The ISO Show (Blackmores UK)

There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached.

It has become clear in recent years that information security isn’t just a ‘nice to have’, it’s a necessity to ensure you and your client’s data are protected. Which is especially the case for those processing personal and financial data, such as today’s guest, Mintago.

In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard.

You’ll learn

·      Who are Mintago?

·      Who is Tom Catnach?

·      What was the main driver behind achieving ISO 27001?

·      What was the biggest ‘gap’ identified in the Gap Analysis?

·      What have they learned from the experience?

·      What are the benefits of certification to ISO 27001?

·      What does the threat horizon for information security look like?

Resources

·      Mintago

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification.

[02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. They do this in a number of ways, including:

·      Finding lost pension pots

·      Help to save money through finding discounts

·      Retirement planning

·      Offering various salary sacrifice products

·      Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings

·      Helping people to be more financially literate

[05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer.

Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001.

Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights.

[06:30] What was Mintago’s main driver to Implement ISO 27001?: Mintago, and most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure it’s security.

Mintago were looking for a robust framework to base their Information Security around, and what better option that the leading Information Security Standard, ISO 27001.

ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training ect to roll out to new hires as they expand.

[08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data.

ISO 27001 can be compared to the likes of Bcorp as it’s an on-going process. It doesn’t just stop at getting the certificate, you have annual surveillance to ensure you are still compliant year on year.

[10:15] What was the scope of Mintago’s certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service.

This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification.

That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they’re ready.

[11:50] How long was Mintago’s certification journey?: They started their journey in September 2023, in fact it was Tom’s first project with Mintago!

Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified.

Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while your agile so that your management system grows with you.  

[14:25] What was the biggest ‘gap’ identified at the Gap Analysis?  Mintago are lucky in the fact that they are a new business so are using modern tech, and don’t have the burden a larger site or other physical elements such as rack mounted servers.

However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance.

There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place.

[16:35] Did Mintago experience any significant barriers in addressing identified gaps?  Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to.

One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management Solution (MDM), antivirus and anti-phishing in place.

When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software.

[18:45] Engagement is key -  Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security.

Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This was benefitted from a top-down initiative via their ‘C-Suite’.

Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that’s something that people would want to engage in.  

It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online.

[23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? -  The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as:

·      How do we recover from that scenario?

·      Are we 100% confident in our back-ups?

·      Will they work near instantaneously?

·      What’s Mintago’s availability like in that scenario?

·      How do we prevent disruption to our clients during that scenario?

So, while they did have back-ups they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system.

In regards to threat horizons, Mintago do practice OWASP and keep the team informed via e-mail, newsletters and GitHub repositories.

[25:00] Internal Auditing – A beneficial tool -  Tom found the internal auditing process to be very beneficial for Mintago, currently they do a few monthly on average.

Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve wracking for Stage 1 and 2 as they would determine if they would be certified.

Mintago passed their Stage 1 (documentary review) with flying colours, their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.

[27:20] Minor Non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true!

If an Assessor is comfortable that you are in a good position for certification, they will recommend you.

ISO Standards are all about continual Improvement, which is something Mintago are embracing as they continue to address issues raised at audits.

[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:

Internal Stakeholders – The Team worked hard to achieve the Standard and have embraced it’s core qualities to the benefit of their own Information Security practices.

Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security.

Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.

[31:10] Any concerns on the threat horizon?:  As the Information Security Officer, Tom is concerned about new emerging trends in AI led scams. They’re going to be a lot more sophisticated and harder to spot and deal with.

Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control which could have dire consequences if they were to be affected by a data incident.

However, with ISO 27001 Mintago are in a good place to keep on-top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security.

[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge, they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place.

If you would like to learn more about Mintago and their financial services, check out their website.  

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

In the workplace, everyone is responsible for safety. 

It’s not just for managers or senior management to worry about where legislation is concerned, everyone from the top to the bottom needs to be actively ensuring the safety of others.

ISO 45001 highlights the importance of this in its most recent iteration, which includes a specific requirement for the consultation and participation of workers. But, how does this work in practice?

Today Ian Battersby explains what consultation and participation of workers in ISO 45001 is, and how you can incorporate elements of reactive and proactive hazard reporting to meet that requirement.

You’ll learn

·      What is consultation and participation of workers in ISO 45001?

·      What is the identification of hazards?

·      What’s the difference between reactive and proactive hazard reporting?

·      Common approaches to reactive and proactive hazard reporting

·      Proactive hazard reporting in action

Resources

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby will be explaining reactive and proactive hazard reporting, and how this relates to the consultation and participation of workers (clause 5.4) requirement in ISO 45001.

[02:30] What is ‘Consultation and Participation of workers? – ISO 45001’s clause 5.4 states:

“The organization must have a process for consultation and participation of workers at all levels and functions, and their representatives in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system.”

ISO 45001 expects occupational health and safety aspects to be fully embodied within the organisation structure. All workers should be aware of their responsibilities, and work together to meet the organisation’s health and safety goals.

Everyone is responsible for safety.

Consultation implies two-way communication, so workers can provide feedback to be considered by the organisation before taking a decision.  This is important; the organisation has to consider workers’ feedback before making decisions

Participation implies the contribution of workers, including non-managerial workers, to decision-making related to OH&S performance and to proposed changes.

[05:50] Hazard Identification – A specific issue which must be considered is the identification of hazards:

·      Identifying hazards and assessing risks and opportunities (Clauses 6.1.1 and 6.1.2);

·      Determining actions to eliminate hazards and reduce OH&S risks

There are numerous sources for consideration when it comes to hazards

·      How work is organised

·      Routine/non-routine activities

·      Past incidents

·      Emergency situations

·      People

·      Processes

·      Workplace design

·      Equipment

·      Change

 [07:35] What’s the difference between proactive and reactive hazard reporting? – Proactive is about spotting hazards in advance and putting in place measures to minimise the chances of them materialising and causing harm (eg, through an accident)

Reactive is in response to an event which has already occurred, such as an accident; a hazard existed without being spotted already and dealt with.

[08:20] A common approach to proactive hazard reporting  – Risk Assessment.  Consider hazard sources (i.e. people, processes, equipment, workplace etc) and consider what may happen; what could go wrong.  Then consider what controls could be put in place to try and prevent that happening.

Risk assessment can help you to demonstrate worker consultation and participation by including those affected:

·      Involved in or affected by an activity

·      Those delivering a process

·      Using equipment

·      Occupying a workplace

Those people have valuable knowledge and understanding, sometimes moreso than someone in a supervisory / managerial role.

And an absolute must: recording that all employees have read, understand and are committed to the controls included in Risk Assessments; that process may also give rise to workers’ further involvement – through querying, suggesting change etc

This also helps the culture of hazard spotting and promotes engagement among the workforce, both of which are vital in driving a proactive approach

[11:10] A common approach to reactive hazard reporting: Accident reporting systems is the obvious choice. However, there are ways you can make this more proactive.

There are various levels to accident reporting. Traditional systems wait until an accident occurs before recording and acting upon it.

Some organisations also record near misses: where an event has occurred, but no harm has been caused.

This approach in itself can be very valuable; and it provides an opportunity to act before any harm has occurred.

However, we can go a step further and allow the workforce to observe what’s happening; their surroundings and listen to what they feel may present a hazard to them and their colleagues (remember, everyone is responsible for safety).

[13:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[15:30] Proactive hazard reporting in action: Ian recounts his experience in a previous company where their proactive hazard reporting led to meaningful change.

This took place in a large manufacturing plant, but there was also significant office-based activity as well.

Because of the nature of the work, many people would not have access to online systems so there was both online and paper systems; this is important; if everybody is responsible, everybody needs access and engagement is vital.

In addition to the traditional accident/near miss system, there was a safety observation card (all data ended up in the same database). It was simple to fill out, would have only taken about 5 minutes at most.

In an organisation of 500ish, we received 2200 observation cards per year by the time I left.

When combined with accidents/incidents, there’s a predictable cycle: more reports, poor quality, more accidents, better quality, improved actions, fewer accidents.

[17:30] Creating an observation card: It should be easy to understand and record what’s necessary, recommended content includes:

·      Date / Time

·      Who was involved – employee / contractor / visitor ect

·      Location of hazard / incident 

·      Description of hazard / incident (ideally in 10 words or less)

You could get more granular and include:

·      Identification of an unsafe condition or unsafe act

·      Type of hazard or incident: slip, trip or fall / exit obstructed / machinery being used unsafely / unsafe structure / not using PPE

You could also include an option for actions taken if you decide to inform a manager of the issue, if you’ve corrected someone on the use of equipment or PPE ect.

[21:15] The Importance of peer inspections:  Often they would have supervisors from one area, checking a different one. This fresh pair of eyes may offer new insight into something that you usually miss!

