Evaluate if ISO 9001 or ISO 27001 will Benefit Your Business

It is essential to make an informed decision on whether ISO 9001, ISO 27001 or any of the other standards will actually help your company before embarking on the Certification process. This applies particularly to small businesses, which may invest time and money and gain no resulting benefit or return on investment.

The 2 main reasons for seeking ISO Certification are simple: Business Improvement or access to New Business. Consider the reasons for pursuing Certification below before making any decision:

Business Improvement

• Your business is expanding but you feel your processes and systems may not be robust enough to cope

• Your business processes have been static for many years and you want a tool to drive improvements

• There is obvious scope for rationalising processes & increasing efficiency and profitability

• You fear your IT Systems & operations may not be secure enough to protect your business & the critical information it holds (ISO 27001)

Access to New Business

• Your business is growing and the competitors you wish to compete with hold Certifications

• You wish to access Public Sector work or Frameworks

• Certification requirements are more frequently appearing on tenders

• Potential or current customers are asking if you have Certifications

• You are a new or small business and want to verify your credentials with Certification to compete with more established companies

• You fear the effect of Brexit and want to maintain the maximum competitive edge

Look at the process of achieving certification, considering the costs and man-hours involved. We would obviously advise consultancy help: although this has a cost attached, it will greatly reduce the number of in-house hours consumed by personnel inexperienced in the certification process. Obtain more than one consultancy quote, and make sure you estimate the cost of internal man-hours in addition to the consultancy fees.

Once you have established the total cost, consider whether it will produce a return on your investment. For smaller businesses or new starts it is worth speaking to potential customers & asking directly: will Certification improve our chances of winning new business?

Get a free & brief initial review & honest quote from us that will include our costs, the UKAS-accredited Certification Body's fees & the estimated man-hours your people will have to invest, and then GO COMPARE……

Quotes by email correspondence – no Sales Pitches ENQUIRIES

“I know a company who has ISO 9001, and they are totally useless”

So just how much of a Benchmark is it – How Credible is ISO Certification?

ISO 9001

ISO 9001 is the Quality Standard and, as such, the one most open to controversy, because there is often confusion as to what “Quality” actually is. If one company produced a Ford Focus & another a Ferrari, most would regard the latter as having produced the higher quality product. However, “Quality” is defined as the ability to deliver to pre-defined requirements. Therefore, if the requirements were a roomy car that did 40 mpg & could be retailed at less than £20k, producing a Ferrari would be a very poor Quality output.

It should also be noted that ISO 9001 certifies your Management System, not your product or service. Certification to the standard confirms your Management System has reached a level that can ensure consistency of product or service. What level a company sets itself to deliver is up to the company; in fact Ford and Ferrari could operate to the very same Quality Management System, they just produce to different specifications. So before you write off an ISO 9001 company you have to ask: are they consistently delivering to their (or your) specification? Not everybody can afford a Ferrari.

ISO 27001

The Information Security Standard. This is currently the most in demand, as Cyber Attacks become more frequent & companies become more aware of their vulnerabilities and of the need to buy services only from suppliers that can safeguard their information. It is the most reliable measure of a company's credentials, as Information Security is more measurable and less subjective than Quality.

There are 2 main parts to ISO 27001. First, a company has to identify its Information Assets, assess the risks to them and decide how each risk is to be treated. Second, the standard provides a detailed list of Control Objectives and controls (its Annex A); for each one the company must either put the control in place or record a justification for why it is not applicable, in a document called the Statement of Applicability. This makes 27001 the most measurable & auditable of the standards: the certification audit checks that the declared controls actually exist and are operating, which is why Certification is a meaningful indicator of a company's Information Security. Bear in mind that the certificate covers the scope the company declared and the controls it selected, so ask for the scope statement if the service you are buying depends on it.
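As an added illustration (not from the original page or QM.UK's own material), here is a small Python risk register that follows the two parts described above: an asset inventory scored by likelihood × impact with a treatment decision for each risk, and a control set turned into a Statement of Applicability with a justification for every control, including the ones declared not applicable. All assets, threats, scores, the risk appetite and the control names are constructed for the example; the control names are hypothetical and are not ISO 27001 Annex A identifiers.

```python
from dataclasses import dataclass

# Constructed risk appetite: any risk scoring above this must be treated.
RISK_APPETITE = 8


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # ISO 27001 expects every asset to have an owner
    confidentiality: int  # 1 (negligible) .. 5 (severe) harm if breached
    integrity: int
    availability: int

    @property
    def impact(self) -> int:
        # Constructed rule: the worst of the three CIA values drives impact.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain), before any control
    mitigated_by: tuple  # hypothetical control names that address this threat
    reduction: int       # likelihood points removed once ALL those controls exist


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    inherent: int        # impact * likelihood with no controls
    residual: int        # impact * likelihood after implemented controls
    treatment: str       # "accept", "treated" or "OPEN"
    controls: tuple      # controls from mitigated_by that are actually in place


def score(impact: int, likelihood: int) -> int:
    return impact * likelihood


def assess(assets, threats, implemented_controls):
    """Part one: score every asset/threat pair and decide its treatment."""
    risks = []
    for asset in assets:
        for threat in threats:
            inherent = score(asset.impact, threat.likelihood)
            if inherent <= RISK_APPETITE:
                # Within appetite: record it and accept it, no control required.
                risks.append(Risk(asset, threat, inherent, inherent, "accept", ()))
                continue
            in_place = tuple(c for c in threat.mitigated_by if c in implemented_controls)
            # A half-implemented control set earns no credit: a partially deployed
            # control is a classic audit finding, so it is treated as absent.
            if len(in_place) == len(threat.mitigated_by):
                likelihood = max(1, threat.likelihood - threat.reduction)
            else:
                likelihood = threat.likelihood
            residual = score(asset.impact, likelihood)
            treatment = "treated" if residual <= RISK_APPETITE else "OPEN"
            risks.append(Risk(asset, threat, inherent, residual, treatment, in_place))
    return risks


def statement_of_applicability(control_set, risks):
    """Part two: every control gets an applicability decision and a reason."""
    needed = set()
    for risk in risks:
        if risk.inherent > RISK_APPETITE:
            needed.update(risk.threat.mitigated_by)
    return {
        control: ("applicable", "mitigates a risk above appetite") if control in needed
        else ("not applicable", "no in-scope risk above appetite requires it")
        for control in control_set
    }


def open_risks(risks):
    """Risks still above appetite after treatment: what an auditor will ask about."""
    return [(r.asset.name, r.threat.name) for r in risks if r.treatment == "OPEN"]


def run_example():
    # Constructed sample data for a small company (hypothetical control names).
    assets = (
        Asset("customer database", "CTO", confidentiality=5, integrity=4, availability=3),
        Asset("marketing website", "Marketing", confidentiality=1, integrity=3, availability=3),
    )
    threats = (
        Threat("credential theft via phishing", 4,
               ("MFA on all remote access", "phishing awareness training"), 3),
        Threat("ransomware", 3,
               ("offline backups tested quarterly", "endpoint malware protection"), 2),
        Threat("hardware failure", 2, ("offline backups tested quarterly",), 1),
    )
    control_set = ("MFA on all remote access", "phishing awareness training",
                   "offline backups tested quarterly", "endpoint malware protection",
                   "clean desk policy")
    implemented = {"MFA on all remote access", "phishing awareness training",
                   "offline backups tested quarterly"}
    risks = assess(assets, threats, implemented)
    return risks, statement_of_applicability(control_set, risks)


if __name__ == "__main__":
    risks, soa = run_example()
    for r in risks:
        print(f"{r.asset.name:18} {r.threat.name:30} inherent={r.inherent:2} "
              f"residual={r.residual:2} {r.treatment}")
    for control, (decision, reason) in soa.items():
        print(f"{control:34} {decision:15} {reason}")
    print("open:", open_risks(risks))
```

Run as a script, the two rows marked OPEN are the findings: ransomware still exceeds the appetite on both assets because only one of its two controls is in place, so the register shows exactly where the next investment goes, and the Statement of Applicability records that the clean desk policy was considered and excluded with a reason rather than silently omitted. That traceability from asset to risk to control is what makes the standard auditable in the way the paragraph above describes.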

ISO 14001

The Environmental Standard. This is a reliable measure that a company has systematic control over its possible environmental impacts and has plans in place for continual improvement. A large part of it is similar to 27001: instead of Information Assets, a company has to identify all of its Environmental Aspects, then risk assess & control them in the same way. Environmental Objectives must also be established to continually improve environmental performance where possible.

If you feel a company claiming to hold one of these standards is performing poorly, don't take the claim at face value. Check that it is a credible Certification, or that it is a certification at all. Take the Certification Body's name from the displayed logo or ask for it, confirm that body is UKAS accredited, then contact it and ask whether the company is actually ISO Registered with them. If the company is in the UK and the certificate was not issued by a UKAS-accredited body, it is best not to take it as verification of anything……

grant@qmuk.co.uk

ISO 9001 & ISO 27001 – Questions & Answers

Sometimes a good question prompts informative answers. Here are 2 I answered today regarding ISO 9001 & 27001 –

Q Someone in the know recently described ISO Standards to me as “nothing more than shrink wrapped bureaucracy”. What do you think?

A It depends how the systems are created. The standards are generic to cover all business types; this in itself leaves them wide open to interpretation, particularly 9001. A system made best fit for your business within the requirements will give a base for improvements, or at least the means to monitor your current performance. You have to produce evidence you meet the requirements, hence a poor consultant will produce that evidence in the form of additional “paperwork”, producing “shrink wrapped bureaucracy”. Similarly an internal employee tasked with the project will, as a novice, normally go “Belt and Braces” to ensure all requirements are evidenced – “shrink wrapped bureaucracy”. I'd advise selecting a good consultant by obtaining references. 14001 & 27001 are similar, but do not have the same ongoing impact on your business as they only address 2 specifics – Information Security & the Environment.

Q In reference to Morrisons being sued by 2300 employees for losing their information – What a minefield this is! And it's going to get worse – not better. What's your take on it?

A Businesses have for hundreds of years protected their information against physical theft or damage, but software has developed over a very short period of time, catching many out. Most businesses have just got their heads around protecting against data loss or damage, hence the boom in Cloud Hosting. Living in an age of “Ambulance Chasers” & with the impending publication of the new Data Protection Act, however, businesses will soon become aware of the financial implications & hopefully get more rigorous systems & controls in place.

Any questions you have (ISO 9001 & ISO 27001, 14001 or OHSAS 18001) just email them to us, or to me directly – grant@qmuk.co.uk

ISO 9001 & ISO 27001 – So What’s the Cost Then?

The cost of ISO 9001 & ISO 27001 breaks into 3 clear elements –

• Man hours of your internal staff (often overlooked)

• External training or consultants help

• Independent UKAS-accredited Certification Body

There are one-stop shop companies who sell “guaranteed certification”, “in 30 days” etc. These are generally not UKAS accredited & therefore most would regard their certificates as worthless. Basically, pay the money – get your certificate (guaranteed). UKAS-accredited Certification Bodies are independent, so like a driving examiner, if you don't meet the standard you fail. Certification guaranteed on payment of an invoice could never be a measure of quality, information security etc; in fact it is more a reflection of your company's disregard for standards.

So to the costs! The first 2 cost elements are directly related: Internal Resources/External Help. External help should reduce the amount of internal resource you require. How much help do you need to pass your test?

• Training Courses give a good but generic overview of the standard

• Carefully selected External Consultants can fast-track the process

We believe, because it is our offering, that good consultancy help is the most cost effective, as costs are more predictable. Even after attending the best external courses you will have eaten into your man hours, but still have no actual experience of implementing a system. The task will therefore be more laborious & you will end up operating to a system built by a beginner (increasing ongoing costs & reducing efficiency). A novice normally takes a “Belt & Braces” approach to gaining certification, establishing a cumbersome & bureaucratic system that is impractical to maintain. A good consultant will fast-track the process, provide a professional system & take you down a well trodden path to certification by an independent UKAS-accredited body.

The fees for the UKAS-accredited certification audit will vary. Your consultant should advise on this, or you should obtain quotes from certification bodies yourself.

At QM.UK we pride ourselves on demystifying the process & are publicly open about our costing, please view

https://www.qmuk.co.uk/iso-9001-27001-14001-18001-cost.php

Or simply message for a no obligation quote & no phone calls unless requested – ENQUIRIES