The creators of isology®

isology® is a world-leading proven step by step roadmap to achieve ISO certification.

Implemented for over 600 organisations with a 100% success rate, we take you from the planning and creation of your bespoke ISO System though to certification with our 7 step process.

There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached.

It has become clear in recent years that information security isn’t just a ‘nice to have’, it’s a necessity to ensure you and your client’s data are protected. Which is especially the case for those processing personal and financial data, such as today’s guest, Mintago.

In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard.

You’ll learn

  • Who are Mintago?
  • Who is Tom Catnach?
  • What was the main driver behind achieving ISO 27001?
  • What was the biggest ‘gap’ identified in the Gap Analysis?
  • What have they learned from the experience?
  • What are the benefits of certification to ISO 27001?
  • What does the threat horizon for information security look like?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification.

[02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including:

  • Finding lost pension pots
  • Help to save money through finding discounts
  • Retirement planning
  • Offering various salary sacrifice products
  • Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings
  • Helping people to be more financially literate

[05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer.

Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001.

Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights.

[06:30] What was Mintago’s main driver to Implement ISO 27001?: Mintago, and most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure it’s security.

Mintago were looking for a robust framework to base their Information Security around, and what better option that the leading Information Security Standard, ISO 27001.

ISO 27001 also offers the assessment of general business practice and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training ect to roll out to new hires as they expand.

[08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data.

ISO 27001 can be compared to the likes of Bcorp as it’s an on-going process. It doesn’t just stop at getting the certificate, you have annual surveillance to ensure you are still compliant year on year.

[10:15] What was the scope of Mintago’s certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service.

This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification.

That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they’re ready.

[11:50] How long was Mintago’s certification journey?: They started their journey in September 2023, in fact it was Tom’s first project with Mintago!

Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified.

Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while your agile so that your management system grows with you.  

[14:25] What was the biggest ‘gap’ identified at the Gap Analysis?  Mintago are lucky in the fact that they are a new business so are using modern tech, and don’t have the burden a larger site or other physical elements such as rack mounted servers.

However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance.

There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place.

[16:35] Did Mintago experience any significant barriers in addressing identified gaps?  Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to.

One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management Solution (MDM), antivirus and anti-phishing in place.

When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software.

[18:45] Engagement is key –  Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security.

Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This was benefitted from a top-down initiative via their ‘C-Suite’.

Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that’s something that people would want to engage in.  

It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online.

[23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? –  The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as:

  • How do we recover from that scenario?
  • Are we 100% confident in our back-ups?
  • Will they work near instantaneously?
  • What’s Mintago’s availability like in that scenario?
  • How do we prevent disruption to our clients during that scenario?

So, while they did have back-ups they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system.

In regards to threat horizons, Mintago do practice OWASP and keep the team informed via e-mail, newsletters and GitHub repositories.

[25:00] Internal Auditing – A beneficial tool –  Tom found the internal auditing process to be very beneficial for Mintago, currently they do a few monthly on average.

Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve wracking for Stage 1 and 2 as they would determine if they would be certified.

Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.

[27:20] Minor Non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true!

If an Assessor is comfortable that you are in a good position for certification, they will recommend you.

ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits.

[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:

Internal Stakeholders – The Team worked hard to achieve the Standard and have embraced it’s core qualities to the benefit of their own Information Security practices.

Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security.

Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.

[31:10] Any concerns on the threat horizon?:  As the Information Security Officer, Tom is concerned about new emerging trends in AI led scams. They’re going to be a lot more sophisticated and harder to spot and deal with.

Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident.

However, with ISO 27001 Mintago are in a good place to keep on-top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security.

[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place.

If you would like to learn more about Mintago and their financial services, check out their website.  

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Greenhouse Gas (GHG) accounting has become increasingly important in recent years due to the demand for more environmental accountability.

Whether by choice or due to legislation or mandatory Government led schemes, organisations need to able to effectively calculate their current impact before they can the right steps to reduce and offset the remaining emissions.

There are a lot of different routes to take, and some may look so similar that you have to squint to see a difference.

In this episode, Mel Blackmore breaks down the similarities and differences between the leading GHG emission reporting frameworks, ISO 14064-1 and the GHG Protocol Corporate Standard.

You’ll learn

  • What are the 2 leading GHG accounting frameworks?
  • What are the similarities between the GHG Protocol and ISO 14064?
  • What are the differences between the GHG Protocol and ISO 14064?
  • Reporting on indirect emissions
  • Choosing the right framework
  • How can the GHG Protocol and ISO 14064 complement each other?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:30] Episode summary: Mel will look at the similarities and differences between the 2 leading GHG emissions reporting frameworks, the GHG Protocol and ISO 14064-1:2018.

[02:20] What are the 2 leading GHG accounting frameworks? – Greenhouse gas (GHG) accounting has become increasingly important for organisations seeking to manage their environmental impact and contribute to climate change mitigation efforts. Two prominent frameworks guide this process: ISO 14064-1:2018 and the GHG Protocol Corporate Standard.

Climate change concerns necessitate robust methodologies for quantifying and reporting organisational GHG emissions. Standardised frameworks offer a transparent and reliable approach for organisations to measure their impact and contribute to environmental sustainability goals. This article examines two leading frameworks: ISO 14064-1:2018 and the GHG Protocol Corporate Standard.

[06:10] What are the similarities between the GHG Protocol and ISO 14064? – GHG Scope Definition: Both frameworks categorise emissions into three scopes: Scope 1 (direct emissions from owned or controlled sources), Scope 2 (indirect emissions from purchased electricity, heat, or steam), and Scope 3 (other indirect emissions throughout the value chain).

In general, the GHG Emissions covered in the GHG Protocol Corporate Standard conform to ISO 14064-1 if significant Sope 3 GHG emissions and GHG removals are both considered.

Quantification Principles: Both emphasize the importance of accuracy, completeness, consistency, transparency, and relevance when quantifying emissions.

GHG Reporting Boundaries: Both require clear definition of the organisational boundaries for which emissions are quantified.

GHG Inventory: Both frameworks guide the development of a GHG inventory, a comprehensive record of all organisational emissions.

[09:15] What are the differences between the GHG Protocol and ISO 14064? – Focus: ISO 14064-1 is a more procedural framework, outlining the steps for quantifying, reporting, and verifying GHG emissions. The GHG Protocol, on the other hand, offers detailed guidance on calculating emissions for various activities and sectors but lacks formal verification requirements.

Level of Detail: The GHG Protocol provides a more comprehensive and detailed approach, including calculation methods, guidance on emission factors, and best practices. ISO 14064-1 offers a less prescriptive approach, allowing organisations to choose calculation methodologies based on their specific needs.

Avoided GHG Emissions: The concept of avoided GHG emissions is not addressed in ISO 14064-1.  However, the GHG Protocol Corporate Standard addresses the quantification of avoided emissions, which are required to be reported separately.

Verification: Verification by a third-party verifier is optional under the GHG Protocol but mandatory for organisations seeking public disclosure or certification under ISO 14064-1. Verification enhances the credibility and reliability of reported emissions data, this could be to schemes like EcoVadis.

Value Chain Emissions: While both frameworks acknowledge Scope 3 emissions, the GHG Protocol offers a dedicated standard – the Corporate Value Chain (Scope 3) Standard – providing specific guidance on quantifying these emissions.

Addressing GHG Emissions and Removals: ISO 14064-1 clearly address GHG emissions and removals for each  category and removals are therefore an inherent part of the GHG quantification. The guidance in the GHG protocol is not as clear but allows for the reporting of removals separately from GHG Emissions.

[13:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[17:05] Reporting on indirect emissions:  The main challenge for organisations is the reporting of indirect emissions (Scope 3), often leading to confusion based on a lack of clarity and understanding of how granular the data needs to be, combined with challenges extracting data from third-parties. 

ISO 14064-1 is very clear regarding which Scope 3 emissions are to be included, whereas the GHG Protocol standard maybe viewed as more open to interpretation.

In contrast, GHG Protocol standards require the inclusion of Scope 2 (indirect emissions from purchased energy); the inclusion of other indirect GHG Emissions under scope 3 is optional.

The GHG Protocol standard is referred to in various GHG reporting and disclosure initiatives whose requirements for the reporting of the Scope 3 emissions vary.  Whereas ISO 14064-1 has been created and approved by representatives from 61 nations to determine a specification for Scope 3 emissions reporting.

[20:30] Choosing the right Framework: The choice between ISO 14064-1 and the GHG Protocol depends on an organisation’s specific needs and goals. Here are some considerations:

  • Is there a need for Verification? i.e. is it a mandatory requirement
  • What level of detail is required? If a detailed approach with extensive calculation guidance is preferred, the GHG Protocol might be more suitable.
  • Resource availability – Do you have the resource to do this yourself or will you need a helping hand?
  • Disclosure reporting requirements – check what you need to comply with as this could determine which framework you use.

[23:30] How can the GHG Protocol and ISO 14064 complement each other? –  This podcast may have you thinking that it has to be one or the other, but in actuality the two frameworks can be used together effectively. Organisations can utilise the GHG Protocol’s detailed guidance to develop their GHG inventory and then follow ISO 14064-1’s process for verification and reporting.

If you would like some help with GHG reporting or Verification, please get in touch with Carbonology.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ESG is a very broad topic to try and address for any organisation, leaving many scratching their heads on where to start with ESG reporting.

Currently, there is no official certification for ESG, however there are a number of schemes that will give you either a score or rating for your level of compliance against their requirements.

For those currently working towards one of these schemes, you may already have a solid foundation in place if you’re certified to one or many ISO Standards.

In this episode, Ian Battersby and Ali Henshaw discuss ESG compliance and how elements of an ISO Management system can help with ESG reporting.  

You’ll learn

  • What is ESG?
  • Is ESG reporting required?
  • Is ESG a nice to have or good solid business practice? 
  • Is ESG certifiable?
  • How can ISO Standards help to address the 3 pillars of ESG?
  • How ESG compliance helps to combat Greenwashing

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:00] Episode summary: Ian and Ali will be discussing how ISO Standards can help with ESG reporting.  

[02:20] What is ESG? – ESG stands for Environmental, Social, and Governance. Analysis and evaluation against these three elements help organisations to consider different areas within their overall sustainability profile.

The Environmental section looks at issues surrounding climate change and actions to address an organisation’s environmental responsibility. This includes monitoring and management of your energy consumption, waste management and pollution. It also seeks to tackle how organisations can address, reduce and mitigate their overall environmental impact.

The Social aspect is based around the relationships an organisation has with its stakeholders. This is focused on employees and looks at a broad range of topics including employee wellbeing, fair and competitive pay, benefits and human resource related policies. Considerations can also include wider business relationships such as supplier relations, local community and government work.

[05:00] The pillars of ESG aren’t silos – You shouldn’t approach each pillar of ESG in isolation, as they cross over in a lot of areas.

For example, in environmental management you may manage hazardous substances, you’ll have a duty to ensure those substances don’t pollute the surrounding area or bodies of water. However, you will also need to consider the health and safety aspect of storing and working with that material. So already you have 1 issue that crosses both the Environmental and Social pillar of ESG.

 [05:50] What does the Governance pillar cover? – Governance criteria focuses on creating a business environment that is fair, transparent, and accountable. Considerations in this area include board composition, fairness in pay structures and executive compensation, business ethics and risk management.

[07:05] What types of ESG reporting are required?  – For small organisations, there is currently no set requirement as it stands, but you many encounter stakeholder or customer requirements that encourage ESG reporting on some level.

For larger organisations at certain sizes there are mandatory reporting frameworks that you will be required to fulfill. At the moment it’s quite sector specific but this is a trend that will only increase over time.

Like with anything new, this is likely to trickle down to smaller organisations over time, however there will likely be funding and grants available to assist when that time comes.

[08:25] Is ESG a nice to have or good solid business practice?  If you want to be a sustainable business, with good legacy that has the ability to grow and develop, ESG is a fantastic tool.

Investors are now looking for sustainable businesses, it’s become a market trend for an ever increasingly environmentally conscious consumer base. You either need to move with the times of get left behind, and sustainability is one key factor that will determine which of those categories you fall into.

[09:50] Which ISO Standards can support ESG?: From a holistic point of view, the structure of ISO standards, the plan do check Act (PDCA) cycle, the need for monitoring and measurement and the need for improvement supports the principles of ESG in terms of quantifiable results.

The additional aspect of having set objectives and proof of tangible improvement actions was something that fulfilled CSR (Corporate Social Responsibility), which in turn has been superseded by ESG.

ISO Standards high-level structure and life cycle approach lend themselves to support various aspects of ESG, depending on the Standard you implement.

ISO 14001 for example, would support the environmental pillar, as it looks at your significant aspects and impacts in addition to that of your supply chain. You’ll need to factor these into your objectives and overall business strategy.

ISO 45001 would tackle elements of the social pillar as it directly addresses the well-being of your employees. It also includes a clause for the consultation and participation of workers, so work directly with employees to identify and address risks that may be missed by management.

[13:40] Is there a certifiable Standard for ESG?: Not currently, but an ISO guidance document is in the works.

Standards that address core elements of ESG include ISO 26000 (Social Accountability) and ISO 20400 (Sustainable Procurement). Again, these aren’t certifiable, but provide invaluable guidance.

Guidance documents have the advantage of being selective in what elements you decide to adopt. The ESG one in development is a good example, ESG as a topic is huge, a smaller organisation may not realistically be able to implement all of the advice.

But, it can be used as a starting point for a materiality assessment that will allow you to be selective of the core subjects you apply to your business.

The idea of guidance documents is not to be a bolt on, as those quickly get forgotten. It’s all about embedding their elements into existing processes.

[17:10] Utilising elements of ISO Implementation for ESG reporting:  If you’ve already got an ISO Management System in place, i.e. ISO 14001 or ISO 45001, then you’ll already have objectives, processes  and monitoring & measurement in place to address those elements.

ISO 26000 is another good example as it covers a wide range of topics, including human rights, labour practices, the environment, community involvement and development, consumer issues and fair operating practices. Some may not be applicable to you, but as mentioned, it’s a guidance document so you have the freedom to be selective about the aspects you incorporate into your management system.

You need to decide what really applies to you. It’s better to prioritise and take 10 steps on one subject vs 1 on 10 subjects.

[20:25] ESG isn’t a once a year activity:  There’s no tick box exercise that you can do once a year and claim compliance, ESG is an on-going endeavor for as long as your business is running. It’s a way of operating, much like ISO Standards. It will develop and grow with your business.

[21:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[23:36] Will elements of ESG become certifiable down the line? We’ll never say never! It’s still very much a developing field. There is currently a framework being developed by the International Standards Organisation, it’s currently in draft form.

Ali herself is on the commenting committee for it’s development, and can confirm that the framework is looking at the links between certifiable Standards and the tangible application.

ISO Standards require third-party verification of your claims before getting certified. In that aspect, they’re the perfect tool to provide tangible proof that you are doing what you say you’re doing, but only in select aspects.

ESG is broad, almost too broad to certify. It’s not really feasible for one person to come in and assess a whole business like they would do for an ISO Assessment, there’s simply too much to cover!

[25:00] The trouble with ESG verification: Currently, a lot of voluntary schemes require you to report against and fulfill, but they are very sector specific because a general one would be too broad and likely will not cover every aspect appliable to every business.

Schemes out there are doing something to battle greenwashing, as the environmental aspects are easier to verify, however social aspects are a lot more tricky and can get even more complicated outside of the UK where there is no HSE annual reporting available.

[26:20] How can you support the Social aspect of ESG?: Measuring your social value can difficult, many think of education as the solution. Here are some ideas to consider:

  • Working with local schools – Improvement projects driven by Student run business studies
  • Work experience
  • Charitable work – allow staff to have a charity day as part of a benefits package

[28:10] How can we prevent the greenwashing of ESG compliance?: Government Bodies are working to tackle this. It’s being built into legislation to prevent greenwashing in future where self-policing hasn’t gone far enough.

Trade Associations are also pushing their members towards more legitimate frameworks to ensure they do remain accountable and transparent about their activities in relation to ESG compliance.

[30:00] What resources do Blackmores have to help? We’ve developed an ESG Gap Analysis, based on the guidance provided in ISO 26000 Social Accountability.

This ESG Gap Analysis will highlight where you’re already compliant and where there is work to be done.

You may be surprised to see that you’re more compliant that you think! Especially if you’re certified to one or many ISO Standards.

We also have a Materiality Assessment, which will help you to determine which topics are of importance to your business and your stakeholders.

You can take the findings from both to help develop your ESG Strategy. If you’re not mandated to do any reporting, you can leave it at that. However, you may want to consider sector specific frameworks to get ahead of the curve for when elements of ESG do become mandated down the line.

[36:00] Where should you start with tackling ESG using ISO Standards? If you’re certified to one or many ISO Standards, then you will have processes in place that can support an ESG initiative program strategy, and you can make it as big or as small as you want.

Start by looking at your environmental, social and governments impacts and work to embed ESG into your existing ISO Management System before they become mandated by stakeholders and legislation – being ahead also feeds into the principles behind social responsibility.

You’re embedding a culture, and it becomes a norm which can be developed further. Then, when legislation or customer requirements come in, you’re already prepared to answer.

Also, with ESG there is a focus on people and you can’t have a successful business without good people. ESG isn’t only attractive to your customers, but also to potential employees who will want to work for ethical, sustainable businesses. If you aren’t keeping up and fulfilling that, you will struggle to find new talent.

