ISO stands for the International Organization for Standardization. Headquartered in Geneva, Switzerland, ISO comprises members from 164 nations who develop and produce publications guiding businesses and organizations of nearly every kind in achieving the highest standards of quality in their processes and products.

ISO’s development began in 1946, when 65 delegates from 25 countries met in London to discuss the need for international standards and their development. The following year, the organization had its first meeting of 67 technical committees, or groups of experts each focusing on a different subject.

The organization published its first standard, or “recommendation,”” in 1951: ISO/R 1:1951 Standard reference temperature for industrial length measurements, now ISO 1:2002 Geometrical Product Specifications (GPS) – Standard reference temperature for geometrical product specification.

Over time, the organization grew in membership and expanded its influence, becoming particularly noted for its standards establishing an International System of Units (establishing the second as the official unit of time, for instance); and governing freight and packaging, and environmental quality.

Although there are more than 22,700 ISO standards for different industries today (and counting), a few stand out as important and influential:

The best-selling ISO 9000 family, governing quality management systems (QMS). ISO 9001 is the only standard in this group eligible for certification.

ISO 14001, which provides tools for companies and organizations to help them identify and control their environmental impact

The ISO 27000 family of information security standards, including ISO/IEC 27001, which governs information security systems management (ISMS).

ISO matters because compliance has become a must for pretty much every industry. The benefits of ISO certification, which requires an audit to prove compliance, now extend beyond the prestige of taking that extra “step.” Certification for relevant ISO standards has itself become the standard.

The difference between ISO compliance and ISO certification comes down to one word: audits.

ISO certification requires an external audit by an independent professional who has been accredited by the Committee on Conformity Assessment (CASCO). Mere ISO compliance does not require this audit.

Both ISO compliance and ISO certification are voluntary: These aren’t regulations, but recommendations. That said, however, some organizations, such as manufacturers, may require their third-party suppliers to be ISO certified to ensure the quality of their own goods, services, and processes and the security of their information, systems, and networks.

The benefits of certification are many, including international recognition and, in many industries, the ability to do business at all.

But some organizations, in particular smaller ones with smaller budgets, may opt out of the cost and preparation time needed to pass the audit required for certification. Instead, they may decide that compliance is good enough, and forego the added expense and hassle.

Some of the most commonly sought-after ISO certifications include:

ISO 9001:2015, the international standard for quality management systems (QMS). This standard promotes a process approach to management, examining more than 20 processes.

ISO 27001:2013, the international standard for information security management systems (ISMS)

The pros and cons of ISO certification vs. ISO compliance include:

1. EXPENSE

• Compliance: By choosing compliance only, your organizations may forego costs associated with ISO certification audits, which take place every three years; registration, and off-year “surveillance” audits. You also avoid having to pay the costs of continuous improvements to your QMS or ISMS. However, organizations that opt out of certification may lose business and revenue.
• Certification: Getting certified means paying for certification audits, registration, and surveillance audits. However, since audits tend to be priced according to number of employees, smaller businesses won’t pay as much for them as larger ones.

2. TIME

• Compliance: Depending on the ISO standard and the size and complexity of your organization, ISO compliance can take anywhere from a few months to several years.
• Certification: Achieving ISO certification requires the same processes as compliance, plus added time to prepare for and pass an audit. For ISO 27001, the audit is quite lengthy, taking place in two stages.

3. INTERNATIONAL RECOGNITION

• Compliance: Depending on the ISO standard and the size and complexity of your organization, ISO compliance can take anywhere from a few months to several years.
• Certification: Achieving ISO certification requires the same processes as compliance, plus added time to prepare for and pass an audit. For ISO 27001, the audit is quite lengthy, taking place in two stages.

4. MARKETING

• Compliance: Organizations that are merely compliant have the satisfaction of knowing they meet the relevant standards, but lack the marketing clout that certified companies possess.
• Certification: Those achieving a coveted ISO certification can trumpet their status on their website and in other marketing materials, claiming the edge over uncertified competitors.

5. MAINTENANCE

• Compliance: Enterprises foregoing certification can achieve compliance and move on to other tasks, without having to demonstrate ongoing compliance or pass yearly surveillance audits.
• Certification: Certification requires passing an audit just once every three years, but less-intensive yearly surveillance audits ensure that you continue to meet the relevant ISO standards and that you strive for continual improvement in your enterprise’s processes.