Note that you should also encourage any site visitors to do the same. The fact that you’d ask them to report any incident also displays that you take safety seriously, and are open to feedback to improve.  

[22:40] Hazard scoring:  In order to judge that quality, they went a step further and graded all observations from 1-3:

1.    Saw something but didn’t act

2.    Saw it, acted to put it safe there and then

3.    Saw it, acted to prevent it happening again

This allowed them to judge how effective hazard spotting is in removing cause and filters out points-scoring.

[22:45] The results speak for themselves:

Increasing number of observations

Increasing number of participants

Increasing quality of observations

Reducing number and severity of accidents.

Over five years, they increased the number of observations per employee ten-fold.

As a result, they reduced lost time accidents over 75%

This was a superb example of a personal safety campaign and a great demonstration of consultation and participation,

It’s not difficult to do, but it needs leadership commitment, constant and clear comms, user-friendly systems and effective analysis / reporting.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Sustainability is an area that affects all businesses, no matter the sector. We are all currently contributing to the climate crisis, from travel and hospitality to manufacturing to those working in an office or from home.

You may be surprised to hear that the legal sector is currently one of the leaders in championing sustainability, not just in enforcing new environmental legislation, but also leading by example in the race to net zero.

One such stand out leader is today’s guest – Clyde & Co, a global law firm that have made great strides in their sustainability journey.

In this episode, Mel is joined by Paddy Linighan, Chief Sustainability Officer at Clyde & Co, to discuss their ambitious net zero targets, sustainability initiatives and their journey towards ISO 14064 Carbon Verification.

You’ll learn

• What is Paddy Linighan’s role as CSO?
• Who are Clyde & Co?
• What are their net zero targets according to their responsible Business report?
• What sustainability initiatives have Clyde & Co introduced?
• Why get ISO 14064 verified?
• What were the challenges with obtaining ISO 14064 verification?
• What are the benefits of obtaining ISO 14064 Verification?

Resources

• Clyde & Co
• Clyde & Co Responsible Business report
• Carbonology

In this episode, we talk about:

[00:25] Episode Summary – We welcome today’s guest, Paddy Linighan, Chief Sustainability Officer at Clyde & Co, to dive into their responsible business report, discuss their net zero ambitions and journey towards ISO 14064 Carbon Verification.

[01:40] Introduction to Paddy: Paddy has 30 years experience in the legal sector, and was formerly the Chief Operating Officer for Clyde & Co before transitioning to the role of Chief Sustainability Officer. Paddy is also a Director at the Legal Sustainability Alliance, which is an association committed to supporting the legal sector to measure and manage their carbon emissions to achieve net zero.

One lesser-known fact is that Paddy was a Latin and ballroom dancer!

[02:30] Who are Clyde & Co? – They are a global law firm with 500 partners, 2700 lawyers and 3216 legal professionals across the world and operating out of 70 offices. They set out to help organisations successfully navigate risk and maximise the opportunity in the sectors that underpin global trade, namely insurance, aviation, marine construction, energy, trade and natural resources.

They offer a comprehensive range of contentious and non-contentious legal services and commercially minded legal advice to businesses operating across the world in seamless fashion.

Clyde & Co are committed to operating in a responsible way by progressing a diverse and inclusive workforce that reflects the communities and the clients it serves, and provides an environment in which hopefully everyone can realise their potential. They use their legal and professional skills to support communities through pro bono work, volunteering charitable partnerships, and minimisation of environmental impact through the pursuit of sustainability standards.

[04:25] What are some of the Net Zero targets highlighted in Clyde & Co’s responsible business report?

• Near term target: Reduce their scope 1 and scope 2 emissions by 80% by 2030 and scope 3 emissions by 50% by 2030.
• Long term target: Have a 90% reduction in emissions by 2038
•  Focused on decarbonizing their operations across the globe.

[06:25] What are some of the sustainability initiatives that Clyde & Co have started? All their initiatives can be broadly groups into 3 categories, but ultimately they seek to decarbonize their operations, address resource consumption and offset emissions where possible.

They found that 95% of their emissions reside in their scope 3, which is due to their supply chain. A few of their initiatives include rationalizing their supply chain to reduce the impact of purchasing goods and services.

They are also supporting their supply chain to measure and reduce their own emissions. Clyde & Co have also incorporated their sustainability requirements into their Procurement Process and Due Diligence Process.

One challenging area for a professional services business like Clydo & Co is sustainable business travel. They have adopted a global note on sustainable travel, which trickles down into regional travel policies. Working with travel management companies, they will implement those new policies, in addition to improving the quality of travel data collection and prioritisation of sustainability over cost.

Clyde & Co are also making the move to switch direct and in-direct consumption of fossil fuels to renewable energy in the heating and cooling of their buildings.

As of summer 2023, all UK offices were on 100% renewable energy! They aim to roll this out on a global scale, but understand that there are significant challenges with doing so.

[09:30] How did Clyde & Co celebrate Earth Day? They introduced climate change awareness training on Earth Day. It wasn’t mandatory in any way, and included the rolling out of several blogs and videos which were produced by AXA Climate School in Paris.

They ran these through Earth Day (April 22^nd) to World Environment Day (5^th June). Covering topics such as:

• Financial disclosures
• Plastic pollution
• Saving water
• Beekeeping
• Composting

This led to a campaign called ‘Zero as One’ which helped to create of a network of sustainable champions across their organisation, who help to further raise awareness and where there may be regional issues with reducing resource consumption and energy use.

This campaign has continued and is beginning to facilitate a structured, bespoke training programme for all Clyde & Co staff which covers climate awareness to climate competency. It will encourage people to think ‘How can I, as an individual, make a difference?’

[15:30] The Clyde & Co Community Forest – A 6.2 hectare plot of land is shared with 2 other community groups, and is not only being used for reforestation but also biodiversity, focusing on red squirrels in particular.

Getting this project set up included:

1. Gauging the appetite of colleagues: They offered increased level of refforestation for every response they had to their annual ‘Have your Say’ survey. For every response received, they would add 2 square metres of forest. So, 5000 people would give them a hectare.
2. It was a knowledge gathering exercise and experience of what a carbon offset project would look like.

They know that they’ll never be able to 100% decarbonise their operations, but they hope to get it down to 10% remaining emissions which can be offset with more projects like the community forest.

[19:35] What does Paddy think of the sustainability reporting regulatory requirements affecting the legal sector? Not only do lawyers have a key part to play in supporting and advising clients in relation to how they navigate towards a low carbon economy, but they are also a part of many businesses supply chain – meaning they would be included in scope 3 emissions for others.

Putting in the work at their end enables them to proactively help and assist clients with their emissions reduction and reporting.

The drive in this sector is mostly due to client demand.

[21:10] The increase in sustainability targets in North American companies: Paddy highlights that a recent report issued by Climate Impact Partners found that 79% of North American companies now have climate targets, which is up 6% on Asian companies and just shy of European companies.

61% of those North American companies report under ISO 14064.

[23:00] What were the drivers behind Clyde & Co getting ISO 14064 verified?:

High Transparency: They wanted to ensure that any disclosed information was reliable and that they’d had third-party verification to back that up, making them much more comfortable putting that information out into the public.

Financial Benefits: Sustainability and greenhouse gas emission reduction was a part of their main KPI’s to tackle, the main reason being to save money through not only the reduction in energy use but also reduced interest rates as a result of their sustainability efforts.

[25:20] What were the main challenges in obtaining ISO 14064 verification?: Clyde & Co are a large organisation, so gathering and quantifying the necessary emissions information was like getting blood from a stone!

Nearly 65 – 70 sites only have a small team of 5 people, and getting data from each can be time consuming.

Also, the quality of data can vary a great degree with that many sites, especially on a global scale as you need to consider the conversion factors when collating all the data into something verifiable.

[26:50] What impact has ISO 14064 verification had on Clyde & Co’s sustainability credentials?: Very simply, it validates Clyde & Co’s claims.

With the third-party assessment, it shows that they are actually doing what they say they’re doing, and not simply paying lip service.

[27:45] What were the main benefits of getting ISO 14064 verified?:

Helping to secure financial benefits: ISO 14064 verification is proof enough for banks to issue discounts on interest rates

Ease of process: The audit process introduced for ISO 14064 can be repeated as needed. As a result of getting verified, Clyde & Co found the exercise a good stress test for existing auditing procedures, and found a way to simplify them further.

Credibility: Third-party verification adds a level of credibility which is lacking from internal calculation alone.

[29:00] Paddy’s top tip for anyone considering ISO 14064 verification: Do not let perfection get in the way of progress.

