UK ISO Consultants

Common Pitfalls in ISO 27001 Implementation

Holly Lane — Mon, 05 May 2025 17:28:39 +0000

ISO 27001 is a pretty great standard for building a system for managing your information security, it’s a good strategic move for companies wanting to protect information appropriately whilst based on the level of risk associated with that information and it’s a useful for demonstrating your compliance to customers and any other stakeholders or interested parties. However, it can be a head scratcher at times and if you don’t understand something or if you skip a step, you can find yourself driving straight into that spike trap or hopping that fence only to find a deep pit on the other side.

Obviously getting derailed by issues can be a frustrating, demoralising and resource-draining experience. Below we’re going to try and cover most of the common pitfalls you may encounter whilst implementing 27001 so you can avoid them!

Without a doubt, the biggest pitfall is Management Support / Engagement. So let’s start there:

1. The Lack of Management Support

Implementing 27001 needs senior management commitment. Adopting these principles can be painful, if employees within the business see the senior management not following the principles and not leading by example then they will believe there is no point doing it themselves; it will be a case of them sitting and nodding their heads until you as the person implementing the system, run out of momentum and then everything will get shelved and forgotten. Equally even if you have your system already well established and in place, without visible and consistent support from leadership, the management system and its processes will lack authority. Without buy-in from management you also face issues with lack of resources being made available to implement/maintain the system and it will ultimately lack the strategic alignment needed to keep it going long term.

How you can avoid this

Make sure the business case for having ISO 27001 is established but also clearly and succinctly communicated to leadership. Know your market, if your senior management are all about brass taxes then bring it back to money, having 27001 may cost X but it opens Y markets and could potentially save you Z costs from being sued/fined for a data breach.

If you want to go further, demonstrate how it aligns with business goals such as regulatory compliance, customer trust, and operational resilience.

2. Failure to Embed the ISMS in Daily Operations / Resistance to Change

Building off the first pitfall, lack of support. Failing to embed the ISMS into your daily ops means that at an employee/staff level; if people aren’t interacting with the system regularly then they wont pick it up, use it or potentially even understand it. If people don’t understand why, you’ve put the system in place (or if they are just stubborn old mules!), then they are likely to also be resistant to that change; they might view it as an unnecessary extra burden that will just slow down their work during the day for little perceived gain.

Some companies like to treat ISO 27001 as a one-off project that they only need to think about once or twice a year; the result of that, security controls aren’t always maintained, compliance degrades fairly quick (but if you’re lucky you’ll find all those issues during your internal audits a week before your surveillance visit right?) and again people can also be resistant to adopting the system if it disrupts their routine and is then ‘only’ used during audits.

How you can avoid this

Daily beatings and public executions! I joke of course… no, the best way to avoid resistance to change is comprehension; teaching, training and helping people to understand why these processes are being put in place, then obviously also, maintaining their consistent use. Build information security into a core culture of the business, establish regular reviews, monitor key aspects of the system and provide updates about the system to all staff; get their buy-in, align it with other business processes or perhaps even as one of the metrics used in performance-based reward systems if you have that kind of thing in place.

3. Lack of Awareness and Training

Another pitfall that builds on the other two (you can see a trend amongst the biggest reasons, right?) is lack of awareness and training. People are often one of the biggest risks to information security. If employees aren’t aware of your policies, they don’t comprehend what is considered information/data they need to protect; or if they don’t know what to do in order to protect it then even the greatest technical controls in the world will fail.

How you can avoid this

Develop and implement awareness training that is comprehensive and structured; you also need to tailor this to your employees, their roles and responsibilities as well as their level of access to specific data and don’t just drop everyone infront of a 3-hour presentation covering you’re A-Z. A cleaner doesn’t need to know the finer points of secure code writing and peer review, but they do need to know about physical access control and securely destroying physical records (making sure paper records are shredded etc before just chucking them out) or making sure they don’t unplug the server so they can plug in the vacuum! Believe us, its happened before.

4. Underestimating Resource Requirements

An easy mistake to make is underestimating the resource needs. Implementing and then maintaining the ISMS does require time, expertise and financial investment/commitment. Learning the standard and how it applies to your business, having the people with the correct knowledge and using their time and your own, etc. If you misjudge the demands it can lead to delays, overworked employees (and yourself) and ultimately subpar results.

How you can avoid this

Take a step back, slow your roll for a minute and try to develop a realistic project plan that covers staffing, training, tools and other stuff. Which, granted, is a lot easier said than done; like really, how do you plan a project if you’ve never done something like it before? Definitely a non-answer answer right. So personally, I’d say you should opt to use us, your friendly neighbourhood consultants! Asking someone with experience is a fantastic way of helping to gauge resource needs.

5. Neglecting Internal Audits and Continual Improvement

Internal audits are a key requirement of many ISO management systems not just 27001. But, it’s very easy to leave them till the last minute and end up often being rushed or treated as mere checkboxes. Without some genuine internal auditing and follow-up, problems can go unnoticed and your system will stagnate until you get slapped in the face with minor or major non-conformities at your surveillance visits.

How you can avoid this

Super easy, plan ahead and schedule in regular internal audits; do this as part of your annual financial / management planning at the start of each year and stick to it. OH and make sure you are using trained personnel ideally who are also as impartial as they can be to whats being audited (get someone from team/department A to audit team/dept. B, etc.). You should then also treat these findings as opportunities for improvement rather than failures, nobody likes being derided for failing. (we can also do internal audits for you instead if you want!)

6. Poorly defined ISMS Scopes

This can be a fairly common mistake and it can be quite a nuanced skill to write and frame scopes for management systems; we help define scopes all the time for our clients so I’ve only seen a few of these situations in person. That being said, scoping down too narrow can miss critical systems or not accurately reflect the operations of your business. With accredited certifications you’ll get a certificate with the scope of your management system printed front and centre on it (if you want to know more about accredited certification we have another blog post here about it).

Equally, if you go too broad then it can become unmanageable and you’ll be auditing for weeks on end, both internally and externally! Basically, an improperly scoped ISMS leads to gaps in your systems coverage or excessive complexity.

How you can avoid this

Set aside some time to sit and think about what your company’s risks are (what your risk profile is) and what your operational needs are, consider your legal, contractual and stakeholder requirements and try to be as specific as possible about which parts of the organisation need to be included within your scope. Write your scope down, leave it for a while, come back and read it back or fire it around the office/other managers to see what other people think about it. (if you are implementing 27001 for a specific customer contract it might be worth getting clarity from them around what they are looking for the cert to cover)

7. Inadequate Risk Assessment

Risk assessments are a foundational aspect of ISO 27001. However, many companies can wind up only doing superficial or generic assessments that don’t accurately reflect their real risks. As a result, your controls may be misaligned or irrelevant.

How you can avoid this

Break down your assessments to look at context-specific aspects of the business. Look specifically at just hardware, or just software, physical, people, etc. then talk them through with people from different teams / roles in the business to see if they have different risks they associate with those aspects. Use a consistent structure for how you score your risks; tie them back to the SOA within 27001 and ensure that risks are regularly reviewed and updated (build this into your internal auditing schedule!).

8. Overemphasis on Documentation

Documentation is an important component of ISO 27001; within the standard there are sections that state “‘X’ shall be available as documented information”. However, overemphasising it at the expense of actual implementation is a big pitfall, especially with purchased toolkits (don’t get me started, just ask me about the dark abyss of toolkits if you ever get chance!). Some companies can end up producing extensive and sometimes unnecessary documentation that then ends up never being understood or even read by employees, it will weigh your system down and will likely cause you more non-conformities during external audits because they’ve not been maintained correctly or at all.

How you can avoid this

Focus on meaningful, usable documentation. Policies and procedures should reflect actual practices and be integrated into daily operations. Train your staff on how to apply them. Consultants like ourselves can also help you trim the fat when it comes to documentation if needed. Understanding whats actually required to be documented vs what isn’t is helpful information to have when doing all the different ISOs.

9. Poor Change Management

A bit more a niche issue, change management is an easy one to miss. And IT guys, this doesn’t just mean your change control processes for managing code updates and deployments. This relates to practical business changes, updates to the management system, changes to internal business processes, personnel and technologies. Yeah, its cool you’ve found some new software or you’re in the process of moving your entire filing directory to the cloud but have you actually planned it out and recorded what you are doing? Something perceived as innocuous as moving an employee between departments does have information security implications (permission levels changing in data accessibility, that person’s knowledge for X task, the availability of information they have, if they are the only person helping Y customer and they move, who’s got access to the information needed to continue helping that person, etc.) and you need to manage that.

