Thousands of valuable ISO management system certifications earned by UK companies may now be at risk because auditors from Certification Bodies may not have been able to attend organisations’ premises to conduct essential re-certification audits during the current coronavirus pandemic.
Worldwide, hundreds of thousands of certifications are at risk of lapsing as lockdown conditions look set to continue for the foreseeable future.
Current UKAS guidelines – unchanged since August 2016 – state that: “If [a] recertification assessment cannot be undertaken within six months [of the anniversary of the certificate being issued] the certificate should be suspended, and a new initial assessment will be required.” To restore their certifications, affected organisations may incur financial costs easily three times higher than they were expecting to pay for their annual audits – plus considerably higher levels of time and resources – as well as having to remove any reference to their certifications from their websites and other collateral in the meantime.
The issue has been raised by InfoSaaS, a provider of software solutions that help customers achieve information security, data protection and business compliance requirements, up to and including ISO management system certification level.
Peter Rossi, co-founder of InfoSaaS, said: “Across just three [ISO9001, ISO27001 and ISO45001] of the five ISO management system standards that we help organisations to achieve, an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities - never mind all other ISO standards, and notwithstanding any backlog of audits, whenever they can resume at scale.”
The International Organisation for Standardisation (ISO) doesn’t publish figures for the number of certifications granted across every standard. However, there are more than 1.3 million certifications worldwide across 12 standards for which it has most recently published numbers, in the form of the ISO Survey 2018 (including ISO9001, ISO14001, ISO20000, ISO22000, ISO22301, ISO27001, ISO28000, ISO45001, ISO50001, ISO 13485, ISO37001 and ISO 39001).
Worldwide there are over 870,000 certifications for ISO9001 alone, indicating that – six months on from the start of lockdowns – over 70,000 per month may be at risk of lapsing should surveillance audits remain halted.
“The uncomfortable truth is that, under current circumstances, some organisations may decide not to be re-audited and simply to let their ISO certifications lapse. Any such de-prioritisation may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone,” explained Rossi.
Remote audits are impossible when organisations rely on outdated approaches tools such as multiple spreadsheets, which require in-person explanation, justification and cross-reference. Accordingly, InfoSaaS wants to see Certification Bodies conducting remote surveillance audits where the candidate organisation is using an integrated, platform-based solution such as InfoSaaS’s own Compliance Framework platform, which make it easy for auditors to conduct the necessary surveillance and auditing activities.
“Frankly, it’s unnecessary and inefficient for any organisation still to be using the likes of spreadsheets for this purpose. It would make achieving business compliance objectives via a modern platform even more attractive if organisations could be confident that remote audits were not only possible but preferred.” Rossi added.
InfoSaaS’s platform helps organisations achieve and retain several ISO certifications: ISO27001 (information security management), ISO27017 and ISO27018 (enhanced security control sets for cloud services,), ISO9001 (quality management) and ISO45001 (health and safety risks) - as well as data protection workflows in support of GDPR.
ISO certifications to various standards have become increasingly important to organisations operating in increasingly competitive markets around the world: having valid ISO management system certificates clearly communicates relevant or important competencies to potential customers. In particular, demonstrating certification against industry standards and evidencing a mature approach to the protection of sensitive information and personal data have become baseline requirements in many markets and for some customers.