Certificates, when acquired, are a thing to be proud of. At the end, we have a token that says we have a certain competency. We can hang it on a wall or on a company’s website and…
That’s it? Is this all certificates are for? If so, then why get them? Why not focus just on doing things the right way and not waste time pursuing tokens?
Because the fact that we got a certificate is not entirely why they are worth the pursuit.
They are not for showing off. They are not a result, but rather a process. And this is why it’s worth getting them. To find out from an independent, third-person vantage point if your IT delivery, your customer service, your manufacturing process are as good as you want them to be, and if they adhere to widely recognised standards. To define your business objectives. To find out how and where you can keep improving.
The certificates are not a one-off exercise – to keep them, you need to continually pass independent assessments.
As Objectivity, we take special pride in having three certifications:
- ISO 9001:2015
- ISO/IEC 27001:2013
- Cyber Essentials
We could mention more, but let’s focus on the above to find out how getting them helps you improve as a company.
ISO 9001 is a quality management system (QMS). A QMS is a framework of processes used to ensure that an organisation can meet the requirements of its customers and achieve its objectives.
ISO 9001 sets out requirements for an efficient QMS. ISO 9001 doesn’t specify the objectives to be achieved by a given company, nor does it try to presume what customer satisfaction is. It can be used by an IT company, a retail business, a hotel, and even by a grade school. Essentially – it gives a framework to define these components that are key to the success of every business. In more detail, ISO 9001 helps you define:
- The people affected by your business and what their expectations are. By extension, you define your objectives and business opportunities.
- Your customers. You know their needs, therefore you start putting them first.
- Your processes. They are aligned with your goals and understood by everyone in your company. This increases productivity and efficiency.
- Risks. What are they? How can you prevent them? Also – what opportunities are available?
- Leadership engagement. All leaders in an organisation must be on board for ISO 9001 to work.
There are many more fine-grained aspects that ISO 9001 helps you define and address, but the main point is: it gives you a framework to precisely define your objectives and ways of improving your operation.
A company can introduce ISO 9001 without getting the certificate; certification is not required. So why get it? Because in the process of being certified, an independent reviewer checks if the framework is implemented correctly. Also, some clients and sectors require the companies they work with to have ISO 9001 certification.
ISO/IEC 27001 is a set of requirements for an efficient information security management system (ISMS). An ISMS is an approach to managing sensitive company information so that it remains secure. It includes people, processes, IT systems, financial information and intellectual property.
To implement this standard, the framework states that:
- The company’s management must systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts.
- A company must have in place a coherent and comprehensive process of dealing with risk regarding information security.
- A company must adopt a management process that makes sure the information security controls are effective.
In a nutshell, ISO/IEC 27001 allows you and your clients to be sure that there is a set of processes guarding vulnerable data. In an age of information, when dealing with sensitive data of your clients (and by extension – with their trust) – this is important.
The Cyber Essentials scheme nicely complements the ISO/IEC 27001 framework. While the framework deals with the security of all information, Cyber Essentials allows you to be sure that you “protect the confidentiality, integrity and availability of data stored on devices which connect to the Internet.”
To get the Cyber Essentials certificate, a company must ensure that five technical control themes provide a proper level of security:
- Secure configuration
- User access control
- Malware protection
- Patch management
The process can help you define and fix gaps.
The certificates are not a miracle cure for the troubles that a business may face, and the independent auditors are not business consultants who will guide you to success. Also – introducing a certifiable framework is hard work; all people in the company must eventually end up on the same page when it comes to a certain way of working.
And exactly because certificates give you frameworks, not working solutions, and because introducing those frameworks is hard work – it’s worth it. If a framework is to be successful, it must be rooted in the company’s culture.
It is true that some clients and sectors require you to have a certain certification. But they do so because a successfully implemented framework guarantees your work to be efficient.
Having various certificates allows you to make sure that you have taken care of different aspects of your operation. Which certificates are best for your company is your decision. However, getting them is worthwhile because what is defined can be improved.