It also goes without saying that being ESG compliant will attract consumers. Greenwashing, as frustrating as it is, exists for a reason – because people want businesses to be sustainable. People wouldn’t lie about it if it wasn’t important to someone, so stand out by beating the greenwashing allegations and take the right steps towards tacking ESG.

If you’d like to book a demo for the isologyhub, or would like help with an ESG Gap Analysis, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

In July 2024, A logic error in an update for CrowdStrike’s Falcon software caused 8.5 million windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all effected machines took weeks to complete.

Many businesses were caught up in the disruption, regardless of if this affected them directly or by proxy due to affected suppliers. So, what can businesses learn from this?

Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.

You’ll learn

  • What happened following the CrowdStrike crash?
  • How long did it take businesses to recover?
  • Which ISO management system standards would this impact?
  • How can you use your Management System to address the affects of an IT incident?
  • How would this change your understanding of the needs and expectations of interested parties?
  • How do risk assessments factor in where IT incidents are concerned?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications on your Management system and business continuity lessons learned that you can apply ahead of any potential future incidents.  

[03:00] What happened following the CrowdStrike crash?– In short, An update to CrowdStrike’s Falcon software brought down computer systems globally.

8.5 million windows systems, which in reality is less than 1% of windows systems, were affected as a result of this error.

Even still, the damage could still be felt from key pillars of our societal infrastructure, with a lot of hospitals and transportation like trains and airlines being the worst affected.

[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn’t mean that computers affected would be automatically fixed.

In many cases applying the fix meant that engineers had to go on site to many different locations which is both time consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem.

So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve as not everyone has IT or tech support in the field to issue a manual reboot.

A lot of businesses were caught out as they don’t factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).

[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:

  • What systems to you use?
  • How reliable are the third-party applications that you use?
  • If an issue like this to reoccur, how would it affect us?
  • Do we have the necessary resource to fix it? i.e. staff on site if needed?

Third-parties will have a lot of clients, some may even prioritise those that pay a more premium package, so you can’t always count on them for a quick fix.

[09:10] How does this impact out businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can’t afford to say ‘We don’t use CrowdStrike therefore it did not impact us’ – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event for all companies.

Standards that were directly affected by the outage were:

  • ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
  • ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
  • ISO 20000-1 – IT Service Management; Risk Assessment of service delivery; Service continuity; Service Availability

Remember, our management systems should reflect reality and not aspiration

[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company’s system for capturing non-conformities or continual improvement.

You could liken this to how ISO 45001 requires you to report accidents and incidents.

From the Incident a plan can be created which should include changes to be considered or made to the management system.

The Incident should lead us to conducting a lessons learned activity to determine where changes and improvements need to be made.

We are directed in all standards to Understanding the Organisation and its context

The key requirement here is to determine the internal and external issues that can impact your management system, and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE; the CrowdStrike/Microsoft Outage should be included in this analysis as a threat and/or Technical issue.

[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they’re delivering.

So you could send them an e-mail to ask how they have dealt with the issue, what actions did they take and how long did it take to fully restore services.

This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans.

Many people still think of that requirement only in relation to goods and products. i.e. has my order been delivered ect. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it’s being delivered.

[17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[19:50] Once you have established lessons learnt, what’s next?  – The Standards provide a logical path to work through.

One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result.

Do not simply put the sole blame on a third-party who an incident may of originated from. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault.

One such finding may be your lack of business continuity plans, in which case, looking at implementing aspects of ISO 22301 may be an action to consider.

It’s also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted.

If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.

[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn’t just be a one time thing. You should be addressing these after incidents and any major changes within the business.

Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level.

If you’d like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53.

[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? – How has the Outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:

  • Risk Assessment
  • BIA for BCP
  • Recovery Plans
  • DR plans
  • Service Continuity

[27:50] What should you be considering with your risks assessments? – Risk Assessments, if they follow the traditional methodology, with have Likelihood and Impact/Severity scores an in the light of this outage, and any event, the likelihood and Impact scores should be updated.

If a company has set the likelihood as ‘once every 5 years’ it should seriously consider changing this to ‘once every 6 months’ or ‘once every year’ to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years’.

The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover – talk to finance and other departments to understand the cost and change the scoring accordingly.

[33:20] Why should a business carry out a risks assessment as part of lessons learnt? – Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the ‘Consequences of  unintended changes,’ and it could be argued that an Outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change that led to consequences in many businesses.

So, use your risk assessments as live tools to report on the reality facing the organisation.

Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective.

If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed.

Remember – your management system should reflect reality and not aspiration.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Continual Improvement is at the heart of every ISO Standard.

The cyclical nature of ISO Standards lends itself to regular review and update of your Management System, to ensure it’s working efficiently and to address any issues or opportunities that inevitably crop up.

However, Integrating these improvements can be challenging, even for mature systems.

Today Ian Battersby explains the concept of Improvement as defined in ISO Standards, how to find root cause for non-conformities and integrating improvement actions from multiple sources.  

You’ll learn

  • What is meant by ‘Improvement’ in ISO Standards?
  • Common misconceptions about Improvement in ISO Standards
  • How to address non-conformities in your Management System
  • Finding the root cause of a non-conformity
  • Integrating Improvement actions

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby will be explaining what Improvement means in relation to ISO Standards, how to address non-conformities and integrating the required Improvement actions.

[02:30] What is meant by ‘Improvement’ in ISO Standards? – One of the requirements of all Management System standards is to determine and select opportunities for improvement (Clause 10). This is the fundamental aim of Management Systems: to make things better

In the words of the standards, it is so that an organisation can:

“Implement any necessary actions to meet customer requirements and enhance customer satisfaction

These shall include:

a) improving products and services to meet requirements as well as to address future needs and expectations;

b) correcting, preventing or reducing undesired effects;

c) improving the performance and effectiveness of the management system.”

An organisation going through certification for the first time may never have had in place a system for planning improvements.  Some organisations are dealing with improvements, but not necessarily through a single, consistent route.

While you can meet the requirements of the standards without a single route, the standard is not prescriptive in how you go about this.

[04:45] Common misconceptions about non-conformities – the standard does go on to cover nonconformity and corrective action (10.2); is it suggesting these as the main source of non-conformities (NC).  It isn’t really explicit about other sources, other than specifically including customer complaints as a form of NC.

However, there’s a strong argument for consolidating data from different sources, so it’s worth considering how complaints data is handled. Other sources of non-conformities can include your Internal Audit findings, addressing where you may not be meeting client expectations, addressing failure to meet legal obligations ect.

As a reminder, ISO 9000 (Fundamentals and vocabulary) includes the definition of nonconformity: non-fulfilment of a requirement: need or expectation that is stated, generally implied or obligatory i.e. Legal / client expectation.

[10:00] Addressing non-conformities – You need to evaluate the need for action to eliminate the cause of the nonconformity, to ensure that the issues doesn’t recur, or pop-up elsewhere.

When a non-conformity does occur, you need to:

  • Determine the causes
  • Determining if similar nonconformities exist, or could potentially occur;

Any corrective actions should be appropriate to the effects of the nonconformities encountered.

So, you don’t need to commit a huge amount of resource to minor issues.

[11:40] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[13:40] Finding the cause of non-conformities  – Without removing the cause, repetition may occur, and this is where integrating improvement data from multiple sources comes into its own.

The idea of Common cause is – a single cause may manifest itself in very different outcomes. For example, a lack of competence could lead to a process being delivered wrongly, leading to reducing level of quality in service or product, which would be picked up as an NC.

Competence is an area which can also lead to NC’s, through the result of a helath & safety incident or environmental incident if people aren’t trained to use equipment or follow set procedures.  

It can also lead to a customer complaint where the failed process is apparent to a customer.

If a product NC isn’t spotted until after the product delivered/in service it could lead to a warranty claim

Or even a claim for damages should it lead to harm/loss to the customer

It could lead to regulatory breach or even enforcement or legal action

Some of these outcomes may not be apparent until they have impacted upon a customer or other interested party, so would not be recorded internally through a nonconformity system.

All this to say, finding the root cause will require looking in a lot of different places. Having a common methodology in place to address non-conformities, including considerations for different types of issues, makes life a lot easier.

[15:55] Integrating Improvements from multiple sources: There are many sources which can highlight opportunities for Improvement, including:

Internal Audit – This is a conformity assessment, so any gaps or issues identified will be NC’s that need addressing.

Surveillance Audit / Certification Audit – Your Certification Body will also be conducting a third-party conformity assessment, which may highlight something you’ve missed in your own internal audits.

Supply Chain Audit – Auditing your supply chain can also highlight NC’s that you can encourage them to address, both for your benefit and theirs.

Client Audit – You may be audited by clients, especially where there may be specific technical industry related issues.

Management Review – This is the perfect platform to identify Opportunities for Improvement. You can highlight NC trends from Internal Audits here and define if they need to be addressed separately. You will often have members of senior management present at a Management Review, so there is a greater chance for you to plan tangible actions to address issues, especially if they are business critical.

SWOT / PESTLE – This usually happens early on in the Implementation phase, but there’s no reason why you can’t repeat the exercise on an annual basis. This exercise directly identifies your risks and opportunities, both from internal and external sources. Getting input from all levels of staff as they may also shed light on potential NC’s and opportunities other departments may not even be aware of.

Accident reporting / Safety observations – Any incident should be viewed as an opportunity to improve. Some accidents are unavoidable, but many are a result of someone not following instructions, equipment being left unattended or in the wrongs location ect. Addressing these will help you to ensure a safer environment.

Site inspections – Just walking around your site can yield new insights. Ask other departments that may not visit your area to do a sweep and report any findings. Sometimes all you need is a fresh pair of eyes to highlight issues you’ve missed.  

Complaint / Other customer feedback – Allow clients and stakeholders to have input.

Regulatory requirements – You may discover you are breaching a regulation, which needs to be addressed ASAP. Consider a legal register to keep track of all your legal and regulatory requirements.

Enforcement (HSE, EA, professional body) – You may have opportunities for improvement enforced by professional bodies such as the HSE or Environment Agency.

Management Action – Any management meetings should take opportunity suggestions from both management and the general workforce.

Product NC’s – If you’re in the manufacturing industry, you likely already have a system in place for monitoring any product related non-conformities. This process can be applied on a broader scale, as it embodies the same principles: Identify the problem, find the root cause, address the root cause, put preventative measures in place to stop recurrence.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

In the workplace, everyone is responsible for safety.

It’s not just for managers or senior management to worry about where legislation is concerned, everyone from the top to the bottom needs to be actively ensuring the safety of others.

ISO 45001 highlights the importance of this in its most recent iteration, which includes a specific requirement for the consultation and participation of workers. But, how does this work in practice?

Today Ian Battersby explains what consultation and participation of workers in ISO 45001 is, and how you can incorporate elements of reactive and proactive hazard reporting to meet that requirement.

You’ll learn

  • What is consultation and participation of workers in ISO 45001?
  • What is the identification of hazards?
  • What’s the difference between reactive and proactive hazard reporting?
  • Common approaches to reactive and proactive hazard reporting
  • Proactive hazard reporting in action

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby will be explaining reactive and proactive hazard reporting, and how this relates to the consultation and participation of workers (clause 5.4) requirement in ISO 45001.

[02:30] What is ‘Consultation and Participation of workers? – ISO 45001’s clause 5.4 states:

“The organization must have a process for consultation and participation of workers at all levels and functions, and their representatives in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system.”

ISO 45001 expects occupational health and safety aspects to be fully embodied within the organisation structure. All workers should be aware of their responsibilities, and work together to meet the organisation’s health and safety goals.

Everyone is responsible for safety.

Consultation implies two-way communication, so workers can provide feedback to be considered by the organisation before taking a decision.  This is important; the organisation has to consider workers’ feedback before making decisions

Participation implies the contribution of workers, including non-managerial workers, to decision-making related to OH&S performance and to proposed changes.

[05:50] Hazard Identification – A specific issue which must be considered is the identification of hazards:

  • Identifying hazards and assessing risks and opportunities (Clauses 6.1.1 and 6.1.2);
  • Determining actions to eliminate hazards and reduce OH&S risks

There are numerous sources for consideration when it comes to hazards

  • How work is organised
  • Routine/non-routine activities
  • Past incidents
  • Emergency situations
  • People
  • Processes
  • Workplace design
  • Equipment
  • Change

 [07:35] What’s the difference between proactive and reactive hazard reporting? – Proactive is about spotting hazards in advance and putting in place measures to minimise the chances of them materialising and causing harm (eg, through an accident)

Reactive is in response to an event which has already occurred, such as an accident; a hazard existed without being spotted already and dealt with.

[08:20] A common approach to proactive hazard reporting  – Risk Assessment.  Consider hazard sources (i.e. people, processes, equipment, workplace etc) and consider what may happen; what could go wrong.  Then consider what controls could be put in place to try and prevent that happening.

Risk assessment can help you to demonstrate worker consultation and participation by including those affected:

  • Involved in or affected by an activity
  • Those delivering a process
  • Using equipment
  • Occupying a workplace

Those people have valuable knowledge and understanding, sometimes moreso than someone in a supervisory / managerial role.

And an absolute must: recording that all employees have read, understand and are committed to the controls included in Risk Assessments; that process may also give rise to workers’ further involvement – through querying, suggesting change etc

This also helps the culture of hazard spotting and promotes engagement among the workforce, both of which are vital in driving a proactive approach

[11:10] A common approach to reactive hazard reporting: Accident reporting systems is the obvious choice. However, there are ways you can make this more proactive.

There are various levels to accident reporting. Traditional systems wait until an accident occurs before recording and acting upon it.

Some organisations also record near misses: where an event has occurred, but no harm has been caused.

This approach in itself can be very valuable; and it provides an opportunity to act before any harm has occurred.

However, we can go a step further and allow the workforce to observe what’s happening; their surroundings and listen to what they feel may present a hazard to them and their colleagues (remember, everyone is responsible for safety).

[13:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[15:30] Proactive hazard reporting in action: Ian recounts his experience in a previous company where their proactive hazard reporting led to meaningful change.

This took place in a large manufacturing plant, but there was also significant office-based activity as well.

Because of the nature of the work, many people would not have access to online systems so there was both online and paper systems; this is important; if everybody is responsible, everybody needs access and engagement is vital.

In addition to the traditional accident/near miss system, there was a safety observation card (all data ended up in the same database). It was simple to fill out, would have only taken about 5 minutes at most.

In an organisation of 500ish, we received 2200 observation cards per year by the time I left.

When combined with accidents/incidents, there’s a predictable cycle: more reports, poor quality, more accidents, better quality, improved actions, fewer accidents.

[17:30] Creating an observation card: It should be easy to understand and record what’s necessary, recommended content includes:

  • Date / Time
  • Who was involved – employee / contractor / visitor ect
  • Location of hazard / incident 
  • Description of hazard / incident (ideally in 10 words or less)

You could get more granular and include:

  • Identification of an unsafe condition or unsafe act
  • Type of hazard or incident: slip, trip or fall / exit obstructed / machinery being used unsafely / unsafe structure / not using PPE

You could also include an option for actions taken if you decide to inform a manager of the issue, if you’ve corrected someone on the use of equipment or PPE ect.

[21:15] The Importance of peer inspections:  Often they would have supervisors from one area, checking a different one. This fresh pair of eyes may offer new insight into something that you usually miss!

Note that you should also encourage any site visitors to do the same. The fact that you’d ask them to report any incident also displays that you take safety seriously, and are open to feedback to improve.  

[22:40] Hazard scoring:  In order to judge that quality, they went a step further and graded all observations from 1-3:

  1. Saw something but didn’t act
  2. Saw it, acted to put it safe there and then
  3. Saw it, acted to prevent it happening again

This allowed them to judge how effective hazard spotting is in removing cause and filters out points-scoring.

[22:45] The results speak for themselves:

Increasing number of observations

Increasing number of participants

Increasing quality of observations

Reducing number and severity of accidents.

Over five years, they increased the number of observations per employee ten-fold.

As a result, they reduced lost time accidents over 75%

This was a superb example of a personal safety campaign and a great demonstration of consultation and participation,

It’s not difficult to do, but it needs leadership commitment, constant and clear comms, user-friendly systems and effective analysis / reporting.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ESG compliance has fast become a focus for many organisations looking to address their wider sustainability profile.

However, its broad framework has left many scratching their heads on exactly where to start with evaluating and addressing various elements of Environmental, Social, and Governance compliance.

For those looking for some direction, you may already have a solid foundation in place if you’re certified to one or many ISO Standards.

Today Steph Churchman will explain what ESG is, how it can be scored and what role ISO Standards can play in ESG compliance.

You’ll learn

  • What is ESG?
  • What scoring systems are available for ESG?
  • How can ISO Standards support ESG compliance?
  • What ISO Standards can support each pillar of ESG?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Steph will be breaking down what ESG compliance means, how ISO Standards can support ESG compliance and give some examples of what ISO Standards can support each pillar of ESG.

[02:50] What is ESG? – ESG stands for Environmental, Social, and Governance. Analysis and evaluation against these three elements help organisations to consider different areas within their overall sustainability profile.

The Environmental section looks at issues surrounding climate change and actions to address an organisation’s environmental responsibility. This includes monitoring and management of your energy consumption, waste management and pollution. It also seeks to tackle how organisations can address, reduce and mitigate their overall environmental impact.