How you can avoid this

I know you’re probably busy running the business and doing the changes on the fly but you should integrate your change management into the lifecycle of the ISMS; build the system so that changes are reviewed during the management review or do monthly Informal’s to flag changes and keep a track record of changes, record planned changes and conduct risk assessments for those planned changes.

10. Inadequate Incident Response Planning

Security incidents are the dreaded bane of todays digital world however many companies still find themselves taking the hope and pray approach. Emergency response and business continuity planning are great buzz phrases but are very easy to end up being only basic top-level plans around how you will respond. Having a weak and untested system can lead to confusion, delayed reactions to issues and ultimately a greater extent of damage during a breach.

How you can avoid this

Develop a response plan AND TEST IT. Run that thing through ringer! Plans should ideally include specifically defined roles so people know what they are doing and who to report to, communication strategies for if you need to contact specific people (including customers) and also make sure you do a proper post-incident analysis; make sure you learn from the incident and try to stop it happening again. As I say, test your plan regularly, do this by running simulations and adjust it based on lessons learned, oh and make sure you cover different types of incidents not just the same old easy to do scenario.

Conclusion

Hopefully you’ve found this interesting. ISO 27001 implementation is a powerful way to build trust, reduce risk and enhance your operational resilience. But the journey is not without its challenges. By being aware of the common pitfalls and proactively addressing them, we reckon you should be able to avoid costly missteps and create a management system that works for you and that delivers lasting and reliable value.

Successful implementation is less about checking boxes and more about embedding a culture of security throughout the company. With proper planning, commitment and continuous improvement, ISO 27001 can become a cornerstone of your company’s success in managing information security.

If you’d like help with getting your system off the ground or if you’d just like a little guidance or hell, just some internal audits doing. Then hit us up using our contact us webform or give us a ring.

ISO14001 in Construction and Architecture Industries

Holly Lane — Mon, 14 Apr 2025 12:04:58 +0000

The sun is shining, we’re getting into the kind of weather where its arguably pretty fun to work outside. This got me thinking about our climate and also got me thinking about the construction and architectural industries within the UK.

Despite current economics and politics; the construction of new buildings is going to continue and the demands for sustainable options is higher than ever; it’s no longer a buzzword; It might as well be considered a business imperative for the construction and architectural industries.

These industries have been associated with high resource use and high environmental impacts for hundreds of years so the idea of making these markets more climate-conscious is a pretty big opportunity.

We reckon, ISO 14001 the international standard for environmental management systems (EMS) would be a great thing to consider if you want to take a hold of that opportunity.

The Base Coat Primer

For those of you who aren’t familiar, heres a quick and simple explanation of ISO 14001.

ISO 14001 is a recognised standard that provides a structured and strategic framework for helping you to identify, manage and reduce your ecological footprint; it forces you to examine your legal requirements for environmental regulations and helps make sure you comply with them. Its also designed to help you improve your overall environmental performance.

The current version of ISO 14001 follows a very similar structure to ISO 9001 (which is why its super common to integrate the two and run them concurrently). It uses the same PDCA cycle (Plan-Do-Check-Act) and promotes continual improvement and proactive environmental processes.

Key principles of ISO 14001 include:

Identifying environmental aspects and impacts



Ensuring compliance with legal and other requirements



Setting and reviewing environmental objectives



Monitoring performance and implementing corrective actions

Relevance in Construction and Architecture

As I mentioned before, the construction and architectural industries are inherently impactful due to their use of raw materials, energy consumption, waste generation, and land use. Here’s how ISO 14001 is especially relevant:

1. Environmental Impact Management

Construction sites can have significant environmental consequences; these include soil erosion and water pollution to air quality degradation. The framework that ISO 14001 looks to establish will push you towards having processes in place that help you identify, assess and mitigate these impacts through detailed environmental planning and risk assessment.

2. Regulatory Compliance

Environmental regulations are becoming stricter across the globe. ISO 14001 requires you to maintain a register of local, national and international regulations, the idea is, if you document these and have to maintain the register then it will keep compliance in the forefront of your mind, thereby helping you identify evidence that you need to gather which will ultimately help in reducing the risk of fines and project delays.

3. Resource Efficiency

The standard promotes efficient use of materials, energy, and water. These are crucial in an industry where reducing waste and optimizing resources can significantly lower operational costs and environmental burdens.

4. Stakeholder and Client Expectations

Clients, investors and other interested parties (like the communities local to your project site) are increasingly asking for evidence of sustainable practices. ISO 14001 certification acts as a badge of credibility and transparency, enhancing reputation and competitiveness.

Benefits of ISO 14001 for the Construction and Architectural Sectors

Improved Project Planning

Incorporating ISO 14001 from the design phase enables architects and planners to embed environmental considerations early in the project lifecycle. The idea is that this will lead to more sustainable designs and better project outcomes.

Enhanced Risk Management

By proactively addressing environmental risks, companies can avoid costly incidents and liabilities. ISO 14001 encourages a culture of continuous risk assessment and mitigation.

Operational Efficiency

The standard drives process improvements that reduce waste and resource consumption. In a sector with tight margins, these efficiencies contribute directly to profitability.

Market Differentiation

Certification distinguishes companies in competitive bids, especially for government and large-scale projects where sustainability credentials are often mandatory.

Employee Engagement

A strong environmental management system can promote employee awareness and involvement, fostering a culture of sustainability and shared responsibility.

How to implement ISO 14001 in the Construction and Architecture Industries

Like any industry there are certain nuances but a general method to the madness would follow this:

Step 1

Gap Analysis and Environmental Review

First port of call would be to do a gap analysis, look at your business practices, compare them to the requirements of the standard and plan out what needs to be updated or implemented from scratch. Its worth looking at, and understanding, your legal obligations, your existing policies and what evidence you have already in place showing your environmental aspects.

Step 2

Leadership Commitment & Planning

You need to get senior management buy-in and demonstrate commitment to the management system; setting environmental objectives that are tied to your current business strategy. You should also clearly identify roles and responsibilities within the business around who’s responsible for managing the system and what other responsibilities others will have.

Step 3

Documentation & Integration

Develop the necessary documentation; some of the stuff you identified in step 1 will probably need documenting; things like your environmental policy, procedures and activity impact assessments. You should try to Integrate these into your day-to-day operations and project workflows.

Step 4

Training and Awareness

Educate all of your employees and subcontractors on your new management system including the procedures that apply to them and emphasise their role and any possible obligations they might have in helping you achieve the objectives you’ve set and their need to follow/comply with procedures you’ve established.

Step 5

Monitoring & Continuous Improvement

You can look at establishing and tracking your performance using KPIs. You’ll also need to conduct internal audits and implement any corrective actions for non-conformities you may come across. You’ll need to complete atleast one Management Review per year to comply with the standard; though, the theory is that these help ensure the ongoing relevance & effectiveness of the system, so if you think it’s a benefit to the business you can have management reviews scheduled more regularly.

Real World Impact

We’ve helped a number of companies already within these sectors build management systems covering both ISO 9001 and 14001; we’ve also worked with companies that have moved on from these towards establishing BIM within their businesses.

By implementing ISO 14001, you also establish a good groundwork and supporting evidence for getting BREEAM certifications for your buildings. These two standards align well, especially with ISO 14001’s emphasis on resource efficiency and lifecycle impact.

Many government tenders require ISO certification as a pre-requisite. Having ISO 14001 adds that notch to your belt and can make tendering easier or even lead towards you being regarded as a preferred contractor.

Looking Ahead

We’ve got a climate that is changing, already this is one of the warmest springs we’ve had in a long time and that winter before was just bizarre. The emphasis on climate change and carbon neutrality is therefore going to continue being a focus point and will likely become more prominent than ever over the next few years.

ISO 14001 is vital to get ahead with its ability to help you seize the opportunities coming. There is an upcoming revision, expected to appear some time in January 2026. But even when that comes out, you’ll have 3-year transition period before having to adopt the new standard, so don’t let that stop you from getting a jump on it now (the changes expected are further emphasis on climate-related risks and opportunities, aligning closely with the global sustainability goals agreed at the big boy tables our politicians spend so much money going to!).

For the construction and architectural industries, embracing ISO 14001 isn’t just about compliance; it’s a strategic move toward innovation, resilience and long-term value creation.

In a world where green credentials increasingly matter, ISO 14001 provides the blueprint for building not just structures, but a better tomorrow. Well, that’s the idea anyway.

What is ISO 17020 and does it apply to your SME?