They found that people can become a bit defensive in audits, trying to avoid errors being picked up, however, audits are meant to be constructive. They are opportunities to pick up on areas for improvement.

[30:40] Paddy’s book recommendation: The Ministry for the Future by Kim Stanley Robinson

[32:10] Paddy’s favourite quote: The greatest threat to our planet, is the belief that someone else will save it – Robert Swan OBE

If you would like to learn more about Clyde & Co, and their sustainability initiatives, visit their website.

To find out more about verification visit www.carbonologyhub.com

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Don’t forget to subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

The use of AI within business is starting to become more common place. With major applications like Microsoft Teams and Word integrating many new features designed to make our lives easier. 

However, we still need to exercise caution with this new technology and consider what we can put in place to mitigate any potential security risks while developing or utilizing it. Which is precisely what today’s guest, Monolith, has done.

Monolith provide a machine learning program that engineers can adopt to build highly accurate self-learning AI models that instantly predict the performance of systems in a wide variety of operating conditions.

In this weeks’ episode Mel is joined by Æsc George, Senior Software Engineer at Monolith, to discuss why they have adopted ISO 27001, explain their implementation journey and the benefits of having an Information Security Management System. 

You’ll learn

·       Who are Monolith AI?

·       What was their main driver behind obtaining ISO 27001?

·       What was the biggest Gap identified in the initial Gap Analysis?

·       What benefits did Monolith AI gain from implementing ISO 27001?

Resources

●      Monolith

●      ISO 27001 Transition Gameplan

In this episode, we talk about:

[00:25] An introduction to Monolith and Æsc George – Monolith AI is all about empowering engineers to develop self-learning models from their engineering test data. With this they can develop machine learning models to really accelerate new product introductions and get these new products to market much more quickly, primarily by using these models to accelerate and streamline their testing.

They are currently recommended for ISO 27001 certification, and are eagerly awaiting the arrival of their physical certificate.

Æsc George is a Senior Software Engineer of this web browser based software. He is also the interim security officer, which is why he was tasked with obtaining ISO 27001.

Fun fact about Æsc: He was a proud owner of a colony of 8 rats! He currently takes care of 4 cats, which have access to a plethora of enrichment in his home 😊

[03:35] What was the main driver for Monolith to obtain ISO 27001? – There were a few drivers, the most obvious being that they want to display their commitment and credibility when it comes to Information Security.

Acquiring ISO 27001 makes it easier to show their clients and prospects that their engineering data is in safe hands.

Monolith also know that there's a lot of buzz about artificial intelligence and machine learning at the moment, and that buzz covers both sides of the coin. What good it can do for the world and the harms it can do, so aligning with ISO 27001 shows that they’re trying to use AI in a responsible way.

[05:10] The start-up is getting a head start! – Monolith AI is a start-up company, only a year in and already leading the way for AI development by ensuring security is a priority from the start.

[05:40] How long did it take to implement ISO 27001? Nine months from the point of contacting Blackmores to assist to being recommended for certification.

Æsc recounts his experience: “My perception is that the effort was quite front loaded, so the amount of effort involved in the process almost wound down towards the end - even with the external audit happening towards the end.

I think once the information security management had been established and we'd worked it into our day-to-day, the perceived effort was lower. So I felt pretty confident going through our audit processes because I've experienced the system working already.”

[08:15] What was the biggest gap identified at the Gap Analysis?: There wasn’t a formal approach to information security risk and risk treatment.

There were already a number of existing systems and ad-hoc arrangements to mitigate information security risks – but they had been framed in terms of risk.

They hadn’t gone through a process where risks were quantified and weighed against each other.

So following the gap analysis, one of the many actions Monolith took was to make sure they were consistently and regularly assessing information security risk in various dimensions.

They now have the right framework in place to allocate the appropriate time and resources towards information security, and to prioritise the biggest risks.

[10:10] What difference has Implementing ISO 27001 made? -  It’s given Monolith more confidence in their understanding of Information Security risks, and assurance that there aren’t any massive, unidentified risks that may cause trouble later down the line.

It’s also made it easier to discuss information security risk and policy decisions. Monolith AI are a remote first company, allowing their staff the freedom to experiment with new technologies, and be in an environment where they feel comfortable. Having formal risk treatment in place means they can maintain this highly flexible, highly innovative and productive way of working – but with their eyes wide open.

[11:40] What has Æsc learned from the experience of Implementing ISO 27001? Æsc is not new to ISO Management Systems, having been involved with the maintenance and implementation of a few in the past.

However, he has gained an appreciation for the nuance in ISO 27001. For example, the knowledge that the standard uses words like ‘should’ and ‘shall’ that have particular intentions – ‘shall’ being mandatory and ‘should’ being recommended.

His previous experiences with Management systems had more available resource than at Monolith, so learning this nuance has been important in the prioritization of focus and resources in his current position.

[13:30] What have been the main benefits from Implementing ISO 27001? Having a holistic and formal approach to Information Security and risk management compared to the ad-hoc approach they had prior.

It’s brought the company together on a really important issue, and helped everyone to understand the role they play in Information Security.

Personally, Æsc has enjoyed reaching out to people he may not ordinarily get the chance to work with, as a result of this unifying issue that everyone at Monolith cares about. 

[17:00] Once Monolith formally receive their ISO 27001 certificate, what benefits will that bring? – Currently Monolith AI are recommended for Certification, and are simply waiting on the delivery of their physical certificate.

Once received, they will be able to present it to prospects and clients if they are questioned on information security credentials – to show that they are serious about their commitment to security.

It will also open doors to new prospects that may bother considering them as a supplier due to the lack of ISO 27001 certification.

They are also a leading example in the relatively new industry of AI, those with ISO 27001 certification at this stage stand out from other competitors.

[19:15] What tips does Æsc have for those starting out on their ISO jorney? –  Speaking from experience, Æsc recommends hiring a specialist in ISO to assist with your implementation.

In his case, Blackmores helped to organise the process, drive a lot of the early gap analysis and gave him confidence in going through internal and external audits.

Having someone with experience acting as a guiding hand makes the whole process go a lot more smoothly. This could be a consultant, or someone you train within your own business.

These projects are the sort of thing that turn passion into action. Whether that’s information security or environmental management ect, it’s better to have someone experienced or trained in the nuances of the Standard to ensure it’s implemented in a way that truly benefits your business.

 [21:20] Æsc’s book recommendation -  Nature's Calendar: The British Year in 72 Seasons by Kiera Chapman, Rowan Jaines, Lulah Ellender and Rebecca Warren. It’s Inspired by a traditional Japanese calendar which divides the year into segments of four to five days, this book guides you through a year of 72 seasons as they manifest in the British Isles.

As Æsc describes: “Lots of the seasons will be very familiar to people who've lived in this country their whole life, but they may not have necessarily thought about the context of it.

So I think is really grounding. Time and the way we measure it can seem so arbitrary and abstract sometimes, and measuring minutes and hours is responsible for so much stress and anxiety, so taking a breath, thinking about how nature moves at a different, slower, more deliberate pace, and finding the time to synchronise with that move with nature can be a really rewarding experience”

[24:15] One of Æsc’s favorite quotes -  “I went to the woods because I wished to live deliberately, to front only the essential facts of life, and see if I could not learn what it had to teach, and not, when I came to die, discover that I had not lived” - Henry David Thoreau (from his book ‘Walden’)

[26:10] Need help with your ISO 27001 transition? – We have an ISO 27001 Transition Gameplan available on the isologyhub. This Gameplan provides a step by step guide for you to transition to the latest 2022 Standard.

If you’d like to learn more about Monolith AI, check out their website.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

A question that we get every single time somebody asks about an ISO standard is ‘how long does it take to implement an ISO’, or ‘how long does it take to get certified to an ISO’?

In this episode, you’re going to find out what you need to take into consideration when it comes to timescales for implementing and getting certified to an ISO standard. ISO 14001 (the environmental standard) will be used as an example, but don’t worry -this can be applied to most other ISO standards.

So, are you looking to help your business? Create a system for success? To be kind to the planet, and improve your company's brand reputation? Then we're going to be talking about realistic timescales for making this happen.

If you're ready to implement an Environmental Management System (EMS) to help reduce your company's damage to the climate, then you're in the right place!

First and foremost, make sure you download our FREE ISO standards blueprint here. This helps you to plan, create and launch your EMS, ready for getting certified.

Now, let's dive into finding out about timescales for your ISO project!

What you'll learn:

• Timescales for your ISO project
• The different variables involved with an ISO project
• Scope of your certification
• The assessment processes

The short and sweet answer is that most businesses take between 6 to 12 months to get certified. But it depends on the size of your organisation and the complexity of it.