The Social aspect is based around the relationships an organisation has with its stakeholders. This is focused on employees and looks at a broad range of topics including employee wellbeing, fair and competitive pay, benefits and human resource related policies. Considerations can also include wider business relationships such as supplier relations, local community and government work.

Governance criteria focuses on creating a business environment that is fair, transparent, and accountable. Considerations in this area include board composition, fairness in pay structures and executive compensation, business ethics and risk management.

[04:15] An evolution of CSR – CSR (Corporate Social Responsibility) is very similar to ESG, but is less sustainability focused. It also lacked substance in the form of effective and accountable scoring systems that held businesses to account. This is where ESG differs, with many scoring systems, certifications and even mandatory requirements driving businesses to address their compliance.

 [04:45] ESG scoring – There are many schemes, scoring systems and certifications available for ESG, some of which are specific to industry sectors and company sizes. What one you pick will be up to you (note that some many be mandatory in select countries), however, here are a few examples:

The S&P Global ESG Score – This assesses a company’s performance and management of ESG risks and opportunities using a combination of company disclosures, media analysis, and industry-specific questionnaires. A score of 0-100 is given based on their findings and are relative within a company’s industry sector.

Fitch Ratings ESG Relevance Scores – Fitch Ratings assigns ESG Relevance Scores alongside their traditional credit ratings. These scores assess how ESG factors could impact a company’s creditworthiness. Their scores range from 1-5, with 5 indicating the highest ESG relevance to credit risk.

MSCI – They offer ESG ratings for a broad range of companies, it’s not really limited by sector or size. They use a letter grade system, going from AAA-CCC, to assess a company’s relative ESG risks and opportunities compared to its peers. The scoring for this one assigns companies as either an ESG leader, average or laggard within their industry.

[06:10] How can ISO Standards support ESG Compliance  – It’s important to clarify that there’s no single ISO standard that guarantees ESG compliance because ESG is a broad framework. However, ISO standards provide a strong foundation for implementing many aspects of an ESG strategy.

[06:35] Supporting ESG – Structure and Framework: ISO standards offer a structured approach to managing environmental, social, and governance practices. This helps companies identify key areas for improvement and develop a systematic plan to address them.

[07:10] Supporting ESG – Improved Performance: By following ISO standards, companies can demonstrably improve their environmental performance, social responsibility, and governance structures by putting in frameworks that align with best practice standards

[07:30] Supporting ESG – Transparency and Credibility: Achieving certification to a relevant ISO standard involves a third-party audit, which verifies that a company’s systems and processes meet the standard’s requirements. This certification acts as a credible signal to stakeholders such as your investors, customers, regulators, that you’re committed to ESG principles.

[07:55] Supporting ESG – Risk Management:  Proactive management of ESG risks is a key component of any ESG strategy. Many ISO standards focus on risk identification and mitigation. For example, ISO 37001 (Anti-Bribery Management Systems) helps identify and address bribery risks, which can have significant financial and reputational consequences. Or ISO 45001 health and safety management, which requires risk assessments to be carried out to ensure the safety and well being of your employees on site locations, which would fall under the social aspect of ESG.

[08:30] Supporting ESG – Competitive Advantage:  Strong ESG performance is increasingly sought after by investors and stakeholders. Implementing ISO standards can help companies demonstrate their ESG commitment and gain a competitive advantage in the marketplace. You’ll also feel the benefit of gaining multiple badges, through ISO certification and possibly an ESG score if you choose to go through one of the official scoring schemes.

[08:55] Think of ISO standards as building blocks. They provide the foundation and structure for a strong ESG strategy. By implementing relevant standards and achieving certification, you can demonstrate a dedicated commitment to ESG principles.

[09:50] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[11:55] What ISO Standards can support the Environmental aspect of ESG Compliance?:

  • ISO 14001: Environmental Management – This provides a framework for managing environmental impacts, reducing waste, and improving your resource efficiency.
  • ISO 50001: Energy Management – this helps companies monitor and  optimize their energy use with the aim to help reduce greenhouse gas emissions.
  • ISO 20400: Sustainable Procurement – This will help you to adopt sustainable procurement principles and practices within your organisation, by looking at how you can reduce waste, choose more sustainable options for required resources, how you can extend the life of resources available through remanufacturing and recovery of waste, and encourages the use of more innovative products and services.
  • ISO 20121: Sustainable Event Management – This Standard is mostly applicable to the events sector, and aims to help reduce the amount of waste produced during events, either through potential energy savings and the production and recycling of resources used during an event. It’s recently had an update, so check out our latest episode to find out what the changes are.
  • ISO 14064: Greenhouse Gas Verification – This provides a framework for measuring and managing greenhouse gas emissions. This is a crucial step if you’re working towards Net Zero, as you need to know what your baseline is before you can work on reducing and offsetting remaining emissions.
  • ISO 14068: A framework for helping businesses achieve Net Zero, this standard will replace PAS 2060 in November 2025, so anyone looking into PAS 2060 now may be better off going with ISO 14068 as it includes more guidance on purchasing credible carbon credits.

[14:15] What ISO Standards can support the Social aspect of ESG Compliance?:–

  • ISO 26000: Social Responsibility – which offers guidance on integrating social responsibility practices throughout your organization.
  • ISO 45001: Occupational Health and Safety Management – which helps companies create a safe and healthy work environment. It provides a robust set of requirements designed for improving workplace safety in organisations and supply chains, with the aim of reducing workplace injury and illness.
  • ISO 45003: Psychosocial Health & Safety Management aka Mental health in the workplace. For the last 4 years or so, work related stress, depression and anxiety has been the leading cause for work related ill-health cases and lost working days. That’s according to the annual HSE reports, which clearly highlights a big issue that many more need to consider and address. 

[14:15] What ISO Standards can support the Governance aspect of ESG Compliance?:–

  • ISO 9001: Quality Management – this is the leading global ‘quality mark’ for businesses and designed as a vital business improvement tool. It’s quite simply A blueprint for running your business successfully.
  • ISO 22301: Business Continuity Management – Which provides a basis for planning to ensure your long-term survivability following a disruptive event. This is a Standard that many align with, but don’t always certify to, and for good reason as it provides some invaluable guidance for establishing robust Business Continuity Plans.
  • ISO 27001: Information Security – This is a Standard that is common place for most sectors now, given how reliant we all are on tech. ISO 27001 will help you to implement an Information Security Management System (ISMS), which is a systematic approach to managing sensitive company information, ensuring it remains secure and available. It encompasses people, processes and IT systems.
  • ISO 37001: Anti-Bribery Management Systems – It’s the International Standard that allows organizations of all types to prevent, detect and address bribery by adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, training and carry out risk assessments.
  • ISO 44001: Collaborative Business Management – This was originally  a British Standard that had been created to provide a framework for creating and managing collaborative business relationships between organisations. The standard promotes the best way for businesses to work together, thus effectively developing and managing their interactions with each other for maximum benefit to all.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify|YouTube|iTunes|Soundcloud | Mailing List

ISO 20121:2012, the Standard for Sustainable events management, was originally created and launched in coordination with the London 2012 olympics. 12 years on, it seems only fitting that its next revision would applied to the 2024 Paris Olympic Games.

10 Years on from it’s original release, the Standard has received a substantial update to not only bring it in-line with other ISO Standards, but to also address additional elements within event management, such as human rights and legacy.

Today Steph Churchman will explain the changes to ISO 20121:2024, what certified companies must do to transition and the consequences of not doing so before the deadline.

You’ll learn

  • What is ISO 20121?
  • What are the changes to ISO 20121:2024?
  • What steps should certified companies take to complete their transition?
  • What should you be updating?
  • What are the consequences for not completing your transition ahead of the deadline?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Steph will be discussing the changes to the Sustainable Event Management Standard, ISO 20121:2024, in addition to outlining what you should be updating ahead of your transition to the latest version of the Standard.

[02:30] What is ISO 20121? – . The Standard for Sustainable events management was originally created and launched in coordination with the London 2012 olympics.

When it came to planning the 2012 Olympic Games, they took a step back and considered the impact of required development and construction would have on biodiversity, as well as how they could reduce their Greenhouse Gas emissions and general waste in the preparation and running of the event.

12 years on, it seems only fitting that it’s next revision would applied to the 2024 Paris Olympic Games.

ISO 20121 specifies the requirements for an Event Sustainability Management System to improve the sustainability of events. The standard applies to all types and sizes of organisations involved in the events industry – from caterers, lighting and sound engineers, security companies, stage builders and venues to independent event organisers and corporate and public sector event teams.

[04:45] A high-level overview of the changes to ISO 20121:2024 – One of the biggest and most welcomed changes is the fact that the Standard is now aligned with the familiar High Level Structure that many other ISO’s follow. This means it will be easier to integrate with other Standards like ISO 9001 and ISO 14001.

Next, there is a bigger focus on climate change, legacy and human rights. These elements weren’t necessarily missing from the previous version, but they weren’t a key focus either.

 [05:10] Climate Change in ISO 20121:2024 – , ISO 20121:2024 now explicitly requires considering climate change and its impact on your event and stakeholders. So, this might involve carbon emission reduction strategies and adapting to potential climate-related disruptions. Biodiveristy may also fall under this, especially if your events require construction, or take place in an outside venue such as a park or field.

A quick reminder that 31 common ISO Standards also received a Climate Change Amendment, so if you haven’t addressed that yet, check out our podcast episode and workshop recording to learn about what you need to do.

What does this focus on climate change mean for certified companies?:

  • It provides an opportunity for event professionals and event organisers to demonstrate leadership in taking action around climate change
  • Certified organisations are required to ensure that any carbon offsetting completed via carbon credits are credible
  • ISO 20121:2024 Standard facilitates the process of taking credible action and aligns ISO 20121 with big changes relating to climate change

[06:55] Human Rights in ISO 20121:2024  – The new version also expands beyond environmental concerns to encompass human and child rights, social impact (including mental health and diversity), and digital responsibility. Your management system will need to address these aspects throughout the event lifecycle.

What does the increased focus on human rights in ISO 20121 mean for certified organisations?:

  • Certified organisations will need to demonstrate and adhere to UN Guiding Principles on Business and Human Rights.
  • The revised standard also now references social impact in its definitions – primarily in the definition for Sustainable Development and Stewardship.
  • A new Annex has been added – Annex D: Guidance on Human and Child Rights.
  • Added guidance states that event organisers should consult with Human and Child Rights experts and conduct a Human Rights Assessment to identify potential risks to the people as a result of an event and its surrounding activities.
  • You should publish a Human Rights Policy to ensure that Human Rights consideration is embedded in the whole lifecycle of an event.

[08:40] Legacy in ISO 20121:2024 – An added focus on Legacy provides an opportunity to event organisers to focus, not only on the few days of event delivery, but also supports in creating enduring results for the hosting community.

For example, creating an economic impact for the local population, by providing the opportunity to acquire new skills, to share best practices on how to do events in a more sustainable way or by improving a public place close to the event.

[09:20] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[11:30] A strengthening of Stakeholder Engagement – The Standard now emphasizes demonstrating sustainability throughout your supply chain. This might involve you requesting proof of sustainability practices from vendors and incorporating ethical sourcing practices.

The definition of stakeholders has also now been expanded to include partners and sponsors. So, you’ll need to consider how their sustainability practices align with your event’s goals.

The policy clause now requires reporting on your sustainability achievements and lessons learned. Building a system for tracking and reporting these aspects will be crucial, and will likely involve a lot more communication between your stakeholders to gather any necessary data for reporting purposes.

[12:35] alignment and flexibility – The updated standard aligns with other management system standards thanks to the high level structure update, making integration easier for organizations with existing systems.

The revised standard also caters to events of all sizes and complexities, allowing for adaptation to your specific needs.

There’s now alignment with Global Frameworks, like the UN Sustainable Development Goals (SDG’s) and the Paris Agreement. If you’d like to learn more about the SDG’s, check out a few previous podcast episodes: 106, 107 & 108.

[13:30] Transition Deadline – What happens if you miss it? –  Anyone certified to the 2012 version of the Standard will have until the 31st March 2027 to transition to the 2024 version.

If you don’t, you’ll risk losing your certification, and you’ll have to go through the whole Stage 1 and 2 Assessment again to get that certificate back, which is obviously quite costly.

[14:15] What do you need to do to transition? – Here’s a very high-level of the steps you should take:

  • Review and conduct a Gap Analysis: This is to compare your existing system against the new standard’s requirements to identify areas needing improvement.
  • Update your Policies and Procedures: specifically your event sustainability policy to reflect the broader range of sustainability issues and incorporate reporting requirements.
  • Develop a plan to engage with a wider range of stakeholders, including sponsors and partners, on sustainability initiatives.
  • Review your Supply Chain Management: This will involve establishing or updating procedures for assessing and integrating sustainability practices throughout your vendor network.
  • Training and Awareness: Any and all changes should be communicated. Educate your team on the new standard’s requirements and integrate them into event planning and execution processes.
  • Carry out Internal Audits: Once you’ve implemented the changes, audit against the new Standard and ensure you’re compliant. Then you’ll need to prepare for your Certification Body Transition visit.

[15:30] What Specific actions can you take to update your ISO 20121 Management System?

Here are some suggested actions to address Human Rights and Children’s Rights:

  • Update your event sustainability policy to explicitly state your commitment to respecting human rights and children’s rights throughout the event lifecycle.
  • Update your Risk Assessments as you’re going to need to identify potential human rights risks associated with your event, such as discrimination in hiring or unfair labour practices within the supply chain.
  • Review your Supplier Management as you’ll need to ensure your suppliers uphold human rights standards.
  • Engage with relevant stakeholders like human rights organizations or local communities to understand potential human rights concerns and incorporate their feedback into your planning.

A few other actions you could do include:

  • Partnering with organizations promoting fair labor practices and human rights.
  • Including human rights clauses in contracts with suppliers and partners.
  • Conduct training for staff on identifying and mitigating human rights risks.
  • Implementing a grievance process for reporting potential human rights violations.

[17:00] What further actions can you take to address Legacy?:

  • Integrate legacy planning into the early stages of event development. Consider aspects like infrastructure, also workforce development (for example training opportunities for local communities), and universal accessibility for people with disabilities.
  • Develop metrics to measure the positive legacy of your event. This could involve tracking the number of jobs created, increased accessibility measures implemented, or infrastructure donated to the community.
  • Consider the potential to partner with local organizations to ensure the event’s legacy benefits the community in the long term. This might involve collaborating on infrastructure projects or workforce development initiatives.
  • You should also Conduct a post-event impact assessment to evaluate the event’s legacy.

[18:00] Reporting on the social, economic and environmental impacts – The first step should be to develop a Reporting Framework: This framework should consider relevant metrics for social (e.g., job creation, diversity), economic (e.g., local business involvement), and environmental (e.g., carbon footprint, waste generation) impacts.

Next, you need to Implement a system for collecting and analyzing data related to your event’s social, economic, and environmental performance.

And lastly, choose appropriate communication channels for your sustainability report, such as your website, annual reports, or dedicated sustainability reports.

You could look at specific reporting software or get help from a third-party such as Blackmores.  

We’d recommend purchasing a copy of the Standard so you can review the specific changes yourself, in addition to reviewing the updated guidance provided in the Annexes.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISO Standards provide a framework to help businesses manage various aspects of their activities. Whether that’s quality, risk, environmental or Information Security management, they provide invaluable guidance to establish an effective Management System.

One element that is key, no matter the Standard or subject area, is Leadership. Without this driving force, your Management System will not get the momentum it needs to truly benefit your way of working.

Today Ian Battersby will explain the integral role of leadership within the Implementation and maintenance of an ISO Management System, and how their active participation benefits the whole business.

You’ll learn

  • What is Leadership?
  • Where is Leadership referenced in ISO Standards?
  • How do Leadership get involved with the Implementation and Management of ISO Standards?
  • How does Leadership participation benefit the business?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian will be discussing the role of Leadership within ISO Management Systems and how their active participation can benefit the business as a whole.

[02:30] What is Leadership? – Leadership is central to success in achieving any goal in business. It involves motivating a group of people toward a common pursuit, and it certainly isn’t straightforward without leadership believing in what it’s doing.

Without showing that belief, why would the workforce sit up and take note: ‘If it’s not important to you, why should it be to me?’

[03:30] Why should Leadership get involved? – The need for leadership has been recognised by Standards bodies, hence why it’s been made central to all Management System Standards.

For many years, Management Systems were separate from the day-to-day activities of running a business, often boiled down to just a person in a room with manuals, getting through certifications and earning a nice shiny badge.But this had little to no impact on the bottom line (be honest)!

But, a well-run Management System can have huge impacts and benefits on all types of organisation, and updated ISO standards aim to deliver that impact more readily, so leadership gets its own clause (Clause 5 – Leadership)

 [05:25] Clause 5.1 Top management shall demonstrate leadership & commitment – This boils down to taking accountability for effectiveness of the system, but how do you do this?

Firstly, the system can only be effective if it is designed correctly, so leadership must ensure it fits with its context of the organisation, which is required in Clause 4.

There are ways of doing this, but we favour a SWOT and PESTLE. This is simply to ensure that those establishing context don’t do it in a vacuum, opening up the floor to get input from everyone effected by the Management System.

This is key because Senior Managers need active involvement to understand how the system works, its resource needs and its performance.