There are more than 22,600 ISO standards to date for many industries. Some of the most common are:

• ISO 9001:2015, a standard for general organizational Quality Management Systems (QMS) including vendor management. ISO has QMS standards for specific industries, as well.
• ISO 27001:2013, a standard for Information Security Management Systems (ISMS)
• ISO 14001:2015, a standard for Environmental Management Systems

These standards can apply to any organization, large or small.

Many other ISO standards were written for a particular industry. Shipping, manufacturing, medical, technology, and rail, even cocoa bean production: These industries and others have their own specific ISO standards.

ISO standards include:

Quality

• ISO 10004:2012 Customer satisfaction
• ISO 10006:2017 Projects
• ISO 13485:2016 Medical devices
• ISO/TS 16949:2009 Automotive
• ISO 17582:2014 Electoral organizations
• ISO 18091 Local government
• ISO 19443:2018 Nuclear energy
• ISO 20001 Educational organizations
• ISO/TS 22163:2017 Business management system requirements for rail organizations
• ISO/TS 29001 Petroleum, petrochemical and natural gas industries
• ISO/IEC 90003 Software engineering

Industry

• ISO 14298:2013 Graphic technology – Management of security printing processes
• ISO 15378:2017 Primary packaging materials for medicinal products
• ISO 16000-40 Indoor air
• ISO 34101-1 Sustainable and traceable cocoa

Environment and energy

• ISO 14002-1 Environmental management systems—guide for applying the 14001 framework
• ISO 14004:2016 Environmental management systems—general guidelines on implementation
• ISO 14005:2010 Environmental management systems—guidelines for phased implementation
• ISO 14006:2011 Environmental management systems—guidelines for incorporating ecodesign
• ISO 14009 Environmental management systems—guidelines for incorporating redesign of products and components to improve material circulation
• ISO 50001:2018 Energy management systems
• ISO 50004:2014 Energy management systems—guidelines for implementation, maintenance and improvement

Services

• ISO 21101:2014 Adventure tourism safety management
• ISO 21404:2018 Tourism and related services: Sustainability management system for accommodation establishments
• ISO 24526 Water efficiency
• ISO 20121:2012 Event sustainability
• ISO/IEC 20000-1: 2011 Information technology—service management

General management

• ISO 19600:2014 Compliance management systems
• ISO 26000 Social responsibility
• ISO 30301:2011 Information and documentation
• ISO 30401 Human resource
• ISO 31000 Risk management
• ISO 37001:2016 Anti-bribery
• ISO 37002 Whistleblowing
• ISO 37101:2016 Sustainable development in communities
• ISO 37301 Compliance management
• ISO 41001 Facility management
• ISO 44001:2017 Collaborative business relationship management
• ISO 44002 Guidelines on the implementation of ISO 44001
• ISO 55001:2014 Asset management
• ISO 55002:2014 Guidelines for the application of ISO 55001
• ISO 56002 Innovation management

Safety and security

• ISO 22000 Food safety management systems
• ISO 22004:2014 Guidance on the application of ISO 22000
• ISO 10377:2013 Consumer product safety
• ISO 10393:2013 Consumer product recall
• ISO 18788:2015 Private security operations
• ISO 22301:2012 Societal security—Business continuity management systems
• ISO 24518:2015 Crisis management of water utilities
• ISO 28007-1:2015 Ships and marine technology
• ISO 29001:2012 Road traffic safety
• ISO/DIS 45001 Occupational health and safety
• ISO/IEC 80079-34:2011 Explosive atmospheres
• ISO/NP 35001 Laboratory biorisk
• ISO/TS 34700:2016 Animal welfare management

Information technology

• ISO/IEC 20000-1 Service management Part 1
• ISO/IEC 20000-2 Service management Part 2
• ISO/IEC 27003:2017 Security techniques
• ISO/IEC 20000-1 Enhancements to ISO/IEC 27001 for privacy management
• ISO/IEC 27010:2015 Information security management for inter-sector and inter-organizational communications
• ISO/IEC 27013:2015 Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 90003:2014 Software engineering
• ISO/IEC DIS 19770-1 IT asset management

The International Organization for Standardization (ISO) has developed a variety of frameworks designed to help organizations better manage their business in areas including:

• Quality
• Safety
• IT security
• Environmental impacts
• Assets
• Business risk

Framework vs. Standard

“Framework” is defined in one dictionary as “a basic structure underlying a system, concept or text.” In business, frameworks provide a structure for organizations to use to improve their processes or operations. Frameworks are often fairly general, and not prescriptive. They tell what to do, but not how to do it.

Most business and IT frameworks serve to mitigate risks and support internal controls. These processes also must accommodate various measures for risk, financial reporting and revenue performance.

