GRC platform vendor InfoSaaS has warned: “Halt to surveillance audits due to coronavirus lockdowns set to cause thousands of ISO certifications to lapse.” For many organisations that hold ISO certifications, it is the sort of news that will cause more than a mild panic. Passing the audits and verification for ISO certifications takes a lot of time and money. For many organisations, especially data centres and security vendors, those certificates are a requirement to do business with some customers.
Peter Rossi, co-founder of InfoSaaS, said: “Across just three [ISO9001, ISO27001 and ISO45001] of the five ISO management system standards that we help organisations to achieve, an average of 2,500 UK certifications per month could be at risk of lapsing due to the break in audit activities – never mind all other ISO standards, and notwithstanding any backlog of audits, whenever they can resume at scale.”
So what is going on? Are we about to see wholesale carnage as businesses are forced to move work from suppliers who are no longer ISO certified?
The short answer is no.
UKAS guidelines risk companies facing huge costs
The United Kingdom Accreditation Service (UKAS) is the sole national accreditation body for the United Kingdom. That means what it says goes.
In its press release, InfoSaaS claims that the current UKAS guidelines have been unchanged since August 2016. It goes on to quote from those guidelines: “If [a] recertification assessment cannot be undertaken within six months [of the anniversary of the certificate being issued] the certificate should be suspended, and a new initial assessment will be required.”
The press release also issues a dire warning of financial penalties for those who are decertified. “To restore their certifications, affected organisations may incur financial costs easily three times higher than they were expecting to pay for their annual audits – plus considerably higher levels of time and resources – as well as having to remove any reference to their certifications from their websites and other collateral in the meantime.”
There is no question that the current pandemic has created problems, especially for auditors trying to get to site. With many employees working from home, remote audits seem like a solution. InfoSaaS agrees but says: “Remote audits are impossible when organisations rely on outdated approaches tools such as multiple spreadsheets, which require in-person explanation, justification and cross-reference.”
Rossi also commented: “Frankly, it’s unnecessary and inefficient for any organisation still to be using the likes of spreadsheets for this purpose. It would make achieving business compliance objectives via a modern platform even more attractive if organisations could be confident that remote audits were not only possible but preferred.”
UKAS sets the record straight
Enterprise Times contacted UKAS to ask why the guidelines hadn’t changed. It replied:
The document quoted from “Management of Extraordinary Events or Circumstances Affecting UKAS Accredited Certification Bodies and their Certified Organisations” (TPS 62) is a general publication that was published in 2016. However, since the onset of the Coronavirus pandemic, UKAS has been working as part of the International Accreditation Forum (IAF) to allow existing certificates to be maintained during the COVID-19 situation, whilst ensuring that high standards of auditing are sustained. As a result “UKAS Policy on Accreditation and Conformity Assessment During the COVID-19 Outbreak” (TPS 73) was published at the beginning of April 2020. TPS 73 reflects IAF advice on certification during COVID-19 and effectively replaces the provisions of TPS 62 for UKAS accredited Certification Bodies (CBs) in the current Coronavirus pandemic.
Clause 4.6 of TPS 73 deals with delays in recertification. (Recertification audits are carried out by CBs every 3 years and are the detailed check that the certificate holder still meets the requirements of the standard.) This states that: “Management system recertification audits are normally expected to be completed and recertification decisions made prior to expiration to avoid loss of certification. IAF ID3 allows for the extension of the certification for a period not normally exceeding 6 months beyond the original expiry date providing that sufficient evidence has been collected to provide confidence that the certified management system is effective.
“Given the unprecedented nature of the coronavirus outbreak, and the uncertainty over the potential impact this will have on the imposed time restrictions relating to travel and social contact, it is anticipated that 6 months may not provide sufficient opportunities for CBs to conclude recertification audits. As a consequence, UKAS policy for this outbreak is that the decision on recertification must be made within 3 months of the lifting of restrictions (e.g. travel) that were preventing the on-site audit taking place. However, if this timeframe exceeds 12 months then the certificate should be withdrawn, and a new initial audit will be required.”
Enterprise Times: What does this mean?
InfoSaaS is a GRC (governance, risk management and compliance) tools vendor. Its customers buy its product to ease the problems of getting and staying certified. As such, when it sends out warnings like this, both its customers and prospects will be rightly concerned.
However, it seems that InfoSaaS, having called out people for using old methods, is using old data. Worse, it is using that to spread FUD (fear, uncertainty and doubt) to promote its own software. The right advice to organisations from InfoSaaS should have been to use this time to get their house in order.
It took one phone call for Enterprise Times to establish that ISO certifications were not going to be revoked wholesale. Why did InfoSaaS not do that? Only it can answer that question.
For those worried about their ISO certifications, don’t panic: you are not about to be decertified. However, a thorough read of the “UKAS Policy on Accreditation and Conformity Assessment During the COVID-19 Outbreak” (TPS 73) is recommended.