ISO Standards

What are ISO Standards?

ISO standards are international guidelines for best practices in various fields, including information security, privacy, and AI governance.

Why are ISO standards important to me?

In today’s digital age, information is a critical asset for organizations. Protecting this information from loss, compromise, or destruction is increasingly important.
ISO standards provide risk-based compliance frameworks designed to help organizations effectively manage information security, privacy, and AI governance.

Why are international standards like these important?

Many industries and governments have adopted these ISO standards as the de facto standards for managing information security, privacy, and AI.
They are particularly popular in industries such as ICT and data center hosting. International standards provide significant benefits to the domestic and global economy.

For consumers: Proof of conformity to international standards helps reassure consumers that products, systems, and organizations are safe, reliable, and responsible.

For business: These standards can be strategic tools to help businesses tackle challenges and compete globally.
Adoption can open up new markets, improve competitiveness, reduce costs, streamline processes, and increase productivity.

For society: Standards improve safety, quality, and ethical outcomes while encouraging international trade.

Why are these ISO standards important?

Having international standards allows for common frameworks for managing security, privacy, and AI governance across businesses and borders.
In an increasingly connected world, these aspects are growing in importance.

Data and information need to be safe, secure, accessible, and used responsibly. These standards provide frameworks for effectively managing risks, selecting appropriate controls, and most importantly, processes to achieve, maintain, and prove compliance.

Adoption of these standards provides real credibility that an organization understands and takes seriously its responsibilities in information security, privacy, and AI governance.

What are the elements of these ISO standards?

These standards typically include clauses related to:

  • Organizational context and stakeholders
  • Leadership and high-level support
  • Planning of management systems
  • Risk assessment and treatment
  • Supporting the management systems
  • Making the systems operational
  • Reviewing system performance
  • Adopting an approach for corrective actions

Based on the risk profile of the organization, controls may be selected to manage identified risks.
These controls often cover areas such as policies, organization, human resources, asset management, access control, cryptography, physical security, operations, communications, system development, supplier relationships, incident management, business continuity, and compliance.

How does it work and what is a risk-based approach to compliance?

These ISO standards take a risk-based approach to compliance.
Controls are selected based on their ability to mitigate risks to the organization’s assets and stakeholders.
This ensures that security and governance risks are appropriately prioritized and cost-effectively managed. It’s a “comply or explain” approach – organizations can comply with the controls that help manage risk, or explain why they aren’t relevant.

Where should I start?

Before starting out on the path to certification, it’s worthwhile understanding whether certification is required, or whether compliance will suffice. For many organizations, certification is not a requirement, but compliance with the standards can still reap benefits.
Many organizations choose certification to show they are serious about their business and about being a trusted entity in the eyes of their customers.

For those industries where certification is a requirement, the path should not be treated as a one-off project. Successful organizations treat these areas as critical business processes and invest in ongoing compliance.

For most organizations, the logical place to start is to conduct a gap analysis against the requirements of the relevant ISO standard.


The audit process

External certification can only be conducted by an Accredited Certification Body (CB). It’s recommended to seek certification services from reputable CBs only.

The initial audit process is typically undertaken in two stages:

Stage 1 – A Documentation Review that focuses on a desktop review of available management system documentation and processes. Sufficient evidence of a functioning management system is required in order to progress to the Stage 2 audit.

Stage 2 – Focuses on evaluating the implementation and effectiveness of the management system. The audit will assess evidence and will typically require the management system to have been running for a period of at least three months.

The certification cycle also requires regular external surveillance audits to be performed, along with evidence that the management system is being actively maintained. Surveillance audits are typically performed every six months; however, mature systems in low-risk industries can be extended to an annual audit cycle in consultation with the certification body.

Management system re-certification typically occurs every 3 years.

Tips, tricks and pitfall avoidance

Before certification:

  • Don’t underestimate the number of stakeholders you will need to consult. In large organizations, stakeholder management can be a large undertaking and key requirement for a successful compliance activity.
  • Partner with experienced providers who know the implications of advice, in particular with respect to the selection of controls.
    Many controls sound like a good idea, but the implementation can be much more challenging.
  • Start with an understanding of risks and development of a management system before jumping into controls and technology.
    Investing time up front to understand your risk posture will pay long-term benefits.

During certification:

  • Avoid anybody who guarantees certification within 1 month. They can’t!
    Certification Bodies generally like to see at least 3+ months of evidence at the Stage 2 audit before making a recommendation for certification to the Accreditation Body. For smaller scopes, this timeframe may be less, but it is best to plan on at least 3+ months.
  • Certification Bodies are prevented under another ISO standard (19011) and scheme rules from providing both certification and consulting/advisory services, due to conflict-of-interest issues. Some get around this by offering extended pre-assessments or gap analyses.
    While these may appear cheap, there are limits to the amount of actionable recommendations that can be provided.

After certification:

  • You will be entitled to display a certification mark. The certification mark is tangible proof that you take care of information, are committed to protecting data entrusted to you, and are fulfilling your commercial, contractual and legal responsibilities.
    A great idea would be to promote this certification on your marketing collateral and website as a source of differentiation from your competitors.