Getting ISO Certified: The Need-to-Know about ISO

Authors

In 1947, 65 delegates from 25 countries collected to produce the International Organization for Standardization (ISO). An independent, non-governmental body, ISO came together with the intention of sharing knowledge in order to ‘support innovation and provide solutions to global challenges’ (see their official website). Just over 70 years since publishing their first ISO standard in 1951, the ‘Standard reference temperature for industrial length measurements’, the organisation has grown exponentially to encompass 24,992 International Standards across the technology, management, and manufacturing sectors.

Cambridge Management Consulting has spent the best part of two years devoted to earning their certification across three families of these standards – namely, 9001, 14001, and 27001 – through a combined effort of meticulousness, analysis, and a commitment to constant improvement, both internally and for the benefit of our customers and clients.

In this article, we go into further detail about what ISO is and what it means to be certified, specifically the three that Cambridge MC have prioritised; why it matters to be certified; the process to getting there; and how Cambridge MC can help you to achieve the same standardisation. 

What is an ISO?

As aforementioned, an ISO is one in a family of standardisations that establish a benchmark for how an organisation should operate within a particular faculty. At the core of this is ISO 9001, which is focussed on quality management; given its emphases of customer focus, top management, process transformation, and continual improvement, 9001 is the most fundamental and adaptable standard that ISO certifies (being applicable to organisations of any size) and is thus the most widely held. At the time of writing, the ISO official website boasts of over one million organisations across over 170 countries holding an ISO 9001. 

However, ISO does not stop here. This page of their official website lists 17 further standards an organisation might wish to undergo, and these are just their ‘most popular’. Using those standards that we decided to adopt as examples, here is a snapshot of the range of business operations that ISO covers:

ISO 9001: To reiterate, ISO 9001 lies at the core of the ISO project. The most commonly held standard, 9001 assists a business to lay their foundational principles of quality management, which further standards, such as those listed below, can subsequently be layered upon. To summarise, using the values listed in more detail here, ISO 9001 prioritises and optimises an organisation’s customer focus, leadership, people engagement, process approach, improvement, evidence-based decision making, and relationship management.

ISO 14001: An ever more pressing, relevant, and vital standard, ISO 14001 focuses on the environmental impact of an organisation, and how they can optimise their operations to be more sustainable. Not only is this an attractive standard to possess from a business point of view, improving the reputation of your organisation and providing a ‘competitive and financial advantage through improved efficiencies and reduced costs’ (see this brochure on the standard), but it also contributes to the betterment of the world and encourages the same from suppliers and clients by integrating them into your own business systems—hence Cambridge MC’s own choice to earn this certification. 

ISO 27001: The most recent standard under Cambridge MC’s belt, ISO 27001 is the world’s most recognised standard for information security management systems (ISMS). In a world with increasingly frequent and prevalent cyber security risks and traps, this standard assists organisations to become equally aware of them, encouraging proactivity by identifying and addressing any chinks in an organisation’s digital armour, and thus tackling any issues before they arise. In short, ISO 27001 names its core values as risk management, cyber-resilience, and operational excellence. 

These are just several of ISO’s thousands of standardisations designed to streamline the operations and running of an organisation. However, the work does not stop here: though ISO has taken the time and care to design these standards, your organisation must apply the effort to implement them. In the next couple of sections, we break down both why it is desirable to have an ISO and the method behind getting certified, from the lessons we learned going through the process. 

Why we chose to get certified

As with most organisations, the choice to become ISO certified for Cambridge MC came down to one thing: risk management. At the crux of the ISO journey, particularly 9001 but also, for Cambridge MC, when it came to beginning 14001 and 27001, is identifying and addressing the potential risks to our organisation before they arise. Waiting to complete an ISO when and while risks become apparent will only cause them to exacerbate. Beginning the process well in advance allows them to be acknowledged, minimised, and resolved before they have a chance to inflict significant damage upon a business. 

