How will COVID-19 affect your ISO certifications?

Allowing your ISO certifications to lapse can lead to high re-certification costs and breach of contract; negatively impacting your business and client relationships.


The COVID-19 pandemic has caused many interruptions to business, including the inability to conduct re-certification audits. Even though the UK’s national accreditation body UKAS permits an extension during times of pandemic, this has left many organisations in a precarious situation.

Thankfully, lapsing ISO certifications isn’t happening on a large scale just yet. This is in part down to the provisions of TPS73, a policy UKAS brought out due to COVID-19, which allows for audit deadline extensions of up to 12 months.

For those whose audits were due back when Coronavirus first hit the UK, this means they have a buffer zone of another six months – and these are likely to be needed. This is because many organisations are choosing to continue with remote work practices, making it currently impossible for certification bodies to go on-premise and undertake necessary audits in the classic fashion.

But even those that have re-opened their workplaces aren’t out of the woods; there may still be a long wait as certification bodies try to catch up on a backlog of audits caused by the lockdown. Furthermore, the virus hasn’t disappeared, and we don’t know how much it could affect us going forward.

“How long might the situation last? I don’t know. Spanish Flu caused disruption for two years and its second wave was horrific compared to the first. It’s unappealing to think in such terms, but things could get worse before they get better,” notes Peter Rossi, co-founder and COO of InfoSaaS.

The risks of lapsed certification

Those businesses that don’t complete the necessary audits in time will be required to apply for re-certification, something that can cost three times more than annual auditing fees. But the cost of re-certification shouldn’t be the biggest concern, warns Scott Nicholson, director at Bridewell Consulting; it’s the various risks that come from letting a certification lapse.

“Being ISO certified may be essential to many businesses’ contractual obligations, as it provides clients with the assurance that a management system is in place and assessed independently against an international framework. Therefore, allowing a certification to lapse could mean contracts are breached. This could negatively impact reputation and client relationships, and risk companies losing new business from prospects who’re seeking a partner that’s not just gained certification, but managed to maintain it too.”

Is remote auditing the answer?

But things aren’t as fatalistic as they may seem. The certification industry has been working hard to find ways to handle this unprecedented situation. There’s the ability to extend the validity of certifications when necessary, and the International Accreditation Forum (IAF) also published guidance around off-site audits.

“We’ve been auditing through the pandemic and the majority of our assessments have been delivered using ICT,” says Nonn Reynolds, EMEA head of compliance and accreditation at BSI. “We’ve been working closely with our clients to agree the protocols for sharing information during assessments to ensure both parties are confident in the information security arrangements.”

Although remote auditing is a useful option it’s not always possible, and there have been questions around its efficacy.

“There are questions to answer about how effective they are in comparison to on-site audits, where auditors like to test business processes from the moment they arrive, like trying to gain access to an office by flashing a piece of toast at a security guard, or tailgating someone into the office. These sorts of things are hard to assess remotely,” says Rossi.

This purely focuses on what the certification bodies are doing, however. There are potential issues for companies that may have been forced to place compliance and audit staff on furlough, or even had to make people redundant.

“The result is that some of these companies may not be in a position to be audited,” Rossi highlights. “Another likelihood is that with the wholesale shift to remote working, many companies will have undergone a dramatic, virtually overnight shift in their working practices and the tools they use. Will their compliance teams have fully worked out new policies and procedures and risk assessed accordingly?”

Again, the certification bodies are aware of these issues and doing what they can to mitigate problems. For a very small proportion of BSI’s ISO27001 clients, for example, it has extended the validity of their certificates without conducting audit activity. “This decision has been taken on a case-by-case basis following a documented risk assessment and in line with IAF guidance,” says Gigi Robinson, EMEA product champion – information security and business continuity at BSI. “Typically, these clients are closed with no staff attending site, staff are furloughed and the past performance of the client gives us confidence in their management system.”

What might the future of certification look like?

Some certification bodies have begun to return to clients’ sites when requested, and when they’re satisfied that adequate control is in place. However, remote auditing looks set to continue for some time – Rossi believes in much the same way as remote working has become normalised, so will remote auditing. “Because of this I would expect a significant increase in the rate at which traditional approaches to compliance – spreadsheets and documents – are superseded by cloud-based platforms and software solutions,” he says.

Therefore, the certification bodies are advising companies on the ways they can prepare for the changes taking place.

“I would urge companies to focus on ensuring they proactively capture evidence to aid the audit process,” says Nicholson. “With on-site audits it can be common for the auditor to decide who they should engage with in the business and who should drive the audit. Obviously, this is difficult during a remote audit and to counter this the business should ensure it understands the areas being assessed and identify the individuals who are responsible for each audit area. Those representatives should then be made available to the auditors throughout the assessment, ensuring they have appropriate access to evidence and systems to demonstrate control effectiveness.

“The physical security of the business is another area that’s harder to assess remotely. Businesses really need to emphasise the policies, processes, awareness initiatives and training to demonstrate their commitment to physical security as clearly as possible,” he concludes.