The 10 most common ISO Myths – busted!
If you’re considering getting certified to one or more ISO Management System Standards, you might have heard that “it’s too costly” or, after some brief research, jumped to the conclusion that “it’s not for your business size and industry”.
As a complex topic, achieving and maintaining Certification to an ISO Management System Standard is surrounded by myths, many of which stop businesses from pursuing Certification and from enjoying all the benefits.
That’s why in this blog, we are here to demystify the 10 most common ISO myths, so you will have a clearer understanding of the process, the requirements and benefits.
Myth #1: ISO Certification is only for large businesses
ISO Management System Standards can be just as beneficial for small businesses as they are for large, as the standards are designed to be generic and flexible, to benefit all sizes of organisations.
Take the ISO 9001:2015 Quality Management Systems Standard as an example. This is a solid first standard that many businesses opt for. It’s designed to support your business in delivering a quality service and satisfying your customers. An obvious target for any sized organisation.
In fact, becoming Certified can be a critical competitive advantage while also expanding your market potential by qualifying your business for bigger and better projects, such as government tenders. The process of implementing the requirements of an ISO Standard is similar regardless of the size of your business; it will be adapted to the scale and needs of each organisation.
Myth #2: ISO Certification is too costly to implement and maintain
The cost of achieving and maintaining Certification to an ISO Management System Standard is always one of the biggest concerns for businesses. Some of the initial costs include purchasing the ISO Standard document, ISO Management System Consultant fees (if professional assistance is required), and Conformity Assessment Body (CAB) expenses for your Certification Audit.
However, achieving Certification is an investment in the future of your business, so it’s important to consider the potential return on investment (ROI) when looking at the initial costs. Let’s look at some of the ways your business will see a profitable return on your investment:
Once your business has achieved Certification, the main ongoing expense is your annual Surveillance Audits. Some businesses also choose to get professional assistance from ISO Consultants, to assist with ongoing management activities such as internal audits and business planning workshops. If you want to know more about these ongoing activities, and what your business needs to do post Certification, you can read this article.
Myth #3: The ISO 9001:2015 Quality Management Systems Standard is only for manufacturers
This is something we hear from prospective clients all the time, and it is a major myth!
Businesses from any industry can achieve Certification to the main ISO Management System Standards: ISO 9001:2015, ISO 45001:2018, ISO 14001:2015 and ISO 27001:2022. As stated in the point above, ISO Management System Standards are designed to be generic and flexible, meaning that the requirements can be adapted to any industry.
To put this into perspective, we’ve helped over 200 businesses achieve Certification across 15 different industries, ranging from architects, to marketing agencies, construction, cleaning, recruitment, engineering, manufacturing and other businesses. Becoming Certified to an ISO Management System Standard has no boundaries when it comes to the size, type, or industry of your business.
Myth #4: Businesses must have an ISO Manual for Certification
Businesses often think their Management System must be structured in a manual in accordance with the clauses outlined in the ISO Standards to meet the requirements. However, not only is a manual not even required – this approach is completely wrong! The ISO Management System Standards are intended to be adapted to the requirements of each individual business.
The Management System should be based on the business processes. Key processes critical to the organisation’s success should be identified, documented, implemented and controlled to ensure they’re being conducted effectively and efficiently. Documenting processes also improves communication and training across the organisation.
This process approach helps organisations understand how their activities are interrelated and how they contribute to the overall business performance, enabling clarity to eliminate bottlenecks, improve effectiveness and efficiency, increase consistency and reduce errors and re-work. It also helps identify and manage risks, helping organisations to be more proactive in identifying and addressing issues before they become problems, which results in overall better business performance and customer satisfaction.
When done right, the Management System will be integrated into your daily operations, actively working towards achieving your objectives and targets, and facilitating continual improvement. So much more than just meeting the ISO requirements, a Management System is a valuable tool to improve your business operations; and the Certification Audits hold your team accountable.
Myth #5: The ISO Standards are outdated
Many people wrongly believe that once an ISO Management System Standard is published, it stops in time – this is a complete misconception!
All ISO Standards are reviewed approximately every five years by the relevant ISO member bodies to ensure they continue to reflect current industry best practices, trends and needs. This could result in confirmation, revision (resulting in a new updated version published), or complete withdrawal of the standard.
Just last year, a new edition of ISO 27001 was published. With the last version of ISO 27001 released in 2013, a new version of the Information Security Management System Standard was necessary to help organisations navigate new scenarios and threats, and make sure relevant and current security controls are in place. As a result, in October 2022, ISO announced that the new version had been published: ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements.
Expert Tip
Myth #6: I will have to develop an entirely new management system from scratch
Quite often we hear about businesses creating an entirely separate Management System to meet the requirements of one or more ISO Standards. However, businesses can adapt the systems they already have in place to meet the ISO requirements.