Let’s get to know the different variables involved with this project because there is actually a way that you can implement any EMS in a much quicker timescale (we have had companies that have achieved this in less than three months!). And in fact, you can achieve this also by going to www.isologyhub.com (our new online portal), where you can go at your own pace.

The main thing is to have a clear plan, which is well organised and disciplined. It's worthwhile optimising both your internal and external resources. That would include your environmental champions, or your ISO coach (if you have one) if you're looking at using the isology hub as well because that could have a detrimental impact on the timescales allowed. So, if you're wondering what you should be doing, then it's definitely worthwhile either getting help from someone that does know what they're doing or finding other people within the business who have a bit more knowledge about environmental management and ISO 14001.

Now for larger organisations, it can take longer. You may take up to 12 months or even longer than that. What you need to do is consider breaking the project down into incremental phases. So, let's say you had 10 locations across the globe. You may decide to break that down into incremental phases so that you get certain locations certified in year one, and then you can have other locations included in the scope of certification in years two and three. So, don't think that you have to implement an EMS and get certified across all locations and services. You can go at your own pace. But ultimately, the scope would be for whatever you have set in your objectives for achieving implementation. What we do find is that some businesses implement an EMS across the entire organisation, but they might just get certified for a part of that business (this covered in a previous episode, where we look at assessments and getting quotes for certification as well!).

Remember you can extend your scope of certification at any time. It can be revisited at the annual surveillance visits that you get. Ultimately you want to build your ambitions, your objectives, and your targets for environmental management and achieving certification into your sustainability roadmap.

Now, it was mentioned earlier that you could fast-track creating an EMS, but you do need to establish a time to gather evidence and make sure that the system is working and is effective. So, when you're planning your launch just make sure that you're effectively targeting all key stakeholders (all stakeholders must be aware of this). And the general rule of thumb is to allow three months past the launch to make sure that your system is fully established because when it comes to certification, your certification body will expect to see some evidence and records. So, let's say, within your EMS you say that you have provided training for employees. You need to be able to show the evidence of that on the records and that doesn't happen overnight (obviously). So, with monitoring and measuring information on your environmental footprint, you need to allow time to do that. Ultimately what you're doing is proving that you ‘walk the walk’, and you will allow plenty of time to demonstrate that you're serious about reducing your company's environmental footprint.

Finally, one of the things that a lot of businesses don't really take into consideration is the time allowed for the assessment.  Make sure that you have briefed your employees ahead of the dates of an assessment. Essentially, ensure you consider the timescales for your stage one and stage two assessments.

Let’s find out what’s involved in the assessment process…

Typically stage one is completed first, and then stage two could be within a few weeks or up to a couple of months after. You need to manage timescales so you can go through stage two relatively quickly. You just need to allow a few days in case there are any findings and if you need to implement any corrective action! Once you’ve completed the assessment, you're not actually formally certified as an organisation. There’s a due diligence process that takes place behind the scenes with the certification body, and it can even take several weeks before you actually get a copy of the certificate. Try and factor that into your overall planning, if you're looking at having a communications plan for celebrating your success, that's why six months is typically a good timescale.

A final factor to bear in mind is that if you've already got a management system in place, you could potentially fast-track the integration of ISO 14001 if you're developing an integrated management system.

Now, hopefully, that’s been helpful to you for implementing an EMS and getting certified to ISO 14001.

Remember the isology hub is now live, so feel free to join as a member to get access to all the support that you need on our online membership portal. It's the one and only go-to place for all things ISO. We've got video tutorials, check sheets, quick wins, and we've even got a module on timescales as part of the Planning stage. We take you through all seven stages of isology, in the isology hub. There's everything that you need in there to create, launch, and build your ISO system for success. So head over to www.isologyhub.com!

And finally, don't forget your FREE ISO standards blueprint here, where we cover timescales and there's even a planner within it on timescales which you can use to get your ISO management system kick-started.

Did you know that in the UK alone, 22 million pieces of furniture are discarded each year, the majority of which goes directly to landfill. That amounts to an estimated 670,000 tonnes of furniture wasted, where a significant portion could be recycled and reused. (Source)

It’s clear to see the need for a more sustainable approach to furniture design, manufacture and lifecycle, which is where today’s guest, Design Conformity, come in.

Design Conformity live and breathe circular design, the process for creating products sustainably from the beginning, and offer a Life Cycle Assessment Certification Process which has already led to significant carbon reductions.

Mel is joined by Adam Hamilton-Fletcher, Founder and Director at Design Conformity, to discuss the application of circular design within the furniture manufacture industry and explain how their Life Cycle Assessment certification process can help businesses reduce their carbon footprint.

You’ll learn

·       Who are Design Conformity?

·       What is circular design and how does it help companies reduce their carbon footprint?

·       What are the benefits of Design Conformity’s certification?

·       Can sustainability be of financial and environmental benefit to businesses?

·       Examples of circular design in practice

Resources

·       The ISO Show

·       Design Conformity

·       Carbon Calculator

·       Circular Design Guide

In this episode, we talk about:

[00:25] Introducing today’s guest – We welcome Adam Hamilton-Fletcher, Founder and Director at Design Conformity, onto the show. Design Conformity are currently setting the standard in retail sustainability, particularly in relation to the furniture industry.

[01:30] Who are Design Conformity? Adam worked in the manufacturing industry for about 15 years, designing lighting systems for major retailers like boots, Next, Marks & Spencers and Morrisons. He worked primarily with the lighting used in displays, and had been tasked with selling lighting products. In order to do so, he needed to develop a specification to help understand customer requirements, which would then be used to develop their ideal solution.

The problem: There were little to no Standards in UK and Europe for the retail display industry.

Which directly led to the creation of Design Conformity – who started out as an electrical and lighting Standard certification company, that developed into a full carbon certification company.

They aim to become the gold Standard for sustainable furniture design.

[03:10] What is Circular Design? – Circular design is born out of this principle of a circular economy. To compare, a linear economy is when we take a raw material, use it, process it, and then it’s just disposed of, usually straight to landfill.

Whereas, circular economy is where we take that waste product and we design it so that it can be repurposed and refreshed and reused. Those materials can then eventually be recycled – so the goal is to not use any raw materials at any point.

Circular design is the intent to minimise environmental impact, to design equipment that could be reused and repurposed, and then at the end of its life be recycled.

[04:05] How do Design Conformity operate? – Design Conformity look at the way that companies design their furniture and then take them through a learning process (online course).

They help businesses to understand how to design a product in such a way where it can be repurposed or reused, where raw material usage can be reduced and where the shipping requirements can be reduced.

They provide guidance and advice on recommended materials, including the provision on an online carbon calculator.

They also provide reporting in alignment with existing carbon standards, such as ISO 14064, for product evaluation.

[06:55] How can the Carbon Calculator help? By selecting a product of a particular type, you can use the estimator by entering the details of where and what you’re manufacturing, and then it will give you a carbon footprint for that, which you can use to compare that against other industry designers.

It displays these other designers anonymously, but you can get a feel for if your product is above or below the average for carbon emissions. 

[08:55] An example of the Carbon Calculator in practice –  Design Conformity recently worked with Costa Coffee, who were looking to reduce the environmental impact of their of their shops and coffee lounges. The beginning of that process is to work with their manufacturers, to identify the environmental impact of the furniture that they've got.

They used the Carbon Calculator to help create an initial benchmark, which highlighted key indicators that can lead to carbon reductions.

[09:35] Design Conformity’s Certification – They’ve borrowed the concept used by existing Energy Performance Certificates, by having a carbon efficiency index, ranging from C1 – C7.

Their score is a bit more unique however as it incorporates elements of circular design. Their score is based on a products total carbon emissions, divided by it’s size and total lifespan. An Ecolabel is then awarded based on the final score.

[11:45] What are the benefits of Design Conformity’s certification?:-

·       It’s a mix between carbon reporting and a carbon rating.

·       It’s easier for consumers to understand the benefits in comparison to companies that advertise compliance with ISO 14064 and PAS 2060.

·       Not just a green label, as reporting is a key component of gaining certification.

·       It provides a cradle to cradle analysis on a products carbon footprint and translates that into something that is recognisable.

[14:15] Are businesses right to be skeptical about the value of the cost versus the value of environmental certification?– 100%! It’s not uncommon for eco labels to be more of a marketing tool rather than a tool for tangible carbon reduction. A lot of them out there are unregulated and are contributing to green washing.

That’s where Design Conformity’s differs, as they actually collate and process real data to provide tangible value and add credibility to their claims. 

[16:10] Will there be a time where sustainability can be of financial and environmental benefit to businesses? – Yes, absolutely!  And if there is a way to do that, it’s through Circular Design.

