ISO certification provides independent validation proving your company’s conformity to a set of baseline standards. However, as information security threats evolve, you need to show your customers and auditors proof of continual improvement. Thus, providing documentation that exhibits compliance with ISO standards is more than merely a best business practice; it is a way to ensure customer satisfaction.

ISO Certification: Who Needs It and Why

What is ISO?

In 1946, twenty-five countries sent delegates to the Institute of Civil Engineers in London, where they decided to establish a new organization called the International Standards Organization (ISO) that would create and unify industrial standards. Its Committee on Conformity Assessment (CASCO) establishes the measures related to the certification process that certification bodies use. CASCO determines the criteria third-party assessors must apply when determining that a company meets ISO certification standards.

What is the definition of ISO compliant?

Being ISO compliant differs from being ISO accredited, which differs further from being ISO certified. Being ISO compliant means adhering to the requirements of a specific standard.

ISO compliant means an organization has chosen one or more standards and followed the best practices within them. ISO compliance focuses on decision-making that creates policies, procedures, and processes that align with specifications.

ISO certification requires internal audits from third-party assessors using CASCO criteria. Internal audits need documentation that your organization follows the policies, procedures, and processes that you aligned to the ISO standards of your choice.

ISO accreditation refers to the third-party assessor that conducts the internal audits under CASCO criteria. Accredited bodies undergo independent reviews proving they meet CASCO standards. Since the organization approves these auditors, ISO trusts their reviews.

What are the documents required for ISO certification?

The ISO certification process comes in as many flavors as ice cream. Each standard requires different documentation, which makes managing compliance difficult. Thus, one of the first steps to becoming ISO certified lies in determining what type of certification you want.

Information technology ISO requirements focus on three main standards: ISO 9001, ISO 27001, and ISO 31000.

What are the documents required for ISO 9001 certification?

ISO 9001 specifies the requirements for a quality management system (QMS). Quality management principles mean documenting the processes, procedures, and responsibilities over quality and control objectives. While ISO 9001 applies to any industry requiring quality controls for continual improvement, it offers a unique perspective for DevOps and compliance.

ISO 9001 audits review products, processes, and systems. The lengthy list of documentation required includes mandatory and non-mandatory information. Mandatory documents include document control procedures, records control procedures, internal audit procedures, control of non-conformance procedures, corrective action procedures, and preventive action procedures.

What are the documents required for ISO 27001 certification?

ISO 27001 focuses specifically on creating an information security management system (ISMS) that protects the confidentiality, integrity, and availability of information as part of the risk management process.

The list of documentation needed for the initial ISO 27001 audit stage is lengthy. Documents include ISMS scope, information security policy, risk assessment and risk treatment methodology, statement of applicability, risk treatment plan, risk assessment report, detailed definitions of information security roles and responsibilities, inventory of assets, acceptable use policy, access control policy, operating procedures, secure system engineering principles, supplier security policy, incident management procedure, business continuity procedure, and compliance requirements.

What are the documents required for ISO 31000 certification?

ISO 31000 establishes an enterprise risk management (ERM) process approach requiring executive management and Board of Directors oversight.

ISO 31000 audits require management to document either a process elements approach, a principles of risk management approach, or a maturity model approach to risk. The Institute of Internal Auditors (IIA) notes that while its assessment guidance aligns with ISO 31000, other frameworks may also match the ISO requirements. Thus, choosing a framework that manages both ISO 31000 and regulatory requirements can act as a “two for one” strategy.

How much does it cost to get ISO certified?

ISO certification is pricey. First, companies need to obtain the necessary training for the employees involved in the implementation and maintenance of the certification. In some cases, organizations may need to hire consultants to help implement compliance processes. Finally, companies need to think about the hidden costs arising from employees focusing on program implementation instead of their regular jobs.

Second, certification incorporates two stages of independent third-party audits. These audits require certification bodies, and those certification bodies charge money. ISO 9001 compliance, for example, requires one day for the Stage 1 Audit and one day for the Stage 2 Certification Audit. Some certification bodies also charge for off-site document review. The initial assessment total, therefore, can cost anywhere from $2700 to $3375.

Maintaining ISO certification costs money as well. Organizations must conduct two surveillance audits between certification years to establish continued compliance. Each examination lasts approximately a day, with some firms charging for off-site document review. Thus, the annual interim cost for continued monitoring can range from $1350 to $2025.

How automating ISO certification audit processes with ZenGRC lowers costs

Compiling the extensive documentation required when implementing ISO programs and maintaining compliance records costs companies money. ISO certification promotes a customer-focused approach to compliance.

Once ZenGRC experts onboard an organization, that company has access to content that helps map controls across multiple standards.

When managing your compliance with shared drives or spreadsheets, seeing the overlaps and gaps in corporate compliance can leave managers cross-eyed. ZenGRC’s SaaS compliance platform allows you to map your controls and then perform a gap analysis so that you can view the remaining work and manage your timeline better.

For example, companies already using COSO for their ERM can determine what remaining gaps exist when attempting to navigate ISO 31000 compliance. While COSO often offers a starting point, it does not incorporate the various requirements your ISO certification body needs. Thus, using ZenGRC’s gap analysis tool can help fill in the holes, allowing you to create an agile compliance program.

Finally, our platform provides a single source of truth, giving you one-click access to the documents the audit checklist requires for a successful audit.

For more information on how ZenGRC can help ease the ISO certification burden, contact us today to schedule a demo.