[07:25] Ensuring quality policy and objectives are established and compatible with context and strategic direction – The quality objectives must contribute to the business, so there’s a role for senior managers to ensure that they are aligned and have a measurable contribution to the business.

What measures are included in your objectives which can demonstrably show that they affect the business in some way in a good way?

That’s what senior management have to do to link quality objectives with strategic organisational business objectives.

[08:20] Ensuring integration into the organisation’s business processes – The quality objectives must contribute to the business, so there’s a role for senior managers to ensure that they are aligned and have a measurable contribution to the business.

They must ensure integration into the organisations’ business processes, which in turn must be aligned with the context. They must also be relevant to the way the organisation runs and senior management needs to oversee a system which allows processes to do that.

[05:20] Promoting use of the process approach and risk-based thinking – This requires senior management to actually do some promotion – which is stipulated as ‘Shall Promote’. For those that don’t know, whenever the word ‘Shall’ is used in an ISO Standard, that essentially means you MUST do it.

In this instance, that means actually contributing the communications and raising of Management System Awareness.

Senior Management have to be involved in the process of describing to people what’s important, why the standards are important and that risk and process are central to the organisations operations.

[09:35] Providing resources for the system – There’s a number of resources that Senior Management need to consider, including:

  • People – Need to be enlisted to run a system and to operate the system throughout the organisation.
  • Competence – You may need to invest in training if required.
  • Expertise in the standard – Do you have expertise in-house on the Standard you’re certifying to? If not, you will have to invest in training or additional help from a third-party.
  • Systems / Access and Documented Information – Do you have a place for hosting of documentation, workflows, forms? Further considerations are needed for required authorization and controlled access.
  • Time – Implementing and maintaining a Management System is a big task, whether done by an individual or a team, they will need time to complete necessary Management System activities.

[10:30] Communicating the importance of an effective system and conforming to its requirements – Everyone looks up to Senior Management in regard to what their priorities are. It’s up to them to effectively communicate the importance of the Management System, it’s processes, their role in relation to the Management System and how to confirm with it’s requirements.

Key points to get across:

  • How this system makes your workplace a better place.
  • How it contributes to success of the organisation – I.e. happier customers, safer working conditions, ect
  • How it can make their daily routine more fulfilling – i.e. having a complete picture of their place in the business, how they contribute to its success.
  • What could nonconformity bring if people choose to step outside a management system? – I.e. With ISO 45001, nonconformance could risk someone getting injured.

[13:50] Engaging/directing/supporting persons to contribute to effectiveness of the system – Team managers should be harnessing the people at all levels to be able to fulfil the requirements of the Management System.

They should do that by providing clear expectations, which can be done via so communications and objective setting.

[14:30] Promoting improvement – Continual Improvement is absolutely key to every management system.

When something does go wrong, senior management must provide the resources for actively asking why things may have underperformed, so you can get to the cause of why it’s underperforming and put it right.

It’s also an opportunity to highlight when things have improved and celebrate those that contributed to that success.

[15:30] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[17:40] Supporting other management to demonstrate leadership in their areas – Leadership drives top to bottom. Everybody can have a role in leadership.

Roles and responsibilities are assigned by senior management, and this offers the opportunity for individuals to provide their own leadership in their specific areas.  

[18:15] 5.2 Policy – The definition of Policy in ISO Standards is:

The overall intentions and direction of the organisation, expressed by senior management.  A policy exists to govern the behaviour of an organisation and its employees in order to provide the best outcomes.  It also provides the basis for the establishment of objectives.  It does not explain how the policy is to be delivered through individual tasks.  This may not be a detail for top management.

What’s the requirement?:

Top management must ensure its appropriate to the purpose and context of the organization and supports its strategic direction

It’s not simply just a piece of paper to sign once a year.

[19:25] 5.3 Organizational roles, responsibilities and authorities – What does the Standard say:

 ‘Top management shall ensure that responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization’

What does this actually mean?:

  • Ensuring the Management system conforms to your ISO Standard(s)
  • Ensuring processes deliver desired results
  • Performance reporting including opportunities for improvement
  • Promotion of customer focus
  • Ensuring integrity of the management system through change and continual improvement

[21:30] Leadership in practice – Ian recounts an experience where senior management did regular safety checks in an organisation he worked with previously.

Senior Management took an hour out each month to do a floor walk and actually talk to those on the ground floor to ask them about risk, equipment and just generally get a feel for how everything really worked.

In turn, they were challenged by their staff on safe working systems and this proper conversation led to better understanding on both parts. The staff got to see their Senior Management genuinely care about their work and well-being, and Senior Management got much needed insight into the actual day-to-day activities and see first hand where improvements could be made.

Those familiar with ISO 45001 will know that worker participation is a requirement of the Standard, but there’s no reason why you can’t apply this to other Standards.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

There is a growing pressure on businesses to address their environmental impact, both from the Government as well as a more sustainably minded consumer base.

As a result, the need to carry out Greenhouse Gas (GHG) emissions reporting is being introduced as a mandatory requirement for tenders, and Government led initiatives such as Streamlined Energy and Carbon Reporting (SECR).  

Today Mel Blackmore will discuss Greenhouse Gas (GHG) emissions reporting, and how verifying GHG Statements in alignment with ISO 14064-1 can benefit your business.

You’ll learn

  • Why is there a growing need to report on GHG emissions?
  • What is the difference between certification and verification?
  • What is ISO 14064-1?
  • What are the benefits of ISO 14064-1?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Mel will be discussing GHG emissions reporting, and why verifying your businesses GHG Statements in alignment with ISO 14064-1 is a smart move.     

[02:30] What’s the difference between Certification and Verification? – We covered this in detail on a previous episode, go back and listen to episode 162

[02:40] Why is there a growing need to address GHG emissions? – Climate change is a top concern for many. Consumers, investors and governments across the globe are all demanding greater transparency and accountability from businesses regarding their environmental impact. In particular, the carbon footprint a business claims to have.

[03:25] What is ISO 14064-1? – ISO 14064-1 is in internationally recognised Standard for quantification of Greenhouse Gas (GHG) emissions and removals at the organisational level.

In simple terms, this is the go-to Standard for businesses looking to calculate, verify and publish its carbon emissions.

[03:40] Benefit #1: Making compliance and reporting easier – Now, it’s important to note that the first time you go through this process will be like pulling teeth. You will need to do a fair bit of work initially, but once that’s set-up, it will make the necessary annual reporting a much easier process.

ISO 14064-1 verification ensures you are complying with applicable regulations such as SECR and the Governments requirement for a PPN 06/21 (within the UK).

If you are based in the UK, there is now Public Sector tendering requirement to identify what your carbon footprint is and make recommendations for reductions in the form of a Carbon Reduction Plan (CRP).

It can also help to streamline initiatives like the CDP (Carbon Disclosure Project) or EcoVardis.

[05:40] Benefit #2: Taking a deeper look at your emissions footprint – Verification is not simply just ticking a box, it’s about providing a clear picture of your organisations’ total GHG emissions.

Not just your CO2 emissions, ISO 14064-1 ensure you account for different types of emissions sources. This granular understanding will be crucial in identifying areas for improvement and developing an effective reduction strategy.

[06:25] Benefit #3: Providing Trust and Transparency – Having your report verified by am independent third-party adds a layer of credibility to your GHG reporting.

Anyone can just say their carbon emissions are X, but it’s another to have that backed up by a third-party. They can ensure your claims are true, correct and that there is a credible methodology behind it.

Stakeholders such as investors, consumers and regulators will then have the confidence that your emissions data is accurate and transparent.

Carbonology can assist you with the training resources needed to do this – so check out their website to learn more.

[07:30] Benefit #4: Pave a way for Carbon Reduction Strategies – We mentioned earlier about the requirement for a PPN 06/21, this requires a Carbon Reduction Plan (CRP).

Whether you create one based on a mandatory requirement or not, having a CRP is a no brainer for any business.

It helps you to understand your emissions, which is the first step towards reducing them. ISO 14064-1 verification lays the ground work for developing and implementing an effective CRP.

This can translate into significant cost savings and a competitive edge in the long run.

[08:30] Benefit #5: Embrace Mitigation – The verification goes beyond just cutting emissions. It supports mitigation actions like carbon removal projects, allowing you to demonstrate a holistic approach to tackling climate change year on year.

[08:50] Benefit #6: It’s a global Standard – ISO 14064-1 was created by over 140 representatives from over 50 countries globally to define exactly what greenhouse gas emission verification should look like.

While there are lots of other ways to achieve Net Zero, it makes more sense to choose an established route that will be recognised as best practice globally.

[10:25] Benefit #7: Tracking your progress – Verifying your GHG statements allows you to track progress over time.

This data is invaluable for communicating your achievements both internally and externally to key stakeholders about your drive towards net zero goals. It also helps to showcase your commitment to sustainability.

[11:00] Benefit #8: Participation in sustainability initiatives – Verification opens doors to participating in voluntary GHG registries and sustainability reporting initiatives.

This in turn will help to broaden your visibility as an organisation, amongst the environmentally conscious stakeholders that will be looking for credible sustainable businesses to work with or buy from.

[11:45] ISO 14064 is a no-brainer – It offers a significant strategic advantage and can help to demonstrate transparency with GHG reporting – something very sought after in the midst of a lot of green washing claims.

If you’d like assistance with ISO 14064-1, visit Carbonology’s website and get in contact, they’d be happy to help.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISO Standards provide a framework to help businesses manage various aspects of their activities. Whether that’s quality, risk, environmental or Information Security management, they provide invaluable guidance to establish an effective Management System.

However, for those who are new to ISO Standards, the Standards themselves can seem rather intimidating to interpret.

Back in 2015, the Annex SL format was introduced to provide a common high-level structure for Management Systems. With 10 clauses now common in most widely adopted ISO Standards, it can still be a bit difficult to understand exactly how these all work together.

Today Ian Battersby will explain how ISO Standard clauses interconnect to create a cohesive cycle, from context of the organisation through to Improvement.   

You’ll learn

  • What is the high-level structure?
  • What are ISO Standards structured this way?
  • How do ISO Standard clauses interconnect?
  • How does this apply to Quality Management?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian will be discussing the interconnectedness of clauses, which basically just means explaining the key links between the clauses and how that applies to your management system.    

[02:40] High level structure – 10 years ago, Annex SL was introduced to create a common framework for ISO Standards. Today, Ian will focus on ISO 9001 as that really is the grandfather of all Management System Standards. ISO 9001 includes elements which are applied to most commonly adopted ISO Standards, and sets the scene in terms of how the clauses link together.

[03:20] Why are ISO Standards structured this way? – On their surface, ISO Standards can seem very repetitive in the way that they’re written, but there is a good reason for that.

There are all based around the Plan-Do-Check-Act cycle.

[04:10] What is the Plan Do Check Act cycle? – This is a simple process that all Management System Standards adhere to.

So you start with a ‘Plan’ to establish objectives, the resources which you need to deliver results, you identify risks and opportunities. From that point you fulfil the ‘Do’ part through Implementation and using the Management System.

From there you ‘Check’ so you monitor against the policies, objectives and any other requirements. Basically monitor against what you said you’d do and then you ‘Act’ if you find anything that needs to change, you make that change and you improve as an organisation and you improve that management system.

[05:00] A logical path – Management System Standards are designed in such a way that they flow from one clause to the other. One cannot exist without the other.

[05:20] How does Clause 4 Context of the Organisation link with Clause 6 Planning? – As clause 4 Context of the Organisation states:

 ‘external and internal issues relevant to your purpose and strategic direction…

…and that affect your ability to achieve intended results’

The scope of your management system depends entirely on this.

The world in which you operate – what you buy, the people you employ, what you make, who you sell to, the laws you follow…

Clause 4 also requires us to identify all interested parties (which we’ll address later!).

With careful planning, you can align documentation you develop for one clause with other clauses.

Clause 4 doesn’t tell us how we should work out our context, but it provides some very good clues

  • NOTE 1 Issues can include positive and negative factors
  • NOTE 2 Understand the external context by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments

So they’re not saying how to do it, but they’ve said what you can consider

This sounds a lot like a traditional SWOT/PESTLE analysis…

If we skip to Clause 6, Planning, the first thing we must do when we plan is to identify actions to address risks and opps

A SWOT will mean you’ve covered these elements, consider the following =

  • Weakness = Risk
  • Threat = Risk
  • Opportunity = Opportunity

We can similarly view the PESTLE in the same light.

So you can see that with careful planning, as mentioned you can align documentation for one clause with other clauses.

[10:00] How does Clause 6 link with Clauses 7 & 8? – Skipping from Clause 6.1

If you’ve identified what might go wrong (aka – risk), you need to plan to ensure it doesn’t happen again. That may involve a single improvement action, which is linked to clause 10 (funnily enough, Improvement)

It may be that you need something bigger, involving many steps, over a period of time, say an objective (clause 6.2)?

So, the planning of objectives links directly to the context of the organisation, the world in which you operate. It may be that you need an operational control to mitigate risk, a process or procedure that helps to manage the situation as a business as usual situation (clause 7 documented info and clause 8, operation)

So the planning of processes and procedures links directly to the context of the organisation, the world in which you operate. In all these circumstances, it’s the same for opportunities, except you’re putting in place measures to take advantage of the opportunities.

[13:05] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[15:10] Clause 7 Support and related links – Moving through the standard, clause 7.4 relates to Communications.

You need to determine internal and external communications relevant to the QMS (for 9001). In clause 4, you would have looked at interested parties (i.e. stakeholders). You need to determine who affects the way in which you operate and what they need/expect from you. Parties to consider include:

  • Customers
  • Employees
  • Shareholders
  • Suppliers
  • Regulators
  • Neighbours
  • Media

So, by Clause 7 you will have already identified who’s interested and what interests them, so it’s only a small step to add to this the communications plan.  ISO 9001 doesn’t ask for one specifically, but it’s a good way to fulfil the requirements of clause 7.3.

Clause 7 also mentions Monitoring and measuring resources (7.1.5).  This is a very brief clause, but central to establishing the means for demonstrating performance.

We need reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements, i.e. do we do what we say we do?

Clause 7.5 requires us to document how we do things.  Again it’s very brief in its requirements (leaves it up to you to decide), but clause 8 is all about operation – which is the way you do things.

It’s much more specific about understanding what the customer wants, designing it correctly, controlling changes, making it, delivery and addressing issues.

This is what you measure: 7.1.5 requires you to ensure you can measure, 7.5 requires you to document how you do things, 8 requires you to do things according to the way you’ve said you will.

[20:10] Clause 9 Performance Evaluation and related links – Moving onto Clause 9, Performance Evaluation, again risk appears.  We’ve already assessed risk right at the start, now we evaluate whether we’ve successfully controlled risk.

We decide what to audit based on the level of risk attached to certain controls (policies, procedures, processes…). We’ve set objectives based on risks and opportunities and now we must measure performance.

We’ve put in place operational controls to mitigate risk (clause 8) and now we measure whether those controls work.

[21:30] Clause 10 Improvement and related links – This one is fairly self-evident. If something goes wrong, find out why and put it right and make sure it doesn’t happen again. Look at your system and continually improve based on your evaluations in Clause 9.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

After 5 years of hosting the ISO Show, Mel Blackmore will be taking a step back as she focuses on her sustainability related endeavours.

She’s passing the baton onto our new host – Ian Battersby. Ian is a Senior isologist at Blackmores, and while relatively new to the team, he has a wealth of Standard and ISO related knowledge to share with you all.

Today we Introduce Ian Battersby as the new host for the ISO Show and learn about his background in Standards and ISO.    

You’ll learn

  • Taking a step back
  • Introduction to Steph Churchman
  • Introduction to Ian Battersby
  • What Standards has Ian worked with?
  • What Sectors has Ian worked in?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: After 5 years of the ISO Show, Mel Blackmore is handing the hosting baton over to Ian Battersby   

[02:25] Interim host – Ian will be the main host going forward, but there will be additions from Blackmores’ Communication Manager – Steph Churchman.

You may recognise her from recent episode such as:

Steph will be sharing findings from our own research, standards updates and conducting interviews with our isologists.

[03:35] An Introduction to Ian Battersby – Ian has been working for Blackmores since August 2023. Although he is meant to be part-time, he’s had a very busy first few months here!

Ian began working in British Aerospace, specifically manufacturing, in 1984. He later decided to return to university to study electrical and electronic engineering, which was promptly dropped.

His return to BAE lasted a few years before he moved onto the civil service for the Department of Health, working with them to conduct safety investigations and helped to create a broader risk profile.

When he moved to work with the NHS, firstly, with the litigation authority setting up governance and risk standards and then as a risk manager.

Surprisingly, after moving up a few levels, he decided to move onto run a restaurant! A Curry House to be specific, but after a year of rather stressful work that ended up costing a lot more than expected, he returned to work within the construction industry which is where he became more involved with ISO Standards.

From there he went onto work in manufacturing of high pressure pumps for a while before moving onto an organisation who rant he estate for the Department of Work and Pensions.

In the end, Ian left them due to being unable to live the life he wanted to live.

[05:15] What Standards has Ian worked with? – He started with ISO 9001, ISO 14001 and OHSAS 18001 (now ISO 45001).

[06:00] Digital Nomad – Ian currently splits his time between Leeds in the UK and Malaga in Spain.

Having a lot of experience working remotely in previous industries, this leap didn’t impede on his work in any way.

