Wednesday, 11 March 2020

ISO Certification bodies, what are the differences? Be aware...

Dear all

I'd like to bring to your attention an important issue that you need to be aware of, for your own business's sake. There are differences between certification bodies: some are regulated and supervised by the national accreditation body and some are not, and those that are not properly accredited may bring out any excuse if you dare to challenge them on the point. Our National Accreditation Body is UKAS; see their website at: https://www.ukas.com/ for details of UKAS-accredited bodies.

UKAS is appointed as the sole National Accreditation Body by the Accreditation Regulations 2009 (SI 2009/3155) and EU Regulation (EC) No 765/2008, and operates under a Memorandum of Understanding with the UK Government through the Secretary of State for Business, Energy & Industrial Strategy.

In their own words from their website: "UKAS is the UK’s National Accreditation Body, responsible for determining, in the public interest, the technical competence and integrity of organisations such as those offering testing, calibration and certification services."

Steven Burgess Consulting will only recommend Certification to ISO 9001 and ISO 27001 through UKAS Accredited Certification bodies like BSI or World Certification Services Limited.

Certification bodies should be regulated and supervised. UKAS uses ISO/IEC 17021-1 (referred to as ISO 17021 below) to accredit a certification body as competent to audit and certify management systems such as ISO 9001, ISO 14001 or ISO 27001, so asking a certification body whether it holds this accreditation is an important check when choosing one to serve your business. An accredited body will have a UKAS registration number, and its literature and website may carry the UKAS accreditation symbol; you can verify a body's accreditation status and scope on the UKAS website rather than relying on the logo alone.

There are some certification bodies out there that offer consultancy and certification services combined. This is dangerous for one reason: a self-respecting consultant cannot both consult and certify, because it is not in the best interests of the client, who is looking for impartiality. This is not just a matter of opinion: ISO/IEC 17021-1 itself requires accredited certification bodies to manage threats to their impartiality and bars them from certifying a management system they have provided consultancy on. We at Steven Burgess Consulting only offer consultancy support to help you achieve, say, ISO 9001 or ISO 27001; we do not undertake certification, as this would be a conflict of interest. I'd say some of the non-accredited certification bodies doing consultancy and certification combined are only in it for the money at the top level of management, not for the standards themselves, whereas certification bodies that are properly accredited are looking to uphold the law, the standards and properly written business procedures. That's not to say that others aren't; it's just that in my experience the accredited certification bodies are overseen to apply standards which might otherwise go unenforced.

To me, certification needs to be a robust process undertaken by a separate body; they need to be disciplined, impartial and not afraid to use their experience in helping the company aiming for certification. A UKAS-accredited body will provide you with these attributes; those who are not, leave well alone in my opinion. The only caveat is that some certification bodies are 'working towards accreditation', and this is fine, but ask a few more questions about their intentions before engaging with them. Maybe they'd like to use your company to help them become UKAS accredited; after all, UKAS has to witness some certification audits, and that's right.

I have heard on many occasions that some organisations will not accept non-accredited ISO certificates, so be wary. A UKAS-accredited certificate will be universally accepted by those who understand the sector, understand certification and understand the standards themselves; UKAS is a signatory to the IAF Multilateral Recognition Arrangement, which is why a UKAS-accredited certificate is recognised by accreditation bodies in other countries too.

Be wise when it comes to choosing a certification body for your company, and as UKAS responsibly says - "in the public interest."

That's why I'm informing you.

Regards

SteveB

Steven Burgess is a Consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that process data relating to criminal record checks.

https://www.stevenburgessconsulting.com/

Thursday, 5 March 2020

The best form of defence is preventive action, get in there first

Hi all

You may well know that I am an advocate of International Standards, very much so, so it was a surprise to many when ISO dropped the explicit preventive action clause from its management system standards in the 2010s (ISO 9001:2015, and the common high-level structure that other standards follow, replaced it with "actions to address risks and opportunities" at clause 6.1). I felt that they missed a trick here.

Preventive action is the best form of defence in information security, health and safety and quality. Whilst ISO may have removed the clause, implementing a standard is in itself a vehicle for preventive action: using standards means leaning on what others have learned before you. ISO (the International Organization for Standardization) works through technical committees staffed by people from relevant sectors such as engineering, health and safety and pharmaceuticals, to name but a few.

ISO doesn't take chances: it uses industry experts to gain insight into current trends and conditions and develops standards to protect industry from harm, weaknesses and lawsuits.

