Whether it’s ISO 13485 for managing the quality of medical devices throughout their life cycles or ISO 22000 for confidently managing food products, ISO standards are considered the leading best practices internationally agreed upon by experts, and they run the gamut from quality management to IT security standards.

Abiding by relevant ISO standards not only guides your business decisions with vetted industry wisdom, but it also provides:

• consumer confidence
• a competitive edge
• regulatory assurance

The question then becomes: exactly how does a business implement and maintain ISO compliance?

In this post, we’ll define ISO compliance and why it is a game-changer for businesses. We will also look at a few examples of ISO compliance and how your business can achieve ISO compliance as well.

What exactly is ISO compliance?

ISO compliance is the act of adhering to the requirements of ISO standards.

ISO compliance is different than ISO certification. ISO compliance means voluntarily using ISO standards as guidelines for aligning your policies, processes and operating procedures. Formal ISO certification typically involves a lengthy, sometimes costly process where an independent body conducts a comprehensive audit and then provides written assurance that your product or service meets the requirements of designated ISO standards. The ISO organization does not provide the actual certifications or assessments, which is why these are also known as “third-party conformity assessments.”

To fully understand ISO compliance, it’s helpful to understand what ISO is. ISO is the acronym for the International Organization for Standardization, a global, non-government organization whose members represent various national standards organizations. ISO members bring together experts “to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges.”

ISO standards are the cumulative recommendations of these subject matter experts who fully understand the needs of the specific industry organizations they represent, like producers, manufacturers, buyers, sellers, customers, users, or regulators.

ISO Compliance vs. ISO Certification

Rather than go through the cost, time, and effort of official certification, self-assessed compliance may meet customer expectations, particularly for something like ISO 9001:2015 Quality Systems Management. For example, you would still implement an ISO-aligned QMS, but you would not proceed with hiring an external certification body. ISO compliance is a viable and efficient option for businesses to show accountability against requirements, particularly those adhering to ISO 14001:2015 Environmental Management Systems, ISO/EIC 27001: 2013 Information Technology, and ISO 45001 Occupational Health & Safety Management Systems.

Why is ISO compliance important?

Why does ISO compliance matter? Should you pursue formal certification versus diligent self-compliance?

Many companies choose to become ISO-certified because it can give them a competitive advantage. While there are no fines or penalties for ISO non-compliance, if you’re a manufacturer or a wholesaler, ISO certification, indeed, ensures that your products and procedures meet the highest, internationally recognized standards. In addition to increasing your credibility, being ISO-certified can also influence other benefits, such as lower insurance premiums (as a result of good practices in place) and increased sales (as a result of efficient, quality production).

Based on an estimation of the number of valid certificates as of December 31, 2020, the latest results of the 2020 ISO survey show an increase, from 2019, of approximately 18% of the total number of valid certificates for the 12 ISO management system standards. According to ISO, “part of this is due to the very large increase in the certification to ISO 45001 that was published in 2018. ISO 45001 replaces OHSAS 18001 which was not previously included as it was not an international management system standard.”

With or without formal certification, complying with ISO standards & requirements can provide substantial benefits to a company in several ways:

• increased reputational value
• improved performance capabilities
• increased customer satisfaction & trust
• reduced costs
• better risk management

3 examples of ISO compliance with Onspring

The most common ISO family of standards among Onspring customers is ISO 27001. As one of the most widely recognized and prestigious security standards available, the ISO 27001 is a standards-based certification for IT Security Management Systems that helps organizations create and maintain emergency response plans in severe cyber incidents. The response plans ensure that all employees are aware of how they should react if an attack on the company’s system or website should occur. Having the clearest and best plan in place for such events is critical not only for the business proper but also for a company’s entire ecosystems of connections, customers, partners, and suppliers.

Here are three examples of businesses that have used Onspring to manage and maintain ISO 27001 compliance.

1. Curvature

Curvature is a global leader in new and pre-owned IT hardware. As such, they have a rigorous Information Security Management System (ISMS) and a high-level security committee that is committed to preserving the integrity, confidentiality, and availability of all its information assets throughout its organization by supporting the ISMS framework, including ISO 27001, and continuously reviewing the system for improvement. This effort protects their customer data, protects their reputation, adds a competitive advantage, and maximizes their return on business opportunities.