As an example, if you’re a manufacturing company that’s producing shelving, you need to buy in steel, which can fluctuate a lot in price at any given time. But you don’t need to buy more steel every time, where instead you could get your original product back, reprocess and redistribute.

Adam has experience of suppliers who are practicing this, they purchase their products back at 40%-50% of the price, saving a lot of money in raw material!

[19:00] Examples of companies who have embraced circular design –

Tesco: They’ve introduced a policy whereby they purchase metal shelving, use it for 5 years, then take it back out of the store to get powder coated, cleaned and reintroduced to the store. That reduces the carbon footprint by 70% in comparison to buying a new shelving set!

Boots: Their beauty halls wanted to introduce a lot of new brands, which meant a lot more displays were needed. Boots started working with Design Conformity towards earning their certification, specifically in relation to the lighting they used in stores. With Design Confomity’s help, they managed to reduce the carbon footprint at selected stores by 39%!

[21:20] Circular Design Guide – 14 people were involved in creating this guide, which is designed to give you an introduction to and overview of circular design. Access it over on their website.

If you’d like assistance with any ISO Standards, get in contact with Blackmores and we’ll be happy to help 😊

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISO 27001 2022 is here, which means it’s time to start thinking about starting the transition process. While the deadline is set at December 2025, we recommend making a start on planning now!

If this is all news to you, check out our previous three episodes, where we reviewed all the major changes to ISO 27001, including clause updates and the 11 completely new controls added.

Join Mel this week as she explains what you need to know before embarking on your ISO 27001 transition journey, in addition to a summary of our transition programme.

You’ll learn

●      How to plan for your ISO 27001 transition

●      How can Blackmores help you?

●      How can you get a free copy of ISO 27001:2022?

Resources

●      Isologyhub

●      ISO 27001 Transition Programme

●      High level overview of ISO 27001 2022 Control changes  

In this episode, we talk about:

[00:44] Businesses have until October 2025 to transition to the updated version of ISO 27001:2022 – but don’t wait until the last minute! Certification Bodies get really booked up in the last year, and you could risk losing your certification and paying for another Stage 1 and 2 Assessment.  

 [01:30] We recommend that you start thinking about your transition in 2023 so you have everything in place to start the process in 2024.  

[02:28] As a recap – the major changes to ISO 27001:2022 are: 56 controls have been merged into 24 newly titled controls, the addition of 11 completely new controls and controls are now categorised into just 4 groups instead of the 14 from the previous version.

[03:00] ISO 27001:2022 Guide to the changes available – Simply fill out the form available at the end of the show notes to grab a copy!

[04:25] Over the next few episodes, Mel will talk through the process of planning, implementing and preparation for the Certification Body transition visit.

[05:51] All steps of the transition process are laid out in our Transition Programme, which includes: an awareness video, a transition action plan, Implementation of changes, Internal auditing of the changes and some optional support during the Certification Body visit.  

[08:45] The Planning Phase: We recommend trying to combine your transition visit with your next Surveillance visit – you can have a chat with your CB to see if that’s possible. This may not be possible if your Surveillance is coming up very soon, as you need time to implement the changes needed. Those that have it in say 6 or more months’ time would be in a good position to make the request.   

[09:30] Certification Bodies are recommending an extra half day for transition -  some may require a desktop review ahead of the actual visit. Combining this visit with your Surveillance is a good way to reduce costs.

[10:30] When planning out your timescales for transition, don’t forget to inform Leadership and key personnel involved in the running of the Management System about the expected changes to come – and plan in time for them to help with the implementation.

[11:10] Understanding the changes: We gave a high-level overview of the 11 new controls in our last episode. We will also have 11 Coffee Break Training courses covering the controls in more detail, available from March 31^st 2023 on the isologyhub.

[12:11] Offer: We’re including a free copy of ISO 27001:2022 for those that sign up to our Transition Programme before April 1^st 2023.

[12:34] You may get asked for a copy of the Standard at your transition visit – as having a copy can come under ‘other’ legal requirements.  

[13:10] Discovery Phase: We have a transition checklist which can help you identify where the gaps are in terms of compliance with the new controls. You may already have some of it in place!

Grab a copy of our ISO 27001:2022 Guide to the changes here

Keep an eye out for next weeks episode where we dive into how to Implement the changes…

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following.

With our heavy reliance on technology to keep both businesses and services running, it’s imperative that everyone take cyber risk seriously.

However, incidents will inevitably happen and it’s up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery!

We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident.

You’ll learn

·      Who are Epiq?

·      What does the current cyber incident landscape look like? 

·      What are the consequences if a business does not respond to a cyber incident effectively?

·      How can a business detect if they’re being attacked?

·      How should businesses respond in the event of a cyber incident?

·      What role does a legal team play in incident response?

Resources

·      Epiq

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident.

[03:00] Who are Epiq?  – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unathorised access or attempted access to an organisation’s IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimize damage and protect sensitive data.

[05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident? : The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023:

Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year.

Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox.

For me, there are 3 main challenges that organisations face when responding to a cyber incident:

·      Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation, during and already high stakes situation.

·      Expertise and support – navigating the complex legal, technical and operational aspects of an incident

·      Data-focused impact – understanding and assessing the risk to data after resolving an incident.

[10:00] What are the solutions to these challenges?  – Understanding the various external expertise and support available to a business, whether that be engaging with a law firm, a cyber incident response expert and cyber insurer will give you access to support with both the day-to-day management of an incident, as well as the legal, operational and commercial impact of said incident.

 [12:10] What are the consequences for an organsiation that does not respond effectively to a cyber incident? – : Failing to respond effectively to a cyber incident often leads to a variety of sever complications for a business, such as;

·      Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organization will not have access to potentially crucial business information. Financial losses and higher costs to incident response can come as a result of poor planning.

·      Additional Data Breaches: if an organization doesn’t respond effectively to a cyber incident, taking steps to gain control over their systems, additional data breaches can occur from threat actors gaining further access to the organisation’s systems.

·      Financial losses: cyber incidents affect a business’ bottom line. Costs including incident investigations, recovery, legal fees and potential fines. Further, knock on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents.

·      Damage to Reputation and Trust: Public perception matters for a business. A poorly handled cyber incident damages an organization’s reputation. Customers, partners and stakeholders lost trust, affecting long-term relationships and market position.

·      Legal Consequences: Regulatory fines and potential follow on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming.

[16:25] How can organisations detect if they are being attacked? – signs will vary depending on the type of cyber incident, but organisations and end users could expect to experience; slow systems, locked accounts (no access to mailboxes etc), inability to access documents or shared drives, ransom demands and unusual emails from organisation domains are all tell-tale signs of a cyber incident. If an organisation has invested in Managed Detection and Response software for their end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents.

[17:40] What are the key steps an organization must take in responding to a cyber incident? – It’s a great question, and these key steps will be implemented during a cyber incident response plan – an impacted organization should:

·      Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage)

·      Identify: Understand what is happening to a business post incident? Things like locked accounts, no access to business systems etc.

·      Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door

·      Report: Notify relevant stakeholders, including legal obligations.

·      Learn: analyse the incident to then take retrospective action to prevent further incidents.

[21:23] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub 

[23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – like with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters.

·      Response Funding: Insurers cover costs related to incident response, including professional services.

·      Response Time: Insurers bring in experts promptly, improving incident resolution.

·      Affordability: For small to medium businesses, insurance may be the only way to afford a response team.

[26:10] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.

Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.

Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.

Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.

[27:25] What are the legal obligations that exist after a cyber incident, especially in related to personal data breaches? – the legal obligations are clear – an organisation must report personal data breaches within 72 hours of awareness, unless the risk to individuals’ rights is unlikely. This quick turnaround is why it’s imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications.

[28:45] What support is there out there for organisations that are victim to a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated to a cyber incident, we discussed the important of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event.

Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business.

[30:35] What role does a legal team play in incident response? –  Legal support and advice is critical during an incident. As mentioned, they will help support with report the incident to the regulatory bodies required.

·      Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements.

·      Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance.

·      Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues.

[32:30] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident.

Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it.

Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too.

Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim.

[36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin’s famous quote is so true here – ‘by failing to prepare, you are preparing to fail’.

The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn’t ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It’s important to reduce your attack surface, and ensure you have cyber security themes running throughout the business.

[37:45] What are Jack’s top 3 tips to take away from this session to help them respond effectively to an incident? –

·      Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response.

·      Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key.

·      Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business.

 If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023. 

Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive.

As a result, the question of businesses being affected by a cyber incident has become ‘when’ rather than ‘if’.  However, there are a number of steps you can take to mitigate risks ahead of any potential incidents.  

We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks. 

You’ll learn

·      Who are Epiq?

·      What is a cyber incident?

