
ISO Certifications Your Company Should Strive For

Greg de la Cruz works in the tech industry and is the author of two published titles on Amazon.

There's more to becoming ISO-certified than just accumulating paperwork.


Why Should Companies Care About ISO Certification?

Companies want to gain a competitive advantage in this globalized marketplace, and they also like having the recognition of being “legit.” And what better way is there for companies to let potential customers take notice than boasting about being ISO certified?

There are millions of organizations, public and private, that have at least one type of ISO certification. Companies strive for multiple ISO certifications, but that doesn’t mean it’s easy getting your first one.

According to the ISO Survey of Management System Standard Certifications—an annual survey that shows the number of valid certificates worldwide—in 2020, there were more than 1.4 million valid certificates for ISO 9001, 14001, and 45001. Does this mean that being ISO certified is not the competitive advantage it once was?

Being ISO certified still counts for something, especially if your organization is young and relatively unknown. It’s not just about being able to post the certificate or put up a big sign in front of your facility: following the requirements set by each specific ISO standard serves to improve your organization and instills discipline among your workers. Each standard not only strengthens the company’s image but also provides confidence among employees.

A Quick Background and History of ISO

When was the International Organization for Standardization formed?

ISO officially came into existence in 1947 with 67 technical committees, each a group of experts focusing on a specific subject. The year prior, 65 delegates from 25 countries came together in London to discuss the future of international standardization. By 1949, the ISO had moved its office to a small private house in Geneva, Switzerland, and by the 1950s, it had five members of staff under its Central Secretariat.

What was the first ISO standard?

The first ISO Standard was, surprise, surprise—ISO 1. They were called “Recommendations” at the time, so it was officially called ISO/R 1:1951. The long name of the very first standard was ISO/R 1:1951 Standard reference temperature for geometrical product specification and verification.

ISO 1 has been updated several times, and is now ISO 1:2016 with the long name ISO 1:2016 Geometrical Product Specifications (GPS) – Standard reference temperature for geometrical product specification and verification.

The temperature is fixed at 20 degrees Celsius, which is 293.15 Kelvin and 68 degrees Fahrenheit.

How many ISO standards are there?

There are roughly 22,000 ISO standards to date covering multiple industries. A basic rundown of the different types of standards is the following:

  • Quality management standards that help organizations work more efficiently;
  • Energy management standards that optimize energy consumption;
  • Health and safety standards to reduce work-related accidents;
  • Environmental management standards that reduce environmental impact, reduce waste, and make processes more sustainable;
  • IT security standards for keeping information secure; and
  • Food safety standards that protect food from contamination.

What are some big mistakes with ISO?

According to Cavendish Scott, which is an ISO management system consulting company established in 1985, there are at least seven big mistakes that an organization can make when implementing ISO:

  1. Picking the wrong project leader – “delegated [the project] to someone without business focus or experience, and without the constant involvement of management, the project is in trouble from the start.”
  2. Lack of management commitment – “Management is keen to get ISO but don’t see it as a way to run the company but rather as something that has to be achieved.”
  3. Getting the requirements wrong – “Without a strong knowledge of what the requirements are asking, systems develop to meet these misunderstandings, and the users quickly dislike seemingly unnecessary activities.”
  4. Doing ISO – “Many organizations tell the project contact to get ISO or get us certified. The problem is that if the goal is to get ISO, then that’s what you end up with… Not a QMS that is valuable to your organization.”
  5. Procedures and Documentation – “Most people don’t know how to write a procedure… The result is poorly written procedures in as many varieties as people you ask to be involved.”
  6. Getting the wrong certification body or auditor – “If your auditor is giving you unimportant findings while there are systemic issues or things that they know they have missed, then you have the wrong auditor… The goal is not to do as little as possible with your ISO system. The goal is to find and fix issues and to constantly improve performance.”
  7. Ineffective internal auditors – “[Internal auditors] are generally unable to identify issues that are meaningful and substantive and are rarely expert enough in the standard to spot issues before the external auditor comes.”

