Charities, Data Breaches, Financial Losses & ISO 27001

Many miss a major advantage of being certified to a standard & are unaware of how it can prevent financial loss:

BBC Report –

Two charities have been fined over data protection breaches after secretly screening donors so they could be targeted for more money. The Information Commissioner imposed penalties of £25,000 on the RSPCA and £18,000 on the British Heart Foundation over the so-called “wealth screening”. The charities also traded personal details with other charities, the commissioner’s office found. The RSPCA questioned the ICO findings while the BHF said it might appeal. As well as “wealth screening”, the charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources, and traded personal details with other charities “creating a massive pool of donor data for sale”, the ICO said. Information Commissioner Elizabeth Denham said donors had not been informed of the charity’s practices, and were therefore unable to consent or object to them. She also suggested other charities could also be engaged in similar activities. “The millions of people who give their time and money to benefit good causes will be saddened to learn that their generosity wasn’t enough,” Ms Denham added.

The above could have been prevented if the organisations were ISO 27001 registered. Organisations registered to the standard are re-audited at least annually – if your Certification Body discovers a breach of security or legislation they will raise a Non Conformance against you. This is merely a piece of paper you will have to address within a given timescale to maintain your Certification – there is no financial impact.

If the ICO discovers a breach of security or legislation the tale is different. While the above fines don’t appear excessive, the financial impact of this publicity could be enormous & far reaching.

Similarly a breach in your ISO 14001 Environmental Certification leads to a piece of paper that guides you back to compliance & possibly avoids an environmental incident. A run-in with the Environmental Agency could cost you tens of thousands.

A breach in your OHSAS 18001 Health & Safety Certification leads to a similar piece of paper that guides you back to compliance & possibly avoids an accident or damage to Human Health. A run-in with the Department of Health & Safety could land you in prison.

We do not like to sell standards into businesses based on a fear factor, but apart from improving your organization & giving access to new work, you should also consider the assurance factor that Certification can deliver.

grant@qmuk.co.uk

Evaluate if ISO 9001 or ISO 27001 will Profit Your Business

It is essential you make an informed decision on whether ISO 9001, ISO 27001 or any of the other standards will help or profit your company before embarking on the Certification process. This applies particularly to small businesses, which may invest time and money but gain no resulting benefit or return on investment.

The 2 main reasons for seeking ISO Certification are simple – Business Improvement or access to New Business. You should consider the reasons for pursuing Certification below prior to any decision –

Business Improvement

• Your business is expanding but you feel your processes and systems may not be robust enough to cope

• Your business processes have been static for many years and you want a tool to drive improvements

• There is obvious scope for rationalising processes & increasing efficiency and profitability

• You fear your IT Systems & operations may not be secure enough to protect your business & the critical information it holds (ISO 27001)

Access to New Business

• Your business is growing and the competitors you wish to compete with hold Certifications

• You wish to access Public Sector work or Frameworks

• Certification requirements are more frequently appearing on tenders

• Potential or current customers are asking if you have Certifications

• You are a new or small business and want to verify your credentials with Certification to compete with more established companies

• You fear the effect of Brexit and want to maintain the maximum competitive edge

Look at the processes of achieving certification considering the costs and man-hours involved. We would obviously advise consultancy help, as although this has a cost attached, it will greatly reduce the number of in-house hours consumed by personnel inexperienced in the certification process. Obtain more than one consultancy quote and ensure you determine the cost of internal man-hours in addition to the consultancy fees.

On establishing the ultimate cost, consider if it will produce a return on your investment. For the smaller businesses or new starts it is worth speaking to potential customers & directly asking – will Certification improve our chances of doing new business?

Get a free & brief initial review & honest quote from us that will include our costs, UKAS Certification Fees & the estimated man-hours your people will have to invest, and then GO COMPARE……

Quotes by email correspondence – no Sales Pitches.

brexIT and ISO

How will business uncertainty impact the desire for companies to achieve ISO 9001, ISO 27001 or ISO 14001 Certification?

During the recent economic recession we saw a surge in demand for ISO Certification, which slowed as businesses entered positive growth. I believe in a recession businesses look for anything that can give them a competitive edge, while in “Boom Times” there is no immediate requirement or desire & everybody is “too busy” in any case. During a recession there is often a need to analyse processes, rationalise & improve – the route to ISO 9001 Certification is a good tool for this & ticks a positive box on tenders.

Those putting work out to tender can also afford to be more demanding during a recession, insisting on multiple certifications as more & more companies fight for their business.

Regardless of economy IT companies have in particular driven a demand for ISO 27001 Certification, as the World and his Dog have become increasingly focussed on Information Security. We expect this to continue.

