So in my start-up introDus ApS, we're working on getting compliant with ISO 27001, making audits and much more. This post is basically my thoughts on the process coming into ISO standards as totally and utterly newbie.
In the future i will add a checklist post where i share standard documents for free as we make them for our company i will share it with everyone because it seems like a jungle
Enter the ISO jungle
Wtf is an ISO standard, where to start, why are we doing it and what is the difference of compliance and certification, was my initial questions. From those questions came loads more.
"The International Organisation for Standardisation (ISO/ˈaɪsoʊ/) is an international standard-setting body composed of representatives from various national standards organisations."
ISO standards have a series of stages they can be in, so before a ISO standard become a standard they have to go through the following stages:
- PWI – Preliminary Work Item
- NP or NWIP – New Proposal / New Work Item Proposal (e.g., ISO/IEC NP 23007)
- AWI – Approved new Work Item (e.g., ISO/IEC AWI 15444-14)
- WD – Working Draft (e.g., ISO/IEC WD 27032)
- CD – Committee Draft (e.g., ISO/IEC CD 23000-5)
- FCD – Final Committee Draft (e.g., ISO/IEC FCD 23000-12)
- DIS – Draft International Standard (e.g., ISO/IEC DIS 14297)
- FDIS – Final Draft International Standard (e.g., ISO/IEC FDIS 27003)
- PRF – Proof of a new International Standard (e.g., ISO/IEC PRF 18018)
- IS – International Standard (e.g., ISO/IEC 13818-1:2007)
So initially i thought that these standards was only towards digital products, but its widely spread across all kinds of sectors, i took the liberty to share some of the most common ones
- ISO 639 Language codes
- ISO 3166 Country codes
- ISO 4217 Currency codes
- ISO 8601 Date and time format
- ISO 9001 Quality management
- ISO 13216 ISOFIX child seats for cars
- ISO 13485 Medical devices
- ISO 14000 Environmental management
- ISO/IEC 17025 testing and calibration laboratories
- ISO 20121 Sustainable events
- ISO 22000 Food safety management
- ISO 26000 Social responsibility
- ISO/IEC 27001 Information security management
- ISO 31000 Risk management
- ISO 37001 Anti-bribery management systems
- ISO 45001 Occupational health and safety
- ISO 50001 Energy management
What is the difference of compliance and certification
The difference lies in self-proclamation of compliance or a third-party compliance proclamation. The third-party compliance usually cost an insane amount of money compared to the job they actually do.
Compliance is basically that your 100% adheres to all the requirements in the standard, for the ISO 27001 there are a series of documentation requirements and a series of requirements that require actions to be done.
Why are we doing this to ourselves?
Essentially you own a restaurant and you like your customers to come back as you usually do, you wanna make sure that the wholesaler complies with, (eg. 22000 Food safety management) so you don't get infected food. And if they comply with the ISO standard they are following a set of rules that makes it quite unlikely that a bad incident will happen.
So when your client requires you to comply with ISO 27001 it's a message of make sure you take the right precautions to secure their information.
My next task is to read up on ISO 27001, make a documentation toolkit and last but not least make a simple step by step list to make us compliant. And make it very easy for us to get certified if our clients require it.
Here are some of the resources i look at to get kick started:
Hope this helps you a bit of the way