Demystifying ISO Compliance

May 30, 2018
How are ISO standards used and what you need to know to establish your organization's ISO standards.

In 1946, the 25 countries who sent delegates to London to attend the Institute of Civil Engineers decided to establish a new organization. The new organization, called International Standards Organization (ISO), would create and combine industrial standards.

Since then, ISO certification has been used to provide potential customers with organization’s conformity via independent validation. Security experts recognize compliance and security does not mean the same thing or automatically work together. Customer fear, as they notice more data breaches, make them more critical of technology when forming mass transit business partnerships. Thus, ISO compliance offers these new clients new ways to measure future customer satisfaction via mass transit organization’s controls.

ISO standards impact the mass transit and other industries. These industries don’t use the penalties established in regulatory requirements. However, meeting these regulatory requirements offer an IT business the opportunity to align itself with many of the regulations. For mass transit companies looking for IT programs, they have three ISO standards to assist compliance: ISO 9001, ISO 27001 and ISO 31000.

The ISO 9001 supports an IT program trying to become ISO 27001 and 31001 certified because it specifies requirements for quality management system, or QMS. QMS document the procedures, processes and responsibilities over the control and quality objectives.

The management standard of ISO 9001 focuses on a workflow that incorporates building, designing, controlling, reviewing and improving. ISO 9001 audits combine three types of review: system, product and process. The long list of documentation needed includes non-mandatory and mandatory information. For example, the list of mandatory documents include records, control procedures, control of non-conformance procedures and preventive action procedures.

The ISO 27001 is the second type of standard. The standard established all industry requirements regarding information security management system or ISMS. It has more than 12 different standards. Those attempting to obtain ISO certification will start creating management systems.

The availability of information, confidentiality, and integrity are the primary focus of ISO 27001. It intends to provide the confidence to both downstream and upstream customers. The certification has two review stages. The first determines whether an organization’s ISMS gets the organization ready for the next stage of review. It always collects documentation.

Mass transit organizations must compile documentation to pass its initial audit stage. The type of documentation gathered includes information security policy, ISMS scope, risk treatment methodology, risk treatment plan and detailed definitions of information security responsibilities and roles.

The last standard is called ISO 31000 standard. ISO 31000 standard establishes the guidelines for participating in enterprise risk management or ERM. This ERM process requires the mass transit’s Board of Directors and executive management review the likelihood and potential of cyber threats. The identification will establish controls to decrease or eliminate the change of threats.

Any auditor assessing the adequacy of ERM for certification is required to document that management did participate in the approaches such as the maturity model approach, principles of risk management approach and principles of risk management approach. Other frameworks may be used to match the ISO requirements and not just the Institute of Internal Auditors, or IIA notes.

ISO conformity is different from its certification. Conformity refers to an organization such as mass transit has decided to show its compliance to a particular ISO standard. A mass transit company can decide to incorporate ISO compliance in its business processes. Conducting internal audits and QMS are two examples of ISO conformity.

Certification indicates the mass transit company’s conformity to the ISO standards. In addition, certification proves to customers and others the mass transit organization does meet the risk assessment, QMS, or ISMS requirements the experts established. Since the ISO writes many standards, one requirement may be to indicate which ISO standard a mass transit company receives certification. For instance, instead of telling clients the mass transit company is certified, it may show which certification is, such as ISO 9001 or ISO 31000.

It is important to note ISO creates standards; it does not issue certificates or engage in the process of certifying an organization. The ISO’s Committee on Conformity Assessment (CASCO) establishes all standards related to the process of certification. This means it determines standards all third-party assessors must follow to determine whether an organization meets certification standards set by CASCO.

Another thing to mention is that ISO accreditation is different than ISO certification. To obtain ISO certification, independent third parties, called “certification bodies,” are required to view the mass transit organization’s documentation, policies and processes. When choosing one of these certification bodies, a mass transit company should pick the one that applies CASCO standards that are relevant to the organization and determine if it is credited. Non-accredited bodies can be chosen; they have not undergone independent review to prove they have CASCO standards, but they do have a capability and establish an organization’s ISO standards.

Ken Lynch is the co-founder and CEO of Reciprocity and can be reached via Twitter at @reciprocitylife or via LinkedIn at