Thousands of ISO management system certifications are at risk of lapsing over the next few months as certification bodies struggle to overcome a backlog of missed and postponed recertification audit appointments during the Covid-19 coronavirus pandemic.
Currently, guidelines from the UK’s national accreditation body UKAS provide for a six-month overrun for recertification audits in pandemic circumstances, warned security, data protection and business compliance specialist InfoSaaS, which has raised the alarm over the looming risk. As the six-month “anniversary” of the UK’s lockdown approaches, this overrun is now coming to an end.
“Across just three [ISO9001, ISO27001 and ISO45001] of the five ISO management system standards that we help organisations to achieve, an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities – never mind all other ISO standards, and notwithstanding any backlog of audits, whenever they can resume at scale,” said InfoSaaS co-founder Peter Rossi.
The UKAS guidelines state: “If a recertification assessment cannot be undertaken within six months [of the anniversary of the certificate being issued], the certificate should be suspended, and a new initial assessment will be required.”
Rossi said that to restore their lapsed certifications, affected organisations may be forced to pay out costs three times higher than they would expect to pay for an annual ISO audit, alongside more time and resources. They would also have to scrub references to their certifications from their websites and other collateral while the recertification is pending.
While much of the response to the pandemic has been to move everything online to virtual, cloud-based platforms, InfoSaaS pointed out that this was essentially impossible for ISO audits when a great many organisations rely on more old-fashioned approaches, such as multiple spreadsheets requiring in-person explanation, justification and cross-reference. Rossi urged auditors to consider adopting remote management platforms.
“Frankly, it’s unnecessary and inefficient for any organisation still to be using the likes of spreadsheets for this purpose,” he said. “It would make achieving business compliance objectives via a modern platform even more attractive if organisations could be confident that remote audits were not only possible, but preferred.
“The uncomfortable truth is that, under current circumstances, some organisations may decide not to be re-audited and simply let their ISO certifications lapse. Any such de-prioritisation may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone.”
DomainTools senior security engineer Tarik Saleh said social distancing measures had added layers of complexity to the already complex task of keeping organisations secure and compliant.
“When it comes down to it, networks, software and end-users can only reach a certain level of cyber resilience,” he said. “Oversights will still happen and mistakes will still be made – we are, after all, only human. What really matters is what you have done on the front end to minimise the impact of a security incident on your organisation.
“That’s why having an IR plan in place – as well as a security team and proper tech – is essential for being able to respond to threats in a quick and professional manner. The plan should be discussed and created by a cross-functional group of key players from different areas of the business, including security and IT, operations, legal – and, often, HR and public relations/comms.”
Saleh added: “The reason for this is to ensure that all areas of decision-making are represented, and the best interests of the organisation are kept in mind. While the number of stakeholders involved, coupled with social distancing, often makes for a convoluted process, it is entirely necessary that plans and certifications are kept up to date. At an already difficult time for businesses, a cyber attack is the last thing an organisation needs to further complicate matters.”