wish to look at implementing a specific set of tools to manage your processes and procedures, along with a formal document management system. For businesses with a customer focus, a CRM (Customer Relationship Management) tool may be helpful.

Costs

The cost of an ISO certification depends on the size of the organisation and the scope of the certification to be obtained. If you are looking at multiple certifications, ISO have now started to bring their own clauses into symmetry, meaning that if you comply with one clause from ISO 9001, for example 10.3 Continual improvement, this same clause will appear in 14001 and 45001. Broadly speaking, you need to consider the following categories:

1. Staff or consultancy costs to:

  • Conduct a gap analysis of the materials you already have in place and if they are suitable for use in an ISO environment
  • Create or update materials required
  • Provide training courses if new ways of working are to be implemented.
  • Ongoing auditing of processes and procedures

2. Software costs to:

  • Manage processes, procedures, and policies
  • Manage documents and records

3. Certification costs:

  • Initial full certification audit
  • Maintenance or ‘surveillance’ audits

ISO Checklist

Depending on the ISO standard you are going to apply, the detailed questions will vary, but at a high level, all standards will require the following questions to be answered. This simple 10-point checklist will help establish where you are on the journey.

  1. Do you currently have a Management System and a defined scope?
  2. Have you identified the processes, procedures and policies required?
  3. Have you identified the criteria, methods, responsibilities, and key performance indicators for the management system?
  4. Have top management been engaged and made accountable for the Management System?
  5. Have risks and opportunities been identified, and actions put in place?
  6. Have suitable resources been allocated to the Management System project and ongoing maintenance?
  7. Are there provisions to monitor activities such as an internal audit programme?
  8. Are there mechanisms in place to ensure the product or services are what is required, designed, and delivered?
  9. Do you measure customer satisfaction?
  10. Do you have a programme of process improvements?

The answers to these questions will give you an indication of how far along your ISO journey you may have already progressed.

Conclusion

We can help in two ways:

1. Assessment and implementation

  • We can provide you with experienced Certified ISO Lead Auditor resource to discuss your requirements and make recommendations on how best to proceed. You may simply need some pointers to make sure you’re on the right track, or alternatively we can help map and implement process throughout your journey towards certification – and then help you to maintain and improve on an ongoing basis.

2. Process & workflow management software

  • beSlick itself is an easy to use software platform that allows you to centralise business process and manage associated workflow. As it supports process feedback and improvement, along with an audit trail of all activity and changes, it is ideally suited to help ensure that ISO implementation and business management is as simple and effective as possible.

For more information, and to request your free personalised ISO business report, take a look at our ISO guidance page here.

Author , Managing Director of Process Envision

Paul Elson-Vining has over 15 years of process experience, with more than 100 Business Process Management (BPM) implementations globally.

A recognised authority on process, he regularly speaks on the future of workforce engagement and business efficiency as a combined strategic initiative.

Certifications include CMI Level 7 in Professional Consulting, IRCA certified Lead Auditor, QMS Internal Auditor, GASQ Certified GDPR Practitioner, LCS Lean Foundation.