Good news! You’ve achieved certification to an ISO standard, whether it’s for quality, information security, environmental management or perhaps another standard. It’s taken a while and it’s been hard work, but now it’s all over. Or is it?
After the initial excitement has faded, chances are you’ll be surprised at how quickly the first surveillance audit comes around. Will it be a case of having to create lots of missing information in a panic the day before, or will it be a shrug of the shoulders and a cool “let them come”? The choice is yours.
Here we take a look at five main principles of maintaining your ISO management system so that you remain audit-ready at all times.
If you’ve just achieved certification, chances are that your ISO management system is relatively new. As such, it’s likely to be a little rough around the edges, due partly to the need to put so many processes, procedures, reviews etc. in place in a short space of time, and partly due to the fact that ISO management systems are new to you, and your understanding of how they work is still developing.
Because of this, there is probably scope for streamlining your management system, including doing the following:
Once you’ve removed those parts of your management system that aren’t needed, it’s time to look at how you can automate as many of the remaining aspects of it as possible. There are lots of tools available today that can perform tasks that were previously manual (for example sending emails), improving not only their timeliness but also their accuracy. Look at each of your processes and procedures and ask yourself whether they can be fully or partially automated, perhaps using systems and cloud tools that you already use for other things. For example, can your document management review process be entered into a system that tracks versions and flags when a document is scheduled for review?
It’s not just systems that can be used to automate aspects of your management system; some aspects could be candidates for outsourcing, where you pay a third party for a service that saves you time and adds more knowledge to your management system. This could be relevant to keeping up to date with legal changes or keeping on top of your internal audits.
For those aspects that you can’t streamline or automate, the next option is to schedule them so that they don’t get forgotten. This could involve putting dates in calendars for infrequent tasks such as annual management reviews, risk assessments and the internal audit programme. For more frequent tasks, a structure of regular meetings (with minutes, of course) with set agendas may be helpful to ensure that you keep on top of things. Once your week, month, quarter and year are planned out, it becomes a case of following the schedule, rather than worrying about remembering what needs to be done.
One of the key ideas of an ISO management system is that it should be embedded within your organization, so that it’s not a separate entity, but “the way we do things here”. This partly comes down to awareness training for pretty much everyone, supplemented by more detailed training for people involved in specific processes or procedures.
This comes to the fore when changes happen such as moves or reorganisations; either the management system parts are retrofitted after the event (not good) or they happen naturally with everything else in the project (much better).
If you want to ace your surveillance audits every time, then you must have something to show the auditor. This is another area where it pays to be proactive because if you did something six months ago, your chances of recreating evidence of it are slim. Get into the habit of keeping records at the time and encourage everyone else to do the same.
Surveillance audits shouldn’t be stressful; they should be a welcome check that you haven’t missed anything and a boost to improving your management system still further. If you’re finding your heart rate is increasing weeks before the audit date, then try some of these tips to smooth the journey and keep everything on track to maintain your ISO certification.
Written by Ken Holmes, CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
CertiKit’s ISO Toolkits and ISO Services are available to help you first certify to your chosen standard(s), and then maintain your ISO certification long term. The toolkits come with a perpetual licence with ongoing updates and support, so you’ve got help whenever you need it.