4 Benefits of Implementing ISO 45001 in a Small Business

Working is a part of life, but it can also be dangerous. According to the International Labour Organisation (ILO), almost 2.8 million people die every year because of their work activities – and the vast majority of these deaths are not accident-related. Instead, they are the result of long-term exposure to harmful conditions, and that’s just the beginning. The ILO says that there are roughly 374 million non-fatal illnesses and injuries attributed to work every year – issues that could largely have been prevented.

“An organisation’s activities can pose a risk of injury or ill-health, and can result in a serious impairment of health, or even fatality, to those working on its behalf; consequently, it is important for the organisation to eliminate or minimise its OH&S risks by taking appropriate preventive measures,” explains the Compliance Council. “An organisation’s OH&S management system can translate its intentions to prevent incidents into a systematic and ongoing set of processes (supported by the use of appropriate methods and tools) and can reinforce the organisation’s commitment to proactively improving its OH&S performance.”

As a business owner, you want to keep your employees happy and healthy. You can protect them with ISO 45001.

What is ISO 45001?

ISO 45001 is a management system standard that focuses on occupational health and safety (OH&S). It was created by the International Organization for Standardization (ISO).
The standard is intended for use by any organisation, regardless of size. It includes requirements for increasing worker involvement in identifying hazards as well as for complying with health and safety obligations. It takes a process-based approach to minimising and, where possible, eliminating OH&S risks. Monitoring and measurement of OH&S performance also play a role in this internationally recognised standard.

“It is hoped that ISO 45001 will lead to a major transformation in workplace practices and reduce the tragic toll of work-related accidents and illnesses across the globe,” says David Smith, chair of the project committee that created the ISO 45001 standard. “World standards’ writers have come together to provide a framework for a safer workplace for all, whatever sector you work in and wherever you work in the world.”

While ISO 45001 does not outline specific controls for managing hazards, it does provide a framework for addressing safety concerns and employee health risks from which even the smallest company can benefit. With ISO 45001, your company will be able to improve its OH&S performance while reaping several important benefits along the way including but not limited to:

1. Meeting legal requirements

Meeting compliance obligations can be a challenge. Whether the issue is health and safety legislation or sector-specific standards, there are many requirements for your company to keep track of and comply with. However, when you design your Health and Safety Management System to comply with ISO 45001, you will have a framework for meeting those compliance obligations. It can improve your ability to achieve regulatory compliance, today and going forward. As new laws are passed to protect workers, you will already have high standards in place. Demonstrating compliance then becomes a matter of small, incremental adjustments.

2. Identifying and Controlling Hazards

ISO 45001 also gives you a method for identifying and assessing hazards at your business and a process for controlling them systematically. For instance, think of your production time. When a health and safety incident occurs, the entire operation may have to be put on hold. That costs you time and money. By meeting the requirements of ISO 45001, you identify and control hazards before they cause an incident, reducing the downtime and lost revenue those issues bring.

3. Winning More Clients

Moreover, your clients will appreciate your commitment to safety. Certification to ISO 45001 demonstrates that your company has quality health and safety processes in place – and that could help you win more work.

Clients who are concerned about social responsibility and ethical operations will be impressed that your company went through the work to become certified to the internationally recognised ISO 45001 standard. Consumers, too, may be willing to pay a premium to buy from your company because of its labour practices.

4. Improved Performance

The ISO 45001 standard also helps improve health and safety performance while preventing injuries at work. Your employees will be safer, and while that is a benefit in and of itself, there is an additional opportunity here – cost savings. On-the-job injury and illness can be the basis for expensive legal issues. By protecting your people from the start, you improve your chances of retaining each employee over the long term while helping them be as productive as possible. Absenteeism often goes down when safety standards are high, as does employee turnover.

Adopting the ISO 45001 standard is one of the best things you can do for your business and your employees. By applying that framework to your operations, you can save money through reduced downtime and attract new business.

Where to start?

Purchase an ISO 45001 compliant Health and Safety Management System from ISO Templates to put your business on the path to health and safety success today.

How Can Small Businesses Mitigate Information Security Risks by Complying With ISO 27001?

Information security has taken centre stage in strategic planning for businesses of all sizes, whether you have 30 or 30,000 employees. Larger enterprises have the resources to create governance, risk and compliance (GRC) groups, but for small business owners and startup CEOs, all the responsibility for keeping information safe tends to collect at the top.

As information volumes grow exponentially, and a host of regulatory bodies revise their requirements more and more often, companies find that a growing share of their resources goes into assessing what could go wrong. Each scenario comes with its own risk and exposure profile, ranging from distracting to devastating. Malicious actors and accidental events can bring down entire networks without warning, so the most proactive IT managers have put together plans and best practices to reduce risks and speed recovery. That is where the ISO 27001 standard comes into the picture.

What is ISO 27001?

To address these proliferating threats systematically, the ISO 27001 standard was developed by a joint ISO/IEC committee of subject matter experts drawn from national standards bodies around the world. ISO facilitated this process over several years. The standard establishes the requirements for an information security management system (ISMS). It was first published in 2005 and revised in 2013, so at the time of writing the current edition was ISO/IEC 27001:2013 (a further revision, ISO/IEC 27001:2022, has since been published; the clause structure is similar, but the Annex A control set was reorganised).

Implementation of an ISMS preserves the “confidentiality, integrity and availability” of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

Let’s look at each of those three terms individually in the context of this standard.

Confidentiality — Customers and partners need assurance that their private information will not be shared inappropriately or left exposed, whether in poorly secured software or in unattended physical locations.

Integrity — This refers to the accuracy and completeness of information. Accounting records maintained in software such as Xero need to have their integrity preserved for tax purposes and general business management so that reports are accurate.

Availability — Just as a bank customer expects access to their own money, authorised users need timely and reliable access to the information they share, including the ability to amend, update or delete it when required.

Why would a small business need ISO 27001?

Within two years of the introduction of these guidelines, more than 30,000 businesses of all sizes worldwide secured their ISO 27001 certification. It has become even more valuable for small businesses recently as they seek ways to comply with legislation such as the Privacy Act in Australia or the General Data Protection Regulation (GDPR) in the European Union. Certification also makes sense given the range of threat sources small businesses face, including but not limited to:

  • Hackers – motivated by challenge, ego, status or money
  • Computer criminals – motivated by destruction of information, illegal information disclosure, monetary gain or unauthorised alteration
  • Industrial espionage – motivated by competitive advantage and economic espionage
  • Insiders – motivated by curiosity or monetary gain
  • Disgruntled ex-employees – motivated by anger and frustration

ISO describes the standard as a “systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.”

What risks do small businesses face that ISO 27001 could help with?

Today the biggest threats to private information assets come from phishing, fraud, loss of devices and data, and ransomware attacks that block access to vital business systems. Accenture’s annual cost of cybercrime study found that companies around the world lose about $2.4 million per attack on average and spend 50 days or more recovering. Costs have increased by 62 percent over the past 5 years. The study also showed that smaller companies pay about four times more per employee per attack, because the costs cannot be spread across a larger number of cost centres.

One of the biggest information security risks for a small company is a lack of attention to hard copy documents. The ISO 27001 standard applies to information in physical form just as much as to digital assets (the 2013 edition’s Annex A includes a clear desk and clear screen control, A.11.2.9, for exactly this reason). What often happens is that workers print out documents and leave them in public areas or on their desks, where the information is exposed to visitors, contractors and cleaning staff, people who may not be bound by any confidentiality agreement with your company.

Another major risk factor is removable media. USB sticks, external drives, digital cameras, Wi-Fi transfers and Bluetooth-enabled devices are all channels for copying information assets off your systems, for introducing malware, and for giving malicious code a path onto your network. Informal, undocumented practices will not protect a business from financial losses and legal exposure; a defined policy for removable media (Annex A.8.3 in the 2013 edition), backed by technical restrictions and audited as part of the ISO 27001 framework, will.

What does ISO 27001 address?

The standard is designed to protect the confidentiality, integrity and availability of:

  • Employee records
  • Configurations of technology assets (for restoration)
  • Information in internal communications
  • Customer information
  • Location of your assets, physical and digital
  • Project tenders
  • Product development plans
  • Financial information

Protecting some of this information is required by law, and losing it would expose your company to legal challenges. The 2018 Cost of a Data Breach study (Ponemon Institute for IBM) put the cost of a breach at roughly $40 million for every 1 million records lost, and attributed nearly all of those large breaches to criminal or malicious attacks.

Where should you start to comply with ISO 27001?

Even if your organization is not planning on seeking out certification in ISO 27001 standard, you owe it to your customers and other stakeholders to protect their information to the best of your ability.

Best practices recommend you should:

  • Purchase an Information Security Management System from ISO Templates.
  • Look for the highlighted prompts in the template documents to add company-specific information such as logos, name, addresses and change any requirements that won’t be able to be implemented.
  • Follow the steps on the implementation plan provided with the Information Security Management System.
  • Complete the Inventory of Assets including the valuation of the assets.
  • Complete the Statement of Applicability, recording for each of the 114 Annex A controls (ISO/IEC 27001:2013 numbering; the 2022 revision restructures them into 93) whether it applies to your business, why, and whether it is implemented.
  • Complete a risk assessment and treatment plan in accordance with the detailed steps in the Risk Management Procedure using the Information Security Risk Register.
  • Conduct information security awareness training using the PowerPoint template provided.
  • Keep refining and improving your information security as new threats emerge, or move on to a certification audit by an accredited third-party certification body (ISO itself does not certify organisations).
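The asset inventory, risk assessment and Statement of Applicability steps above fit together as one calculation, so here is an added worked example of that calculation in Python. It is not code from the original page or from ISO Templates. ISO/IEC 27001 requires a risk assessment and treatment process but does not prescribe a scoring scale; the 1 to 5 scales, the risk appetite threshold, the sample assets and risks, and the control IDs (taken from the Annex A numbering of the 2013 edition) are this example's own assumptions.

```python
"""Minimal ISO 27001-style risk register and Statement of Applicability.

Added example; the scoring scale, threshold and sample data are assumptions,
not something the standard prescribes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: int  # 1 (public) .. 5 (highly sensitive)
    integrity: int        # 1 .. 5
    availability: int     # 1 .. 5

    @property
    def value(self) -> int:
        # The asset value is the highest of the three CIA ratings: an asset
        # that is public but must never be altered is still high-value.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int                              # 1 (rare) .. 5 (almost certain)
    impact: int                                  # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # Annex A IDs, 2013 numbering
    reduction: int = 0                           # likelihood points the controls remove

    def inherent(self) -> int:
        """Risk score before any controls are applied."""
        return self.asset.value * self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score after the selected controls; likelihood never drops below 1."""
        return self.asset.value * max(1, self.likelihood - self.reduction) * self.impact


RISK_APPETITE = 30  # assumed: residual risk above this must be treated, not accepted


def treatment(risk: Risk) -> str:
    """Choose a treatment option from the residual score against the appetite."""
    r = risk.residual()
    if r <= RISK_APPETITE:
        return "accept"
    if r <= 2 * RISK_APPETITE:
        return "mitigate"          # add or strengthen controls
    return "transfer_or_avoid"     # insure, outsource, or stop the activity


def statement_of_applicability(risks, all_controls):
    """Mark each Annex A control applicable or not, with the justification an auditor asks for."""
    soa = {}
    for control in all_controls:
        threats = sorted({r.threat for r in risks if control in r.controls})
        if threats:
            soa[control] = ("applicable", "treats: " + ", ".join(threats))
        else:
            soa[control] = ("not applicable", "no risk in the register requires it")
    return soa


# Constructed sample inventory and register (assumptions, not real data).
CUSTOMER_DB = Asset("customer database", "ops lead", confidentiality=5, integrity=4, availability=4)
TENDER_DOCS = Asset("printed tender documents", "sales lead", confidentiality=4, integrity=3, availability=2)

REGISTER = [
    Risk(CUSTOMER_DB, "ransomware", "no tested offline backups", likelihood=4, impact=5,
         controls=["A.12.2.1", "A.12.3.1"], reduction=2),
    Risk(TENDER_DOCS, "disclosure by visitor", "documents left on desks", likelihood=3, impact=3,
         controls=["A.11.2.9", "A.7.2.2"], reduction=2),
    Risk(CUSTOMER_DB, "data exfiltration via USB", "removable media unrestricted", likelihood=3, impact=5,
         controls=["A.8.3.1"], reduction=1),
]
# A small subset of Annex A (2013) used to illustrate the SoA; A.14.2.7 is outsourced development.
ANNEX_A_SAMPLE = ["A.7.2.2", "A.8.3.1", "A.11.2.9", "A.12.2.1", "A.12.3.1", "A.14.2.7"]


def register_summary(risks=REGISTER):
    """Rows for the risk register: asset, threat, inherent, residual, treatment."""
    return [(r.asset.name, r.threat, r.inherent(), r.residual(), treatment(r)) for r in risks]


if __name__ == "__main__":
    for row in register_summary():
        print("%-26s %-26s inherent=%3d residual=%3d -> %s" % row)
    for control, (status, why) in statement_of_applicability(REGISTER, ANNEX_A_SAMPLE).items():
        print(f"{control:10} {status:15} {why}")
```

Run as a script it prints the register and the SoA rows. The point of the residual column is the treatment decision: the ransomware and USB risks stay above the assumed appetite even with their controls, so the plan must add more (for example, tested restores and a technical block on USB mass storage), while the clear desk risk falls low enough to accept.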

On the other side of ISO 27001 compliance

Small businesses can benefit greatly from the authority conferred by ISO certification in information security. Compliance with ISO 27001 through the implementation of an ISMS preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. Once your company is certified or at least compliant with the ISO 27001 standard, you benefit from better communications using secure channels, lower risk exposure, stronger trust from internal/external stakeholders and a substantial competitive advantage over less secure peers in the market.

What Are the Steps to Achieve ISO Certification?

The first step in certifying your business is recognising that there is no single right way to prepare. There are many paths to getting your management system ready, but only one process for actually achieving certification: an audit by an independent certification body.

Certification processes can be as unique and individual as a set of company goals or mission statements. There are many management system standards within the ISO constellation, including those for quality management, environmental management, health and safety management, information security management and business continuity. The most widely adopted is ISO 9001, which sets out the requirements for a quality management system so that your products or services consistently meet customer and regulatory requirements.

What is ISO certification?

Certification is simply the process of verifying that your company has met an internationally agreed standard in your field. ISO itself does not certify any businesses. Its role is the development and agreement of international standards. Independent third parties conduct the certification audits and issue the final certificates.

ISO does, however, set the rules for how certification is done, through its Committee on Conformity Assessment (CASCO). The standards CASCO produces (for management system certification, ISO/IEC 17021-1) define how a certification body must be structured, how it must protect its impartiality and how it must conduct audits.

What is a certification body?

ISO is made up of national standards bodies, one per member country (162 at the time this was written). Certification bodies are separately accredited by national accreditation bodies, and those accreditation bodies cooperate, and recognise each other’s accreditations, through the International Accreditation Forum (IAF).

Accreditation is not legally required for a company to conduct audits, and lack of accreditation is not in itself a sign that a certification body is disreputable, but it does matter: a properly accredited body has been independently assessed against the CASCO standards, and a certificate from an unaccredited body may not be recognised by your customers or by tender requirements.

How do you select the right certification body?

The ISO recommends three steps in choosing the certification body that is right for your company:

  • Start with your country’s IAF members and signatories. Certification bodies accredited by an IAF member come with the assurance of independent assessment.
  • Make sure the certification body uses the relevant CASCO standards.
  • Compare several bodies against each other based on your timeline and the needs of your business.

The comparison step can be the most time-consuming and complex, but you can simplify it by charting out your top criteria. Cost will certainly be a factor, but make sure the certification body is forthcoming with all the costs, including the initial assessment, the surveillance visits, certificate transfer fees, additional hourly management fees, and any miscellaneous costs.

What is involved in achieving ISO certification?

There are two essential stages that all companies go through: a gap analysis and system build-up, then the certification audit. It may seem efficient to have one firm do both, but accreditation rules do not allow it.

The certification audit is conducted by an independent third party known as a Conformity Assessment Body (CAB), accredited by an IAF-member accreditation body. A CAB can only conduct the third-party certification audit; to preserve its impartiality it is not allowed to consult on or help develop the management system it will later certify. For the preparation side, a management system template can be purchased through ISO Templates, or you can engage a consultant to manage the process on your behalf. Compliance Council, ISO Templates’ sister company, is one such consultancy.

When the audits are complete, the CABs can issue a registered certificate of compliance to the specified ISO standards.

Stage 1 – Document Review

The purpose of the stage one assessment is to evaluate your management system documentation, including policies, processes, management review records, scope and context as well as system implementation. It sets the foundation for the stage two audit.

Stage 2 – Implementation Audit

The stage two assessment is the final step of the initial certification process. To achieve certification, auditors need to verify that the requirements of the standard, as documented in your system, are implemented across the business. They will visit your offices and premises and hold discussions with relevant individuals in your business. The aim of the stage two assessment is to verify that you are doing what your system documentation says you do, so that your management system is assessed and verified as implemented.

What do you get when you have achieved ISO certification?

The most important outcome is that you will be issued a certificate confirming the scope of certification, the date of issue, the name of the standard the organisation is certified to, the expiry date and so on. This certificate can help your business compete more effectively and opens up the possibility of partnering with government organisations or larger enterprises. The business improvements driven by the certification process will also have ripple effects on your performance metrics.

At this point, you will need an effective change management programme to communicate to workers how critical it is to document their processes and not to create shortcuts outside the formal process for changing task definitions. This implies a robust document version control system that retains superseded procedures for the record while making sure that only the current version is available to workers doing their jobs or learning new ones. If not, you could lose certification at the next surveillance audit.

How do you maintain ISO certification?

Once a year for the first three years after you are ISO certified, your chosen certification body will conduct a surveillance audit to assure that systems are working as designed and in compliance with ISO standards.

The surveillance audit is shorter than the initial duration of Stage 1 plus Stage 2 combined, as it involves only auditing some sections of the standard. Over the three years the whole standard will be covered incrementally again through the surveillance audits.

At the end of three years, you will be required to go through a recertification audit to reassess your growth and past performance. The recertification audit is longer than a surveillance and involves going through all clauses again. This should be planned and conducted at least three months before the certification end date to give you time to address any non-conformities that may arise.

After the recertification audit a new certificate is issued to cover you for another three years, then the surveillance cycle starts again with annual audits. This cycle will continue for as long as the company has certification.

The Age of the Customer

In a world where disruption can literally come from anywhere – around the world and cross-industry – ISO certification can serve as defence against the storms. Customers are looking for ISO certified businesses because it indicates the company has achieved a certain level of proactive planning and attention to continual improvement. Customers control the information flow today, which also puts them in control of the sales cycle. The companies that have realigned their processes around a customer-centric value chain are taking the lead in every industry. It all starts here.

3 Reasons Why a Small Business Should Comply with ISO 9001

No matter how large or small your business may be, productivity is key to using all of the resources you have available to you. You want to be able to do more with less, reduce waste in your processes, and ensure that your customers are receiving the highest quality you can deliver. From your product integrity to the way your customers are serviced, having policies and procedures in place can act as a guiding reference to achieve those higher levels of productivity.

ISO 9001 can help you get there. It is a set of requirements with which an organisation should comply to achieve best practices and establish processes for continual improvement. One of the ways that organisations meet the requirements of the standard is by developing and implementing policies and procedures.

What is ISO 9001?

ISO 9001 is a quality management standard – and it is a popular one. More than one million organisations around the world have been certified to ISO 9001, which is published by the International Organization for Standardization (ISO).

ISO 9001 is a set of quality management principles. Having a strong customer focus is included as is the importance of following a process and continually improving the flow of those procedures. The idea is to help make sure that your customers receive consistent quality and service at every transaction or interaction with your company.

To achieve the standards set out by ISO 9001, you will need to do a series of audits to make sure that your company’s performance is up to par, some internal and some led by an outside group. Note: When you are ready to become certified, you will need to contact an independent certification body. ISO only created the standards. They do not provide certification.

Reasons Why a Small Business Should Comply with ISO 9001

Getting certified as ISO 9001 can be a big help to your business, even if it is a very small one. The ISO 9001 certification is your signal to your customers, competitors, and the market at-large that you are committed to delivering quality products and services – and with that comes certain advantages.

1. Process Framework

One of the most vital reasons why a small business would want to follow ISO 9001 is the quality management system (QMS) framework it provides. “Standards make market access easier, in particular for SMEs,” explains Jens Albens, CEO of Germany-based Nanotron Technology Ltd. “They can enhance brand recognition and give customers the guarantee that the technology is tested and reliable.”

2. Cost Reduction

In addition, following ISO 9001 could help you reduce costs. This happens in a couple different ways. Most notably, by reducing waste and error in your processes, you can actually do more with less and with fewer returns, scrap, and mistakes. Over time, your cost savings can be considerable.

In turn, this can lead to greater customer loyalty and repeat business. When your customers know that you follow ISO 9001, they can have more confidence that your products will consistently meet their requirements than if you had no such framework in place. ISO 9001 certification signals that your quality is reliable.

3. Market Share

Finally, by having ISO 9001 certification, you may be able to work with companies in different markets and of greater scale than you may have been able to otherwise. “An independent verification of your internal QMS demonstrates a commitment to quality, customer service, and continuous improvement,” explains UK-based Talk Business. “ISO 9001 is an internationally recognised standard that speaks the language that businesses understand. It gives stakeholders confidence in your business’ ability to deliver.”

What Does ISO 9001 Address?

ISO 9001 “promotes the adoption of a process approach when developing, implementing and improving the effectiveness of a quality management system, to enhance customer satisfaction by meeting customer requirements,” explains ISO. The standard “specifies requirements for a quality management system.” This includes competence of employees, the ways in which customer complaints and feedback are handled, communications with customers and internally, monitoring performance, traceability, resources, and much more.

Ultimately, the ISO 9001 standard is all about creating a measurable and specific process for everything and continually improving that system. The process approach helps companies to more effectively integrate their different systems and divisions so that the company as a whole communicates well and uses resources as efficiently as possible. It also involves making sure that management is focused on process improvement and that employees are engaged in focusing on the customer and building relationships.

Where to Start Complying with ISO 9001?

You can start complying with the ISO 9001 standard by examining its requirements and seeing where your company stands in comparison. This process is called a “gap analysis” because it helps you see what “gaps” you have in meeting the ISO 9001 standard. After that, it is generally a good idea to work with a consultant who specializes in ISO certification. He or she will help you better understand your company and the processes it needs to have in place in order to meet the standard and eventually earn certification. Together, you can write down how the process should look and create the system documents that will help guide your operations towards ISO 9001.

ISO 9001 is a powerful tool for helping your small business succeed, so why wait? Take action today. ISO Templates can help your company work towards the standard with document templates that you can modify and implement in your own business.