Preventive actions are always being implemented in organisations. They are the best method of improvement because they lower risk, make your company more efficient and make you far more attractive to customers and investors, because you are always planning to be better, and this shows in your product and service delivery. That is something to consider when applying standards.

In industry, it's easy to forget that standards and preventive actions are applied for a reason: increasing health and safety in the workplace, committing to technical excellence, using standards as a benchmark for growth and committing to best practices that support and sustain your organisation.

What examples of preventive action can you come up with? Have a think about it. In engineering it could be calibrating machinery; in product testing, monitoring and measurement against known results; in pharmaceuticals, the strict control of drugs and the testing of ingredients; in aerospace, the testing of airframes or engines to known standards; in personnel, training your staff in relevant and suitable areas. We often do these things beforehand but forget that it is preventive action that drives our companies and organisations forward. It's all about foresight, and that is such a valuable commodity.

Preventive action also includes inviting new personnel, consultants, auditors and regulators into your organisation to help you improve. If you embrace preventive action through applying standards, your business will go from strength to strength.

Here's to the ISO.

Regards

SteveB

Tuesday, 25 February 2020

Certification and the GDPR

Hi all,

I've been looking into the subject of certification within the GDPR articles, and it is clear to me that the current format of management system certification, as applied by the certification and accreditation bodies, won't currently support the GDPR's requirement (Article 43(1)(b)) that certification bodies be accredited to ISO/IEC 17065. Most certification bodies in the UK are accredited against ISO/IEC 17021-1 (conformity assessment: requirements for bodies providing audit and certification of management systems), not ISO 17065. They are accredited by national bodies such as UKAS to ISO 17021 and have to undergo periodic reassessment no more than 5 years apart.

Whilst ISO has brought out a new standard for privacy information management, ISO/IEC 27701, surely it would have been wiser for the EU to align the requirements in GDPR Articles 42 and 43 (Certification and Certification Bodies) to ISO 17021? Let me explain...

ISO 17021 is the accreditation standard that certification bodies have to meet when they want to certify companies and organisations to a known management system standard, such as ISO 9001 or ISO 27001. But when the GDPR was written, the EU favoured an accreditation standard that doesn't apply to management systems: ISO 17065 covers the certification of products, processes and services. So ISO 27701 Privacy Information Management, which is an extension of ISO 27001 and is certified by bodies accredited to ISO 17021, will not on its own give an organisation a GDPR Article 42 certification, even if that organisation has implemented the GDPR via the standard. Organisations implementing ISO 27701 will find themselves falling short here because their certificate will have been issued under ISO 17021 accreditation, the standard for management system certification, rather than under ISO 17065.

And so, why has the EU done this? Why didn't it align the GDPR to ISO 17021 and thus support company management systems? It doesn't make sense, unless they want the fines to increase. People in companies, businesses and organisations worldwide will want to support their data protection systems via a known standard that supports implementation of the legislation. So where does that leave organisations wishing to implement ISO 27701? In my opinion, for a lot of companies it leaves no choice but to embrace it and take it on board as an addition to ISO 27001. I wrote just last week about the benefits of ISO 27001 certification, and they all apply when you implement ISO 27701. It's all about reducing risk, and a known standard will help you to do that.

To summarise, I feel that ISO is doing the data protection sector a big favour here, but why not align the GDPR to ISO 17021 instead? That is the accreditation standard behind the certification of companies' management systems, and it is what they rely on to drive risk down further. Only the EU knows.

I also think that certification bodies wishing to facilitate and support companies with regard to data protection will find themselves forking out more in costs to gain ISO 17065 accreditation in the first place; maybe that's what the EU wanted? But it has certainly ignored ISO 17021, and that will be to the detriment of organisations worldwide.

Regards

SteveB

Tuesday, 18 February 2020

The benefits of Certification to ISO 27001 Information Security Management Systems

Hi all,

There are many benefits to certification to a known standard in business, but first of all, where do standards originate? Standards are formed by national and international institutions like the British Standards Institution (BSI) or the International Organization for Standardization (ISO). These organisations bring together people from all kinds of sectors, preferably professionals in their industry, to discuss how the sector is moving, what will help to continually improve it and what hurdles must be overcome to ensure these exacting standards are fulfilled.