Framework types:

• Quality frameworks, which provide a structure for designing, establishing, and maintaining quality management systems
• Control frameworks, sets of fundamental controls aimed at preventing financial or information loss
• Program frameworks, which help build, assess, improve, and maintain programs
• Risk frameworks, which guide through the process steps necessary to successfully manage risk and reduce risk levels
• Cybersecurity or information security frameworks, designed to help reduce exposure to cyberattacks

Standards, on the other hand, are governance best practices used by various companies.

Standard may be included in guidelines, regulations, frameworks, models, processes, and internal controls for managing business and IT functions.

Standards define mandatory requirements for business and IT audit and assurance. They inform audit and assurance professionals of the minimum level of acceptable performance required to meet professional responsibilities and requirements, and direct how to meet them.

The International Organization for Standardization, or ISO, creates and publishes international standards, which it defines as “documents that provide requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose.”

Because ISO strives to standardize business processes and procedures around the world, it has published more than 22,700 standards.

For instance, the ISO 9001 standard contains guidelines for establishing and maintaining a quality management system (QMS).

The ISO/IEC 27000 family of standards is designed to help organizations “manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.” ISO sets standards by which to manage information security management systems (ISMS). This ISO 27000 family includes:

• ISO 27000 Information security management systems overview and vocabulary
• ISO 27001 Information security management systems requirements
• ISO 27002 Guidance on applying the ISO 27001 controls
• ISO 27005 Conducting an information security risk assessment
• ISO 27015 Information security management for financial services
• ISO 27017 Cloud services information security controls
• ISO 27031 Information and communication technology readiness for business continuity
• ISO 27032 Cybersecurity best practices

Contained in many frameworks and standards are “controls,” or countermeasures or safeguards aimed at minimizing organizational risk. For example, ISO 27001 contains controls to help protect the confidentiality, integrity, and availability of data in an information security management system.

Quality Management Principles (QMPs) form the basis of ISO 9000 and 9001 as well as other quality management standards developed by the International Organization for Standardization (ISO). These principles can help manage a quality management system (QMS).

The seven principles are (in no specific order):

1. Customer focus: The primary focus of quality management is to meet customer requirements and strive to exceed customer expectations.
2. Leadership: Leaders at all levels establish unity of purpose and direction and create the conditions in which people are engaged in achieving the organization’s quality objectives.
3. Engagement of people: Competent, empowered and engaged people at all levels throughout the organization are essential to enhance its capability to create and deliver value.
4. Process approach: Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
5. Improvement: Successful organizations have an ongoing focus on improvement.
6. Evidence-based decision making: Decisions based on the analysis and evaluation of data and information are more likely to produce desired results.
7. Relationship management: For sustained success, an organization manages its relationships with interested parties, such as suppliers.

For many organizations, achieving ISO certification demonstrates that they have met ISO standards and are committed to ongoing, continuous compliance with the international business standard or standards relevant to them.

ISO developed its 22,700 standards in the interest of consistency among organizations worldwide in such areas as safety, security, and quality control.

ISO certification, like compliance, is voluntary. Not every ISO standard is eligible for certification. The International Organization for Standardization doesn’t provide these certifications. They must be issued by an independent, third-party auditor accredited by ISO’s Committee on Conformity Assessment (CASCO). The ISO website lists 10 standards that entities have been certified for over the years:

1. ISO 9001, a standard for general organizational quality management systems (QMS)
2. ISO 14001, a guide to developing an effective environmental management system
3. ISO/IEC 27001, information security management systems (ISMS)
4. ISO 50001, energy management systems
5. ISO 22000, food safety management systems
6. ISO 13485, medical devices
7. ISO 22301, business continuity management systems
8. ISO 20000, information technology service management systems
9. ISO 28000, security management systems
10. ISO 39001, road traffic safety management systems

Benefits to organizations who procure ISO certification include:

• Increased credibility and international recognition
• Potentially increased revenue/competitive advantage
• Demonstration that the entity maintains a culture of security, and assurance that it keeps confidential information, and the exchange of information, secure
• More efficient processes
• Greater consistency of business operations
• Enhanced customer satisfaction
• Demonstrated commitment to minimizing risk exposure
• Increased productivity
• Better quality of goods and services offered
• Increased protection of the company and its assets and shareholders
• Ability to use certification to promote the business

Taking the steps necessary to achieve ISO certification can help your organization comply with other regulations.

Although industry and business compliance with ISO is widespread, not every organization pursues certification. Some opt out of what can be a costly and time-consuming certification process. But these organizations may be missing out on some of the benefits that certification confers. Mere compliance, which is akin to self-assessment, does not stack up next to a “seal of approval” from an independent, accredited third-party auditor or assessor.