Holly Lane — Tue, 08 Apr 2025 14:01:52 +0000

We’re going to take a quick step away from the usual, well known ISO standards, and have a quick look at the 3 most popular ISOs in the 17000 family of standards. These are ‘accreditation’ standards rather than certification standards (Check out our blog here if you want to know the difference) and these are the ones that apply to companies doing inspections, issuing certificates, testing and calibrating things.

These standards are:

ISO 17020

This is the standard for companies wanting to work in Inspection Services

ISO 17021

This is the standard for companies wanting to be certification bodies or registrars

ISO 17025

This is the standard for companies working as testing laboratories or calibration offices

The idea behind these standards is fairly simple. How do you make sure that the people you hire to do inspections know what they are doing; that they understand the technical aspects of it; that they are sufficiently independent from what they are inspecting and aren’t financially motivated to approve something that should fail or raise false issues with something that is fine.

These standards all build on establishing the competence of the people doing the inspections but have different focus points;

17020 is more geared towards ensuring impartiality and consistency in the inspections themselves

17021 concentrates on the competence of certification bodies and has a lot of supplementals that specify the competence requirements for auditing specific standards. Cert Bodies such as BSI, ISOQAR, Lloyds and Approachable are subject to this standard and they have to be proved as competent for each of the usual ISO standards before they can issue certificates for them, this is why you may find some UKAS accredited cert bodies that ONLY do ISO 27001 or only do 9001, 14001 & 45001, etc.

17025 turns its focus towards how you ensure the accuracy and the reliability of the results gathered from the testing within the labs.

If you want to be accredited to any of these standards in the UK, then you’re going to end up having a rather personal and direct relationship with UKAS, the United Kingdom’s Accreditation Service.

Nobody Expects the UK Accreditation Service!

Quick! Run for cover; they’ve heard us talking about them!

Image: Courtesy of Monty Python’s Flying Circus, The Spanish Inquisition

In the UK, the United Kingdom Accreditation Service (UKAS) is the national accreditation body. There are other legitimate international accreditation bodies that are members of the IAF (the International Accreditation Forum) or members of ILAC (the International Laboratory Accreditation Cooperation) BUT UKAS are the only national body recognised in the UK. Accredited bodies like UKAS ensure that test and inspection providers (the people who issue the certificates) meet the requirements in these standards and that their inspection results are valid and reliable.

Understanding ISO 17020 and Its Relevance to UK SMEs

We’ve said many times in the past that SMEs are the backbone of the UK, and that remains the same despite the government’s latest attempts to cut small businesses down at the ankles.

Many of these small businesses either complete inspection works themselves (like asbestos inspectors) or they use products or services that have inspection works carried out (use any tools to measure stuff in your work? If so, how do you know they are accurate, have they been calibrated? Or, have you ever been PAT tested?).

The kinds of SME we’ve seen interested in this standard have included:



Asbestos Inspectors

Construction and infrastructure work



International Trade Goods Inspectors



Fire Safety Inspectors

Construction and infrastructure work

Environmental Auditing

E.g., air and water quality testing, waste management audits



Food Safety Inspectors

Hygiene inspections, organic certification bodies



Gas and Electrical Safety Inspectors



Vehicle Inspection Companies

MOT testing stations, fleet maintenance auditors



Structural Integrity Inspectors

Construction and infrastructure work

ISO 17021, Management System Certification

17021, as mentioned, is the standard that applies to certification bodies (CBs); if you want ISO 9001, 14001, 45001 or any of the many other standards, these are issued by CBs instead. Those CBs do however need to checked to make sure they are doing a proper job. This is where UKAS become involved; companies like BSI and ISOQAR get audited by UKAS to check their competence, independence and that they are doing there assessments properly too.

ISO 17025, Calibration and the Verification of Accuracy

Labs and calibration businesses also have to be considered competent and reliable so 17025 was developed just for them with a focus on the accuracy and reliability of the measurements that they take on top of their own competency levels. This standard can get very technical in some fields, like calculating the degrees of uncertainty in a reading based on the impacts of temperate on the measurement equipment etc. A standard not for the faint of heart, we’d recommend you have in house resources for this standard.

How Accreditation Standards Affect SME’s

17020, 17021 and 17025 (and others in this series) provide a structured framework for conducting inspections, tests and certifications effectively and impartially. Key requirements include:

Competence and Training

Businesses must ensure that personnel are adequately trained and qualified to perform their roles.

Impartiality and Independence

Businesses should demonstrate that their services are free from undue influence or conflicts of interest.

Inspection Methods and Procedures

CBs must document and follow standardised procedures to maintain consistency in their assessments.

Record Keeping and Reporting

Detailed recording of results must be maintained to provide evidence of compliance and facilitate audits.

Quality Management Systems

Businesses must implement a quality management system to continually monitor and improve their processes.

When you follow these principles and document evidence to support them, it helps demonstrate your credibility, builds the trust your customers will have in you and can also improve your efficiency in the work you complete.

UKAS Accreditation and Processes

In the UK, the United Kingdom Accreditation Service (UKAS) is the national accreditation body responsible for assessing and certifying organisations against ISO 17020. There are other legitimate accreditation bodies that are members of the IAF (the International Accreditation Forum) or members of ILAC (the International Laboratory Accreditation Cooperation) BUT UKAS are the only national body recognised in the UK. Accredited bodies like UKAS ensure that inspection bodies (the people who issue the certificates) meet the stringent requirements set out in the standard and that their inspection results are valid and reliable.

How UKAS Interacts with SMEs

Despite my earlier quip, whilst UKAS are certainly not perfect, we’d still rather have them operating in the UK and regulating industry properly, than having a free-for-all where you have no idea of the competence or honesty of the people providing our goods and services.

In our experience UKAS can be bureaucratic and expensive at times; but this is how the process works:

1. Application and Assessment:

Following initial contact, UKAS will want to know basic information from you like number of employees, what kind of work it is you are planning to do etc. you’ll then be asked to fill out an application form detailing the formal scope of inspection/certification/test activities you want to do and some information about your processes. They’ll send you a quote for the process, then draft up a Customer Agreement which is essentially a terms and conditions/contract that you’ll need to sign and send back to them. UKAS will then schedule in an initial assessment to review your management system documentation and your on-site activities.

1. Application and Assessment:

Following initial contact, UKAS will want to know basic information from you such as number of employees, what kind of work it is you are planning to do etc. you’ll then be asked to fill out an application form detailing the formal scope of inspection/certification activities you want to do and some information about your processes. They’ll send you a quote for the process, then draft up a Customer Agreement which is essentially a terms and conditions / contract that you’ll need to sign and send back to them. UKAS will then schedule in an initial assessment to review your management system documentation and your on-site activities.

2. Audits and Compliance Checks:

You will be visited by UKAS auditors to verify your compliance, they will check personnel competence records, your levels of impartiality to the people you are inspecting/certifying and your overall adherence to your own documented methodologies. This visit can be intense and usually UKAS send auditors in pairs, one being knowledgeable about management systems, and the other an industry/technical expert for the industry that YOU work in. For example, grain inspections on cargo ships, they will send someone with experience of grain and international shipping etc. Obviously, this can be a challenge for very specialised industries; one “expert” we have met was well into his seventies and came out of retirement just to do the visit. The number of days this process takes are based on the complexity and size of your org.

3. Accreditation and Monitoring:

If successful (when successful if you use us!), you’ll receive your accreditation, valid for a specified period. UKAS will then conduct periodic surveillance visits to ensure continued compliance. This can include them coming with you to your customers to witness your inspections. UKAS attendance during CB customer audits is very common (there have been several times we’ve had customers undergoing certification for ISO 9001/14001/27001 etc. only to find the auditor was also being assessed by UKAS).

Obtaining UKAS accreditation is a big and sometimes scary process; but it’s a brilliant way of demonstrating your professional credibility and gaining access to larger clients and government contracts.

Conclusion

Many SMEs across a plethora of diverse industries and sectors can find themselves needing to demonstrate their impartiality, credibility and technical competence. These ISOs are a great way prove you’ve got those aspects within your business.

UKAS are the UK’s ONLY national accreditation body, don’t be fooled. They provide independent verification of compliance and are recognised by the UK government and the IAF. If you want to establish yourself as a trusted provider of these types of service in the UK, then UKAS are your best bet.

We’ve got significant practical experience in dealing with UKAS and taking our customers through accreditation to these standards. If you are interested in going through this process yourselves or just have any extra questions burning away in your head then feel free to drop us a message using our contact form.

What’s the point of keeping an ISO Certificate?

Holly Lane — Mon, 31 Mar 2025 08:11:32 +0000

Is it really worth it?