·      The importance of being proactive in reducing the risk of an incident

·      What can organisations do to be proactive in mitigating cyber incident risk?

·      What are forensic tabletop exercises, and how do they enhance preparedness?

·      Why might an organisation need to get an incident response retainer?

·      What role do Information Governance consultants play in reducing cyber risk?

Resources

·      Epiq

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk.

[02:40] Who are Epiq?  – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe.

[04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them.

Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director.

Jack’s role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology.

[06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation’s information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats.

Organisations looking to combat information security risks should consider ISO 27001, as it’s key principles include the confidentiality, integrity or availability of your businesses information.

[08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business?  – Let’s look at some startling statistics:

In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week.

48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business.

This is the most shocking of the statistics, and why it’s so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident.

70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don’t).

Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following!

 [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024:

January saw a rise in cyber incidents predominantly affecting retail, education and local government.

In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets.

All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident.

[13:35] ISO Standard trends – At Blackmores, we’ve seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries.   

[15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation’s requirements and compliance issues arising from a cyber incident.

If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it’s imperative that your organisation has established, sound relationships with law firms and consultants.

[17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents.

Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business.

[18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs.

The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident.

[19:35] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub 

[21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity.

In Blackmores’ experience, a lot of organisations don’t actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it’s a bit of an eye opener when they realise they’re not as resilient as initially thought.

It’s always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task.

[23:40] Why might an organisation need to get an incident response retainer? – We're starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements.  One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements.

[26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate.

[27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining:

·      Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements.

·      Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements.

·      Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process.

·      Privacy Compliance: Aligning with regulations such as  GDPR, DP, DPA, CCPA.

[33:30] What are Jack’s top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn’t a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against:

Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks.

These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions.

So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security.

Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases.

Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees.

Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure.

Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I’m seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur.

If you’d like to learn more about Epiq and how they can help you, visit their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

The updated ISO 27001:2022 has had several changes, including the addition of 11 completely new controls and the merging of 56 other controls into 24 newly titled controls.  

These changes mean that anyone with a current ISO 27001:2013 certificate will be required to update and add certain elements in their existing Information Security Management System to ensure compliance to ISO 27001:2022 ahead of the October 2025 deadline.

Join Mel this week as she explains the changes that need to be made, including what key documentation requires updating to align with ISO 27001:2022.

You’ll learn

●      What changes need to be made to your existing Information Security Management System?

●      What key documents need to be updated?

●      How can you get a free copy of ISO 27001:2022?

Resources

●      Isologyhub

●      ISO 27001 Transition Programme

●      What you need to know to transition to ISO 27001:2022

In this episode, we talk about:

[00:44] In the last episode we covered the planning stages for your transition – catch up here

[01:02] We have a free ‘Guide to the ISO 27001 Changes’ available – simply fill out the form at the end of the Show Notes to download your copy

[01:29] You should have a copy of ISO 27001:2022 ahead of Implementing the changes (you can get a free copy if you sign up to our Transition Programme by April 1^st 2023)

[01:35] Before you move onto Implementation, ensure that you have: planned back from your transition date, have an understanding of the new controls and had a Discovery session / Gap Analysis to see where the gaps in your current system are

[02:11] This is also a good opportunity to revamp your Management System! We have a few older episodes to help you with this: #102, #103, #104

[02:50] What needs updating? This will include: 

• Your Statement of Applicability
• Risk Assessment
• Objectives
• Action Plans
• Monitoring and measurement (reviewing what you are monitoring / measuring and how it’s recorded
• Internal Audit Schedule / Programme – To include the new controls

[03:45] At this stage you need to look at what controls you have in place – there may be some you can now merge together to reduce any paperwork involved.

[04:25] We have some tools available to tackle the new controls (i.e Threat Intelligence, data masking, physical security monitoring ect) if you need some extra help

[04:50] It’s not just about updating documentation, you will need to fully implement and communication these new controls to the wider business. You may find that you already have some controls covered, but not yet formalised.

[05:30] The main aspect of the Implementation phase is to address the gaps found during the Gap Analysis. For example, new controls such as data masking, threat intelligence and web filtering, which you may not have considered seriously before, now need to put formal documented measures in place to address it.

[06:26] Communication and evidence should be at the forefront of your mind when updating your Info Sec Management System.

[06:39] Don’t just implement controls for the sake of it – considering how they are going to reduce risk and how they’re going to make a difference to improve your Risk Register and Statement of Applicability.

[07:00] The Implementation phase of our Transition Programme is 1-3 days depending on your level of required support

[07:54] You should also consider creating a Communication Plan to share knowledge of these changes to the wider business. Make sure you also compile any evidence of training on new elements of your Management System too. We will have Coffee Break Training available on the isologyhub which could help with this.  

Grab a copy of our ISO 27001:2022 Guideline to the changes here

Keep an eye out for next weeks episode where we explain how to complete your ISO 27001:2022 transition.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Today’s Guest

Ian Van Der Pool is the chairman of the European Facilities Standards committee and co-author of ISO 41001 and ISO 41014. He also has his own business, which is ISO 41001 CSI. He currently works with the Dutch Ministry of Defence and is responsible for implementing a brand new FM system fully compliant to ISO 41001.

Tune in to this episode to learn from Ian Van Der Pool, who has lots of valuable experience implementing ISO standards for facilities management. Ian speaks about how he got involved with ISO 41001, why it’s important to have an ISO standard, and how such a standard is created. He details the commercial value in ISO 41001, the benefits and main drivers of having a facilities management system in place that is aligned with the standard, and the risk of not having one implemented. The uncertainty of returning to the office amid a pandemic is discussed, along with the effects of this uncertainty. Then, Ian shares his top tips for implementing facilities management systems, noting a valuable lesson he learned in all the organizations he has interviewed.

Website: www.iso41001csi.com

Linkedin: www.linkedin.com/in/ianvanderpool

Course Date: 18th September 2020

Course cost: £500

You’ll learn

• How Ian got involved with ISO 41001
• Why it’s important to have an ISO standard for facilities management
• How multiple countries come together to create these standards
• What drives companies or venues to implement ISO 41001
• The commercial value in ISO 41001 and the risk of not implementing it
• The effects of uncertainty of returning the workplace during coronavirus
• The benefits of having a facilities management system in place
• Ian’s top tips for implementing facilities management systems: where do they begin and how do they comply with the standard?

Resources

• ISO Support Plan
• ISO Elearning
• ISO Steps to Success

In this episode, we talk about:

[00:43] A bit about Ian Van Der Pool

[02:50] Something not many people know about Ian

[03:40] How Ian got involved with ISO 41001

[06:51] Why is it important to have an ISO standard for facilities management?

[08:32] Is ISO 41001 the only certifiable standards that organizations can be certified against?

[09:30] How does a standard get created?

[12:25] Main drivers for implementing ISO 41001 for a facilities management company or venue

[14:39] The commercial value in ISO 41001

[17:39] The risk of not having it implemented

[18:55] The effects of uncertainty regarding going back into the workplace

[20:43] The benefits of having a facilities management system in place that is aligned with the standard

[22:37] Why would you need ISO 41001 in addition to or instead of other standards?

[27:30] Tips for implementing facilities management systems + A valuable lesson learned in all the organizations Ian has interviewed

[31:02] How to learn more about and contact Ian + About his foundation training course

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Today we’re joined by Paul Robinson, Managing Consultant at Blackmores. Paul is here to introduce the Energy Management Standard, ISO 50001, why it’s important and give you an overview of its basic structure.

What you’ll learn:

• Why energy management is so critical in the current climate crisis
• The main purpose of ISO 50001
• A summary of the clauses within ISO 50001

Why have an Energy Management Standard?

There’s a big focus on trying to maintain global warming to that 1.5 degrees increase. Right now, we’re failing on that. In order to get this back on track we need to consider our current energy consumption. During COP26 we heard a lot about phasing out coal power, unfortunately there are some countries who are resistant to that and as a result have had the requirements watered down. Regardless, energy use continues to rise as does the demand.

Energy Management is particularly relevant for organisations who want to measure their impact and put measures in place to reduce their environmental footprint.

Why is it so important to restrict Global Warming to 1.5 degrees?

It’s literally the difference between survival. We’re at a tipping point now, failing to stick to this 1.5 degrees will result in rising sea levels and rising temperatures. Paul shares his experience working in Cyprus where it’s not uncommon now for the temperature to reach 45 degrees. This isn’t sustainable and it will get to the point where it’s difficult for humans to survive if we keep going at this rate. 

What is the main purpose of ISO 50001?