For our business environment, one of the most crucial factors to completing ISO 9001 was growth. Though rapidly growing in clientele and project size, Cambridge MC is still a relatively young company, and was, until not too long ago, relatively small. At this time there was less need for an established QMS system, however, as our team began to expand and multiply, we quickly recognised that it would be an essential factor by the time we could prepare the groundwork. In this way, the QMS system that was built through ISO 9001 at the time has since been able to grow and mature as the company does, expanding to incorporate aspects of the company as they come to fruition. To those start-ups or smaller organisations anticipating growth of this nature, we strongly recommend engaging with ISO 9001 sooner rather than later. 

Since then, achieving 14001 and 27001 have felt like very natural steps. Beyond the reasons listed previously, earning and understanding 14001 was very close to the heart of what Cambridge MC does, given our close proximity and working relationship with our sustainability-led sister-company, edenseven. From there the decision was simple: how do we best demonstrate the principles that we promote. 

With 27001, the thought process boiled down to best practice. As a company that handles large amounts of data day-to-day, without adopting an official plan to reduce and avoid security risks, we could potentially jeopardise the running of both our own company and that of our clients. With ISO 27001, we have closed-up any gaps that could allow these dangers to sneak through.

The ISO Process

Earning the ISO certification, beginning specifically with 9001, took around 18 months in total to complete. With regard to identifying and evaluating the risks that you seek to absolve through gaining the ISO, the process opened with an assessment of the scope that the ISO would cover. This does not have to be static, it can reflect the current nature of your organisation in a way that leaves room for change, growth, and maturity over time, as we experienced at Cambridge MC. This beginning stage is further supplemented by the use of an internal auditor, who assists with identifying and substantiating the scope of the project.

Once your scope is outlined, you can begin filling it in. At Cambridge MC, we conducted this by designing and building out a company manual. This initially represented and reflected the QMS principles of ISO 9001 and our assimilation of them into our working patterns, however it has since evolved to include ISO 14001 and 27001. (The latter of these also depended on the achievement of Cyber Essentials and Cyber Essentials Plus externally to the ISO, making us the first organisation affiliated with Data Connectivity (our primary IT provider) to earn these certifications.)

Once this was completed, we then subscribed to a certifying body, who appointed an external auditor to check that we have since complied with ISO standards not just on paper, but in practice. They had the opportunity to delve as deep into our working operations as they please, and open up as much interpretation within our manual as they deemed appropriate, to affirm that we were performing to standard. Only then could we achieve certification.

The process does not end there. At Cambridge MC, we are not concerned with earning the ISO standardisation in order to get a certificate on our wall or a badge on our website’s homepage, and this is something that ISO itself assures. The certification is only valid for three years, at which point it will need to be renewed via another assessment; in the interim your organisation must undergo frequent surveillance to assure that you are keeping to your principles in the meantime. As such, one of the primary values promoted by the ISO and adopted proudly by Cambridge MC, is continual improvement. 

At Cambridge MC, we demonstrate this through our Weekly Learning and Development (L&D) sessions – an internal seminar every Friday afternoon in which one of our clients or team members has the opportunity to educate the rest of the group on a particular topic or industry. Though optional, these sessions are strongly encouraged and give the chance for the Cambridge MC team to improve their learning and skillset outside of their particular specialism or department. Further to this, we are committed to the principles attached to our ISO certification by regularly reviewing our risk register, processes, policies, procedures, etc. The more assimilated these self-assessments become in our working patterns, the more ingrained the ISO values have become.

Notes:

[1] Given that ‘International Organization for Standardization’ translates to different acronyms in different languages, in line with their founding principles, these delegates decided to standardise it to ‘ISO’, partially derived from the Greek ‘isos’ to mean ‘equal’. ‘Whatever the country, whatever the language, we are always ISO.’

How Cambridge MC can help you

Becoming ISO certified is incredibly beneficial, if not near-essential, to the running of a successful and growth-orientated organisation. Assimilating a widely-recognised and proven standardisation system into one’s business and operating patterns not only allows for minimisation of risks and continued improvement throughout growth phases, but it also proves to current and potential clients and customers that you take these principles seriously.

For these reasons, if you are similarly interested in having your organisation become ISO certified, Cambridge Management Consulting is now equipped with the knowledge and experience to help you bring this to fruition. Please get into contact for any insight, advice, or guidance that can help you along your own journey to getting certified. 

About Cambridge Management Consulting

For more information visit www.cambridgemc.com or get in touch below.