Managing, achieving, and maintaining ISO 27001 with Onspring confirms that their ISMS is compliant with current industry standards and best practices. Simultaneously, Curvature maintains:

• ISO 14001 Environmental Management System (EMS) certification with regard to its environmental responsibility toward refurbishment and reselling.
• ISO 45001 Occupational Health and Safety Management System certification for providing a safe and healthful workplace.
• ISO 9001 Quality Management System (QMS) certification, demonstrating its ability to deliver the highest quality levels of procurement and refurbishment services for the telecommunications industry worldwide.

 “We created a suite of applications that manage our strategic objectives, tactical objectives, projects, and supporting processes. By measuring the maturity of the supporting process, we can show the maturity of the overall program,” says Christopher Johnson, senior director, IT risk management at Curvature.

According to Johnson, Onspring has greatly enhanced the team’s reporting to the executive leadership team and their board of directors, using the data in Onspring to inform their roadmap. ”Our ISO auditor has been very pleased with the use of Onspring to manage nearly every aspect of our program,” says Johnson.

2. Benevity

Nearly 800 recognized brands rely on Benevity’s corporate social responsibility software for employee engagement, community investment, and customer engagement. As a global company with global clients, Benevity’s products and services are regulated beyond North America, which means they must have international security and compliance practices in place to safeguard data.

Benevity’s security operations team has implemented leading standards and frameworks to ensure that Benevity’s environments—physical locations, IT infrastructure, applications, databases, and third-party providers— are as secure as possible. These include:

• COBIT issued by the IT Governance Institute
• ISO 27001 specification for an Information Security Management System (ISMS)
• SANS Critical Security Controls
• Cloud Security Alliance’s Cloud Controls Matrix

According to Henry Maphosa, vice president of business operations at Benevity, centralizing the ISO 27001 IT Security Management System certification process improves IT cybersecurity standards for any company. In their case, Benevity chose Onspring.

“Onspring gives us a place where we can test once but report in several different ways,” says Maphosa. “We can put all policies and controls in one place and then rationalize that this control meets the requirements of clients A, B, and C. It also meets this ISO 27001 requirement and is included in our SSAE 16 report.”

3.     CommScope Arris

As an international leader in infrastructure solutions for communications networks, CommScope Arris designs manufactures, installs, and supports the hardware infrastructure and software intelligence that enables our modern digital society, such as network convergence, fiber, and mobility everywhere, 5G, Internet of Things and technology architectures.

As you can imagine, there are many layers its technology compliance areas. In fact, for this industry, ISO and International Electrochemical Committee (IEC) work together as a Joint Technical Committee (JTC) to establish standards for cabling. CommScope Arris is active in their Subcommittee 25, Interconnection of Information Technology Equipment, developing worldwide Information and Communication Technology (ICT) standards for business and consumer applications as well as providing the standards for integrating ICT technologies.

When it comes to the requirements for Customer Premise Cabling alone, CommScope Arris maintains compliance with 13 different ISO/EIC standards for cabling systems on customer premises, including test procedures, planning, and installation guidelines.

“Onspring has been a key resource for our organization for our ISO27001/2 compliance and certification with executive-level reporting,” says Josh Knight, information security specialist at CommScope Arris. For Knight, “The Onspring team has been exceptionally supportive since implementation, never failing to deliver a promise on a deadline whenever called upon, and our organization plans on continued usage and expansion of the platform.”

3 Tips to prepare for ISO compliance

If you are just beginning to plan for your ISO compliance, particularly with compliance software like Onspring, here are a few things to keep in mind.

1. Plan for an internal audit first.
   If you are vying for official ISO certification with a third party, it’s wise to conduct an internal audit first to check that requirements have been met. This will allow you to identify any gaps or areas that need remediation before the formal ISO audit.
2. Remediate vulnerabilities as quickly as possible.
   This is simply good risk management and compliance wisdom in any situation, but particularly as you prepare for ISO certification and your ISO self-assessments. No one wants to waste time and money on failed certifications. (And remediation workflows can be managed efficiently in Onspring.)
3. Centralize & connect your documentation
   Policies, controls, assessments, remediation efforts, risk management protocols—the entire gamut of your audit trail and compliance program should be documented in a standardized way, centrally organized, and interrelated for an accurate view of your current state, past actions, and future improvement plans.

Closing

ISO compliance benefits organizations by providing clear standards—from international experts—with which to operate their businesses. ISO compliance and, in turn, ISO certification is particularly important with regard to ISO 27001, and if you’re looking for a compliance software solution to manage ISO 27001 compliance, it must have the ability to map controls to standards and requirements as well as relate audit work, findings and remediation efforts for truly accurate documentation and reporting.