Entering a period of uncertainty as we now are, companies tend to rein in cash spend while they await more predictable outcomes. I expect the most cautious will put spending for ISO projects on hold for a time, while the more proactive will invest in systems & certification that will ensure they remain Robust & Competitive in uncertain times.

For certain, Buyers will become more demanding & increasingly insist on Certifications to give some assurance as to the quality of goods or services & information security.

Grant McCormick

What is the Financial Impact of ISO?

From our experience businesses pursuing ISO 9001, ISO 27001, ISO 14001 or OHSAS 18001 do it for one of 3 reasons:

• To fulfil tender or customer requirements and win new work

• To drive Business or Process improvement

• Both of the above

I would guesstimate from our experience that 20% of businesses pursue certification solely to fulfil tender or customer requirements and win new work.

A similar percentage would use their certification project to focus mainly on driving Business or Process improvement.

The bulk of businesses want the certification to win new work but engage with the process of attaining certification to benefit from both Business & process improvements.

For any Business considering implementing the standards we would always ask that they consider Return on Investment. Firstly obtain a costing for the certification route you think could best help you improve in your operations & best serve a positive outcome in gaining your chosen certification. See previous post for various methods of attaining certification.

The main financial benefit will be the additional tenders it qualifies you for & the extra work it may bring in – ask your potential clients if it could give you a more favourable outcome when bidding for work. Benefits outside of this most obvious financial reward are normally found in the project phase & can be –

ISO 9001 Project Phase

• Enables you to examine your current operating processes & identify areas for improvement

• Pushes you to rationalise & define systematic processes that ensure all are “singing off the same hymn sheet” within the business

• Clearly defined business processes support company growth “before things get out of control”

ISO 27001 Project Phase

• Ensures you identify all information stored within the company & its importance to your business

• Systematically guides you through risk assessing the threats & vulnerabilities to the information you hold

• Ensures you put in adequate controls to protect your information and ultimately your business

ISO 14001 Project Phase

• Identifies any aspect of your business that can impact the environment

• Makes you evaluate the impacts your business could have on the environment & identifies the controls needed to reduce the likelihood or prevent such impacts

• Ensures an awareness of Environmental Legislation & avoids any unnecessary & “crippling” fines

OHSAS 18001 Project Phase

• Identifies any Hazards within your business that could impact Human Health or cause Accidents

• Makes you evaluate the Risks associated with these Hazards & identifies the controls needed to reduce the likelihood of accidents or effects on Human Health

• Ensures an awareness of Health and Safety Legislation, avoids any unnecessary “crippling” fines & most importantly protects both your employees and anybody else who can be affected by your work

These are just a few bullet points on some of the ways certification can help your business; there are many more. So if you want any further info just get in touch.

grant@qmuk.co.uk

Is SEO Compatible with ISO 9001?

“Quality” being defined as the ability to deliver to pre-defined requirements – can an SEO (Search Engine Optimisation) company ever really deliver quality, with so many variables & the output being so unpredictable?

At QM.UK we have tried 3 different SEO companies over the years, all at least guaranteeing they would improve our website positioning on the major search engines. Alas, none delivered; they actually dropped our site in the ratings.

So can an SEO Company ever achieve ISO 9001 Certification – YES, it can….

I often advise that ISO 9001 is certification of your Management System, not your product or service. Certification to the standard confirms your Management System has achieved a standard that can ensure consistency of process & quality of output. If the requirement is a Ford Fiesta you consistently deliver a Ford Fiesta, same if it is a Rolls Royce. Trouble with SEO is, even with a system in place, the output still varies!

I therefore have had to change my view that ISO 9001 Certifies a company’s ability to deliver to pre-defined requirements – it can only “maximize likelihood” of a pre-defined output.

For an SEO company to achieve ISO 9001 it would have to demonstrate consistency of processes and that it has the necessary tools in place to measure against planned results and make improvements where possible. It is similar for Telemarketing firms for whom we have delivered ISO 9001 UKAS Certifications.

So personally I would still recommend selecting an SEO company that has ISO 9001 Certification, as it does demonstrate in a sector open to such change and variables – they at least have certified systems to measure & maximize performance, increasing the “Likelihood” of your desired outcome – ROI.

Or just type SEO into Google and see how well they have optimized their own website 🙂

QM.UK

“I know a company who has ISO 9001, and they are totally useless”

So just how much of a Benchmark is it – How Credible is ISO Certification?

ISO 9001

ISO 9001 is the Quality Standard but as such the most open to controversy. This is because there is often confusion as to what “Quality” actually is. If one company produced a Ford Focus & another a Ferrari, most would regard the latter as having produced the highest Quality Product. However “Quality” is defined as the ability to deliver to pre-defined requirements. Therefore if the requirements were a roomy car that did 40 mpg & could be retailed at less than £20k, the production of a Ferrari would be a very poor Quality Output.