A Short List of ISO Certifications Your Company Should Strive For

For practicality, your organization shouldn’t try to get as many ISO certifications as it possibly can – it should simply aim for ones that are not only popular but also make sense. Here are seven ISO certifications your company should strive for:

  1. ISO 9001 – Quality Management System (QMS)
  2. ISO 14001 – Environmental Management System (EMS)
  3. ISO 22301 – Business Continuity Management System (BCMS)
  4. ISO 27001 – Information Security Management System (ISMS)
  5. ISO 37001 – Anti-Bribery Management System (ABMS)
  6. ISO 45001 – Occupational Health and Safety
  7. ISO 50001 – Energy Management System (EnMS)

1. ISO 9001

ISO 9001:2015 is the standard that specifies the requirements for a quality management system (QMS) when an organization needs to “demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements” and aims to “enhance customer satisfaction through the effective application of the system…”

The requirements of this standard are meant to be applicable to any type of organization, unlike a standard like ISO 22000, which only applies to those in the food industry.

The quality management principles (QMPs), which are something to live by, are:

  1. Customer focus
  2. Leadership
  3. Engagement of people
  4. Process approach
  5. Improvement
  6. Evidence-based decision making
  7. Relationship management

Why you should get certified: As the most basic, generic ISO standard out there, ISO 9001:2015 is the one an organization should look into getting certified for before looking at any other standard. Without a quality product or service, is a company really worth any interest to a customer?

Touted as “the world’s favorite standard,” ISO 9001 is based on the idea of continual improvement and is designed to be flexible enough for use by many types of organizations. According to the annual survey by the ISO, there were over 900,000 valid certificates as of 2020 across nearly 1.3 million sites.

2. ISO 14001

ISO 14001:2015 is the standard that sets out requirements for an environmental management system (EMS). If your organization seeks to manage its environmental responsibilities in a systematic manner that contributes to the “pillar of sustainability,” then implementing this standard is the way to go.

The intended outcomes of an EMS are as follows:

  • Enhancement of environmental performance;
  • Fulfillment of compliance obligations; and
  • Achievement of environmental objectives.

Like ISO 9001, this standard is applicable to any type of organization regardless of size, type, and nature. It applies to the environmental aspects of the organization’s activities, products, and services that it can control, considering a life cycle perspective.

Why you should get certified: Aside from improving your company’s reputation and confidence by having an EMS, ISO 14001 certification also provides a financial advantage due to improved efficiency and reduced costs. In turn, your company would also encourage its suppliers to improve their own environmental performance if you’re able to integrate them into your organization’s business systems.

ISO 50001 may be the most appropriate standard for energy management, but ISO 14001 certification in itself can set your company up for success in reducing energy and water consumption. It also allows a more systematic approach to both legal and contractual compliance.

3. ISO 22301

In the age of the service economy, which we are still largely in, having a business continuity management system is more important than ever. ISO 22301:2019 sets requirements to implement, maintain, and improve a management system to “protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions as they arise (ISO.org).”

Not having business continuity plans (BCPs) is a deal-breaker for many, if not all, clients who wish to do business with a service provider. However, it’s no longer enough for a company to have BCPs; having a systematic approach to managing business continuity and accountability for testing its BCPs is starting to become the minimum expectation from customers.

Why you should get certified: Castellan Solutions, one of the largest providers of resilience management solutions, provides eight reasons why your company’s business continuity program should be ISO 22301 certified:

  1. Can help you become a more resilient organization;
  2. Can help you save money – organizations were able to reduce insurance premiums;
  3. Helps you have fewer disruptive incidents;
  4. Helps your organization recover faster;
  5. Helps you have more consistent business continuity management programs – better manage risks, including streamlining business continuity analytics and evaluation strategies;
  6. Helps improve customer satisfaction – helps build customer trust and a stronger brand;
  7. Improves employee buy-in – increases employee engagement, facilitates employee buy-in about the value and role of business continuity management programs for organizational success; and
  8. Key stakeholder support – metrics can be easily communicated to executive leadership and key stakeholders, which ultimately lead to more time, resources, and financial backing to mature your program over time.

4. ISO 27001

Launched in 2005, ISO/IEC 27001 was the product of the joint technical committee of the ISO and IEC (International Electrotechnical Commission). ISO/IEC 27001:2013 provides requirements for an information security management system (ISMS).

Using the standards in the ISO/IEC 27000 family, any type of organization can manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

ISO/IEC 27001:2013 remains one of the most popular standards in the world, with more than 44,000 certifications issued across over 84,000 sites in 2020.

