If you’re a follower of our blog you may remember that CertiKit started on the road to add ISO9001 to our existing ISO27001 certification back in the latter months of 2015 (see our earlier article). The new version of ISO9001 had just been published and we wanted to find out how easy it would be to implement and run a combined management system that conforms to the ISO’s new “Annex SL” structure (if you don’t know what that is, see our blog post on the subject).
Well the good news is that we had our stage 2 audit in December 2015 and our certification to ISO9001:2015 was confirmed in January 2016. We used BSI as our Registered Certification Body (RCB) and were suitably impressed with their responsiveness and admin organization and the quality of the auditor herself.
Although we are now running a combined management system, we took the decision to keep our ISO27001 and ISO9001 audits separate and to use two different RCBs (we use ISOQAR for ISO/IEC 27001). This makes sense for us because it gives us more exposure to the RCBs and a wider variety of auditing styles so that we can better help our customers, but for most organizations it would probably be appropriate to use a single RCB for both standards.
Having already put the main components of the management system in place we found it very straightforward to add the extra requirements of ISO9001 and broaden the objectives, metrics, roles and processes to be more business, rather than security, related. We would summarize the top 5 lessons we learned as follows:
Lesson 1 – It’s useful to set objectives – although we were measuring many aspects of our business, we hadn’t defined where we were trying to get to in enough detail. Doing this has helped understand what we (and our suppliers) need to do to meet the new objectives and carry the business forward.
Lesson 2 – Don’t bother with ISO9000 (Fundamentals and Vocabulary) – although the ISO9001 standard describes ISO9000 as “essential background”, we bought it and then wished we hadn’t. In our humble opinion it didn’t add much to our implementation efforts, and it includes some quite frankly weird spider-like diagrams at the back that didn’t help our understanding at all. Save your money (sorry ISO).
Lesson 3 – Better understanding of risks and opportunities – for the first time, ISO9001 asks you to identify and address risks and opportunities (clause 6.1), although it doesn’t prescribe a particular risk assessment method. Nothing new to those familiar with other standards such as ISO/IEC 27001, ISO/IEC 20000 or ISO22301 perhaps. But we did find that risk-assessing the business processes was a useful addition to our existing, asset-based risk assessment for ISO27001. And we had a long discussion with the auditor about what an opportunity is and how to assess one (basically a risk with a positive potential outcome, so it can be scored on likelihood and impact in the same way).
Lesson 4 – Supply chain is where it’s at – OK, our customers have been telling us this for ages, but we came out of the audit with increased determination to look hard at our suppliers, both during procurement and once established. It’s very easy nowadays to Google a requirement, find a cloud supplier and sign up within minutes, without having done enough due diligence from a security, business and legal angle. Don’t assume it’s safe, check.
Lesson 5 – Procedures are boring, but necessary – having been through the process of documenting the way we do things, we actually found it helped a lot, both in asking why we do it that way and in helping to ensure it’s done that way each time. Although ISO9001:2015 no longer insists on documented procedures for most activities, writing them down really is a no-brainer.
We’re delighted that CertiKit itself is certified to both ISO/IEC 27001 and ISO9001 because it’s good for our business, good for our customers and good for our industry too.
So if you’re already certified to the 2008 version of ISO9001 and you’re wondering how difficult the changes will be, rest assured that it’s really not that bad. And if you already have another management system in place (e.g. ISO27001) then you have a great head start.