Certification that your company complies with International Organization for Standardization criteria is usually a matter of want, not need. For most industries, certification is voluntary. But certain organizations do need to be certified to do business. To determine whether you are one of them, ask yourself the following questions:

• Is ISO certification required for my industry or business? Just as different ISO standards apply to various industries, rules vary among sectors, as well. For example, ISO 9001 certification, attesting that an enterprise’s quality management system (QMS) meets the standard, is required for automotive industry suppliers.
• Are your competitors ISO certified? If they are and you are not, your business will suffer.
• Do you conduct business internationally, or wish to? ISO standards are international standards, highly respected around the globe.
• Are your customers and clients concerned about data security and privacy? Attaining an ISO 27001 certification verifies that you are committed to protecting their confidential information.
• Are you contractually obligated to maintain certification for an ISO standard or standards?

From this list, it’s easy to see why ISO certification is a must for many organizations. Although some organizations opt out of expensive certification audits and are content to reach ISO compliance, many others need certification to be competitive, it’s expected in their industry. Others have clients or customers who demand certification as a condition of doing business.

And even if you don’t need it, the many benefits of ISO certification—prestige, international recognition, customer confidence, proven commitment to maintaining the highest standards in your industry or sector—may convince you to pursue it, anyway.

The International Standards Organization (ISO) embarked on the development of these standards in 1947 to establish consistency and quality of goods and services worldwide. Proving beyond a doubt that you are committed to meeting ISO standards establishes you as a member of an internationally respected group.

The ISO certification process can be lengthy, taking as long as three years for organizations to prepare for that first-time ISO audit. However, the process is essential for any organization planning to apply for ISO certification. Advance preparation is a must to ensure a successful audit. ISO recommends a process-oriented, “Plan, Do, Check, Act” approach.

1. PLAN: Planning and Preparation

• Develop the relevant management system for your enterprise. For which ISO standard or standards will you be certifying? ISO 9001, governing quality management systems (QMS), and ISO 27001, setting standards for information security management systems (ISMS), are the most popular. For this step, you will need to identify and document your business objectives and processes pertinent to the standard or standards for which you are pursuing certification. Value stream mapping, systems architecture mapping, and the ISO standard itself can all help. You also may wish to designate a team of employees and management to oversee the ISO certification initiative, and a lead person to direct the process. A checklist can help ensure that nothing gets missed.
• Analyze your gaps. Study the ISO standard you have chosen with an eye toward where you comply and where you fall short. For this step, you may wish to work with an ISO consultant.
• Analyze your risk. Conduct a risk analysis of your processes and decide how to mitigate or minimize those you find.
• Train your personnel. Make sure that everyone is familiar with the ISO standard or, if you’re renewing certification, with updates to the existing standard.

2. DO: Systems and ISO implementation

• Implement your new or updated system. This can happen in-house, or you may work with a consultant.
• Train employees in how to use the system.
• Check to ensure that the system is working as it should, following the proper ISO standard.

3. CHECK: Testing

• Implement your new or updated system. This can happen in-house, or you may work with a consultant.
• Train employees in how to use the system.
• Check to ensure that the system is working as it should, following the proper ISO standard.

4. ACT: Closing compliance gaps

• Make changes where needed to bring your organization into compliance.
• Document everything, from the first step through the last.

5. AUDIT: Getting your certification

• Choose an ISO certification company to work with. This company consists of a registrar, independent, third-party assessor, and other personnel to help with the certification process. Make sure to find a company that is accredited by ISO’s Committee on Conformity Assessment (CASCO)—otherwise, your audit will not be valid. The certification company may also provide you with an ISO certification kit that can be very helpful as you prepare for your audit.
• Gather your documents. You will need to provide evidence to the auditor of your compliance efforts. Exactly which documents you need will vary depending on the standard. Reciprocity’s ISO audit guide contains great advice on preparing for an ISO 27001 audit, including a detailed checklist.

Two birds, one stone

Because ISO certification applies to standards for general management—of quality, information security, information technology, food safety, and business continuity, among other categories—enterprises often need more than one ISO certification.

The good news is that ISO 9001, governing quality management systems (QMS), can usually be integrated with other management standards to streamline the ISO certification process. A quality GRC software may tell you where you already conform to ISO standards so you can avoid costly and time-consuming duplication of efforts.

The “Plan, Do, Check, Act” steps needed to achieve ISO certification are essentially the same as those required for ISO compliance except that, to be merely compliant, you don’t need an external audit.

