The Criteria for Certification
ISO certification can provide tremendous benefits, but these are often not realised. At the centre of the problem are dishonest auditors and incompetent certification bodies. Harsh words, but unfortunately very true! Certification bodies must comply with ISO 17021 and ISO auditors must comply with ISO 19011. Unfortunately, some organisations choose to obtain their ISO certification from incompetent auditors and non-compliant certification bodies.
There are two fundamental requirements of ISO certification: the certification body must make public its criteria for certification, and the auditor must make public, prior to the audit, the audit requirements you are expected to satisfy. ISO 17021 and ISO 19011 require that this information be publicly available. Unfortunately, this does not always happen. Before you seek ISO certification, request these two documents from the certification body and the auditor respectively. If they are not available, you should be concerned, and you should change your auditors, your certification body, or both. ISO 19011 also requires that ISO auditors develop a specific audit programme relevant to your processes, your management system and your stated objectives.
Certain certifications (i.e. ISO 9001, ISO 14001, ISO 20000-1, ISO 27001, ISO 31000 and ISO 38500) require a management system, an integrated set of processes and, most important of all, a clear set of business objectives to be achieved. A fundamental requirement for ISO certification is the actual achievement of the stated objectives. The three core requirements for ISO certification are 1) agreed business objectives, 2) a management system and 3) an integrated set of processes that will achieve the stated objectives. Without these, you cannot be certified as compliant!
'Auditors' of ISO standard implementations often lack the necessary skill, and therefore the audit approach they follow is simply to examine the implemented controls, determine whether they have been documented and establish that they are working as described. For example, an ISO 27001 audit is usually (but incorrectly) based on ISO 27002, a checklist of control objectives and controls. You don't need ISO 27002 (previously known as ISO 17799) at all! What you do need are processes to achieve the stated objectives and a management system to ensure this happens. Of course controls are required, but the purpose of controls is to place the processes under control so that they achieve the stated objectives. In other words, controls mitigate the process risks.
If you do not achieve the stated business objectives of your ISO implementation, if you do not have an effective and efficient management system, and if you do not have a set of integrated processes, you are not ISO compliant. Anyone who says you are is incompetent and/or dishonest!