[07:15] What other Standards has Ian worked with? – He has assisted with ISO 44001 (Collaborative Business Management), but admittedly it was not his favorite ISO Standard to work with. It’s one of the rare instances in ISO where the Standard doesn’t quite align with others.

[08:00] What Sectors has Ian worked in – Ian’s extensive work history has afforded him the opportunity to work in a number of sectors, including:

  • Construction and Fit out
  • Manufacturing
  • Estate Management
  • Private enterprise
  • Healthcare / NHS
  • Facilities

With this list growing at a rapid pace since his introduction at Blackmores!

[09:45] What’s a big challenge that Ian’s had to overcome in the past? – In terms of ISO, it has to be Leadership. Ian’s found that to always be an issue within businesses attempting to implement ISO Standards.

A good looking Management System will only go so far without leadership commitment.

While working in facilitating Standards for an organisation, you won’t be implementing the whole system yourself. It’s more a case of delivering through others, the organisation controls and delivers their own processes and improvements, and so it’s imperative that Leadership are also embedding and encouraging these actions.

Ian will be going more in-depth on this topic in a future episode.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Can you believe we’ve been publishing the ISO Show for 5 years now! We certainly can’t!

The ISO Show began back in 2019, following a trip to Cumbria by the host Mel Blackmore. She was, and still is, an avid fan of podcasts and while listening to a few of her favourites on the 4 hour trip, she got to wondering if there were any podcasts about ISO Standards.

As it happened, there wasn’t at the time, and so the idea for the ISO Show was born. Not more than a few months later the first episode went live, and the rest is history.

For the past 5 years, we’ve had the honour of sharing our team’s combined 18 years of knowledge, including amazing insights from our clients and industry experts along the way.

Today Mel Blackmore will reflect on the ISO Show so far and share it’s next evolution as we introduce a new host.  

You’ll learn

  • Why was the ISO Show created?
  • Why is Mel taking a step back?
  • What will be the focus for the future?
  • An introduction to the new host(s)

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: After 5 years of the ISO Show, it’s hitting a turning point as we introduce a new host.  

[02:25] An amazing journey – It’s been an amazing 5 years of digging deep into some of the most pressing issues we’ve faced, sharing tips and dispelling myths about ISO Standards.

We’ve explored a lot of topics over the years, including:

  • Sharing our ISO 22301 (Business Continuity) knowledge when COVID hit, to help people with future and current response plans.
  • Transitioning to new versions of Standards, such as ISO 27001:2022
  • Interviewing leaders within the ISO space, such as Kit Oung, who helped to develop the UK’s current energy and climate change regulations.

[04:05] Mel’s sustainability journey – why she’s taking a step back as host – Mel’s made it no secret that her passion lies with Sustainability Standards. This podcast has helped to amplify their importance within our space, but she wants to take this a step further.

Going forward, Mel will be dedicating herself full-time to researching the crucial role of carbon standards in achieving Net Zero emissions by 2050.

[05:00] An evolution for the ISO Show – All this to say, the ISO Show isn’t going anywhere, rather we are introducing a new main host – Ian Battersby!

[05:05] Who is Ian Battersby? – Ian is a senior Isologist here at Blackmores. Ian brings a wealth of knowledge, expertise and a passion for helping businesses raise their game with ISO standards.

He’s a bit of a digital nomad, splitting his time between working from Span and England, he works part-time at Blackmores.

So he is very much involved in the day-to-day understanding of challenges of ISO Management, This includes the frustrations that businesses face and also how ISO standards support the achievement of greater productivity and profitability.

Ian will be introducing himself fully on the next episode 😊

[06:25] Thank you for making the ISO Show such a success! – We’ve now got a few thousand subscribers, with a global reach, we honestly never expected to have so many listeners when we started.

So whether you’re a regular or occasional listener, thank you for being here with us, we truly hope that our knowledge has helped you on your own journey to continual improvement within your own organisation.

[07:25] A long journey – A lot has happened over the past 5 years. In addition to being the CEO of Blackmores, Mel has also developed the isologyhub – an on-line learning platform which helps to raise awareness and understanding of ISO Standards.

She has also founded Carbonology – a sister company that specialises in carbon related Standards, which will be where focuses her main efforts over the next few years.

[07:44] Stepping back – but not gone – While you will be hearing less from Mel, she won’t be completely absent. She will be joining us at least once a month to explore how ISO Standards are shaping the landscape of Net Zero.

She will be sharing her journey to achieve net zero based on academic research, including primary and secondary research on how the various carbon related standards support the Sustainable Development goals and achieving net zero.

This will primarily be diving into Standards such as ISO 14064 (Carbon Verification) and ISO 14068 (Net Zero), in relation to how they support the Sustainable Development Goals, help to create a level playing field, providing transparency, reliability, accountability and without a doubt, credibility.

[09:20] Why the focus on sustainability? – Mel will be studying a masters by researching the role of Carbon Standards Verification in contributing to achieving Net Zero.

This focus hasn’t appeared out of the blue. Mel founded Carbonology with the goal of tacking Net Zero, one business at a time. They’ve already had great success over the past few years’ but there’s still so much more to do when it comes to understanding Greenhouse Gas emission verification, carbon removals, reductions and offsetting.

[10:10] Another big thank you – The ISO Show has been running for the past years with the assistance of Blackmores Communication Manager – Steph Churchman.

Starting from humble beginnings of recording using a mic housed in a shoebox, to being stuffed in a cupboard to combat our offices’ terrible acoustics. We’ve thankfully since upgraded our set-up to something much more comfortable.

Along the way we’ve experienced our fair share of technical issues, as you can’t really go 5 years of recording without something going wrong. However, there wasn’t much we couldn’t work around in some way or another.

As Steph has helped in researching topics we’ve discussed over the years, she will also be joining Ian on hosting the ISO Show in future episodes.  

[12:45] On to the next chapter – It’s not goodbye from Mel, but rather see you later. We’ll be bringing you all along on this next chapter of the ISO Show, so make sure you subscribe to stay up-to-date with our latest episodes.  

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Data Centres could be considered the powerhouse of thousands of businesses globally.

Long gone are the days of small physical servers being housed on-site, instead we rely on data centres to keep all our critical data safe and secure. But how do we know they are doing just that?

Many hold certifications to security-based Standards such as SOC 2 or NIST to display their commitment to data security. However, many also hold various ISO certifications that cover other aspects of the business outside of information security.

Today Steph Churchman, Communications Manager at Blackmores, will be sharing the top ISO Standard trends within the UK Data Centre industry.

You’ll learn

  • Why did we look into the Data Centre industry specifically?
  • What are the top 5 ISO Standard Trends in Data Centres?
  • Why are these ISO Standards essential for Data Centres?
  • Other commonly adopted ISO Standards within the data centre space

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:25] Episode summary: We’ll be taking a look at the top ISO Standard Trends within the UK Data Centre Industry

[02:30] Why did we look into the Data Centre industry specifically? – In the mid 2010’s, we noticed an influx in enquiries from Data Centres in regard to Implementation of ISO Standards. That prompted a research project that led to Blackmores working with some of the top UK Data Centres.

Now in 2023 and 2024 we’re starting to see a similar push for ISO Standards within the same industry. So, we revived the project to get a grasp on the modern ISO landscape, and took a look at the top 100 Data Centres within the UK.

[03:34] #1: ISO 27001 Information Security – Out of the 100 data centres sampled 72% of them were certified to ISO 27001.

Security is of upmost importance to data centres, and the great thing about ISO 27001 is that it considers security for not only the digital environment, but also for people and physical security.

This Standard is also, in most cases, a stakeholder requirement. Certification to ISO 27001 indicates that you’re adhering to best practice in information security, and through the creation of an ISO 27001 compliant Management system, you will have documentation in place such as an information security policy and data retention policy, that often get requested by potential clients.

If you’d like to learn more about the Implementation process for ISO 27001, we’ve got a helpful 3-part podcast series that summarises the entire process from Gap Analysis to Assessment preparation.

anyone currently certified to ISO 27001:2013 that you have just over 1 more year to complete your transition to ISO 27001:2022. If you don’t do so by October 31st 2025, you’ll risk losing your ISO 27001 certification.

That’s not the only reason you should be transitioning though. The new version of the Standard includes 11 new controls, which cover some newer technologies which really weren’t around when the 2013 version was published. So regardless of the risk of losing your certification, it’s in your best interest to ensure that you’re adhering to the latest version.

If this is all news to you, then you can also go back and check out episodes 128 through to 133. This was a little mini-series we did to summarise the key changes to ISO 27001 and what actions you need to take to transition. We also have a Transition Gameplan available on the isologyhub if you’d like a more guided approach, including document templates and training videos covering those new controls.

[06:25] #2: ISO 9001 Quality Management – The Quality Management Standard is as popular as ever, even within the data centre space, with 51% of the 100 sampled data centres being certified.

ISO 9001 is considered the leading ‘Quality mark’ for businesses and is often the starting point for many diving into the world of ISO implementation. ISO 9001 creates a well-rounded base Management system to help you manage your risks and opportunities, as well as ensuring you drive a culture of continual Improvement. Its guidance can help you establish your core policies, processes and procedures to ensure everyone is singing from the same song sheet.

The fact that this one is popular among data centres isn’t too much of a surprise, it’s a universally adopted Standard that isn’t limited by industry or organisational size. Currently, there are over 1 million ISO 9001 certificates issued worldwide, and that trend shows no signs of slowing down.

[08:25] #3 ISO 14001 Environmental Management  – A surprising 25% of the sampled data centres were certified to ISO 14001.

From an objective point of view, it makes sense for data centres to consider their environmental footprint. But a lot of that would fall under energy usage rather than just general environmental management, so this likely means it’s mainly driven by stakeholder requirements.

ISO 14001 is being requested more and more for the likes of large Government contracts, so If you want a chance at bidding for these, ISO 14001 is a must.

Now don’t get me wrong, I’m sure a lot of data centres have implemented this Standard in an earnest effort to monitor and measure their impact holistically. After all ISO 14001 asks businesses to consider how they can prevent environmental impacts such as pollution and degradation of nature. And the additional guidance provides some helpful starting points for those that may not be sure where to start, for example making commitments to recycling, protection of biodiversity and climate change mitigation.

For data centres specifically, this may come into effect when we think of the amount of electronic waste that they could potentially produce. Obviously, this can’t just be thrown out in a standard green lidded bin, it’ll need to be taken to a dedicated electronic waste facility for processing, disposal and recycling. Racking, shelving and cables will all also need to be replaced at some point, and it’s up to each data centre to ensure they have the appropriate processes and policies to ensure this is done correctly and more importantly legally, which again, is where ISO 14001 can help put those frameworks in place.

[10:30] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[12:45] #4: ISO 50001 Energy Management – With just 13% of the 100 sampled data centres certified! This one is a shocker because, typically, data centres highest cost is in relation to their energy usage. They require enormous amounts of energy to keep their facilities running and to cool down their equipment 24/7. Which I imagine they’d be quite keen to reduce if only to save on running costs.

This is where ISO 50001 can come in, to help create a structured approach to effectively monitor that energy usage, so you can identify key trends and opportunities to reduce overall energy consumption, which in turn will save a lot of money.

With a healthier proportion being certified to ISO 14001, it seems a shame that so many are missing out on the additional benefits that ISO 50001 can bring, especially when it can very easily be integrated with ISO 14001. In fact, if you’re already certified to ISO 14001, then you’ve already done half the work to implement ISO 50001. Both frameworks are based on that Annex SL format, and both have a lot in common in terms of what documentation is required.

It can also help with compliance with some UK and EU based energy initiatives. For example, here in the UK we have ESOS (The Energy Savings Opportunities Scheme) which applies to large organisations that fit within its criteria. They’re usually required to provide a report once every 4 years, however as of 2023, Phase 3 now requires organisations to provide an Energy Action Plan which details what actions they plan to take to reduce their energy consumption.

There are likely a few data centres that would fall into ESOS’s criteria, and if you’re sick of going through the ESOS song and dance every few years, then ISO 50001 may be the answer for you, as being certified means that you’re going above and beyond ESOS’s requirements and will be considered compliant. Meaning no more pesky reporting, or having to locate an ESOS assessor to sign off on those reports.

[15:10] #5 ISO 22301 Business Continuity Management – With 12% of the 100 sampled data centres being certified.

ISO 22301 is the Standard for Business Continuity, and provides a basis for planning to ensure your long-term survivability following a disruptive event.

That 12% may not be truly reflective of all the data centres that have business continuity plans in place however, as according to a recent Business Continuity institute survey, 56% of surveyed businesses use ISO 22301 as a framework but aren’t certified to it.

There will be a fair few data centres in our sample list that fall under that category.

Why should this Standard be a priority for Data Centres? Well, the answer should be simple, if a disaster were to knock out a data centre, that has a massive knock-on effect. Many house servers used by hundreds if not thousands of businesses and users. If they’re unable to provide services, that will in-turn cause multiple other businesses to grind to a halt.

The true cause of failures at data centres can be many things such as hardware failure, human error or a disaster such as flooding or fires. However, the advantage of utilising ISO 22301 is the ability to be able to effectively deal with these incidents and restore services, which is essential for an industry which is quite literally the powerhouse for millions of other business and people.

If you fail to plan, you plan to fail

Having a robust business continuity plan should be a top priority for any business, especially data centres, seeing as so many rely on them to keep their own services running. Even if you don’t want to go through the full certification process, it’s worth grabbing a copy of the Standard, as it provides a lot of helpful guidance.

If you’d like to learn more about ISO 22301 in general, go back and check out episode 42 where we go over the Standard in more detail and it’s many benefits.

[17:45] Runner up: ISO 20000 Service Management – Saw 11% of our sample data centres certified to this Standard.

This actually used to be known specifically as the IT Service Management Standard, so that probably clues you into why this would be adopted by many with in tech spaces. However, it truly is applicable to any business offering services.

The aim of ISO 20000 is to provide a framework for an effective end-to-end service management system which encompasses the entire lifecycle of a service from concept and design, through to service removal and end-of-life.

[18:55] Runner up: ISO 27017 information security controls for cloud services – With just 5% of our sampled Data Centres certified.

This one is fairly self explanatory in it’s relation to data centres, which operate solely on cloud based services.

This Standard was introduced after the 2013 version of ISO 27001 was published, as the main standard didn’t really address cloud security controls specifically. Mostly because cloud computing and its related security weren’t as widely adopted as they are now. So ISO 27017 was created to try and bridge those gaps.

In the latest 2022 version of ISO 27001, there’s now a new control for cloud security. So, we may see less interest in ISO 27017 certification going forward.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Working towards a sustainable future is going to require a joint effort from everyone if we’re to reach our 2030 and 2050 targets.

Several initiatives have come out in recent years to try and address one of our biggest challenges, energy consumption. Many of us in the UK will be familiar with ESOS (The Energy Savings Opportunities Scheme), which involves regular reporting from those that fit its criteria. It’s also recently updated to include a stipulation to include an ESOS Energy Plan, which requires you to detail a route to reduce your energy consumption.

However, many businesses would prefer a more consistent approach to energy management, such as today’s guest – Daisy Corporate Services.

Today Mel is joined by Damian Edwards, ISO Standards Manager at Daisy Corporate Services, to discuss why they Implemented ISO 50001, what they’ve learned from the experience and the benefits gained from implementing an Energy Management System

You’ll learn

  • Who is Damian and who are Daisy Corporate Services?
  • Why did they decide to Implement ISO 50001?
  • What was the biggest gap identified during their Gap Analysis?
  • What lessons did they learn from Implementing ISO 50001?
  • What benefits did they gain from ISO 50001 certification?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:30] Episode summary: Mel is joined by guest Damian Edwards, ISO Standards Manager at Daisy Corporate Services, to discuss their journey towards ISO 50001 certification.

Daisy are not strangers to ISO Standards, already having achieved: ISO 9001, ISO 14001, ISO 27001, ISO 45001, ISO 20000 and ISO 22301!

They have also recently won the Sustainability and Tech Awards 2024 and the Green Shoots Awards too.

[04:15] Who is Damian Edwards? – Damian has worked at Daisy as their ISO Standards Manager for the past year. A little known fact about Damian: He listens to classical music as a way to focus.

[05:25] Who are Daisy Corporate Services? – The are primarily a provider of IT and Communications. They currently supply a range of services including:

  • Unified Communications
  • Connectivity
  • Modern Workplace
  • Cyber Security
  • Cloud services
  • Managed Services
  • Operational Resilience

[06:25] What were the main drivers behind obtaining ISO 50001 Certification? – In addition to the office spaces Daisy controls, they also have a number of data centres, which use massive amounts of energy. Finding ways to monitor, measure and potentially reduce that energy use, and subsequently cost, was essential. 

The second main driver is mainly for commercial reasons. Without Standards like ISO 50001, you can’t bid for larger contracts or Government frameworks.

[08:30] Daisy’s commitment to ESG  – Daisy have a made a solid commitment to ESG, explained further on their website as they break it down into 10 key focus areas. Energy Management is one of the logical steps to tackle reducing carbon emissions.

Data centres can be very inefficient, so being able to consistently monitor, measure and improve their energy consumption is a key part of tackling some of their ESG related goals.

Also being certified means you have the certificate to back up your claims. It’s not you just making a statement, it has to be verified by a third-party.

[10:30] How long did it take to Implement ISO 50001? – It took between 8 – 11 months. For a Standard like ISO 50001, it’s important to do it properly. Some organisations may request it in 6 months, but for larger organisations, that would be a tough ask, and you run the risk of rushing into certification without having those processes embedded in.

