1 INTRODUCTION
Why would your company go for ISO certification? How is company certification different from personal certification? And, is this book the right choice for you?
This book covers the certification process for all ISO management standards – ISO 9001, ISO 14001, ISO 27001, ISO 20000, ISO 13485, but also OHSAS 18001 and IATF 16949 (formerly ISO/TS 16949) – so in this book I’ll refer to “ISO standard” or simply “standard” to cover any of these standards.
1.1 Why should your company go for the ISO certification?
Before you decide if your company should go for the certification, you have to ask yourself one important question: Do you really need it?
I must tell you there are many organizations who have implemented the standard without going for the certification – one obvious example being banks and other financial institutions. Regulations in most countries are such that they have to implement very strict information security procedures and safeguards, and the majority of them did that using ISO 27001. But, very few of them got certified – they concluded that there was no business reason for them to do so.
And, this is exactly what you need to do – consider carefully if you need the certificate. Here are the potential reasons why you might find the certification useful:
1) Marketing. You can use the certificate to get some new clients (because of, e.g., tenders), or to stay in the business (e.g., all your competitors already have the certificate).
2) Compliance. In rare cases some regulations will require you to implement a particular ISO standard, but you may also have cases where you sign contracts with clients that oblige you to implement, e.g., a quality management system compliant with ISO 9001. And, instead of having to put up with the auditors from each of your clients who want to check whether you have fulfilled the contract, you can have the certification auditor do the job, and then show everyone else the certificate.
3) Internal pressure. In some companies, these kinds of projects will never finish unless there is powerful pressure – e.g., a clear deadline. So, if you agree with the certification body on a fixed date for the certification audit, both your management and your employees will have a much stronger sense of urgency for finishing the project.
4) Objective inputs. If you want your information security to be implemented in the best possible way, it is good to call in highly experienced people who know how to benchmark you against the best in the industry. Certification auditors will be more than happy to audit someone who is trying really hard, and they will provide inputs on what you could improve.
So, if you found at least one of these benefits applicable to your company, then you should probably go for the certification; but the opposite is also true: if you didn’t recognize your company in any of these points, it probably doesn’t need the certificate at all.
1.2 Certification vs. registration vs. accreditation
Before moving deeper into the topic of certification, let’s clarify some basic things first.
How the company certification works. First of all, ISO standards are published by the International Organization for Standardization – this is an international body founded by governments around the world. Its purpose is to publish standards as a way to deliver knowledge and best practice – as of now, almost 20,000 standards are published in total, and they are recognized in every country.
ISO management standards are only a part of these 20,000 standards; they were created primarily to help companies improve their operations in certain areas (e.g., ISO 9001 for quality management, ISO 27001 for information security management, etc.) – this is why most of the talk about these standards relates to companies and their registration, certification, and accreditation.
Certification vs. registration. When you want to say that a company has implemented a standard (e.g., an Environmental Management System according to ISO 14001), has successfully completed the certification audit, and the certification body has issued the certificate, you would normally call this registration or certification.
In North America, the term “registration” is most commonly used, while in the rest of the world it is usually called “certification.” So, is there a difference? Technically, yes; but essentially, no.
Certification is when a certification body issues the certificate proving that a company is compliant with a standard; registration is when this certificate is registered with the certification body. So, basically, it comes down to the same thing – a company got a certificate that is formally recognized.
By the way, the International Organization for Standardization recommends usage of the term “certification,” so I’ll use this term from this point forward in this book.
Certification body vs. registrar. This is the terminology difference that directly arises from the usage of certification/registration terms – in North America people usually use the term registrars, while in the rest of the world they are called certification bodies.
But, again, this is one and the same thing – those are the institutions that perform the certification audits and issue the certificates. Here, also, the ISO recommends using the term “certification body.”
Accreditation vs. certification. What is accreditation, then? In order for certification bodies to be able to perform the certification audits and issue the certificates, they need to get a license – and this license is called “accreditation.” So, certification bodies get accredited, while companies get certified. (A certification body needs to be compliant with the standard ISO 17021 if it wants to be accredited for certifying management systems.)
There is usually only one accreditation body for each country (e.g., UKAS for the United Kingdom), while there are several certification bodies operating ...