In either scenario, the quality of your organization’s management system or systems—be it a quality management system (QMS), information security management system, (ISMS) or something else—will play a major role in determining your ISO compliance.

ISO compliance entails developing and implementing the management system or systems relevant to the standard or standards with which your enterprise seeks to comply.

If independent from certification, compliance also means being responsible for ensuring that you maintain compliance over time, which entails striving for continual improvement in your management systems and processes.

Enterprises choose compliance over certification for a variety of reasons. Many ISO standards are not eligible for certification.

The most commonly certified standards are management standards including:

• ISO 9001, for quality management
• ISO 27001, for information security management
• Other standards governing food safety, business continuity security, traffic safety, energy, internet technology service, and risk management. On the other hand, the entire ISO 9000 family except ISO 9001 is ineligible for certification.

Organizations choose to be compliant with ISO standards for many reasons, often because compliance helps them stay competitive or improve their business processes and, by extension, their profits.

On the other hand, noncompliance with the most important ISO standards—ISO 9001 and ISO 27001, for most entities—can mean a loss of international reputation and business.

For guidance through the ISO 27001/2 compliance process, an ISO compliance checklist can be invaluable, saving your enterprise time and money.

An enterprise’s ISO certification costs depend on several factors, including the organization’s size, complexity, and maturity level.

The larger and more complex the organization and the less mature the business’s quality management system (QMS), information security system (ISMS), or other area governed by the relevant ISO standard, the higher your auditor costs and other ISO costs will be.

Estimates range from $3,125 for a small (up to 25 employees) enterprise with a mature system in place, to $78,000+ to a very large (500-1,000 employees) with no system in place at all.

Factors to consider when drawing up your ISO certification budget include:

• Internal resource costs. The internal team designated to oversee ISO compliance and certification will spend time away from their other duties performing ISO-related tasks, including:
  • Establishing or improving your QMS, ISMS, or other pertinent systems
  • Implementing the system
  • Performing a gap analysis and risk analysis, as needed
  • Conducting an internal audit to determine compliance with ISO
  • Ongoing system maintenance
• External resource costs. Hiring consultants and an ISO certification company accredited by ISO’s Committee on Conformity Assessment (CASCO) will incur additional costs, depending on the scope of your ISO system implementation and assessment. Those costs include:
  • Implementation costs
  • The cost of a registrar to oversee your ISO application and audit
  • Audit fees (once every three years)
  • Costs to train employees in ISO and in the use of the new or upgraded system
  • “Surveillance audit” fees (yearly) to confirm ongoing ISO compliance

The International Organization for Standardization (ISO) defines an ISO audit this way:

A systematic and independent examination to determine whether quality activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve objectives.

There are three types of ISO audits: First party audits, second-party audits, and third-party audits

1. First-party audit.

This audit, conducted internally, is basically a conformity assessment to check for compliance gaps and prepare your enterprise for an external ISO certification audit.

2. Second-party audit.

An organization with which you are doing business may audit your enterprise to determine whether you are ISO compliant. Or, you may have your company’s auditor perform an ISO audit on one of your contractors or suppliers.

3. Third-party audit.

An auditor accredited by ISO’s Committee on Conformity Assessment (CASCO) assesses whether your organization complies with the appropriate ISO standard. Audit costs depend on your entity’s size, complexity, and maturity level.

The American Society for Quality (ASQ) lists three types of audit.

• A process audit verifies that your organization is doing what it says it is, and that it uses processes that conform to the standard for which you are certifying. The auditor may:
  • Check conformance to defined requirements such as time, accuracy, temperature, pressure, composition, responsiveness, amperage, and component mixture.
  • Examine the resources (equipment, materials, people) applied to transform the inputs into outputs, the environment, the methods (procedures, instructions) followed, and the measures collected to determine process performance.
  • Check the adequacy and effectiveness of the process controls established by procedures, work instructions, flowcharts, and training and process specifications.
• A product audit examines a particular product or service, such as hardware, processed material, or software, to evaluate whether it conforms to the relevant standard.
• A system audit scrutinizes a management system. It’s a documented activity that verifies, by examination and evaluation of objective evidence, that applicable elements of the system are appropriate and effective and have been developed, documented, and implemented in accordance and in conjunction with specified requirements.

Since most ISO standards eligible for certification govern systems (quality management systems, information security management systems, food safety management systems, environmental management systems), ISO certification audits are usually system audits.

A desk audit, with the auditor interviewing certain employees, and document review audit may be included in the ISO certification audit process.