ISO 50001 includes continually improving energy performance, energy efficiency, energy use and energy consumption. Building an energy management system will help you to understand, monitor and measure your use of energy, and like most other ISO’s, continual improvement is at the heart of ISO 50001. Key factors it addresses are energy performance, energy efficiency and energy consumption.

What are the main clauses of ISO 50001?

ISO 50001 went through it’s latest revision in 2018, aligning it with the Annex SL format that many other ISO’s use. The clauses are as follows:

• Clauses 1, 2 and 3 – These are all explanatory clauses, starting with the scope, then Normative References and lastly Terms and Definitions.

• Clause 4 – Context of the Organisation: Here you would define the scope and boundaries of your energy management system and understanding the processes affected. This includes looking at your energy inputs and outputs. You’ll also address any energy issues that affect you and interested parties involved.

• Clause 5 – Leadership: This refers to Top Management commitment, which is necessary if you want your energy management system to be successful. They will need to provide resources required to implement an energy policy, and to define roles and responsibilities.

• Clause 6 – Planning: This is a central pillar behind every Energy Management System as it talks about strategic and tactical considerations. This includes high-level issues, the needs and expectations of interested parties and the risks and opportunities associated with them in an energy context.

This clause also includes an Energy Review, which will help you build a picture of your energy sources and current consumption. From that you can start setting your Objectives and Targets and actions going forward using energy baselines and energy performance indicators established from the Energy Review.

• Clause 7 – Support: This clause talks about provision of resources, competencies, awareness, communication and documented information required for energy management.

• Clause 8 – Operation: This is where operational controls are defined to help you manage your energy effectively. It also covers design and procurement, which means procuring of energy, consuming assets and having effective processes in place to ensure energy is a key consideration when making infrastructure changes.

• Clause 9 – Performance Evaluation: ISO 50001 is very data driven and clause 9 states the requirements for monitoring and measurement of your energy use, which will be used to demonstrate your improvement in energy efficiency. This clause also covers Internal Audits and Management Review to ensure the Management System is performing effectively.

• Clause 10 – Improvement: This clause talks about taking opportunities that drive continual improvement in the Management System, but also recognizing that sometimes things go wrong. It also addresses significant deviations and a structure to investigate and correct those deviations to keep the management system on track.

That’s it from Paul this week! For further information on ISO 50001, visit our Standards page Here. We also have an ISO 50001 Handbook available to members of the isologyhub, sign up here to grab a copy.

If you’re just getting started with ISO, we do have a free ISO Blueprint available for download to help you to plan, create, launch and get certified to ISO Standards.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Trying to achieve Carbon Neutrality can feel like a monumental task, especially with so many separate elements that you have to complete. From quantifying your data, reducing where possible and offsetting the remainder, it can be hard to keep track of it all with taking a structured approach. 

Which is where ISO 14068 comes in. This is the new Standard for Climate Change Management, and it’s specially designed to help businesses with the transition to Net Zero.

In this weeks’ episode Mel explains 10 reasons why you should use ISO 14068 – the new Standard for Carbon Neutrality.   

You’ll learn

·       What is ISO 14068?

·       Why should you adopt ISO 14068?

·       How can Carbonology Support you with ISO 14068?

Resources

●      Carbonology

●      Grab a copy of our Net Zero Planner

●      ISO 14068

In this episode, we talk about:

[00:25] What is ISO 14068? – This is standard for Climate Change Management. If you’d like to find out more about the Standard, it’s purpose and how it can prevent green washing, go back and watch our previous episode.

[00:55] Where to find more information – This podcast is based off BSI’s most recent Publication on ISO 14068: ‘Climate Change Management – Transition to Net Zero – Part 1: Carbon Neutrality (A BSI Executive Briefing).

You can download this from a recent blog on BSI’s website.

[01:05] Reason 1: A structured approach – Mel found out firsthand from a recent EMEX event that people are looking for a structured approach to carbon neutrality.

ISO 14068 gives organisations a structured process for developing a detailed carbon neutrality management plan with short- and long-term targets.

[02:10] Reason 2: Quality - In contrast to unsubstantiated claims of neutrality, claims under ISO 14068 have to be based on all GHGs, take a lifecycle approach and can only be made after the development of long-term planning, with real GHG reductions in place, and offsetting restricted to residual emissions using high quality carbon credits.

[03:10] Reason 3: Credibility: Use of this internationally recognised standard can offer market benefits by increasing the credibility and verifiability of a product or organisational claim of carbon neutrality.

This Standard has been developed by international technical committees and subject matter experts across the globe, which gives it a lot more credibility in the eyes of Stakeholders. They will have confidence that claims are transparent and reliable from those who adopt ISO 14068.

[04:22] Reason 4: Global Recognition –  A quick reminder - Those who have been listening to the ISO Show for a while now may remember our previous podcasts on PAS 2060 – the previous Standard for Carbon Neutrality. Companies will now have 2 years to transition to ISO 14068. We’ll be doing a podcast on how to go about doing that in 2024!

Circling back to Global Recognition, ISO 14068 provides a common set of criteria for measuring and reporting carbon neutrality. This ensures consistency across different organizations and industries, underpins easer comparisons for carbon neutrality efforts between entities, allows stakeholders to assess and benchmark efforts, and supports global recognition for claims of carbon neutrality.

[05:30] Reason 5: Convenience – If you’ve already got other ISO’s in place, good news! ISO 14068 is designed to work with other quantification standards such as ISO 14064 or other equivalents.

[05:55] Reason 6: Flexibility - ISO 14068 can be used by any sized organisation, in any country or sector. It can also be applied to whole organisations or individual products.

[05:55] Reason 7: Responsibility - The standard encourages organisations to take responsibility for minimising their own carbon footprint before paying third parties to offset their emissions.

We’ve seen in the past where people think just paying for carbon credits will work in the long-term – which just isn’t sustainable. You should be looking to reduce as much as possible before moving onto the Offsetting stage.

[08:00] Reason 9: Risk Mitigation – Adopters of ISO 14068 will be in a strong position to manage current and emerging regulatory and market risks in relation to GHG emissions.

It’s a competitive market place out there, with ESG requirements appearing more on tenders year on year. Many will now require you to prove your commitment to carbon neutrality, and it’s become clear that we need Standards to be able to provide that evidence.

This is where ISO 14068 comes in, as you will have that proven methodology that you can then demonstrate to those stakeholders.

[09:30] Reason 10: Competitiveness –  ISO 14068 demonstrates a commitment to climate action can also mitigate reputational risks and enhance brand value, market access and competitiveness

[10:30] Further Information –  Our sister company, Carbonology, will be publishing more content around ISO 14068 in 2024. Check back on their website to find out more.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Today, we’re joined by Morgan Sindall’s Head of Information Security and Compliance Neil Binnie, to discuss the Information Security Standard ISO 27001.

Morgan Sindall has been ahead of the curb when it comes to information security having been certified to ISO 27001 for almost 3 years, but with information breaches becoming more common it’s even more vital to get ISO 27001 certified to prove you have a robust information security framework.

Neil explains the importance of information security, the new cloud security standards that are coming out, and the benefits of using ISO 27001.

Website: https://www.morgansindall.com/

You’ll learn

• The importance of information security in the construction industry.
• The benefits of using ISO 27001 as your information security framework.
• How to implement ISO 27001 within your business.
• The recent shift in mindset around data usage.
• How hackers are using supply chains to attack businesses.
• The new standards that are coming out to tackle cloud security.

Resources

• Blackmores
• Morgan Sindall Group plc

In this episode, we talk about:

[02:27] Why information security is so important in the construction industry.

[03:34] The benefits of having the ISO 27001 framework in place.

[05:28] Why supply chain security is so important.

[06:20] How a construction company can help to secure their supply chain.

[08:34] Neil’s experience implementing ISO 27001 in Morgan Sindall.

[12:43] The cloud security standards that are coming out.

[14:52] The benefits of having ISO 27001 in place prior to the Covid lockdowns.

[17:21] The incorrect assumptions people have about ISO 27001.

[18:37] The importance of having a collaborative approach when implementing ISO 27001.

If you need assistance with implementing ISO 27001 – Contact us!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Anyone whose been involved in the implementation or maintenance of an ISO Management System will know it’s not a small feat. There’s a lot of time and teamwork involved in getting a system in place for certification, so it’s definitely a cause for celebration when you finally do get that certificate at the end!

But what can you do with that? A lot of companies will get an ISO certification as a necessity, whether that be an industry requirement, legal requirement or client requirement. Often times, they’re quite content to just let those interested parties know about it and leave it at that. Which is a shame, as we think it’s something worth shouting about.

It’s a display of your commitment to best practice, whether that be in quality, health & safety, information security, risk management or any combination of those – and better still, it’s a globally recognised certification.