In a time of global uncertainty, financial turmoil and growing mistrust, why should you maintain your ISO management Systems, like ISO 9001 for Quality Management, ISO 14001 for Environmental Management, ISO 45001 for Health and Safety Management or ISO 27001 for Data and Information Security?

There are many big reasons why these systems are worth maintaining, though sometimes there are also less prominent ones for maintaining them which can be overlooked. Here’s a few:

Standing out from the Crowd

When purchasing decisions are based purely on price, they are often ill fated, resulting in poor products or services. As suppliers you may have cut your costs to the minimum in order to undercut the competition. You might even win some orders that way; but you are likely to end up with an unsustainable business or you’ll have to constantly look for new customers after annoying your existing ones.

In a competitive environment, and especially where purchasers/customers are looking for longer term relationships just being the cheapest isn’t enough. You need to show you aren’t just the cheapest, you need to show you are reliable, trustworthy and that dealing with you isn’t going to give your customers hassle.

An UKAS accredited ISO 9001 certificate is a way of doing that. You are showing the world that your internal ways of working have been validated by an independent third party, and that third party has been confirmed and validated on behalf of the UK government. This kind of certification tells your customers that you are serious about the work you do; that you are looking towards the future of the business, it’s growth and also that you don’t plan on disappearing with their money.

Reducing Customer Risk

Customers don’t want to end up doing business with you if it’s going to increase their own risk. Whether from faulty goods, poor services, environmental damage, data breaches or poor health and safety. Maintaining your ISO certificate reduces those risks, gives customers more confidence and shows them that even if something unforeseen does go wrong, you have the internal structures and resources to address them quickly and efficiently.

Legal Compliance

For the vast majority of people raised in the UK; the tragedy at Grenfell Tower is a core moment in history. Many are also aware that since 2017 there have been ongoing legal battles between people and companies looking for those culpable. These investigations and suits come with enormous costs to the people and the companies involved. It is almost inevitable that with these investigations, someone somewhere may not have followed the correct legal processes; and they will likely be left holding the bill if they aren’t behind bars.

Ensuring that not only your business, but also those suppliers and sub-contractors working for you are legally compliant is essential if you wish to stay out of court. Many, many laws now make it the responsibility of customers to make sure they buy from reliable compliant suppliers – using businesses who do not follow the applicable laws and legislation can make you legally responsible for their failure, ensnaring you in long, difficult legal challenges; draining you of the time needed to build your business, damaging your reputation and possibly even blocking you from potential markets.

ISO 9001, ISO 14001, ISO 45001 and ISO 27001 now all insist on managing legal compliance. So using suppliers and sub-contractors that hold these kinds of certification is a simple, practical and a cost-effective way of ensuring somebody checks your suppliers are behaving correctly, giving you some level of protection.

Tenders & Bids

Tendering and bidding can be expensive and time-consuming activities; but without them how do you get into the larger markets and more lucrative contracts? Holding properly accredited ISO certificates can greatly simplify this process along with the data you need to provide to support your bids. For instance, an ISO 14001 Environmental Management Certificate can save you having to answer pages and pages of questions about your emissions and reduction plans, etc. it also means you shouldn’t need to sink hours into finding the evidence to support your answers. When it comes to tendering and bidding ISO certification generally pays for itself just in your saved time fairly quickly. Having ISO can also be mandatory in some markets, so, it could also give you access to markets and contracts you simply wouldn’t get into without it.

Increasing Revenue

ISO management systems are now based around the objectives and targets you set for your business; they support and help maintain all aspects of performance monitoring and so can support drives to reduce cost, increase sales and use resources more effectively.

Past criticisms of ISO, claiming that it was complex and drowned businesses in bureaucratic admin were addressed long ago. Once the appropriate systems and controls have been developed and installed in your business, maintaining them can be super simple and not specifically costly.

Costs should be well below the advantages and savings you gain through efficiency and improved communications; clear operating processes and additional controls should give to your business.

Properly structured and installed, any of these management systems can be maintained with little impact on work or resources, but as explained above, they should also give you many advantages through access to new markets, reduced risk etc.

If you’d like to know more why not drop us a line and if we can help your business to grow through ISO Certification we will, why not give us a call on 0115932 3770 or go to our contact page.

No AI was used to write this post, so the spelling and grammatical errors are all mine, and the result of a UK, state provided, education 😊, for which I remain, most thankful.

Risk Management Across Different ISO Standards

Holly Lane — Mon, 24 Mar 2025 12:05:51 +0000

Navigating Risk in ISO Standards: A Quick Guide

Risk management is a big aspect of many ISO management systems. it’s core principle and even has its own dedicated standard – ISO 31000 (2018). ISO 31000 provides principles and guidelines for managing risk across your entire business and looks at how you identify, analyse, evaluate, treat, monitor and communicate those risks.

Intense right? I already know how exhausting the thought of doing this yourself can be!

But don’t get too stressed out. You don’t have to apply the same crazily detailed assessments for all the different ISO’s but you do need to have something in place. What we like to suggest is that you have assessments that are effective at meeting the requirements but are still efficient enough to be practical and not cause brain aneurysms.

As it’s a core principle across various ISOs; ensuring that organisations can identify, assess, and mitigate risks is important. Whether in quality management (ISO 9001), information security (ISO 27001), environmental management (ISO 14001), or occupational health and safety (ISO 45001), risk-based thinking is essential to achieving compliance. Lets do a quick breakdown of how risk management applies to the different common ISO standards and how you can go about scoring the risks you might find.

The Role of Risk Management in ISO Standards

ISO 9001: Quality Management System (QMS)

ISO 9001 currently requires organisations to adopt a ‘risk-based’ approach to quality management (this might change in the planned update but we can’t say for sure right now, so were basing this off the 2015 ed.). Clause 6.1 says that you need to identify risks and opportunities that can impact the intended outcomes of the QMS. Risk management in this context focuses on preventing non-conformities and improving customer satisfaction. You don’t actually need to document your risks for 9001 so long as you know what they are and have processes in place to control them.

Practically speaking, this means that if you talk through your risks with an assessor and then show you’ve put controls in place, such as goods in/out checks or peer review on what you are selling and you aren’t getting huge numbers of issues then you should be okay.

ISO 14001: Environmental Management System (EMS)

On the otherhand, ISO 14001 differs from Quality; sections 6.1.1 and 6.1.2 lay out the groundwork that you are actually required to document your risks and opportunities. These need to based off your operations, their environmental aspects, the expectations of your interested parties, legal compliance and anything else you can think of that’s relevant. BUT, only the environmental impacts. So, how you dispose of waste electronics should be a risk in there, but you don’t need to include risks like someone slipping on spilt boiling water in the kitchen. Some risks can fall into multiple categories; when looking at the spillage of paint that’s primarily going to be a health and safety risk of slips and trips but depending on the kind of paint it could also be environmental, some paints you can’t just wash down the drain as they can be poisonous to wildlife; in that situation you’d need to bag the paint as well as any paper towelling or spill kit materials you used and then potentially dispose of them as hazardous waste; this does of course depend on how your waste processor wants to handle the paint; some county councils require specialist waste processes, others may tell you that its fine to put paint in the general waste provided its completely dried out. We’d recommend you check with them though.

ISO 27001: Information Security Management System (ISMS)

Risk assessment within information security is another pretty big one. There’s a requirement for you to document the risks you identify along with how you’ve mitigated them. ISO 27001 differs a bit from the others because we also have the glorious Annex A in place, for those who don’t know, Annex A is a series of Controls that you need to respond to within your documentation. These controls look at aspects of how you should manage your organisational structure, people that can impact your org, physical aspects of your org & the technological structure within your work.

Because you have to respond to the Annex A; a great way of hitting two birds with one stone is by linking your risk assessments to the Annex and vice-versa. For example; a potential risk to your business’s information security is people having access to information that they shouldn’t have. This links up with multiple controls, primarily ‘A.5.18 Access Rights’ this control says that you need to have a process in place for issuing, reviewing, managing and removing someones access to information as needed within the organisation. So, the risk is people having uncontrolled access, the control to mitigate this risk would be to implement an access control system that you regularly review. You can then also tie this into how you classify and label information as these can make how you define access a bit easier, and so on.

ISO 45001: Occupational Health & Safety Management System (OH&S MS)

ISO 45001 focuses on identifying hazards and risks related to workplace safety. Thankfully there is a logic to the madness within most standards so ISO 45001 follows a very similar structure to 9001 and 14001. The risk assessment sections in this standard are also 6.1.1 and 6.1.2, like ISO 14001 you are required to document your risks. The intention is that you identify risks with the aim to prevent work-related injuries and illnesses, ultimately ensuring a safe work environment.

