Let me start with a small confession: I am a big fan of standardization and certifications. In my day-to-day work I often encourage and drive my organization towards compliance in the security and privacy fields, which are, in my view, key elements of growth for tech companies. Recently I led my company through a new certification achievement, ISO/IEC 27701:2019.
When it comes to the certification process, over the years I have found that the WHY of implementing a certain standard is not intuitive and is sometimes even controversial. Frequently the driver for internal stakeholders regarding #standards and #certification is “be certified because a customer demands it”, but let’s hold on a minute and think about why the customer requested it. Isn’t it better to meet customer needs with a one-time certification process instead of answering an endless list of privacy and security requirements from each customer? Why does your customer feel more comfortable working with your services when you are certified? And if your customer does feel more comfortable working with you when you are certified, why not actually embrace the process?
The following are some of my main insights regarding standards and certifications:
#1 A proper framework and guidelines enable an easier path to growth
Standards and regulations exist to set a baseline for a certain field (e.g. information security, privacy, quality assurance). Typically, the standard includes a high-level description of the processes and required controls, written so that you can customize the implementation on your end.
This is a perfect starting point for organizations that have gaps in some field and want to work according to the common baseline in the market. Organizations that have already implemented strong processes and controls will be able to earn the certification quickly.
Certification means that the framework has been properly implemented and that this has been verified by an external auditor.
#2 Ease the sales process by adhering to a highly recognizable standard
Customers will have an easier time trusting your organization and its services if the organization is certified. In this relationship the standard is shorthand for ‘audited and approved by a recognized institute’. Therefore, customers will usually reduce their own audits and control reviews for certified organizations, hence an easier sales process.
#3 Marketing and Customer Trust
Certification reflects the organization’s investment and effort in the field it is certified in. Nowadays it is common, even expected, to be certified under several different standards; however, achieving certification for a specialized, rare or high-level standard puts your organization in a bright light as having a proactive, market-leading approach.
Therefore, my advice to organizations is not to fear or postpone standardization and certification, but the opposite: set the table for growth. A smart organization should embrace the chance to measure itself against industry standards and regulations, and resource this as an integral part of its growth plan.
Most recently, I led my company through the new ISO/IEC 27701:2019 certification, a specialized privacy extension to the international information security management standard (ISO/IEC 27001).
ISO/IEC 27701:2019 is unique in that it specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a #Privacy Information Management System (#PIMS).
The adjustment for a company that was already ISO/IEC 27001:2015 compliant was mainly in the governance areas of privacy, because the information security part was already covered. Since the organization was already aligned with common privacy regulations (GDPR, CCPA, etc.), the adjustments required to achieve the new certification were minor; therefore the certification process took only half a day of audit, including a walkthrough of the organization’s legal documents, suppliers and privacy practices.
When information security and privacy are part of the organizational culture, the certification, standards and regulation process will be relatively quick and easy. Hence, I suggest taking a proactive approach: don’t wait for an audit or other compelling event to occur. Implement proper practices in your business processes as part of your day-to-day work, and audits will be as easy as pie.