To certify or not to certify. That is the question

May 11, 2023 Hannah Rowe

Rowe is certified against ISO 9001 and ISO 27001, the quality management and information security management standards.  ISO is the International Organization for Standardization.  In case you are already confused, "ISO" is not an acronym of that name but a word derived from the Greek isos, meaning equal.

ISO is a global organisation that creates standards based on best practice.  So a quality management system certified against ISO 9001 in Italy should reflect the same best practice as one certified in the US.  Theoretically.

Underpinning every implementation of an ISO standard should be this thought:

The ISO is there to work for the business, not the other way round.

There are areas (clauses) you must satisfy if you want to be certified against the standard, but they make sense when you break them down.  They ask you to:

  • define the scope of your business;
  • consider all your stakeholders;
  • look at business risks and opportunities;
  • think through communication, both internal and external.

This then leads to continual improvement at a cultural level.  Made part of everyday business and the company culture, it adds value and understanding around business purpose.

Any business can buy a copy of an ISO standard (they are not cheap) and use it to improve their processes and strategic thinking.  There are plenty of websites giving advice, and done properly, ISO standards can genuinely drive change and improvement.  But are they worth being certified against?

As always, it will depend upon the ‘why’ you are doing it.

If you are looking simply to improve standards across the business, the cost and pain of certification may not be worth it.  You can still comply with the standard without being certified against it.  For example, it is worthwhile for SMEs working in the public sector to engage with ISO 27001, the information security standard.  Some bids require certification, but most only ask whether you have an information security management system (ISMS).  They will then often ask you to fill in hundreds of security-related questions anyway, which can make the certification feel pointless.  But understanding the ISO 27001 Annex A controls and mitigating risks in the business is a worthwhile exercise regardless.

Being certified is expensive in both monetary and resource terms.  You need to weigh up the value of it.  We wrote a Project Initiation Document when considering our ISO journey.  It needed everyone to be on board and to own the system.  Being certified was the right decision for Rowe, but it isn't for every business.

What I have since learnt is the value of a good auditor.  They will take the time to understand the business and how the standard has been implemented.  An auditor who focuses on how you safely collect the post from reception rather than on how you ensure secure development adds no value.  An auditor who questions and ensures that the system is fit for purpose is worth their weight in gold.  They are part of the continual improvement process and ultimately the reason for certification.

So to certify or not to certify?  What do you think?