6.1.2 has a good list of areas to consider when thinking about where risks could present themselves, it ranges from your processes and the equipment you use, to things that can contribute towards increased risk such as social factors in the workplace – workload, excessive hours, bullying, etc.

When generating and reviewing these risks you will also need to get your workers involved. ISO 45001 includes clause “5.4 Consultation and participation of workers”, non-managerial staff need to be able to have some input into the risks that are identified; to be fair they are also the ones most likely to be exposed to those risks. This is also a legal requirement under the Health and Safety at Work Act 1974 (in the UK).

ISO 31000: Risk Management - Guidelines

As mentioned above, ISO 31000 provides a generic framework applicable to all types of risks. It sets principles and best practices for risk identification, assessment, treatment, monitoring, and communication. Basically, names on the tin here so to speak.

How to Score Risks in ISO-Based Risk Management

There is no definitive model or required structure to risk assessments or to risk assessment scoring within the ISO standards I’ve mentioned. They just aren’t that prescriptive.

They just want you to ‘effectively manage the risks’, and they say that your assessment method needs to be structured and use a consistent scoring methodology.

This typically involves the following steps:

1. Identify Risks

As we already covered, each ISO looks for risks within a specific context; you should ideally keep your assessment on point and flag the risks that are relevant and within the context of the standard you are going for. Brainstorm (or mind-map if you want) what your processes and procedures are, look at historical issues/data, and don’t forget to account for the human factor.

2. Assess Risk Likelihood and Impact

Once identified, risks must be evaluated based on their likelihood (probability of occurrence) and their impact (severity of consequences) then multiply one by the other. A common method for doing this is using a risk matrix; some people like to use number scoring for likelihood and impact. I’ve even seen someone use a 10 x 10 grid but I’ve not yet found someone who can tell me what the tangible difference is between a score 87 and 85. There is no requirement to use numbering, a lot of people also just use Low/Medium/High like below, but numbers and colour coded risks can be helpful.

3. Establish Risk Criteria

With your risks scored; what you then need to do is decide what score you consider acceptable; this will be your defined threshold or risk tolerance. Anything above that score needs to be addressed using controls or ‘Risk Treatments’.

4. Implement Risk Treatment Measures

You’ve got your threshold/tolerance level, and your risks are scored; now you need to try to address and treat those risks, you should consider this hierarchy to determine the appropriate response (see image):

5. Monitor and Review Risks

Risk assessments must be ongoing, so make sure you are having regular reviews to check the effectiveness of your controls. ISO’s require periodic audits and management reviews that look at your existing risks and any possible new ones, make sure you are reviewing them all at least once annually, but ideally more!

Conclusion

Risk management is a core aspect within ISO standards, this can help you anticipate threats and opportunities.

Use a structured approach to risk identification, assessment and treatment. This will improve how your business works and will help with your legal compliance, business resilience and operational effectiveness. Ultimately, implement a risk scoring system that works for you so that it helps you prioritise your risks appropriately.

If you’d like any help with your ISO journey then please drop us a message as we’re here to help make sense of certification.

ISO Certification: How does it work?

Holly Lane — Mon, 17 Mar 2025 11:23:22 +0000

ISO Certification: How does it work? (and, is there a difference between Certification & Accreditation?)

ISO certification; whats the crack. Is it just another hoop to jump through then?

We get a fair few people coming to us particularly when they’re moving their business into the world of bids and tendering. Quite often you’ll get to that point and whilst looking at the sometimes, dizzying amount of information you need to submit; you’ll see a statement along the lines of “If you have ISO 9001 Certification, submit your certificate and skip to the next section” or something along those lines. If you’ve been sat there and gone What the hell is that. You aren’t alone!

To keep it brief. ISO certification is a globally recognised process of verifying a company is meeting a certain standard or level of professionalism is whatever aspect of work that ISO is written around. So, ISO 9001 (being the most well-known) is focused around Quality; ISO 14001 focuses on how Environmentally you operate, ISO 27001 focuses on your Information Security and so on.

An ISO certificate means you’ve been checked by someone else and they are essentially vouching for you and your business by saying you meet the minimum requirements detailed within the ISO standard you want.

A Long time ago in a country far, far away…

For as long as there has been recorded history, and probably the time before that; there has been trade of goods between civilised mankind. When people traded then it was often that they would see the goods before they agreed a price so that both parties knew what they were getting.

As society developed, trade expanded to being between towns, then cities and eventually internationally. Perhaps if certification was around in ancient Babylonia, we never would have found the worlds oldest existing customer complaint about Ea-nāṣir and his sub-par stock of copper ingots!

People soon realised that these trades needed agreed standards for goods; and with-it people who would independently check or inspect those goods.

It wasn’t until the early 20th century though that we come across the concept of certification; this was certification for standardisation; in 1901, what became the British Standards Institute (BSI) was founded with the aim of standardising the quality of steel sections used in construction within the UK. During World War II, standardisation played a crucial role in manufacturing and production of military equipment.

With the seeds sown; post war efforts from multiple countries saw the creation of the ISO (the International Organization for Standardization). 23rd Feb 1947 saw the official launch of ISO, the founding members saw international standards as a key to rebuilding the world after war.

Japan’s post-war industrial success was a sight to behold; they had developed the Total Quality Management philosophy which emphasised continuous improvement, customer satisfaction and involvement of all employees in achieving their goals around quality of work.

By the 1970’s the UK and other countries recognised the success of Japanese manufacturing achieving higher quality products than their own which led to a focus on quality improvement.

Britain up till then had a mishmash of different services, councils and contractors and had probably got fed up of having to pay all these different levels of administration for disparate industries so they began to make moves.

In 1979 the new British standard BS 5750 (which later became ISO 9001) was published. The big certification bodies such as Lloyds Register of Shipping (and later BSI); companies who had existing networks of inspectors were invited to become the first companies able to issue certificates to businesses for this new standard. Other similar certification companies eventually followed suit and the industry of certification started.

The ISO, forever looking to create universally applicable standards for different industries, took BS 5750 and turned it into the first iteration of ISO 9001, the Quality Management Standard. Since then they have continued to expand their repertoire of standards and both businesses and governments have adopted these standards to demonstrate competence, improve efficiency and ensure compliance with legislation.

Bringing it back to the UK; Through the 1980’s there was a flurry of government ‘requested’ consolidations, the BCS merged with NATLAS and became NAMAS; a few years later they were asked by the government to merge with the NACCB and the child of this merger was the United Kingdom Accreditation Service also known as UKAS in 1995.

So, what is UKAS accreditation and why should you care?

As we eluded to in our previous blog here; Within the UK, third-party assessment is viewed as being critical for a proper certification process. By that, we mean it’s imperative to make sure that the companies issuing the certificates are being fair, meeting the correct standard and are suitably independent from their customers to avoid conflicts of interest. This process is called Accreditation.

In the UK, the United Kingdom Accreditation Service (UKAS) is the sole responsible party for checking the competence of organisations that provide certification, testing and inspection services.

UKAS accreditation is a mark of trust and reliability, demonstrating that a certification body has undergone rigorous assessment of its competence.

UKAS accredited certification bodies and the certificates they issue, will often include the UKAS tick and crown logo. This is a visual cue that the certificate body has been approved by UKAS and complies with their stringent requirements.

You can also verify if a body is accredited by checking the UKAS website here.

Accredited vs. Unaccredited Certification Bodies

Like anything, there are cheap look-alike options you can take, this includes companies selling certificates of conformity. These companies are not assessed by UKAS so you have no guarantee of their competence, impartiality, integrity or auditing process. As a result, a lot of these certificates end up having very little value across many industries.

With accredited certification you know the certification body has been assessed themselves by UKAS. This plays into your own business once you are certified as it these certificates are:



Recognized internationally

Provide credible and independent verification



Enhance reputation and trust among customers and stakeholders



Can be required in certain industries, especially for government contracts

I know we’ve gone a little deep but shake that reminiscent glaze from your eyes! We’re done with the history now so here’s the bit you’re probably most interested in.

How the Certification Process Works (or should work!)

ISO certification involves several key steps, each is designed to make sure your business meets the required standard you’ve chosen to pursue.

Understanding the Standard

Each ISO standard outlines specific requirements that businesses must follow to achieve certification. It’s a good idea for you to familiarise yourselves with the standard you want to go for and make the decision of whether you want to go for it on your own or use the help of some fantastic consultants that try to help people make sense of certification!

Gap Analysis

Whether you use us or go for it solo, doing a gap analysis can help identify where your business currently stands in relation to the ISO requirements. Many companies are already doing some of the work needed for an ISO, it’s rare that you wouldn’t be doing anything to use a gap analysis to highlight the key areas you have, what needs improvement and what still needs implementing.