It should also be noted that ISO 9001 is certification of your Management System, not your product or service. Certification to the standard confirms your Management System has achieved a standard that can ensure consistency of product or service. What level a company sets itself to deliver is up to them, and in fact Ford and Ferrari could operate to the very same Quality Management System – they just produce to different specifications. So before you write off an ISO 9001 company you have to ask, are they consistently delivering to their (or your) specification – not everybody can afford a Ferrari.

ISO 27001

The Information Security Standard. This is the most current & in demand as Cyber Attacks become more frequent & companies become more aware of their vulnerabilities and the need to secure services from companies that can safeguard their information. This standard is the most reliable measure of a company’s credentials, as Information Security is more measurable and less subjective than Quality.

There are 2 main parts to ISO 27001. A company has to identify all of its Information Assets, then Risk Assess & Control them. The other main part of ISO 27001 is a detailed list of “Control Objectives” (requirements) for which, if applicable, you must put a control in place. This makes 27001 the most measurable & auditable of standards, therefore Certification does ensure a high level of Information Security.

ISO 14001

The Environmental Standard. This is a reliable measure that a company has systematic control over any possible environmental impact and has plans in place for continual improvement. A large part of this is similar to 27001 in that a company has to identify all of its Environmental Aspects rather than Information Assets, but still Risk Assesses & Controls them. Environmental Objectives must also be established to, where possible, continually improve environmental performance.

If you feel a company claiming to hold one of these standards is performing poorly, don’t take it at face value. Check it is a credible Certification, or that it is a certification at all. If it is a UKAS Approved Certification Body, ask for their name or take it off a displayed logo and contact them asking if the company is actually ISO Registered with them. If it is in the UK and not a UKAS Certification, it’s best not taking it as verification of anything……

grant@qmuk.co.uk

ISO 9001, ISO 27001, ISO 14001 & OHSAS 18001 – How Long Does It Take?

Time Scale varies greatly for the various ISO offerings in the Market Place, as do client requirements & expectations. The time to Certification depends on Internal Expertise, External Help, Management Commitment, Internal Resource & the Route you choose.

As independent UKAS Certification is the only certification recognised by ISO & the British Government, if you choose any other route – pay your money and demand it right away. Don’t be surprised though if it costs business rather than creates.

3 main routes to UKAS Certification:

1. Internal Expertise

If you have an internal member of your team who has been through the process before or is a relevant practising Quality, Information Security, Environmental or Health & Safety Mgr, they will probably be able to successfully guide you through the process. Timeframe will depend on how much experience they have of taking organisations through the process & how much commitment they get from their colleagues. Being internal, the most frequent downfall is that chargeable work often tends to take priority & ISO is often put on the back burner – or seen as almost the sole responsibility of that Manager & is hard to integrate.

2. Training

If you wish to proceed without an external consultant but do not have the full internal expertise to proceed, there are training courses available. We would recommend you seek UKAS Certification Bodies for these courses. The trouble is these courses are very generic & we would only recommend this route if you have a Manager or person who may just fall short. We would recommend them as refresher or top-up courses, rather than a one-stop shop to ISO Certification. The timeframe raises the same concerns as the previous route, except that a less experienced person is likely to attract less internal commitment & their aptitude for training is less predictable. The less experienced the person is, the more likely they are to go “Belt & Braces” with their systems to ensure conformance to all the clauses. This often produces cumbersome systems that are costly & time consuming to maintain.

3. External Consultancy

External Consultants who have several years’ experience of implementing systems & gaining ISO Certification should give a more predictable outcome. “Buyers Beware” – consultants can promise to meet your fast-track timeframes, but it is still less than predictable. To successfully implement a system & be able to demonstrate full integration into your working practices, internal commitment & resource are still required. While an external consultant can produce a lean, dynamic system & guarantee a positive outcome – timeframe will still rely heavily on Internal Commitment.

While at QM.UK we offer the third option, we recommend you explore all options before making a decision.

QM.UK UKAS ISO 9001, ISO 27001, ISO 14001 & OHSAS 18001 Consultants

So What Is ISO 9001, ISO 27001, 14001 etc?

The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations.

Founded on 23 February 1947, the organization promotes worldwide proprietary, industrial and commercial standards. It is headquartered in Geneva, Switzerland and as of 2013 worked in 164 countries.

There is only one National Standards Body recognised from each country and they in turn must be recognised by their Government. UKAS is the only ISO recognised Body in the UK.

The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the United Kingdom, appointed by government, to assess organisations that provide certification, testing, inspection and calibration services. There are many UKAS Approved ISO Certification Bodies, the most commonly recognised being BSI & Lloyds, but there is a full list on their website.

