Where ISO certification fits in a risk mitigation strategy

Thomas Johnson explores why ISO certification helps organizations as part of their risk mitigation strategy in business continuity planning as companies adjust to the new normal.

Most IT leaders understand that obtaining an International Organization for Standardization (ISO) certification is table stakes for certain organizations, including data centers. Today, though, the ISO badge can serve a secondary purpose: a framework to guide decision-making as our notion of "business continuity" changes drastically amid the pandemic.

Much as a restaurant's health inspection grade is not the only factor that affects its quality, an ISO certification cannot be the endpoint of an organization's risk mitigation strategy. IT leaders who treat ISO certification as a foundation, rather than an endpoint, will be well prepared to handle the "new normal" of continual disruption.

The starting point: ISO enables insurance and credibility

Just as restaurants undergo health inspections to ensure they meet public safety standards, organizations seek (though they are not required to obtain) ISO certifications to ensure they meet industry best practices on data security and governance.

One major benefit of obtaining this certification is insurance eligibility. ISO certification qualifies organizations for insurance covering physical data storage, which is important for public companies with large third-party data centers that are vulnerable to damage.

Another benefit of the ISO seal of approval is that it provides an external validation of quality, which is good for business. An ISO certification is like an "A" restaurant grade in that it can encourage new business on the grounds of reliability. Clients, customers and potential partners often view ISO certification as a sign of safety, efficiency and commitment to digital transformation.

These two merits of ISO are important parts of overall business operations, but they're only pieces of a larger puzzle of risk mitigation. Just as a restaurant isn't going to fill seats by merely meeting health criteria, organizations aren't going to boost productivity and land clients by being secure enough to have insurance.

Don't just check the box during inspections: Test business continuity constantly

Some restaurants notoriously set up elaborate schemes to pass health inspections when, in reality, if the inspector came unannounced, the restaurant would fail.

Organizations that seek ISO certification should be careful to avoid a similar strategy. Even if you pass the (admittedly thorough) technical audit, that only means you were meeting industry standards at the time of application. How are you upholding standards every day?

Though many ISO certifications require annual audits, annual evaluations of processes are not enough. A new normal has emerged for business continuity in the wake of COVID-19: systems and processes should be under test at all times.

One way to run continual continuity tests (so to speak) is to use ISO certification criteria as a blueprint for how to run your own regular internal audits.

Pay close attention to the details -- the ISO guidelines can direct you to the process components you must check and regulate to ensure consistency. To pass a restaurant kitchen inspection, for instance, you need consistency across all technical operations, such as refrigerator maintenance, food preparation processes, employee hygiene, garbage disposal, etc.

To be ready for an ISO 9001 inspection at any time, for example, you will need to be able to address hundreds of items in categories including:

  • Organization context
  • Leadership and commitment
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

One possible test you can run is a staged company outage that forces teams to develop strategies for working under non-ideal circumstances. Like training chefs for a power outage in a kitchen, this will prepare workforces for crisis management and reveal which workflows need optimization during an emergency and which are critical to your business.

ISO certifications provide guidelines for remote continuity

ISO certifications are also helpful in guiding remote business continuity operations. Static work environments became fluid overnight due to the pandemic, and employees started accessing new services from new places.

Thankfully, major continuity disruptions, even those caused by the pandemic, are not uncharted territory. ISO certifications provide a proven set of standards for businesses making the transition to remote work for the first time.

The concept of business continuity emerged as a response to the growing threats of natural disasters and terrorism that impacted businesses during the 1980s and 90s. As it became clear that companies of all sizes needed to prepare for the risk of a massive disruption, ISO released the ISO 22301 certification to guide the building of business continuity plans that would keep production running during a disruptive incident of any kind, such as a global pandemic.

Specifically, compliance with ISO 22301 demonstrates that business continuity management practices are in place and have been tested and proven effective to a predefined capacity that supports the critical operations of the business.

Having an ISO certification and audits (and conducting your own regularly) increases the visibility of process compliance in normal times, which provides your organization with a useful frame of reference when disaster and continuity plans are active.

For example, how do you know when one team's remote productivity is comparable to "normal"? You'll first need in-depth knowledge of how this team operated prior to the disruption.

Leverage ISO certifications to keep risk mitigation nimble

The key to success in business continuity and disaster recovery is to be proactive, not reactive. Having an ISO certification is the first step, but it won't do all the risk mitigation work for you.

Just as restaurants should operate as if an invisible health inspector is present in the restaurant every day, your organization should continuously reevaluate and rebuild processes to stay one step ahead of the changing risk landscape. One way to do that is to use ISO certification criteria as a guiding framework for that vigilance.

About the author

Thomas Johnson is the chief information security officer at ServerCentral Turing Group. SCTG offers cloud-native software development, AWS consulting, cloud infrastructure and global data center services.