One of the obvious questions every organization that decides to become certified to an international standard needs to be able to answer is “how long will it take?” An answer is needed for planning purposes, for approval of the project, for customers and for resource allocation, to name but a few reasons.
Timescale estimation is not an exact science, as there are many variables involved, but we thought we’d take a look at the top 5 factors that determine the overall timeframe from start to finish of a certification project.
The time it takes to get from A to B obviously depends on how close together the two are, and achieving ISO certification is no different. So if you are already doing much of what the standard requires then your journey may well be a relatively short one. All of the standards CertiKit deal with (ISO27001, ISO20000 and ISO22301) basically consist of two parts: the management system and the subject area (e.g. information security, IT service management, business continuity). Often an organization is already meeting many of the requirements for the subject area, and it’s the management system that it needs to put in place. This will involve setting more formal objectives, holding management reviews, performing risk assessments and internal audits etc., and this can take some time.
The most common way to establish your starting point is to conduct a gap assessment, either internally (we provide a gap assessment tool in the toolkit) or by getting a third party to do it. This can be useful, and is probably of more help if you believe you are not that far from being conformant at the moment, as it will highlight the extra bits you need to address. If you know that you have very little in place currently then a gap assessment will be of limited use to you, as it will simply be a long-winded and potentially expensive way of telling you what you already know.
ISO allows a fair degree of flexibility in defining the scope of your management system (and therefore your certification). You can include or exclude offices or locations, products and services, parts of your organization and other aspects of your business such as specific customers. Clearly, the larger the scope you decide upon, the longer it may take to become certified to your chosen standard. The default position should be that everything is in scope unless you have a good reason to exclude areas but for a large organization a clear scope definition can be a useful tool for breaking a certification project up into more manageable chunks. For a smaller organization you may find that reducing the scope is counter-productive as you can spend more time worrying about how to exclude areas than you save by excluding them, so choose carefully.
It’s a common saying that “many hands make light work” and this is also true of achieving ISO certification. If you are able to dedicate significant resources to your project then you are more likely to make good progress. Often the implementation of new procedures and processes is in addition to people’s day job, and this can work well in fostering understanding of and commitment to the new ways of working. However, in many cases the day job has to take precedence when things are busy, with the result that ISO work takes a back seat. So the degree to which you are able to backfill people and free them up will make a difference to how soon you are ready for the audit. Obviously, using resource from outside the organization can also speed things up, but be careful that internal ownership of the management system and associated processes and controls is still established, otherwise you will have problems later.
Don’t forget also that the availability of internal and external auditors will have an impact on your certification timescales so plan ahead and get these resources booked in early.
Business never stands still and it may be that there are other activities going on that will compete with your certification project for priority and resource. Some of these may be known projects and others may crop up unexpectedly in the middle of your implementation. For those that can be predicted, try to plan around them and avoid those times when other activities will become more important. Examples we have seen before are data centre builds, office moves and seasonal activities, e.g. in retail and higher education. If something unexpected happens, such as a merger or acquisition or a disruptive event, you may have to accept that the ISO project will be put on hold for a while until it is resolved.
Management commitment is an oft-quoted prerequisite for major change within any organization and this is often driven by external factors such as profitability or customer demand. The degree to which ISO certification “must happen soon” will also determine when you finally get the certificate on the wall. Inevitably you will be competing for resources with other teams and projects, and the relative priority of an ISO implementation will depend on management’s perception of how useful certification will be. If it is likely to lead to more business then this can help a great deal, so if potential customers are saying it’s a “must-have” on their shopping lists then timescales will inevitably be shortened and you may find yourself under pressure to deliver.
We’ve looked at some of the factors that will affect how long it will take your organization to become certified to the ISO standard of your choice and of course there are many others we could have included, including the size of your organization, the industry you are in and your geographical location. Each organization must decide how important certification is compared to the other things it can do with its resources and plan accordingly.