Implementation

Once gaps are identified, you should implement whats necessary to comply with the standard. This step often involves:

Establishing new policies and procedures
Training employees
Improving documentation and record-keeping
Conducting internal audits

Internal Audits

An internal audit is a check of your own operations how they relate to the ISO you want. Ideally, they should be independent so get someone from a different department or team to do the internal audit for you (we, as consultants, can also complete internal audits for you if you need them). Internal audits will ensure that all implemented changes are effective and your business is ready for external assessment.

Selecting a Certification Body

Once you are confident you are compliant; you need to choose a certification body to conduct external audits. As we’ve already identified above, this is a crucial step so you will need to decide on what kind of certification you want and who you want it from (brand recognition within the certification industry is also a thing!).

Stage 1 Audit

Documentaion Review

During the Stage 1, the certification body reviews your documentation checking if it aligns with the standard’s requirements. If any issues are found, you’re given time to address them. These aren’t typically referred to as non-conformities at this stage, just as findings.

Stage 2 Audit

On-Site Assessment

A follow-up is then completed. This is known as a Stage 2 audit. These assessments are a more in-depth look at your business. This is where auditors will typically visit your premises to evaluate the implementation of the standard (checking that you’re doing what you said you do in your documentation). This includes interviews with employees, process observations, and reviewing records. If you meet the required standard, the auditor will then “recommend” your business for certification. Issues found at this point are raised as non-conformities and you’ll be given a deadline for fixing them.

Technical Review

Auditors submit their reports from these audits back to the certification body along with their recommendation for certification. Because these bodies are subject to UKAS review, they insist that auditors’ reports are verified by one of their peers.

Certification Issuance

If the audit is successful, the certification body issues an ISO certificate; these are valid for 3 years. However, your business must then also undergo regular surveillance audits to ensure continued compliance.

Surveillance Audits

Surveillance audits are usually conducted annually. This is to confirm that your business is still meeting the requirements of the standard. Depending on the size of your business, scope of the certification and complexity of the standard; these surveillance audits often look at particular snippets of your system rather than the entire thing.

Recertification

After three years, a recertification audit is required to renew the certification. A recertification audit is essentially a mini stage 1&2 assessment all over again. They look at the whole management system rather than just the snippets they did during the surveillance visits.

And that’s the cycle. Rinse and repeat every 3 years. Beware though; if you lose your certification or decide to let it time out then you’ll have to go through the whole stage 1 and stage 2 process all over again.

Conclusion

ISO certification is a valuable tool for businesses looking to enhance quality, efficiency, and customer trust. However, the credibility of a certification depends on the integrity of the certification body. UKAS plays a crucial role in ensuring that certification bodies operate to the highest standards, providing businesses and stakeholders with confidence in accredited certification.

While unaccredited certification bodies may offer a quicker or cheaper alternative, the risks associated with unverified certification far outweigh the benefits. For businesses seeking long-term growth, international recognition, and compliance with industry best practices, choosing a UKAS-accredited certification body is the best approach.

By understanding the ISO certification process and the importance of accreditation, businesses can make informed decisions that benefit their reputation, compliance, and operational success.

We understand the ISO certification process and believe that it is important for our customers and others in general to understand it too. It’s the best way for you to make informed decisions about your ISO journey; we’re here to help make sense of certification. So please contact us if you have any questions about your business and how we can help with your certification.

SME’s: Making Headway?

Holly Lane — Mon, 10 Mar 2025 13:54:52 +0000

OK, so you’ve got your company off the ground, you’ve got a few orders, a few repeat customers, the cash is trickling in, so how do you now scale that business upwards and turn that trickle into the torrent which will support your growth and future income?

Business owners have a huge range of intentions for their businesses, none of which should be criticised – if you are in the senior management of an organisation then it’s your business and it’s up to you what happens to it. I know of business owners who are happy to make one sale a week, then spend the rest of the week sitting on a river bank fishing. I know of others who are fighting tooth and nail for every order they can lay their hands on, and many who fit neatly in between.

So, if you want to make a £200 sale then take six days off to catch fish that’s fine, but you probably won’t be reading this blog, so I’ll leave you to your Carp, Perch or whatever your prey might be.

For the rest of us, getting a business off the ground is difficult, and how you scale it up seems to be a minefield, and in between the mines there are plenty of charlatans, ‘business advisers’* and scammers who assure you they will lead you to a pot of gold….

*I’m not saying all business advisors are up to no good by the way, I’ve met and used some who were excellent, but it is a “buyer beware” scenario.

Scaling Up

There are many stories of millionaires who started by making something in their garage or bedroom and then managed to turn it into a global empire. Is that just about having the cash to invest to make that happen? I’d argue no it isn’t, there are many people who’ve had access to finance and still failed.

There are many factors to success, but I’d say the first, and possibly unpopular thing, is discipline. To succeed turning a good idea into a great business requires the discipline to keep focussed, don’t let the small success go to your head, but look at what has made that success. What methods and processes did you follow? They may need to be nudged or modified, but some of the same processes that made a small organisation successful will probably work well in a larger organisation. You don’t have to reinvent the wheel.

So how does your business work, how do you find new opportunities, how do you turn those opportunities into orders, and how do you successfully deliver against those orders and make sure you have happy and satisfied customers who will order again?

A “Management System”?

This problem has been examined internationally, by renowned and successful business leaders from every continent. The result was a model for how the internal processes of a business should mesh together, forming a “Management System”. That management system is described in the International Standard ISO 9001, one of the most successful international standards to date.

ISO 9001, is known as a “Quality Management Standard”, this is in reference to it helping form a high-quality business, not JUST the type or condition of the products that business then sells.

Using ISO 9001 correctly will have a knock-on effect, helping give consistency to the product or service you are selling. This standard is applicable to your business whether you are aiming for high-end, prestige products & services with a large margin, or even if you are in a high volume but highly competitive and low margin environment.

ISO 9001 builds on the idea that, in order to be as successful as possible, a business should first look at the market that it wants to operate in, identify and analyse the risks of working in those markets, then ideally find ways to control or mitigate those risks as much as possible.

It then builds on this by encouraging you to define how the business operates; the processes and methods of how your business really works. Then measure how efficient those processes are, with a view to improving them little-by-little, to make the workings of the business as efficient as possible. This should help by taking the process of turning a potential customer into a happy, satisfied one; and then making this process reliable and consistent, which will then enable you to grow as a business and potentially improve your margins by streamlining processes and reducing rework/complaint costs.

Many large procurement organisations insist on their suppliers using ISO 9001, they believe having these systems in place results in a more reliable supplier. In many cases this is then taken further by asking the suppliers to become “certified” to ISO 9001. This involves an independent third-party assessment* of your company’s operating processes, documentation and evidence to show you conform to the standards requirements.

Many businesses find that ISO 9001 opens opportunities with many more customers, it also greatly simplifies the completion of bid and tender documentation: often providing a copy of your ISO 9001 certification will negate the need to answer pages of questions and supply additional evidence to prove your credibility to the prospective customer.

Get in touch

We’ve been working in quality management and the certification of businesses to ISO 9001 since around 1990, so have experience of many industries, many certification processes, and many standards. Certification doesn’t have to cost a fortune, but could increase your brand recognition and give you access to more customers. If you’d like to know more why not drop us a line.

No AI was used to write this post, so the spelling and grammatical errors are all mine, and the result of a UK, state provided, education 😊, for which I remain, most thankful.

*Within the UK, Europe and many places around the world, third-party assessment is viewed as being critical to proper certification. As such, government-controlled bodies have been developed to ensure that certification companies (the people doing the assessments and issuing certificates) are fair, meet a consistent standard and are suitably independent to minimise conflicts of interest.

For the UK, our body is known as UKAS (United Kingdom Accreditation Service), they make sure the people giving out the certificates are meeting expectations.

It’s easy to check if these companies are approved by UKAS through the online register here.

ISO 27001:2022 Transition: 7 Months and Counting

Holly Lane — Mon, 03 Mar 2025 14:14:04 +0000

That’s right folks, just 7 months left to go for you to get your systems transitioned to the 2022 updated version of ISO 27001.

The final date for transition is Friday 31st October 2025. That’s 35 more Fridays to go; which might sound like a lot but consider for a minute; the update came out Oct 2022, so that’s already been 123 weeks of putting it off as a problem for future you.

In the meantime, threats to information security continue to grow; hopefully you can see them on the horizon, but many companies can find it really easy to start lagging behind. Unfortunately, if you are still working to the 2013 edition of ISO 27001 then you’re now behind the curve.