We talk about sectors like quality, information security, health and safety, the environment and data privacy, to name but a few, but today we'll concentrate on ISO 27001, Information Security Management Systems. So what are the obvious benefits of certification and of applying standards relating to information security?
  • A credible application of standards inside your organisation, using a standard developed by forward-thinking and pioneering organisations and people whose lessons we can all learn from;
  • Recognition by investors and consumers that you are doing all you can to minimise the impacts on them as individuals and businesses;
  • Recognition from national authorities that you are aiming to meet an International Standard, one that they recognise as important and credible and, above all, one that helps you to be ever more secure;
  • A systematic way of doing things in your organisation that helps to control the risks to the organisation and supports continual improvement;
  • Help in dealing with the threats and vulnerabilities posed by criminals, especially online;
  • Support in applying national legislation and regulation;
  • Alignment with industry best practice;
  • Recognition as a forward-thinking business, dedicated to reducing risk to all involved, which is an extremely responsible attitude.
The reasons above are good reasons to implement standards: not only do they improve the viability of the business as a whole, they also help to reduce the risks to all involved, including suppliers, customers, consumers, directors and potential investors.

The only thing is, very often in business standards implementation is overseen by one person when it needs to involve more than one. Throughout my consulting life I have seen one person tasked with the job of information security or quality manager and left to their own devices. ISO 27001 at clause 5 (Leadership) requires top management to demonstrate leadership of and commitment to the information security management system, not to delegate it and walk away. Information security should be on the agenda at least once a month in organisations; the reason is that you should keep ahead of the curve and pre-empt issues before they happen.

The Data Protection Act 2018 and the GDPR are used to take enforcement action against organisations that fall foul of these information laws, and you need to be ready for a data breach even if it is not reportable under the GDPR. Standards, when properly implemented, taken seriously and run through a team, lessen the chances of enforcement action because:
  • You dedicated yourselves to continual improvement and didn't leave it to chance;
  • You showed that you were always willing to comply with the law, which standards help you to do;
  • You co-operated with national enforcement agencies, and the degree of co-operation with the supervisory authority is one of the factors the GDPR (Article 83(2)(f)) lists for deciding the level of any fine;
  • You mitigated the chances of information breaches by getting ahead with technology and through people's good ideas.
Standards are a force for good, let's keep them high on the agenda in business.

Hope this helps.

Regards

SteveB

Wednesday, 12 February 2020

Stay safe online

Hi all

Today's blog is all about staying safe online. I feel that it is right to bring to your attention certain things that go on in the online world that we all need protecting from. I feel passionately about this as I myself have suffered from serious mental health issues; one of my past mental health problems started when I read a book that changed my thinking so drastically that it harmed my mental health, and it took me some years to get over it. The point I am trying to make is that reading harmful content can harm people, and it's absolutely vital that we protect not only ourselves but our friends, family and acquaintances, online and off, by warning people of the dangers that are out there.

Today new powers are being announced to tackle harmful content online; websites and social media pages that encourage self-harm are to be targeted and, hopefully, taken down. It is a move by the UK authorities and hopefully will be backed up by the US and the EU.

We have to be aware that some online content is dangerous to your mental health, and being aware of it helps us all to be safer online. One of the news articles on TV this week featured a young lady who had taken her own life after viewing social media pages and harmful websites; these pages actually encouraged her to hurt herself, and she was young and extremely vulnerable. The people who invest their time and effort in encouraging self-harm are a disgrace; sick isn't the word for it. You must be aware that these pages are out there. People can post some terrible content online, and you need to be prepared if you ever come across it, because it is dangerous.

I call upon the security services of the United Kingdom, the US and the EU to protect us all from online harm. You have the power and the authority to banish these websites and this social media content from our portals, and you must do all that you can to protect us and our children.

The likes of Facebook, Google and Twitter must also do more to protect people online. Too much harmful content is allowed online, and it's high time they put a stop to it. People wouldn't say and do in public some of the things they do online, and it is the big social media companies who must do more to remove this material from our devices.

The much-vaunted GDPR (General Data Protection Regulation) doesn't go far enough in protecting people from online harm sites. In fact I don't think it's in there at all, and if it is, it isn't clear. More must be done at regulatory level to shift this harmful bile from our screens.

It's a strong message, I know, but it's important. Take time to see what websites your children are viewing and what they are accessing, not to spy but to encourage security and safety and to learn what is good to do online and what is not.

The National Cyber Security Centre (NCSC, a UK Government organisation and part of GCHQ) has an invaluable website that helps you in your cyber world; it is a place where security is discussed, and these people help to keep you safer online. It's a really good Government department that is responsible, forward-thinking and available to you. You can find their website here: https://www.ncsc.gov.uk/ and they also have a section for individuals and families.

I thank you for your time in reading this article, my message is simple.

Stay safe online

Regards

SteveB