Why you should get certified: According to ISMS.online, there are at least four benefits of achieving ISO/IEC 27001:

  1. Retaining customers and winning new business – “For many customers their desire to achieve the ISO 27001 standard is driven by their client requirements, whether existing clients or when tendering to win new client business… ISO 27001 certification demonstrates robust security practices, thereby improving client relationships and client retention.”
  2. Preventing fines and loss of reputation – “Even when an organization has incurred a small fine… it will still have a detrimental effect on their business with them being less attractive to prospective customers.”
  3. Improving processes and strategies – “Cyber attacks and data breaches could always happen, but the forward planning that’s involved with ISO 27001 demonstrates that you have evaluated the risks… and breach reporting plan if things were to go wrong – hopefully reducing any costs incurred.”
  4. Commercial, contractual, and legal compliance – “A good control describes how all relevant statutory, regulatory, contractual requirements, and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization.”

5. ISO 37001

ISO 37001:2016 allows organizations of any type to prevent, detect, and address bribery by “adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training, risk assessments and due diligence on projects and business associates, implementing financial and commercial controls, and instituting reporting and investigation procedures.”

ISO 37001 addresses one of society’s most challenging issues head-on: a criminal activity that turns over billions of dollars of dirty money annually.

Why you should get certified: There are at least four main benefits to having an Anti-Bribery Management System that meets the ISO 37001 standard, according to PECB University:

  1. Promote trust and confidence – “Organizations that have anti-bribery policies in place promote trust and are more likely to sign agreements with other organizations, rather than with organizations that do not have anti-bribery policies in place.”
  2. Implement the necessary measures designed to prevent, detect and address bribery
  3. Avoid reputational damage
  4. Avoid cost – “Organizations that implement an anti-bribery management system will save money by refusing to pay bribes and by not having to implement costly procedures.”

6. ISO 45001

ISO 45001:2018 specifies the requirements for occupational health and safety to protect both workers and visitors from work-related accidents and diseases. Applicable to any type of organization regardless of size, type, and activities, ISO 45001 takes into account factors such as the context in which the organization operates and the needs and expectations of its workers and other interested parties.

This standard does not, however, address product safety, property damage, or environmental impacts beyond the risks to workers and other interested parties.

Why you should get certified: National Quality Assurance (NQA), the management systems certification body of National Testing Systems (NTS), provides four benefits of ISO 45001 certification:

  • Improved relationships with employees, customers, suppliers, and other stakeholders;
  • Reduced downtime and lower operating costs;
  • Better reputation and consumer trust; and
  • Potential tax benefits.

According to NQA, ISO 45001 certification is “a good idea for any business that needs to mitigate safety risks and demonstrate a verifiable dedication to preventing work-related illnesses, injuries and deaths.” Examples of industries that should consider certification include automotive, construction, and healthcare.

7. ISO 50001

There’s perhaps no better time than today to implement an energy management system that’s up to the ISO 50001:2018 standard. The intended outcome of this standard is to enable an organization to follow a systematic approach to achieving continual improvement of energy performance.

The adoption of this standard is advantageous to companies that tend to consume significant amounts of energy.

Why you should get certified: Anthony Jones of IS Partners LLC says that “the number of certified companies is rapidly increasing because companies have a greater awareness and appreciation for the benefits associated with it… The economic advantages of reducing costs often translate to higher profit margins and a strategic advantage for organizations operating in competitive markets.”

Is Getting an ISO Certification Worth the Time and Energy?

You might realize before going into the project of securing an ISO certification that it means amassing piles upon piles of paperwork. Suddenly your colleagues are intimidated by all the extra work that needs to be done—they’ll even be asked to write their own procedures and keep documenting everything. It can be tedious.

But bureaucracy and generating reams of company policies are not the point of getting ISO certified. They may be perceived as the means to getting there, but really, they are mere consequences of accepting that an organization outlives its own members.

People in an organization come and go, but a company’s practices and habits, if they are the best way to do things, must stay the same or be improved upon. Getting ISO certified is worth all the pain of planning, doing, checking, and acting (PDCA).

It can’t be emphasized enough: ISO certification is about improving the way your company does things, not making it look good on paper. “Good on paper, bad in practice” is the last thing your company wants to be.

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2022 Greg de la Cruz