[11:45] Did having existing ISO Standards make the process smoother? – Yes, as it was a case of integrating ISO 50001 with our existing systems rather than starting from scratch. Though, having so many ISO’s can water the message down a bit, to combat that we’ve got a single statement that gets across everything you need to know about Daisy.

[12:55] What was the biggest gap identified during the Gap Analysis? – Because we already have so many ISO’s, we can be a bit big headed and say there weren’t many gaps at all, however, there were still some things we could do. One of the biggest areas for improvement was Clause 7, Documentation, as all ISO Standards have their own required documentation.

Another was putting in place a plan for monitoring and measuring our energy usage. We have a Property Director who did do that, but he wasn’t really documenting it, so we’ve put in place some proper processes to help show that we’re actively monitoring it, looking at the trends and putting in actions to reduce and improve on that.  

[14:55] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[17:10] Did closing those gaps make a big difference? – We did have a lot of help from Blackmores in order to address those gaps. Out consultant advised us to combine elements of out Management Review with out monthly Team Meetings, as our Director is involved with those, and we avoid another meeting for meeting’s sake.

We now also produce a pack of all the monitoring and measuring that’s done throughout the month, which makes it easy for us to analyse and identify trends in energy use. Any actions from reviewing this are then recorded and followed up on. So, in essence it’s just made everything a lot smoother.

[19:55] What did Daisy learn from Implementing ISO 50001? – It takes a team to achieve this – you can’t do it on your own. You also can’t rush it!

Another key take away is that the whole project needs to be driven by top management, without all of those elements combined, it’s probably not going to work (or be a lot slower and more painful!)

It’s also really helped with our commitment and messaging around ESG too. So within those monthly Management Review meetings we have a representative from the energy efficiency team, the ESG team and our bids team. They’re then all communicating what the customer message is, that they expect of us, in turn they’re kept in the loop about our energy usage and related actions and can communicate that outwards.

[21:15] What other benefits are there from achieving ISO 50001? – Having our management system verified by a third-party means that we can confidently say we’re adhering to best practice. It also just validates that we are doing things correctly!

It also means that we can monitor opportunities for improvement. If we identify more gaps in future, we have the processes in place to address them.

ISO 50001 has also helped to put some context behind the energy data we’re collecting. Thanks to the new processes we can accurately identify key trends and explain why energy usage may be going up and down.

[23:25] Damian’s top tip – Ensure that your project is driven by top management. They’re involvement means it’s a lot easier to communicate that message that you’re doing the right thing.

Also, ISO 50001 helps with your regulatory compliance too. If you’re a larger organisation, then you likely have to adhere to schemes like SECR or ESOS. If you’re certified to ISO 50001, then you’re already complying with both.

[24:35] Damian’s book recommendation – Beryl in search of Britain’s greatest athlete.

[26:45] Damian’s favorite quotes – Hard work beats talent when talent doesn’t work hard” and “You miss 100% of the shots you don’t take.”

If you’d like to learn more about Daisy Corporate Services, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

In February 2024, the ISO and IAF issued an unprecedented change to 31 commonly adopted ISO Standards, such as ISO 9001, ISO 14001 and ISO 27001. 

This change saw the addition of a new ‘Climate Change Amendment’, which was applied in part due to the ISO’s resolution in support of the ISO London Declaration on Climate Change.

So what does this mean for ISO certified businesses? 

Join Mel as she discusses what this new ISO Climate Change Amendment is, why it was introduced, what are the consequences if you don’t address it and the benefits of its introduction.

You’ll learn

  • What is the ISO Climate Change Amendment?
  • Why was it introduced?
  • What are the consequences if you do not address the change?
  • What are the benefits of the Climate Change Amendment?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:30] Episode summary: We break down the new ISO Climate Change Amendment, including why it was introduced and why you should address it ahead of your next Certification Body visit.

[02:55] Join our Workshop– If you’re not sure where to start with addressing this amendment, join our interactive workshop taking place on the 20th May (14:00 – 16:00 GMT). There we will explain how you can integrate the new changes into your existing ISO Management System. Register your place here.  

[04:30] What is the new ISO Climate Change Amendment? – A key clarification before we go into more detail, this is not a new version of a Standard i.e. ISO 27001:2022, where you must transition to a new version.

So, what is it? In February 2024, the International Organization for Standardization (ISO) introduced a groundbreaking amendment to integrate climate change considerations into various management system standards.

The amendment doesn’t assign specific actions. Instead, it adds text to existing clauses in 31 standards (including ISO 9001, 14001, 27001) requiring organizations to consider:

  • Relevance of climate change: Organizations must assess if climate change is a relevant issue for their operations and context (Clause 4.1).
  • Stakeholder expectations: Note added: Relevant Interested Parties can have requirements related to climate change (Clause 4.2).

As we’ve learned from our sister company, Carbonology, it is often Stakeholders driving forward that need to verify a business’s carbon footprint and take steps towards Net Zero.

[09:30] Why was this change Introduced? – This change was in part due to ISO’s resolution in support of the ISO London Declaration on Climate Change. The aim is making climate change considerations an integral part of management systems, their guiding policies and practises – not simply as an afterthought.

As we all know, climate change will affect everyone, and should be a concern that every business fully considers to ensure they are resilient and adaptable enough to deal with climate related risks.

This amendment means businesss will need to address these risks where relevant, and integrate them into strategic objectives and look what can be done from a risk mitigation perspective.

The global business community will be one of the driving forces for paving a way to a more sustainable future – It all starts with changing the way we work, making the shift towards embedding environmental consciousness into the very heart of your business.

ISO Standards are widely adopted, and this change offers a catalyst for meaningful climate action on a global scale.

[11:00] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[13:20] What are the consequences for not addressing this change? – Certification bodies will be asking you about these amendments effective immediately. If you’ve not addressed them ahead of your next certification body visit, you could run the risk of getting a non-conformity. The amendment added to Clause 4.1 especially states ‘Must’ – so there’s no getting away with simply ignoring it.

[14:50] What are the benefits of this change? – Some of the benefits will likely already be felt by those with existing environmental standards such as ISO 14001 and ISO 50001 in place. So, let’s take a look at how you can benefit from addressing this amendment: 

  • Reduced Environmental Footprint: By integrating climate change considerations, businesses can identify and implement practices that lower their carbon emissions and resource consumption.
  • Enhanced Sustainability: Addressing climate change demonstrates a commitment to sustainability, which is increasingly important for attracting environmentally conscious customers and investors.
  • Cost Savings: Climate-conscious practices can lead to cost savings through improved resource efficiency, reduced waste, and potentially lower energy bills.
  • Resilience and Risk Management: By considering climate-related risks (e.g., extreme weather events, resource scarcity), businesses can proactively develop strategies to mitigate these risks and ensure operational continuity.
  • Innovation: Focusing on climate change can lead to innovation in areas like cleaner technologies or sustainable product development, giving businesses a competitive edge.
  • Positive Brand Image: Demonstrating proactive action on climate change can enhance a company’s brand image and reputation among environmentally conscious stakeholders. This is a particularly important issue to younger generations who are becoming the dominant buying power from a commercial perspective.
  • Stronger Stakeholder Relationships: By considering stakeholder expectations around climate change, businesses can build stronger relationships with customers, investors, and regulators.
  • Holistic Approach to sustainability: Integrating climate change considerations strengthens a businesses’ overall management system by fostering a more comprehensive and future-proof approach.
  • Continual Improvement: The amendment emphasizes continual improvement, encouraging businesses to constantly seek ways to reduce their environmental impact, leading to long-term sustainability benefits.

If you’d like to learn about what actions you can take to integrate the ISO Climate Change Amendment into your ISO Management System, join our live event on the 20th May – register here.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISO 42001 was published in December of 2023, and is the first International Standard for Artificial Intelligence Management Systems.

It was introduced following growing calls for a common framework for organisations who develop or use AI, to help implement, maintain and improve AI management practices.

However, its benefits extends past simply establishing an effective AI Management System.

Join Steph Churchman, Communications Manager at Blackmores, on this episode as she discusses the top 10 reasons to adopt ISO 42001.

You’ll learn

  • What is ISO 42001?
  • What are the top 10 reasons to use ISO 42001?
  • What risks can ISO 42001 help to mitigate?
  • How can ISO 42001 benefit both users and developers of AI?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:30] What is ISO 42001?: Go back and listen to episode 166, where we discuss what ISO 42001 is, why it was introduced and how it can help businesses mitigate AI risks.  

[02:45] Episode summary: We take a look at the top 10 reasons why you should consider implementing ISO 42001.

[02:55] #1: ISO 42001 helps to demonstrate responsible use of AI.  – , ISO 42001 helps ensure fairness, non-discrimination, and respect for human rights in AI development and use.

Remember, AI can still be bias based on the fact that AI models are typically trained on existing data, so any existing bias will carry over into those AI models – an example of this is the existing lack of representation for minority groups.

We also need to take care in the use of AI over people, as staff being replaced by AI is a very real concern and should not be treated lightly. We’ve already seen a few cases where this has happened, especially across the tech support field where some companies mistakenly think that a chatbot can replace all human staff.

We also need to consider the ethics of AI content. It’s predicted that 90% of online content will be AI generated by 2026!

A lot of this generated content includes things like images, which poses a real concern over the values we’re translating to people. The content we consume shapes the way we think and if all we have is artificial, then what message is that conveying?

An example of this is Dove’s recent advert, which showed an example of AI generating images of very unobtainable ideals of a beautiful face. Which were predictably absolutely flawless, almost inhuman and something that can only be achieved through photo editing. If the internet was flooded with this sort of imagery, then that starts to become the expectation to live up to, which can be tremendously damaging to people’s self-esteem. They then went on to show actual unedited people, in all their varied and wonderful glory and stated that they will never use AI imagery in any of their future marketing or promotional material.

Which sends a very strong message – AI definitely has its place, but we need to fully consider the implications and consequences of it’s use and possible oversaturation.

[05:20] #2: Traceability, transparency and reliability – Information sourced via AI is not always correct – It collates information published online, and as many of us are aware, not everything on the internet is correct or accurate.

Data sets carelessly scrapped from online sources may also contain sensitive or unsavoury content. We’ve had cases where people have managed to ‘break’ Chat GPT, causing it to spew out nonsense answers which also contained sensitive information such as health data and personal phone numbers. While not usually accessible when requested, it does not stop the risk of this data being dug up through exploits. AI is like any other technology, and is not infallible.

So, it’s up to developers to ensure that the data used to train models is safe and appropriate for use. It should be expected that data sets will be scrutinised from a legal standpoint – either as a result misuse of AI or a mandatory exercise as a part of future legislation. 

There’s also research that suggests data sets can be potentially poisoned to produce inaccurate results – which is another consideration for developers using live data sets, who will need to stay on top of these risks to ensure the integrity of their tools.

ISO 42001 provides specific guidance that covers how developers can ensure transparency and explainability within sample training data.

[06:45] #3: It’s a framework for managing risks and opportunities – AI, like any other new technology, is going to create new risks and opportunities.

Risks include the likes of inaccurate data being used, existing bias in data training sets, plagiarism, information security risks and data poisoning.

If you’re simply using AI to gather information, it’s also a good exercise to ensure that the information is coming from a reputable source. One easy way to so this is to simply ask for the source to be cited when pluging in a prompt into tools like Chat GPT and Gemini. You can then verify how legitimate that source is.

For web developers and SEO specialists, Google has recently updated it’s algorithm to punish those with a lot of AI generated content on their websites. So those within the SEO space may see some interesting trends over the course of 2024. 

Another unfortunate risk is that of more complex scams being implemented through the use of AI. An example of this involves those who may use an AI assistant in their systems, which can be affected by malicious emails that contain prompt injections which could be used to send data from a victims machine to outside sources.

This is only touching on a few risks, but as you can see, there’s a lot to consider and I’ve no doubt that more complex risks will make themselves known as the technology evolves.

However, there are a lot of opportunities to be found with AI use.

There’s a huge potential for AI to be utilised to tackle mundane and routine tasks which could be automated.

AI also has the capability to scan masses of data and provide suggestions based on it’s findings. Obviously, humans can’t possibly compete with the sheer volume of data that AI can process, and so we can utilise it to help us make better more informed decisions.

A lot of commonly used software has already integrated various AI tools which offer great quality of life updates and help make a lot of tasks quicker. Which in turn means our time is better spent elsewhere on tackling the more complex issues that require a more human touch.

ISO 42001 can help you balance out these risks and opportunities by helping you build a robust management system to manage and mitigate risks, and drive forward opportunities through continual improvement.

[10:35] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[12:50] #4: Demonstrate that introducing AI is a strategic decision with clear objectives – Businesses looking to integrate AI should not make this decision lightly.

I know it’s tempting to play with the newest toy, but we should take care to look at any possible risks, and that it aligns with both your company objectives and ethics before rushing to utilise something.

For example, allowing your staff to use ChatGPT for content creation. You need to consider a few things:

You need to make sure Staff aren’t putting in any confidential or sensitive information into publicly available AI tools.

Also, ensuring that Staff understand that content provided by the likes of ChatGPT and Gemini could be plagiarised if used as is. You need to build, adapt and change the content so it’s something unique.

It’s all well and good introducing AI technology if it truly is going to be beneficial to your employees and to the business as a whole, however if you’re just introducing it because everyone else seems to be, then you really have to question if it’s worth it. If it’s not actively making your work lives easier and helping you to achieve your objectives, then is it really worth the potential cost and effort to implement?

It may also be worth looking into how the AI tool you’re using was created. There is sadly still a lot of exploitation involved in the development of new technology, so it’s up to you to ensure that the tools you’re using were created in an ethical way.

Ultimately, ensure that you are using AI safely, ethically and that it aligns with your businesses established objectives. This will need to be communicated clearly to everyone in the business.

ISO 42001 is, at its heart, a Management system standard. Like many other ISO Standards, it includes guidance on setting objectives and communicating these to your wider business.

[15:24] #5: ISO 42001 helps to implement safeguards – Certain features of AI may require safeguards to help protect businesses against the extra risks they pose, such as the increased potential of more sophisticated cyber attacks or compromised training data.

This can be applied within a particular process or an entire system.

Examples of features that may require these safeguards include:

  • Automatic decision making
  • Data analysis, insight and machine learning
  • Continuous learning

Something you need to consider: Cyber scams are going to become a lot more complex with the help of AI, so you need to ensure you’re staff are both aware of this and how they can avoid falling prey to them. Safeguards may simply involve more training on these new risks, or updating to a more robust security software that is able to detect possible AI cyber scams.

Developers are also going to need to keep on top of any data being fed into their tools. Public live data tools especially will be more susceptible to being poisoned and tampered with, so it’s up to them to monitor and ensure the integrity of their data.

ISO 42001 provides guidance in it’s annexes for users and developers to implement these necessary safeguards.

[16:30] #6: ISO 42001 Supports compliance with legal and regulatory Standards – More AI focused legislation is an inevitability, with the new EU AI Act being a perfect example.

It’s important to ensure that you are prepared to comply with legislation as it’s released, or you may be held liable and be subject to fines.

Currently, the UK has no plans to introduce a new regulator for AI, instead relying on existing technology based regulators like the Information Commissioners Office (ICO), Ofcom and FCA.

ISO 42001 includes specific considerations for any potential applicable legislation.

[17:06] #7: ISO 42001 Can enhance your reputation  – ISO Standards are internationally recognised and ensure you are complying with best practice.

Gaining certification to ISO 42001 will show you are confident in your AI related claims, and are happy to have this verified by a third party.

[17:30] #8: ISO 42001 Encourages innovation within your business For as much as we’ve stressed the potential risks AI could expose your business to, ultimately AI is here to help make our lives easier. We just need to ensure we’re responsible when applying it.

ISO 42001 ensures you can safety integrate AI tools and systems within your business. It’s there to help guide the adoption of this new technology, and drive continual improvement as your management system matures. 

[17:55] #9: ISO 42001 Can be easily integrated with existing systems ISO 42001, like many ISO Standards, is based on the Annex SL format and can be easily integrated with existing ISO Management Systems such as an ISO 9001 (Quality management) or ISO 27001 (Information Security management) system.

Risks addressed in ISO 42001 include security, privacy and quality among others, and can help to enhance the effectiveness of your Management system in those areas.

[18:25] #10: ISO 42001 Does not require an existing Management System to implement While ISO 42001 would make a great addition to any ISO Management System, it’s important to note that this can be implemented independently.

It is also not intended to replace or supersede any existing quality, safety or privacy Standards / existing management systems.

We’ll be releasing a suite of ISO 42001 related training content on the isologyhub, if you’d like to get notified as soon as this becomes available, please register your interest on our waitlist.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following.

With our heavy reliance on technology to keep both businesses and services running, it’s imperative that everyone take cyber risk seriously.

However, incidents will inevitably happen and it’s up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery!

We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident.

You’ll learn

  • Who are Epiq?
  • What does the current cyber incident landscape look like? 
  • What are the consequences if a business does not respond to a cyber incident effectively?
  • How can a business detect if they’re being attacked?
  • How should businesses respond in the event of a cyber incident?
  • What role does a legal team play in incident response?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident.

[03:00] Who are Epiq?  – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unathorised access or attempted access to an organisation’s IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimize damage and protect sensitive data.