Gaining UKAS Certification to an ISO Standard demonstrates a company or organisation has achieved and operates to a certain standard, verified by an independent & recognised body. Ongoing audits by the Certification Body evidence that they consistently meet these standards.

ISO 9001 is the internationally recognized Quality Standard. It defines the elements of organization required by a company to systematically deliver quality products, services or advice.

ISO 9001 Certification is verification that you systematically deliver quality services or products. It is a benchmark for potential customers & helps you review and fine tune your own operations ongoing.

ISO 27001 is the internationally recognized Information Security Management Standard. It defines the elements of control required by a company to protect all information it holds.

In an ever increasing age of security awareness & media exposure of careless information handling, the protection of data is critical. Sectors such as finance, health, public and IT have become particularly sensitive. Hence, certification to the standard is increasingly winning both confidence & new contracts.

ISO 14001 is the internationally recognized Environmental Standard. It defines the elements of organization required by a company to control the impact of their activities, products or services on the environment.

14001 Certification demonstrates to an increasingly aware public & business community a commitment to minimise your impact on their environment. It gives confidence that customers’ environmental credentials & good names won’t be tarnished by their suppliers’ operations.

In general companies & organisations that can demonstrate their operational standards are UKAS certified, gain more confidence in the Market Place.

ISO 9001, ISO 14001 & ISO 27001 – UKAS ISO Assessors or ISO Consultants?

There still seems to be general confusion between the Roles of the “Consultant” & the “Assessor”.

It is like sitting a GCSE. Teachers give you the tools and prepare you for the exam; independent & impartial examiners mark your papers. Achieve the correct mark and you pass. The independent marking is key to assuring standards.

For ISO 9001, ISO 27001 & ISO 14001 the consultant prepares you for a Certification Audit. This can involve documenting your compliant system, training, completing Internal Audits & general prep – The Assessor then independently & impartially performs the final audit to assess if you meet the particular standard. If so, you are certified.

So Why The Confusion?

Sometimes people like to maintain a Black Art in order to force you down a particular path. There are other clear reasons, these being just a few:

• Non UKAS accredited Certification Bodies offer both the system & the certificate, so as a 1 Stop Shop there is no difference between Consultant & Assessor. This means there is no independent assessment & it certainly isn’t impartial – hence not recognised by the informed

• Some UKAS Approved Certification Bodies offer training courses so will be unlikely to push you towards consultants as that could take away your need for a training course

• Some UKAS Approved Certification Bodies advise they are “Friendly” or “Approachable” and do not advocate the use of a consultant – often because they fear a consultant would refer you to a cheaper UKAS Approved Certification Body & they would lose the work

We would advise, whatever route you choose, get a few quotes & ensure they are quoting like for like. The 3 routes we would advise:

• You already have the internal expertise to fully prepare for the UKAS Assessment – get at least 3 quotes from independent UKAS Approved Certification Bodies, listed on UKAS website

• You think you are almost there but not 100% – either get a consultant to do a one-off Gap Analysis Audit, or select a training course (preferably from a UKAS Approved Cert Body, as it will give some comfort as to the standard of the course).

• You feel you need solid guidance as you are not familiar with the standards or have no experience in implementing them (or perhaps just don’t have the time) – select a consultant & be sure to take references. Get more than 1 quote but ensure they are quoting like for like (& don’t forget the cost of the UKAS fees or your consultant’s attendance on those days).

If the final option is for you, you know where we are – enquiries@qmuk.co.uk

ISO 9001 & ISO 27001 in 60 Days – UKAS!

Our first 2 clients operating in the Banking & Software Sectors engaging our fast track – UKAS ISO 9001 & ISO 27001 Certification in 60 Days, completed this week –

Redline Application Services:

Provides software and services to lenders to support the full end to end credit lifecycle from origination, through scoring, decision making, document production or e-signing, into account management and on to debt collection.

http://www.redlineapplicationservices.com

Reference for our Fast-Track Process can be obtained from Steve Toms (Managing Director) @ stevetoms@redlineapplicationservices.com

Bonafidee:

Specialises in real time, anti-fraud technology solutions which can be accessed instantly via the web or provided as an integrated solution.

http://www.bonafidee.com

Reference for our Fast-Track Process can be obtained from Francis Lang (Head of Development) @ francislang@redlineapplicationservices.com

Part of a small group, both companies proceeded simultaneously, which enabled us to fully utilise consultancy days & minimise costs. The full process, from the initial visit on 29th October until conclusion of a successful Assessment by a UKAS Approved Certification Body on 15th December, took 49 days.

Proceeding at such pace took full commitment & dedication by Senior Personnel & wouldn’t have had the positive outcome otherwise. Without that commitment we wouldn’t advise such pace….

grant@qmuk.co.uk