Your business systems should be part of your business operations, so they’re supporting your operational processes and are not a burden to work with. You may need to improve your existing systems to meet the Standard’s requirements, but you do not necessarily need to create a new one to achieve Certification.
Myth #7: The ISO 27001:2022 Information Security Management System Standard is only for information technology businesses
If you’re running a business in 2023, you probably have computers connected to WiFi, exchange emails with clients and employees, and maintain a live website about your business. Any of these scenarios is enough to make your business a “candidate” for the ISO 27001:2022 Information Security Management System Standard.
Unlike 30 years ago, businesses are now dealing with private information and sensitive data in the digital space all the time. As cybercriminals become more sophisticated, many specialists say that it’s not a case of if but when a cyber attack or a data breach will occur. Whether your business offers technology-based solutions to clients, or if your products and services are technology-light or non-existent, you are likely to deal with personal information from consumers and other stakeholders, as well as commercially sensitive information.
ISO 27001:2022 provides a systematic approach to protecting information assets through effective risk management, hence, implementing a Management System for Information Security will benefit organisations in any industry.
Myth #8: Small businesses have little environmental impact, so they don’t need the ISO 14001:2015 Environmental Management System Standard
The flexibility to suit businesses of any size applies to all Standards, including ISO 14001:2015. The Environmental Management System Standard isn’t based on the volume of CO2 emissions, for example, but instead aims to minimise any negative impact on the environment, helping businesses to continually improve in these areas and ensure they comply with applicable environmental laws and regulations.
Nowadays, there’s growing pressure and expectation from consumers, partners and regulators for businesses to integrate environmental and social best practices into their operations, regardless of their size. By achieving Certification to ISO 14001:2015, small businesses will not only benefit from greater operational efficiency, stakeholder confidence and improved brand reputation, but will also be prepared to grow sustainably and in compliance with future environmental requirements.
To find out how your business can set meaningful Environmental Objectives and Targets for ISO 14001:2015 requirements, you can read more here.
Myth #9: The ISO 45001:2018 Occupational Health & Safety Management System Standard is only for businesses that have high risk physical activities
Believing that the Occupational Health & Safety Management System Standard only applies to businesses dealing with hazardous activities and materials is a common misconception. Accidents happen anywhere, not only on manufacturing and construction sites. In fact, even for businesses that run 100% remote, you still have a commitment to your workers’ health and safety.
The ISO 45001:2018 standard provides a framework for businesses from any industry to manage Occupational Health and Safety risks and opportunities, eliminate hazards, and minimise risks by taking effective preventive actions to avert workers’ work-related injury and ill-health and provide a safe and healthy working environment. It also helps businesses continually improve in these areas and ensure they comply with applicable workplace health and safety laws and regulations.
Myth #10: Getting Certified requires a huge amount of documentation
This myth primarily comes from the earlier versions of ISO 9001. However, this has changed over the years to allow businesses to document their management system in a way that makes sense for how the business operates.
This allows businesses to only introduce documented information where it’s relevant and necessary for them, for example, to either mitigate risk or train their people. Exactly how this applies to your business is dictated by numerous factors, such as the size and the nature of your operations.
Use of technology such as cloud-based systems can reduce the need for documentation even further through automating repetitive and non-core tasks, and eliminating the need to have hard copy documents being updated, for example.
All myths cracked, we understand that the ISO Certification process can still sound overwhelming – and we’re here to help you! With over 16 years of experience, our Consulting team can help you achieve and maintain your Certification to one or more ISO Management System Standards.
About the author
Erica is the Managing Director of ISO Certification Experts and ICExperts Academy. She has been helping businesses with their ISO Certification needs for over 20 years. Erica is also a Certified trainer, implementer and auditor for the ISO 9001, ISO 14001, ISO 45001 and ISO 27001 standards. Erica primarily heads up the day-to-day operations of the businesses, and is also a current member of the Standards Australia Committees: QR-008 Quality Systems and ISO 9001 Quality Management Brand Integrity.
All information on this blog site is for informational purposes only. As this information is based on our professional experience, opinion, and knowledge, we make no representations as to the suitability of this information for your individual business circumstances. Especiality Pty Ltd trading as ISO Certification Experts and all related businesses and brands will not be liable for any errors, omissions, legal disputes or any damage arising from its display or use. All information is provided as is, with no warranties and confers no rights.
We will not be responsible for any material that is found at the end of links that we may post on this blog site. The advice, ideas, and strategies should never be used without first assessing your own personal business situation or seeking professional and/or legal advice. Information may also change from time to time to suit industry and business needs, requirements and trends.