[05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident? : The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023:

Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year.

Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox.

For me, there are 3 main challenges that organisations face when responding to a cyber incident:

  • Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation, during and already high stakes situation.
  • Expertise and support – navigating the complex legal, technical and operational aspects of an incident
  • Data-focused impact – understanding and assessing the risk to data after resolving an incident.

[10:00] What are the solutions to these challenges?  – Understanding the various external expertise and support available to a business, whether that be engaging with a law firm, a cyber incident response expert and cyber insurer will give you access to support with both the day-to-day management of an incident, as well as the legal, operational and commercial impact of said incident.

 [12:10] What are the consequences for an organsiation that does not respond effectively to a cyber incident? – : Failing to respond effectively to a cyber incident often leads to a variety of sever complications for a business, such as;

  • Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organization will not have access to potentially crucial business information. Financial losses and higher costs to incident response can come as a result of poor planning.
  • Additional Data Breaches: if an organization doesn’t respond effectively to a cyber incident, taking steps to gain control over their systems, additional data breaches can occur from threat actors gaining further access to the organisation’s systems.
  • Financial losses: cyber incidents affect a business’ bottom line. Costs including incident investigations, recovery, legal fees and potential fines. Further, knock on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents.
  • Damage to Reputation and Trust: Public perception matters for a business. A poorly handled cyber incident damages an organization’s reputation. Customers, partners and stakeholders lost trust, affecting long-term relationships and market position.
  • Legal Consequences: Regulatory fines and potential follow on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming.

[16:25] How can organisations detect if they are being attacked? – signs will vary depending on the type of cyber incident, but organisations and end users could expect to experience; slow systems, locked accounts (no access to mailboxes etc), inability to access documents or shared drives, ransom demands and unusual emails from organisation domains are all tell-tale signs of a cyber incident. If an organisation has invested in Managed Detection and Response software for their end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents.

[17:40] What are the key steps an organization must take in responding to a cyber incident? – It’s a great question, and these key steps will be implemented during a cyber incident response plan – an impacted organization should:

  • Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage)
  • Identify: Understand what is happening to a business post incident? Things like locked accounts, no access to business systems etc.
  • Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door
  • Report: Notify relevant stakeholders, including legal obligations.
  • Learn: analyse the incident to then take retrospective action to prevent further incidents.

[21:23] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub 

[23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – like with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters.

  • Response Funding: Insurers cover costs related to incident response, including professional services.
  • Response Time: Insurers bring in experts promptly, improving incident resolution.
  • Affordability: For small to medium businesses, insurance may be the only way to afford a response team.

[26:10] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.

Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.

Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.

Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.

[27:25] What are the legal obligations that exist after a cyber incident, especially in related to personal data breaches? – the legal obligations are clear – an organisation must report personal data breaches within 72 hours of awareness, unless the risk to individuals’ rights is unlikely. This quick turnaround is why it’s imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications.

[28:45] What support is there out there for organisations that are victim to a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated to a cyber incident, we discussed the important of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event.

Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business.

[30:35] What role does a legal team play in incident response? –  Legal support and advice is critical during an incident. As mentioned, they will help support with report the incident to the regulatory bodies required.

  • Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements.
  • Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance.
  • Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues.

[32:30] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.

Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.

Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.

Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.

[36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin’s famous quote is so true here – ‘by failing to prepare, you are preparing to fail’.

The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn’t ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It’s important to reduce your attack surface, and ensure you have cyber security themes running throughout the business.

[37:45] What are Jack’s top 3 tips to take away from this session to help them respond effectively to an incident? –

  • Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response.
  • Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key.
  • Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business.

 If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023.

Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive.

As a result, the question of businesses being affected by a cyber incident has become ‘when’ rather than ‘if’.  However, there are a number of steps you can take to mitigate risks ahead of any potential incidents.  

We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks.

You’ll learn

  • Who are Epiq?
  • What is a cyber incident?
  • The importance of being proactive in reducing the risk of an incident
  • What can organisations do to be proactive in mitigating cyber incident risk?
  • What are forensic tabletop exercises, and how do they enhance preparedness?
  • Why might an organisation need to get an incident response retainer?
  • What role do Information Governance consultants play in reducing cyber risk?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk.

[02:40] Who are Epiq?  – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them.

Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director.

Jack’s role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology.

[06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation’s information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats.

Organisations looking to combat information security risks should consider ISO 27001, as it’s key principles include the confidentiality, integrity or availability of your businesses information.

[08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business?  – Let’s look at some startling statistics:

In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week.

48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business.

This is the most shocking of the statistics, and why it’s so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident.

70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don’t).

Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following!

 [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024:

January saw a rise in cyber incidents predominantly affecting retail, education and local government.

In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets.

All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident.

[13:35] ISO Standard trends – At Blackmores, we’ve seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries.   

[15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation’s requirements and compliance issues arising from a cyber incident.

If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it’s imperative that your organisation has established, sound relationships with law firms and consultants.

[17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents.

Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business.

[18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs.

The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident.

[19:35] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub 

[21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity.

In Blackmores’ experience, a lot of organisations don’t actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it’s a bit of an eye opener when they realise they’re not as resilient as initially thought.

It’s always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task.

[23:40] Why might an organisation need to get an incident response retainer? – We’re starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements.  One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements.

[26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate.

[27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining:

  • Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements.
  • Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements.
  • Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process.
  • Privacy Compliance: Aligning with regulations such as  GDPR, DP, DPA, CCPA.

[33:30] What are Jack’s top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn’t a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against:

Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks.

These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions.

So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security.

Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases.

Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees.

Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure.

Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I’m seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur.

If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Businesses looking to tackle their environmental impact will need to look at how they can reduce their carbon emissions and offset any remaining emissions to ensure that they reach Net Zero.

One of the most common ways businesses offset their emissions is through the purchasing of carbon credits that typically go towards planting trees or re-wilding.

However, there are a number of new emerging trends following on from the current commodification of nature, resulting in an attitude shift from businesses who are looking to get a lot more involved in the offsetting process.

We invited Luke Baldwin, Co-founder and CEO of Nature Broking, back onto the show to explain the latest trends in the carbon market.  

You’ll learn

  • What are the latest trends in the carbon market?
  • The importance of high integrity within carbon offsetting
  • Looking for impactful solutions
  • Why education around carbon offsetting is key for long-term sustainability commitment
  • How buying carbon credits now can lead to significant savings

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss emerging trends in the carbon market that help businesses tackle their carbon offsetting.  

[02:50] What are the key trends in the Carbon Market  – As of 2024, Luke states the leading trends as:

  • High Integrity
  • Impactful solutions
  • Education
  • Purchase carbon credits now and save later

[04:10] High Integrity – There’s now a lot of carbon credits available and due to the nature of the unregulated carbon markets, it’s led to an increase in bad actors generating revenue in a bad way.

Once example of this is Kariba, a project in Zimbabwe that aimed to tackle deforestation, which was recently exposed in the Guardian and The New Yorker for having incorrect calculations. Credits purchased towards that programme were then called into questions and any associated companies were accused of greenwashing.

To avoid this, businesses are now putting a greater focus on high integrity solutions, which involves considerations such as:

  • Are the credits durable? Will the carbon be stored long term?
  • Are their significant CO2 benefits?
  • Are the credits contributing anything besides just removing carbon? i.e. regenerative agriculture or woodland plantation

[06:20] Impactful Solutions: The carbon markets offers a lot of fantastic solutions and businesses are moving away from the quick commodification of those solutions, and are instead looking to really understand the impact of how they chose to offset their emissions.

It’s becoming more of a question of buying carbon credits that align with your values, whether this be social values or sustainability values.

They’re looking to invest in projects that will have a tangible outcome. Which is exactly what Nature Broking sets out to assist businesses with by tailoring bespoke solutions that adhere to their specific values.

[08:10] Education  – The need for more education around the carbon markets is crucial.

Luke remembers the quote “you can’t love what you don’t know”, which applies as how can a business truly invest in something that they don’t fully understand.

Sustainability is a mindset, and a cultural shift towards more sustainable practices starts with an education.

Carbonology uses an ISO framework, but also provide an education around the carbon reduction plan provided to inspire a mindset shift change towards sustainability.

[09:05] Blackmores experience – Blackmores have been implementing environmental and energy Standards for over 18 years, but it’s only been in recent years that we’ve seen a mindset shift in leadership towards sustainability.

While people may be aware of Standards such as ISO 14001 or B Corp, but may not be aware of other governance frameworks that can help businesses to manage their carbon footprint and carbon neutrality.

[10:20] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub  

[12:25] How can you make significant savings when purchasing carbon credits? – A lot of carbon solutions currently are very cost effective, in particualr forestry credits and carbon removal credits.

Some of the more technological ones such as direct air capture or bioenergy and carbon capture and storage can be more expensive now because the technology utilised is still so innovative and in it’s infancy. However, that will change in time.

 If you’re looking at building a carbon portfolio for your net zero journey, for example, say are going through a science based targets initiative and you’ve decided that you cannot avoid the 10% of remaining emissions your net zero journey and you need to buy carbon removals – you’re much better purchasing carbon removals now than in the future.

This is because there will be a supply shortage in future, especially when we see more enforced regulations come into play between 2030 and 2035. This will mean that the price of those carbon credits will rise significantly.

What may cost £20-£30 per tonne for carbon removal now may go up to anywhere between £100 – £150 per tonne!

So it’s worth investing in your carbon portfolio now, especially in the case of tree planting as those tress are going to take a while to grow and actually start storing carbon.

If you finance projects now, you will have already made an amazing impact from the start, and will potentially save yourself a lot of trouble and money in future by planning ahead.   

If You’d like to learn more about Nature Broking and their solutions, check out their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

The UK is the first major economy to achieve it’s 50% reduction target for Greenhouse Gas Emissions (between 1990 and 2022). However, we’ve still got a lot of work to do to reach our 2023 target of a 68% reduction.

Many businesses are already making great strides to reduce their Impact, and while you can reduce, achieving true carbon neutrality will involve offsetting a certain amount of emissions.

One of the biggest challenges for businesses in terms of completing their offsetting is finding a credible carbon offsetting scheme.

Mel is joined by Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature-based solutions for carbon offsetting.

You’ll learn

  • Who are Nature Broking?
  • What is Natural Capital?
  • How can we restore nature at scale?
  • Financing transition regenerative agriculture through the sale of natural capital
  • How have Nature Broking worked with clients to complete their carbon offsetting?
  • How can you demonstrate a credible carbon offsetting scheme?
  • What projects are Nature Broking currently working on?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature based solutions for carbon offsetting and explore some of the wonderful projects Nature Broking have been involved with.

[04:10] What is natural capital?  – Natural capital is the idea of creating value from nature. What natural capital does is, it encompasses all the things that we get from nature that we rely on. That could be the shelter in your house all the way through to carbon offsets.

[04:55] Who are Nature Broking? – Nature Broking’s story starts off on a somber note. Sadly, Luke lost one of his friends in a mountaineering accident, and in his memory, Luke and another friend rewilded one acre of Scottish Borders Woodlands. This is something they make a point to visit every year, to pay tribute and to keep their living, breathing monument of his friends memory alive and well.

The experience was an eye opening one. For as lovely as the process was, it was incredibly expensive, and not very easy to do. Luke then realised that philanthropy alone wasn’t going to be able to cover the costs of what we required to restore nature.

Looking into the matter further he found that 50% of the world’s GDP is moderately or highly dependent on nature and that the UK, whilst green and beautiful, sits in the bottom 10%.

And so, an idea was sparked. Together his friend and Co-founder Andy started down the nature restoration path and created Nature Broking.

[06:20] What is Nature Broking’s mission?: Nature Broking have 2 major missions:

#1: Help restore nature at scale

#2: Help finance a transition to regenerative agriculture

[06:34] How can we restore nature at scale?  – The UK Government has set targets of halting nature decline by 2030, with a view to increase nature by 2045.

The Green Finance Institute has calculated that there is a funding gap of about 56 billion in order for us to achieve our legally binding environmental targets. That’s a hefty sum to put on public money and philanthropy, which is where private markets and business can make a big impact.

Frameworks like PAS 2060 (ISO 14068) help businesses invest in nature, and with the creation of carbon credits, carbon has been commodified to make it more accessible for businesses to contribute to carbon offsetting.

[08:20] How can we help finance transition regenerative agriculture through the sale of natural capital? – Regenerative agriculture is about restoring the soils, restoring nature back to its original level.

Modern farming techniques, while fruitful, use tools such as fertilisers and mechanised farming that have damaged the soils biome. That’s going to take time and a concerted effort to fix.

Now obviously, we can’t just stop farming, we need food, so not all land can go back to nature. Currently, 70% of the UK is farmed, so the agricultural sector will play a big part in being more regenerative.

However, the current incentives aren’t great, so there’s a lot of work that needs to be done in terms of financing the mechanisms behind it, i.e. funding and subsidies ect. One way we could do this is by ulitilising the carbon markets, as regenerative agriculture can lead to significant carbon sequestration.

[12:20] How do Nature Broking work with clients? – They make sure to work within the bounds of the business itself, as every business is different..

They don’t do off the shelf solutions, preferring to work closely with their clients and help them to really spend time in nature at the place where their carbon credits are being implemented. It’s ultimately about education on the different solutions available, including asking important questions like:

  • What impact do you want to have?
  • What are the challenges with each solution?
  • What do you need to watch out for?

Each solution is tailored to your business. So, if you’d prefer to work in woodland restoration over regenerative agriculture, then Nature Broking would be happy to work with you to achieve that.

Carbon credits include their own set of challenges, one of the main ones being that science changes, so the solutions offered through carbon credits will also change. It may be a case of purchasing credits that tackle different solutions over a large area rather than pooling them all into planting trees for example. Nature Broking are here to help advise and facilitate this.

[15:30] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub

[17:45] How can Nature Broking demonstrate credible carbon offsetting? – Nature Broking are at their heart transparent with how they operate. By taking clients to see the actual physical results of their carbon credits, they can educate and help others form a genuine connection to nature. They want clients to truly understand the full impact of their efforts.

 The second element is due diligence, which can be displayed by utilising one of the many carbon related frameworks now available, such as B Corp and Sylvera. Though these don’t always work within a UK setting, so Nature Broking are working towards creating frameworks that do fit within the overall market view.

Lastly, they ensure that the standard they’re using is of high integrity, using frameworks such as the Integrity Council for the voluntary market, which analyses different standards. The 2nd is understanding the quality of the project developer, so looking at their technical expertise, looking at their financial ratings, and then evaluating the individual project itself in terms of potential risks.

[21:50] What are some of the projects that Nature Broking are currently working on? – A broad view of what’s available in terms of schemes include:

They are both defined and funded by DEFRA. These are some of the first carbon codes to move into the UK, however there is a lack of available carbon credits, which should change in future.

Other’s include:

  • Wilder Carbon – A carbon code focused on rewilding, run by The Wildlife Trust.
  • Carbon Code of Conduct – A regenerative agriculture code, so it focuses on analysing the full sequestration and full emissions potential of a whole landholding.

[25:00] Carbon Credits in practice – There’s a current project called Bank Farm in Kent, which is being used as a test site for regenerative agriculture. This includes the likes of agroforestry, which is where you integrate trees into fields which provide shade for animals and store carbon. So, you’re not removing those fields from production, simply adapting them to be more sustainable.

They’re also practicing mob grazing, which is all about using herbivores to maxmise the amount of carbon stored in the soil. You can do this by moving, say cows for example, around a field to graze quickly on small areas before moving them on.

[27:05] Mel’s conclusion – There’s a huge opportunity in the management of agriculture that can be utilised within carbon credit schemes. In addition to helping our economy by creating new jobs within this new approach to tackling emissions and storing carbon. Hopefully we’ll see larger corporations investing in these sorts of schemes both here in the UK and abroad.

If You’d like to learn more about Nature Broking and their solutions, check out their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

The UK recently hit a huge milestone, according to the Department for Energy Security and Net Zero (DESNZ), the UK have reduced their Greenhouse Gas Emissions by 50% between 1990 and 2022.

The UK are the first major economy to achieve this, however we’ve still got a lot of work to do to meet our 2030 target of a 68% reduction.

Over the past few years there have been a number of schemes aimed at businesses to help tackle their impact, specifically their energy consumption. Here in the UK, ESOS (The Energy Savings Opportunities Scheme) was introduced as an implementation of the EU Energy Efficiency Directive and has been a mandatory undertaking for large organisations that fit the criteria.

Recently, that scheme has been updated and a number of changes have come into effect for Phase 3.

Ian Boylan, Chief Executive Officer at ISO Baseline, joins Mel to explain the recent changes to ESOS, how they affect organisations in the UK and EU and how ISO Baseline’s software can help businesses consistently manage their energy consumption in alignment with ISO 50001 (The Energy Management Standard).

You’ll learn

  • Who are ISO Baseline?
  • What is the Energy Savings Opportunities Scheme (ESOS)?
  • What are the changes to ESOS?
  • How do the changes affect those who currently comply using ISO 50001
  • What are the changes to the ESOS eligibility requirements?
  • How can ISO Baseline help businesses with their ISO 50001 and ESOS compliance?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Ian Boylan, Chief Executive Officer at ISO Baseline, to discuss the changes to The Energy Savings Opportunities Scheme (ESOS), and how the changes will affect the European Directive on energy management and energy reporting.

