
Lapsing ISO certifications: Myth versus risk

Allowing ISO certifications to lapse presents businesses with serious risks when workarounds are possible

With ISO audits currently on hold because of the Covid-19 pandemic, there has been a lot of furore around thousands of certifications potentially lapsing. Some affected businesses may shrug this off – after all, a lapsed certificate is not going to stop you trading.

Yet the reality is that ISO certifications are often crucial elements within contractual obligations. In many cases, the certifications your business holds form part of the reason clients or partners chose to do business with you in the first place.

Take ISO 27001, for example. This certification provides other companies with an assurance that you have a robust information security management system in place and that it has been independently assessed against the international standard. If the certification lapses, contracts with customers and partners that were secured on the basis that the certification was in place could be breached. What is more, your reputation and client relationships could be at stake.

And it’s not just existing relationships that are affected. By allowing the certification to lapse, you also risk losing out on new business opportunities from prospective clients who want to work with a company that has both gained and maintained the certification.

Beyond attracting and retaining business, ISO certifications have other tangible benefits. In the case of ISO 27001, certified businesses benefit from stronger internal governance and from leadership that visibly commits to robust security. If the certification is allowed to lapse, internal regard for security management could diminish along with it.

There are plenty of risks in allowing certifications to lapse, and in the current landscape businesses need to question whether those risks are really worth taking. But, despite the furore, you need not worry about being unable to get audited, because workarounds are entirely possible.

Many companies have been forced to embrace remote working during the pandemic, and certification bodies are taking the same approach to performing audits under the guidance of the United Kingdom Accreditation Service (UKAS).

We have seen first-hand clients successfully pursuing ISO 27001 certification over the last few months, with remote certification and surveillance audits arranged with certification bodies. We have also seen other certification activities that require in-person interaction being rescheduled, allowing companies to handle the business impact of Covid-19 without losing their certification.

If you decide to pursue the remote auditing route, you need to consider your approach carefully for the best chance of success. During on-site audits it is common for the auditor to choose who in the business they want to engage with, rather than for the business to decide who should drive the audit.


To ensure the most appropriate individuals become the auditor's points of contact during a remote audit, you need to fully understand the areas being assessed and identify who is responsible for each of them. Those representatives should then be available to the auditors throughout the assessment, with ready access to the evidence that will support a successful outcome.

Also be sure that those representatives can explain, as clearly as possible, the policies, processes, awareness initiatives and training they have implemented in their areas.

Preparing for an ISO certification audit can be time-consuming and costly, and given the business challenges that have arisen from the pandemic, your business may be looking to cut costs where possible. But although allowing a certification to lapse might seem tempting, the benefits of holding a certification really do outweigh the risks of letting it go.

The pandemic has rapidly accelerated digital transformation across nearly all industries, and you need to consider how a lack of certification will look against the increased scrutiny of how systems, processes and security are managed. Similarly, if your business is not yet certified and is now reconsidering whether to bother going for an ISO certification, the same arguments apply. A certification could be crucial to winning and retaining customers, now more so than ever before.

To ensure your business keeps running effectively in the new way of working, you need to engage in a transparent dialogue with the relevant certification body and work with them to ensure they can deal with the certification and auditing challenges that have resulted from Covid-19.

Measures that are necessary to achieve certification often need to be implemented quickly, but with many workforces currently dispersed, this can be a bigger challenge. Engaging experienced consultants who can provide expert support in achieving the relevant certification will give your business a greater chance of success.

Recognising that the benefit of ISO certification is greater than the risk of operating without it is imperative as we acclimatise to the new normal.

Scott Nicholson is a director and technical delivery lead at Bridewell Consulting, a supplier of information security services. He began his career in law enforcement at Gwent Police before becoming a security and privacy consultant at IBM, and has over a decade’s worth of cyber security and compliance experience.