Its easy to put off the transition; it has been so far anyway. But this will absolutely create unnecessary stress and potential complications down the line for you and your staff. The new updates to the standard introduce a number of controls that can be surprising time-sinks if you aren’t familiar with them. They can also end up costing a significant amount of time and money to implement if you aren’t careful.

The problem is, the longer you wait and mull this over, the greater your potential exposure is to emerging security and compliance threats. And, the greater number of resources and time you’ll need at the last minute to get it sorted. ISO 27001 certification isn’t just a tick-box exercise giving you a badge of compliance. It’s a commitment to proactive cybersecurity. If you fail to transition in time, you risk having your certificate revoked, this can impact existing client trust and even your ability to secure new contracts and customers.

Why transition to ISO 27001:2022 now?

There are some great reasons to act swiftly and update your Information Security Management System (ISMS) sooner rather than later.
Here are a few key benefits:

1. Improved Security Posture

The revised standard includes updated and new controls around cloud security, threat intelligence, incident management and more, this should make your ISMS more effective at protecting against modern cyber threats.

2. Easier Compliance with Regulations

There are several regulations and legislations including GDPR and NIS2; along with other industry specific standards that are getting stricter and some even require companies to demonstrate strong cyber security practices. ISO 27001:2022 aligns better with your typical modern compliance frameworks so it also makes it easier to meet regulatory obligations whilst conforming to ISO 27001 at the same time.

3. Maintain your Competitive Advantage

Many businesses/clients still look for ISO 27001 certification when choosing suppliers or partners. When they come to scrutinize your security certifications it will look infinitely better being on the latest edition of the standard as it demonstrates your commitment to cybersecurity, showing that you are taking your certification seriously.

What’s Changed in ISO 27001:2022?

The 2022 edition introduces some key updates that make the framework more relevant to today’s security landscape, some of these changes are quite crucial and can be surprisingly challenging:

1. Annex A, the Statement of Applicability (SOA) has been rejigged

Definitely the most significant update out of the lot, is the restructuring of Annex A, this now includes 93 controls (down from 114). Several controls have merged, some have been refined, and the overall structure of the SOA has been re-organised into four key themes:

People
Organisational
Technological
Physical

This restructuring is supposedly meant to make it easier to understand an implement the security measures ‘making implementation more effective’ but we’ll have to wait and see if it’s really that groundbreaking.

2. New Security Controls (As part of the SOA update)

The 2022 update introduces 11 new controls that address modern cybersecurity challenges. These cover:

Threat Intelligence – Encouraging organizations to proactively collect and use threat intelligence.

Information security for use of cloud services – Providing specific guidance on securing cloud-based environments.

ICT Readiness for business continuity – Ensuring IT services are resilient against disruptions.

Physical Security Monitoring – brings a more simplified but definitive stance on physical security than the previous edition.

Configuration Management – Enhancing security through better control of system configurations.

Information Deletion – introduces the concept from GDPR that you can no longer keep data forever, as much as your inner dragon likes hoarding gold; you’re no longer along to emulate Smaug in Erebor (but with data!)

Data Masking – introduces the concept that if people don’t need to know specific info to do their job, then they shouldn’t be able to see it. A simple principle in concept but can become complicated when looking at ways to apply it in a meaningful way.

Data Leakage Prevention – Strengthening data protection measures.

Monitoring Activities – Adds a bit of Big Brother seasoning to the standard to make sure your networks, systems and applications aren’t going haywire with “anomalous behaviour”.

Web Filtering – makes it a requirement for you to make sure your staff aren’t using their web browsers to access anywhere dumb during work hours / from a work device.

Secure Coding – this makes industry best practice essentially a requirement. This covers things like code reviews, peer checks before publishing, making sure you apply Least Privilege methodology etc.

3. Enhanced Focus on Risk Management

The new standard places a stronger emphasis on risk-based thinking. Companies must ensure their ISMS is not just a static set of policies but that they are actually used, this also means making sure these policies are efficient and appropriate to the task.

4. More Flexibility in Implementation

ISO 27001:2022 does however allow for a more tailored implementation of controls based on an organisation’s specific risk environment. This should make compliance more efficient, but it also means companies must take a fresh look at how their security measures align with the new framework.

How to Get Started with the Transition

Switching to ISO 27001:2022 doesn’t have to be overwhelming. Here are some tips to make it more manageable:

1. You’ll need Leadership “Buy-In” so make sure they’re involved

All businesses need support from the leadership team when implementing new controls, policies, procedures or anything that disrupts the norm (sometimes even a new kettle needs approval). Without “buy-in” from leadership you may struggle with the resources you need to prioritise transitioning the system and making sure everyone understands and adheres to it.

2. Perform a Gap Analysis (if you want)

If you want to do the transition yourself, then you’ll need to assess your current ISMS against the new requirements; this is so you can identify any gaps and areas that need updating. This should then help you to create a clear action plan for the transition.

3. Update your Policies and Procedures

Many of the new controls require policy updates or even new policies writing from scratch. This is especially prevalent in areas like cloud security, threat intelligence and configuration management. You’ll need to make sure your documentation reflects the latest best practices too. (This is something we can help you do if you don’t have the time or knowledge).

4. Train Your Team

Your staff must understand the changes and their implications. So, you’ll need to provide training on the new controls, risk management approach, and updated compliance requirements. People will need to understand these changes and how they impact the day-to-day operations of the business.

5. Schedule Your Certification Audit

I’ve written this blog on the assumption you’re already certified to ISO 27001:2013, (if that’s not the case then I atleast hope you’ve enjoyed this read! And you should build your system around the 2022 edition from scratch instead of jumping through these hoops).

The certification body I imagine will have also been hounding you by this point; but you need to get booked in with them for your transition and tell them it’s a transition audit; they will undoubtedly want to add an extra day or more to your visit in order to transition you.

I had one customer who forgot to mention they were transitioning to the auditing body so when we were sat down infront of the auditor and I handed over our updated docs he was a little dumb struck; after a quick panic call to his head office we ended up managing to transition that visit but it was only because they were able to switch the auditors ‘office day’ to another assessment day.

They would have been well within their rights to have cancelled and rescheduled the visit along with slapping our customer with an extra charge for the issue had we not been so lucky. SO, plan your transition audit well in advance, this will also help avoid last-minute bottlenecks from the limited supply of 27001 auditors that the cert bodies have.

Final Thoughts

Most cert bodies like to see at least 3 months of evidence of a new system being in place; which means, if you want to show them evidence of your new system, that 7 months to deadline drops to 4 months from now (to get your system updated and audited).

You’ve also got to consider your staff and the availability of the auditors to come and do the transition. With the Summer Holidays and Easter half-term happening, this could make it even more strategically challenging to transition before the deadline.

Ultimately, this deadline for transitioning isn’t as far off as it seems. It’s also not optional – it’s necessary to maintain your existing certification. Companies that delay risk operational disruptions, security vulnerabilities, and compliance failures.

Getting started now will save you from even more last-minute stress. Making the switch sooner means your compliance efforts will be all-round smoother, and you’ll be able to catch up to those early birds already standing proud with their 2022 certs pinned to their chests.

More importantly, waiting and leaving it much longer could mean a rushed, ineffective transition that leaves your organization exposed.

Don’t put it off. The threats won’t wait, and neither should you. Contact us now to get the ball rolling and we’ll see you through with time to spare.

Start your transition to ISO 27001:2022 today.
Contact us HERE

Why a business should bother with ISO 14001 and Environmental Management

Holly Lane — Mon, 24 Feb 2025 10:40:23 +0000

If you are a senior manager or owner of an SME and you aren’t worried about the future of your business or its day-to-day workings, then this blog probably isn’t for you; but don’t worry, feel free to have a read anyway!

Now, if you happen to actually be working your proverbial butt off trying to keep dozens of plates spinning maybe we can help. Running an SME in the UK is hard, despite the fact that nearly 90% of all UK businesses fall into this category. Environmental management can be an entire box of extra plates to spin. So, how do you make it work?

Here are some of our thoughts:

Carbon reduction and enviromental management

The UK started the high-level concerns about greenhouse gases and the seriousness of damaging our planets eco system. In 2015, we, like most other nations, signed the Paris agreement, which committed all those present to limit the impact of climate change by altering the activities which were causing the damage.

Ten years on, those changes haven’t really been followed and the increase in the world’s temperature has grown quicker than expected.

At present it looks like the UK, along with other countries are going to miss the targets they set in 2015, which is embarrassing for politicians, so what? Well the truth is that everybody should be concerned about this, the damage to the worlds eco-system will affect most of those on the planet in one way or another.