[03:20] Who is Ian and ISO Baseline?  – Ian has been involved with ISO Standards for a number of years, starting with the technical aspects of building Management Systems, to working with Certification Bodies as an auditor for Management Systems.

From this experience, Ian really got to understand the challenges that organisations face when implementing ISO Standards. Challenges such as maintenance to ensure they are achieving their requirements and objectives.

Which is where the concept for ISO Baseline was born. Targeted specifically towards the Energy Management Standard ISO 50001, ISO Baseline’s software allows organisations to manage their energy processes and provide evidence that you are meeting your energy objectives.

[05:30] What features are included in ISO Baseline’s software? – Features include:

Energy reporting: Information can be displayed in graph or Sankey diagrams to help visualize your energy performance.

Identification of opportunities: Any opportunities for improvement found in the provided energy report will be recorded in an ‘Opportunities Register’

Financial Assessments: Work out life-cycle costs for assets, which can be used as a guide to establish possible savings by implementing suggested improvements.

[07:25] What is ESOS?: ESOS was introduced when we were still a part of the European Union, when there was a European Directive on energy efficiency.

It placed a requirement on member states in the EU to put together schemes for ensuring that large organisations undertake energy audits on a regular 4 yearly basis. In the UK this was adopted as the ESOS regulations.

For many years, if a business’s ISO 50001 certification scope covered all of its energy usage, then your business was considered compliant with ESOS.

If you didn’t have an ISO 50001 Management System in place, you would have to undertake energy audits once every 4 years, and have that reviewed, approved and signed off by a lead ESOS assessor.

At the time, this had to cover 90% of your energy usage. One of the more updated inclusions into these regulations was the introduction of transport as a source of energy consumption.

ESOS also included the requirement to identify significant energy consumption and propose a logical way to reduce energy consumption to improve energy performance.

[11:30] Main changes to ESOS: Accounting for your energy consumption  – Instead of accounting for 90% of your total final energy consumption, you’re now required to account for 95% of your total final energy consumption. The de minimis component of it has been reduced by 50%

[012:30] Main changes to ESOS: Activity Metrics – All organisations will be required to develop activity metrics and as part of your audits you’ll be required to submit those activity metrics.

The aim of this is to allow the UK to effectively assess organisations over established periods (i.e. from Phase 3 to phase 4) to see if and how they are actually reducing their energy consumption.

This could potentially lead to benchmarking, where organisations can be measured against each other.

[14:45] Main changes to ESOS: Submitting Actions Plans – Previously, you just had to submit your completed audits and overall savings potential, now you will be required to submit a proposed Action Plan to improve your energy performance.

You will also be required to report annually on your progress towards that Action Plan.

So no longer can companies coast on simply paying to complete an Energy Audit exercise once every 4 years, now you will have to produce publicly available information that will hold organisations to account. Essentially a name and shame for organisations that choose to do nothing.

[16:55] Making Actions Plans publicly available – Incidentally, it always has been a requirement that everything that has been reportable regarding resources should be accessible, but previously you were not required to produce Action Plans. So essentially now that will also become part of the publicly available information.

[17:30] Making ESOS fit for purpose – When ESOS was introduced, there was already so much other legislation around in the UK, so the main focus then was to align them with one another and to ensure that they were all working towards a common purpose.

In this update, it hasn’t ultimately required you to determine your energy savings potential in carbon reduction, but quite obviously that would be a little bit ludicrous if an organisation went down this route and not to look at it from a carbon perspective, as It’s only a tiny little additional step when you’re doing it from a money perspective and an energy perspective to figure out what the carbon impact is.

[18:30] Do you need help with your Carbon Reporting? – If you need assistance with GHG emission or SECR reporting, contact our sister company Carbonology®.

[19:20] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub

[21:25] Main changes to ESOS: Confirming your compliance – There are different approaches that you will need to be aware of when submitting your evidence of compliance, and which one you use will depend on which route you’re taking.

For the full ISO 50001 route, you will need to complete the Annex 1 approach, which is a reduced reporting requirement where you do not need to use an ESOS lead Assessor to submit it on your behalf, the organisation can do it themselves.

If you going down either the energy audit route or do not have 100% of your energy consumption covered by ISO 50001 – you will be reporting using the Annex 2 approach. This is where you still require a lead ESOS Assessor to work with you and provide final sign-off on that reporting.

[24:15] Are there any changes in the eligibility requirements? – There aren’t any major changes in ESOS’s eligibility requirements. They have now updated the turnover amounts from Euro to Pound Sterling following our exit from the EU.

[25:35] How will these changes impact organisations? – Organisations will have to adapt to a more proactive approach towards their energy reporting and management.

No longer can you get away with doing an energy audit once every 4 years and then forgetting about it until the next Phase. You need to start looking at it from the perspective of annual reporting, as all this information is going to be publicly available every year, which is going to be scrutinized if you’re seen to not be taking any significant action.

Large organisations will be compared against each other, and if one is taking action every year to reduce its impact and another is doing nothing for 4 years, which do you think will gain a more favorable reputation?

This level of accountability is long overdue, and will be of benefit to organisations in terms of potential cost savings through reduction of energy use, and also more importantly to the environment.  

[30:00] How can ISO Baseline ISO 50001 help organisations with their ESOS compliance? – ISO Baselines tools and software are going to be the most benefit to organisations that have a real objective to improve energy performance. If you’re just doing the bare minimum to meet requirements, then it’s no for you.

ISO Baseline ISO 50001 is a tool to help systemise your organisations approach to energy management. It can help to avoid a lot of the bureaucracy that can hold up progress, so you can spend your time focusing on the objectives and what the Management System is meant to lead to.

Their software will guide you through the required processes involved with ISO 50001 Energy Management, including Internal Audit planning and completion, Management review, logging and addressing non-conformities and corrective actions.

If You’d like to learn more about ISO Baseline and their software, check out their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes’:

Stitcher | Spotify | YouTube | iTunes | Soundcloud |

According to the ISO Survey, there’s been a 82.9% increase in worldwide ISO 22301 certificates issued following 2020.

Business Continuity is a must have for businesses who want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today’s guest – Lifelong Learner.

However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is no small part due to the tremendous effort of Lifelong Learner’s Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor.

Lauren joins Mel on this weeks’ episode to share her journey and explains the challenges associated with implementing a Business Continuity Management System in just 4 months.

You’ll learn

  • Who are Lifelong Learner?
  • Why did they decide to Implement ISO 22301?
  • What did they learn from implementing ISO 22301?
  • What was the biggest challenge with Implementation?
  • What are the benefits of implementing ISO 22301?

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Lauren Taylor who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC.

Lifelong Learner and it’s brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders.

Lauren has helped Lifelong Learner accomplish a massive milestone, and that’s the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She’s here to share her journey and lessons learned from implementing ISO 22301.

[03:30] Not many people know this about Lauren  – She had previously trained to be a mental health counsellor.

[04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries:

PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services.

Talogy: A market leader in the talent management space whose core purpose is helping organizations achieve their potential. They manage the talent management side of the business. So what they’ll do is they’ll put together psychometric tests that help companies find the right person for the right job, and will assist with skills development.

[05:00] Adding to Lifelong Learner’s ISO Collection: Lifelong Learner already have an impressive ISO Library, being certified to:

  • ISO 9001 – Quality Management
  • ISO 14001 – Environmental Management
  • ISO 27001 – Information Security Management

[05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client contractor requirement, but business continuity has been something that we’ve wanted to look further into for a while, just because there’s elements of ISO 27001 that cover the business continuity.

While we were able to get through the audits with what we had, we just felt that it just needed a little bit more building out. Business Continuity is a requirement in part of ISO 27001, but for Stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step.

[06:10] The Implementation Timeline  – In October 2023, we began with the context workshop where we could kind of get a better idea of the scope of the management system.

This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be.

Next came the Business Impact Analysis (BIA) – So essentially what you’re needing to find out from these workshops is, the core activities that each of the teams perform on the day-to-day basis. You also need to understand what their systems are that they use, if they have any dependencies, and essentially it all comes down to understanding that if the business cannot perform those activities, what would be the impact overtime if those activities were to stop.

Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning.

This risk assessment helped to highlight some weaknesses that we hadn’t considered before, and gave us a point in the right direction as to what we needed to work on to bridge those gaps.

Next was the creation and revamping of documentation inline with ISO 22301 requirements. Thankfully, due to the other ISO’s we hold, we already had a lot in place. Same goes for Internal Audits, so this was more a case of integrating ISO 22301 into our existing Management System.

Once we had all the documentation, we conducted a ransomware test exercise, which we also documented all the findings from. Then we were we were ready for stage 1!

[09:15] What were the biggest gaps Lifelong Leaner needed to address?: Following the BIA and Risk Assessment, we were able to see where we needed response plans because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need in terms of i.e. a malware response plan, a ransomware response plan, those sorts of things. But until we actually looked at the BIA we released we needed a few more.

[10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business.

We already had ISO 27001 in place, and we figured if there were to be another pandemic for example, that we’d be covered. However, it wasn’t until we did those exercises did we realise that there was a lot we could improve on.  

[13:25] What did Lauren learn from Implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis.

After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system.

Also, it highlighted just how many people believe business continuity is just all about IT and physical security, they completely loft out the human element.

An example of this is having a single point of failure, which is where if somebody left there would be a gap.

[14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans.

It’s helped with the introduction of the latest ISO 27001:2022 controls – as these too also focus on elements of business continuity.

[15:50] Lauren’s top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months!

Logically think about how everything links together, the clauses all have purpose and flow in a logical pattern to help create a Management System.

Your Management Review can be your best friend. It’s your opportunity to really engage with senior management and help them understand what your risks are to the business, how your internal audit is coming along, how you manage your nonconformities and it can be all neatly wrapped up in that nice management review bow.

[18:00] Lauren’s book recommendation – The Matthew Perry Autobiography, Friends, Lovers and the Big Terrible Thing.

[19:30] Lauren’s favorite quote – “You catch more flies with honey than vinegar.”

If You’d like to learn more about Lifelong Learner, check out their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

There’s no escaping it, AI is here to stay. Over the course of 2023 we’ve seen more general and public use of popular AI tools such as ChatGPT and Gemini (previously Google Bard).

It’s now even being integrated into everyday applications such as Microsoft Word and Teams. There is no doubt that there are a lot of benefits to using AI, however, with new technology comes new risks.

So how do we address the growing concerns around AI development and use? That’s where the new Standard for AI Management Systems, ISO 42001 comes in!

Join Mel this week as she explains exactly what ISO 42001 is, who it’s applicable to, why it was created and how ISO 42001 can help businesses manage AI risks.

You’ll learn

  • What ISO 42001 AI Management Systems is
  • Who it’s applicable to
  • Why it was created
  • How ISO 42001 can help businesses manage AI risks

Resources

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today we’re touching on a very topical subject – AI, and more specifically the brand new AI Management System Standard – IS0 42001. We’ll also be exploring who it’s applicable to, why it was created and how it can help businesses manage AI risks.

[03:30] What is AI? – AI – otherwise known as Artificial intelligence, as it’s most simplest description is the science of making machines think like humans.

We’ve seen a lot of AI tools be released to the public over the last year or so, tools such as ChatGPT and Google Bard. It’s already being integrated with some of the most commonly used apps and programs like Microsoft word and Teams.

In short, AI integration is here to stay, so we may as well get to grips with it and make sure we’re using it responsibly.

[05:10] What is ISO 42001? – , ISO 42001 is the first International Standard for Artificial Intelligence Management Systems, designed to help organisations implement, maintain, and improve AI management practices.

It was jointly published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The emphasis of ISO 42001 is on integrating an AI Management System with an organisations existing management system – i.e. ISO 9001 or ISO 27001 compliant management systems.

Interestingly, a lot of the specific mentions of Artificial Intelligence and Machine Learning are within the Annexes rather than the body of the Standard. The Standard itself is very similar to ISO 27001 in that it’s mostly about what organisations should be doing to manage computer systems regardless of any AI components.

[08:00] The 4 Annexes of ISO 42001:

Annex A: This acts as a Management guide for AI system development, with a focus on trustworthiness.

Annex B: This provides implementation guidance for AI controls, with specific measures for Artificial intelligence and Machine Learning – if you’d like to learn more about the difference between the two, go back and listen to episode 135.

Annex C: Which addresses AI-related organisational objectives and risk sources.

Annex D: This one is about the domains and sectors in which an AI system may be used. It also addresses certification, and we’re pleased to see that it actively encourages the use of third-party conformity assessment. This just ensures that your AI claims have more validity.

[09:15] Who is ISO 42001 applicable to? – Those annex descriptions may have you assuming that this Standard is only applicable to organisations developing AI technology but in actuality it’s applicable to any organisation who is involved in developing, deploying OR Using AI systems.

So if you’re a company who is only utilising AI in your day to day activities, it’s still very much applicable to you!

[10:20] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[12:25] Why was ISO 42001 created?:

  • To address the unprecedented rapid growth of AI and all the risks that come with this new technology.
  • To ensure that AI development and use are trustworthy and above all, ethical.
  • The public are also reasonably wary of this new technology, so ISO 42001 aims to help build more public trust and confidence in the future use of AI .
  • ISO 42001 acts as guidance for organisations on exactly how to integrate AI Management controls with their existing systems.

[14:05] AI risks you should be aware of – This isn’t an exhaustive list, as the technology develops, more risks will become known. However, as of the start of 2024, you should be aware of:

Inaccurate information – Many of the chat bots and public AI tools are trained on publicly available information, and as we all know, not everything on the internet is true. So the output from these chat bots will need to be checked and verified by a person before being used or published.

AI bias – Studies have proven that AI results can still be bias. As all the data fed into it is all based on existing information, it still presents the issue of a lack of information from underrepresented groups, or existing bias based on existing data.

Time sensitivity – Not all AI use live data sets. Google Bard does, however Chat GPT is only accurate up until 2021. So double check whichever tool you’re using to make sure the information it produces is up-to-date.

Plagiarism – Data gathered using AI came from somewhere! If you simply copy and paste information provided by AI platforms, there’s a chance you may be plagiarising existing content. Be sure to just use AI as a starting point!

Security risks – Use of AI can expose you to additional security risks, For example, malicious actors could send someone an email with a hidden prompt injection in it. If the receiver happened to use an AI virtual assistant, the attacker might be able to manipulate it into sending the attacker personal information from the victim’s emails.

Data Poisoning – AI uses large data sets to train its models, and we currently rely on these data sets being relatively accurate. However, researchers have found that it’s possible to poison data sets – so in future, AI may not be very reliable if preventative measures aren’t put in place by AI developers.

[17:45] How can ISO 42001 help business manage these risks? – Above all, it provides a structured approach to identify, assess, and mitigate AI risks. ISO 42001 includes the guidance needed to put this in place from the start to ensure you don’t fall prey to the risks mentioned, with a view to monitor and update to address new risks in future.

It promotes transparency and accountability throughout the AI life cycle.

It helps ensure fairness, non-discrimination, and respect for human rights in AI development and deployment.

It will help minimise potential legal and ethical liabilities associated with AI. The UK’s current GDPR and Data Protection Act can loosely cover aspects of AI, depending on how the terminology is applied, but there are already dedicated AI based regulations being developed within the EU which will likely be adopted by the UK. 

It can foster innovation and accelerate adoption of responsible AI practices.

And lastly, it provides a common language and framework for collaboration on AI projects.

[21:35] Don’t miss out on our ISO 42001 webinar – We’re partnering with PJR to bring you a 2-part webinar series on ISO 42001. Catch the first part on the 5th March 2024 at 3pm GMT, register your interest here.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

  • Share the ISO Show on Twitter or Linkedin
  • Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISOlogist logo

Consultancy service

Let us do it for you

ISOlogy hub logo

Online membership

DIY with our isologyhub

About Blackmores

Our 7 Steps to Success

The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.

Whether you choose to work with one of our isologist consultants or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!

What our clients have to say

We engaged Blackmores to develop our ISO 9001, 14001, and 45001 management system from scratch. Throughout the creation and development stages of our ISO journey, Anju Punetha demonstrated remarkable patience, knowledge, and understanding as our dedicated consultant.

During our internal audit preparations, Ian Battersby’s meticulous attention to detail and thorough approach ensured we were well-prepared for our external audit, which we passed with flying colours. His guidance during the external audit was invaluable.

Based on our engagement and experience, I highly recommend the entire Blackmores team. If you’re considering pursuing ISO accreditations, Blackmores should be your first choice.

Graeme Adam

The support and advise I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.

Kalil Vandi

“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”

David Gibson

Photon Lines Ltd

“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year.  We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”

Mandy Welsby

Jaama Ltd

“We have been extremely impressed with the service and support provided by Blackmores.  There knowledge and assistance through out our ISO journey has been amazing!”

Philip Hannabuss

Dome Consulting

“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”

Phil Geens

Kingsley Napley

“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”

dotdigital

Trusted by leading organisations across all sectors, we support companies of all sizes in any location.

Are you ready to start your ISO journey?

     
ISO Show

Listen to our Podcast

Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.

Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.

     

Carbonology logo

Ready to go carbon neutral... And achieve ISO Standards?

Welcome to Carbonology®

The proven method for achieving your carbon goals, aligned with ISO 14064 (carbon verification) and PAS 2060 (carbon neutrality)

Blackmores Carbon Neutral       Blackmores Carbon Footprint