In the UK, a governments biggest stick to control people with has two ends, Fines and Taxes. Those are what will be used, to make sure the anything you as a business (that affects the environment) complies with their obligations. These costs are then going to steadily increase until you comply.

A Simple Solution:

Your business has an impact on the environment, we all do. ISO 14001 includes a simple, straight forward methodology for reducing your environmental impact, keeping you within the agreed limits, and hence avoiding the tolls and fines which are coming.

Interested in ISO 1400?

Learn more about how it can help your business reduce its environmental impact and avoid costly penalties.

Get Started

The methodology

Think of the environmental impacts of your business, list them even. How can you control them? How do you keep operational costs down while avoiding fines and breeching the environmental regulations that should help the planet survive. You could invent some new way to do this, or, alternatively, you could implement ISO 14001. This is an internationally agreed best practice framework on how to manage and reduce environmental impact; the processes and approaches used in this system will free up time so you can keep your other plates spinning.

The Reasoning

As touched on in our previous blog; here: www.independentqualityservice.com/smes-enviromental-impact-carbon-reduction/ the majority of businesses will likely find themselves working for the government in one way or another eventually. Governments simply have to implement a ‘trickle-down approach’ in order to force environmental compliance. They stipulate it as a mandatory aspect of all their contracts and hey presto, you as a small independent business end up on the receiving end. It might be six-degree’s of separation but the gov will lean on their tier-one suppliers who in turn will pass it along to theirs, and so on, eventually meaning you too.

Carbon Reduction and Waste Segregation are coming your way…

Carbon reduction plans started being required for NHS contracts around 12-18 months ago. In some cases before the content of such plans was even agreed! The approved structure of plans splits emissions into three categories. It’s possible to make a justified effort at calculating the first two categories, but even now category three, the emissions caused in your supply chain are still almost impossible to reliably estimate.

BUT, requirements aren’t just to plan. Going forward there is a need for that to be updated, and over a period of time you are going to have to show that the emissions you generate are decreasing, or loss of the contract, fines and charges are likely to follow.

Again, using the ISO 14001 best practice can keep you in line here and its methodology assists with reducing your emissions and environmental impact.

Segregating Waste

Under cover of the last election the UK government managed to publish the 2024 Waste Segregation regulations. Beginning at the end of March these regulations will force commercial organisations to segregate waste in the same way householders are supposed to.

Fining householders is difficult and unpopular, and the regulations so mixed and unclear that even Greta Thunberg probably fails to comply fully with them.

However, businesses are much easier to fine. Having your waste/recycling removed and processed is going to make money for the government and the businesses concerned, so rest assured, failing to implement these regulations will get you fined, the question is just when.

More regulations, targets, taxes and fines are on the way. Having a simple methodology to address them and keep you up to date is the ONLY way to keep your business within the agreed budgets and costs. You can struggle with this, on top of all the other difficulties of running a business, or you could just adopt ISO 14001 and reduce the plates you’re spinning before they come crashing down.

If you’d like to know more why not drop us a line and if we can help your business to lower its environmental impact we will.

No AI was used to write this post, so the spelling and grammatical errors are all mine, and the result of a UK, state provided, education 😊, for which I remain, most thankful.

Unpacking Sustainability and how it can impact UK businesses

Holly Lane — Mon, 17 Feb 2025 09:46:33 +0000

Sustainability what is it, and is it just a fad?

In my experience “Sustainability” as a phrase started to appear in tenders and business journals 6 or 7 years ago. Initially, I thought it was just a new phrase to describe environmental management and reducing the generation of greenhouse gases etc.
It was a while later (when I began helping customers to answer questions in tenders) that I researched the issue fully and started to understand the extent of the intended change, plus the growing controversy it can cause. In many ways the concepts covered by UN “sustainability” goals, which were agreed by ALL nations could be summarised as “Lets respect ALL and see if we can ALL prosper together”. A noble and worthy intent. But unfortunately, some of these goals sail close to concepts sometimes thought of as “Political Correctness”. This culture is causing much angst and division at present, but still needs to be treated carefully if you don’t want to be inundated with hate mail and social media hounding.



So what’s this got to do with your SME based in the UK?

The UK, and its current prime minister (an ex-human rights lawyer, so perhaps very much in favour of these goals) is now trying to show that it’s taking the commitments made under the UN’s 2015 Sustainable Development Goals seriously. Inevitably in today’s cash strapped world, the government is pushing the implementation and reporting against these standards into its supply chain through government contracts. We’ve seen with one of our customers this year, that even if you may only have a handful of staff and are struggling to keep trading. You’ll still be asked to report against these Sustainability Goals if you want to continue being a supplier to people like the NHS or other government departments. There is no consideration being given to how you might need to find the resource and time to comply with this.

A storm in an environmentally friendly tea cup?

The sustainability drive is based on 17 goals set by the United Nations. As a small business owner in the UK (who has read the definitions of these goals) I’d have to say they basically fall into two big categories:

1. Things I can’t do anything about, such as the first three, No Poverty, Zero Hunger, Good Health and Well Being – (though having tried to access NHS services of late I wonder whether the UK government should really be claiming allegiance to this goal!)

2. Requirements which are already enshrined in UK legislation, like gender equality, good education, reduced inequalities etc, so we should already be complying with them.

For the goals that can be impacted by our compliance, many of us running companies in the UK will likely find that we are already meeting many of them and with a little thought we can meet the ones we aren’t. As a result, the cost to us providing positive responses to tenders around these needs could be significantly reduced as they’ve already been met.

Wheels within wheels and the need for a referee

A further problem comes in the cost of the reporting that government, and other major purchasing bodies are expecting. Giving them the benefit of the doubt, I don’t think many have the slightest idea how much time and effort goes into responding to these requirements.

There are many organisations offering to complete the reporting for you, but this raises another issue. Until very recently, there have been no real agreements on the reporting required and no standardisation. Most of the organisations offering to “help” with your Sustainability reporting have simply had a reporting website generated. Their idea of help is then to sell you the opportunity to fill in pages and pages of questions and supply the endless evidence to support your answers.

But each site has been written by somebody different, asks different questions, and the organisations themselves have no oversight or accreditation for the service they are selling; they can ask what they want, there are few rules.

Nature abhors a Vacuum

Many of these Sustainability Reporting sites/Owners have managed to grow very close ties with major purchasing organisations, some links may even have financial agreements behind them:

i. You want to sell to company A,

ii. Company A says to do business you need to pay a subscription and complete Company B’s questions

iii. Company B then either pays a subscription to Company A, or could even be owned by them.

Which would explain why there are so many different websites/companies with similar but varying services. But for reliable and honest reporting, the person doing the reporting needs to be independent and competent, but at present this can’t be checked.

At long last, enter ISO 20400, an internationally agreed best practice guide for Sustainable Procurement. Originally written in 2017, this standard ought to result in a level playing field, and independent, honest and meaningful reporting. Let’s hope the UK government and all other UK based major procurement organisations are forced to accept and comply with the practices it enforces, and we all stop having to pay for these unregulated Sustainability Reporting websites hosted in unknown locations around the world.

Should you be interested in the background to Sustainability, and how we got to where we are, there’s a quick synopsis below.

The United Nations role in a divisive subject!

In 1987 a United Nations commission defined Sustainability as “meeting the needs of the present without compromising the ability of future generations to meet their own needs.” A very noble definition and aim.

In 2012 a UN conference agreed a set of Sustainable Development Goals, which were published in 2015. There are 17 of these goals, which is an odd number one way or another, and the UN made them part of their 2030 Agenda for Sustainable Development. At the 2015 conference those present agreed the goals as intended to “mobilize efforts to end all forms of poverty, fight inequalities and tackle climate change, while ensuring that no one is left behind” see here for further details.

All 193 nations who form the UN were present and unanimously agreed to the goals. This included the USA, the Russian Federation, China, India, most of the known world, and even the tiny inconsequential UK.

Those 193 countries are now charged with implementing, monitoring and reporting performance against these goals. Which is really where the problem starts. As UK Prime Minister Harold Wilson is reputed to have said, “a week in politics is a long time” and the last ten years have been particularly tumultuous. As a result, most of the world leaders who agreed to these very worthy and noble aims are now long gone.

Who knows if they will continue to be supported, or where the required financial investment will come from?

If you’d like to know more why not drop us a line and if we can help your business to lower its environmental impact we will.

No AI was used to write this post, so the spelling and grammatical errors are all mine, and the result of a UK, state provided, education 😊, for which I remain, most thankful.