In this episode, Stephanie Churchman, Communications Manager at Blackmores, will take you through a few ways you can celebrate your ISO success.

You’ll learn

●      Why promote your ISO certification?

●      How can you promote your ISO success?

●      How can Blackmores help you celebrate your ISO success?

Resources

·       Isologyhub

In this episode, we talk about:

[00:30] Mel will be back in the next episode after taking a well deserved break 😊

[01:15] Why celebrate your success? You / your team worked hard to put that Management System in place and get it ready for certification, so it’s worth celebrating when you finally do get that certificate. It’s also a globally recognised certification that displays your commitment to Best Practice.  

[02:23] #1 Certificate Award ceremony – This is something you may need to organise ahead of getting your final certificate. It’s worth asking your certification body if they do a certificate award ceremony. Some CB’s will invite clients to a location to hand out certificates in a batch – or they may be happy to come an officially award you your certificate on your own premises. Either way, it’s a great opportunity to get a photo that you can then use later on your website or in social media, in addition to making it more of an event.

[03:09] Publish a blog or news article – This is a newsworthy event! And you should take the time to write a short statement for your website – Bonus points if you can get some statements from those involved with the process. It doesn’t have to be overly long, it can just be a short paragraph.   

[03:35] Social Media Post  – Social media is the main place a lot of people get information nowadays. Many platforms have character limits, so you can keep it short and sweet, as this is just to inform your wider audience who may not regularly visit your website. On platforms like LinkedIn, you can even tag some key members involved so they can add their own comments and experience under the post.

This is also a great opportunity to work in collaboration with your Certification Body – as they’re also keen to show off their clients successes. It’s worth getting in touch with their marketing team and ask if they’d be happy for you to tag them in a post– so they can reciprocate with a post and tag of your company – which would in turn expand your audience for that post significantly depending on how much reach the certification body has.

[04:54] Website Promotion - You could make a more permanent addition to your website. A lot of businesses tend to have a page for awards and accreditations, which is the perfect place to display the digital badge that your certification body will provide following certification. You could also link your current certificate if so inclined. Another place we often see clients displaying those digital badges is the website footer, it’s unobtrusive but makes for something a bit more eye catching when displayed next to the typical links you see in website footers.

[05:35] Email Signatures – Are another subtle way to make sure those digital badges get some use and imprint themselves in the minds of anyone you contact. It’s a relatively easy update to make and is just another way to make sure it’s seen by both internal and external contacts on a daily basis.

[05:55] Newsletters – Many of you will have some sort of weekly, monthly or annual communications with your clients and prospects. Make sure to include a mention of your certification in the next update. If you wanted to make it something special, make it a main feature and include some story behind the why and how you went about Implementation. Let your audience know why that certificate is important and highlight any notable success as a result of that certification, i.e. with ISO 50001 (energy management), you may have already made significant changes to reduce your energy consumption. Whether that be switching all your lighting to a more eco-friendly option or sharing some actual figures on energy reduction following certification.

[06:50] Case Studies – This is just another way to get your ISO journey written down in a concise, easy to digest format that can then be shared via your website and social channels. It’s another great place to highlight the why, how, any challenges you overcame and what your next steps are.

Keep it to 1 page if possible – as people often get turned off by looking at a daunting page count. Bullet point what you can and expand where needed, as that helps to break up walls of text and just makes it a bit easier for people to read. Take a look at some examples online for layout inspiration – there’s no shortage out there. Of course, if you work with us, we’re happy to do all the design and writing for you.

[07:45] Podcast / Video - Not everyone is going to have the means to publish videos and podcasts – So this won’t be applicable to everyone, but that doesn’t necessarily mean you have to drop this idea entirely. For example, we feature a lot of clients on our podcast and we’re more than happy for them to use their episode in marketing, or on their site or wherever they want to. So, if you work with a third party that has a podcast or produces their own videos, it’s worth an ask to see if they’d be open to featuring you. 

For those that do have the means to do this in-house – It’s highly recommended that you do either one or both of these, as you can then link back to them in social posts and other marketing. 

[08:50] This isn’t a one time thing – you can re-use a lot of these resources elsewhere, and remind others that you hold certain certifications when appropriate.

[09:15] The main takeaway is – You worked hard to earn that certificate, so don’t let it be a quiet victory.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

This episode is Part 3 of our 7-part mini-series explaining our Carbonology service, a 7 step methodology to help companies become Carbon Neutral.

Our resident Carbonologist David Algar is back to talk through the third step of the Carbonology process, Commitment.

David explains how organisations can identify the type of targets to put in place, the importance of having a launch and communications plan, and shares some popular ways organisations can reduce their carbon emissions.

You’ll learn

• How organisations can set targets for their Carbon Neutrality.
• Why it’s important to make a formal commitment.
• Popular ways organisations reduce their carbon emissions.
• The benefits of changing your vehicles from diesel to electric.
• Some of the incentives to achieve emission reductions.
• The importance of having your staff involved with your plan.

Resources

• isology Hub
• Blackmores

In this episode, we talk about:

[02:19] How to begin the commitment stage of Carbonology.

[04:00] Why organisations need a plan to achieve PAS 2060.

[05:27] Popular ways organisations can reduce their carbon emissions.

[06:40] The approach you need to take when setting targets.

[09:30] Typical targets organisations can put in place.

[11:31] The importance of having a launch and communications plan.

[12:06] The typical outcomes and deliverables organisations will be provided.

[13:31] The expectation of businesses to have a carbon footprint management plan.

[14:19] The importance of having your staff involved with your plan.

If you need assistance with implementing ISO 14064, PAS 2060, or another standard – Contact us!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Today we’re joined by Will Richardson, Founder and Managing Director of Green Element, to discuss how he helps other organizations become more environmentally friendly.

Will established Green Element in 2004 with a desire to help as many businesses as possible to go green.

A pioneer and early adopter of many now-mandatory environmental standards, his visionary approach, and inspiring leadership are exemplary.

Will also runs a podcast that is constantly featured in the top of the eco podcasts, and is a current board member and Chairman of the British Kitesports Association; the NGB to Kitesports; helping push kite sports within the Olympic sporting ecosystem.

In 2018, Will conceived Compare Your Footprint in response to demand from companies that want to reduce their carbon footprint but were not ready to engage with experts.

This episode, he shares how companies can most effectively tackle their energy and carbon management, and the science behind carbon reductions...

You’ll learn

• How Will helps organizations find the carbon footprint of their products.
• The importance of knowing the life cycle of your products.
• How to find out how much of an effect on the environment your product has.
• How long it takes to find out the life cycle of a product.
• How ‘Compare your Footprint’ helps organizations understand their carbon footprint and benchmark it.
• Different types of benchmarking you can do and how to do it.
• The science we know around carbon reductions.
• Why offsetting causes organizations to increase their emissions.

Resources

• Blackmores
• The Green Element Website
• Compare your Footprint
• Sustainable Business Podcast
• Science Based Targets

In this episode, we talk about:

[01:10] How Will got involved with sustainable energy and carbon management.

[02:14] Why Will started his own business and how it’s changed over the years.

[03:58] How Green Element helps organizations become more environmental.

[05:15] The difference between the life cycle analysis for products or services.

[06:24] How long it takes to work out a product’s life cycle.

[07:30] The two different ways there are to look at carbon footprinting.

[10:51] Different types of benchmarking you can do and how to do it.

[14:26] How to successfully carry out energy data reporting and why you shouldn’t rush it.

[17:59] The problems with net carbon zero and carbon neutral targets, and the benefits of Science Based Targets.

[22:36] The complex nature of effective environmental strategies.

If you need assistance with implementing sustainable practices – Contact us!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Did you know that only a third of the emissions reductions required to achieve the country’s 2030 target are currently covered by credible plans?

As a result, we can expect to see more mandatory and voluntary regulations that require carbon emissions reporting to verify your ESG and net zero claims.

In this episode, Mel closes out the ESG Reporting Disclosures series by explaining what Corporate Sustainability Due Diligence Directive (CSDDD) is, it’s key emissions reporting requirements, the verification requirements and who qualifies for CSDDD.

You’ll learn

·      What is CSRD?

·      Key requirements of CSDDD

·      Key emissions reporting requirements

·      the emissions verification requirements for CSRD?

·      Who qualifies for CSDDD?

·      The likely impact of CSDDD

Resources

·      Carbonology

·      Carbonology LinkedIn

·       Carbonology Instagram

·       CSDDD

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:10] Episode summary: Mel closes out the series on ESG reporting requirements by diving into CSDDD.

[03:10] What is CSDDD? – The Corporate Sustainability Due Diligence Directive (CSDDD) is a new EU directive that promotes sustainable and responsible corporate behaviour in companies’ operations and across their global value chains.

Purpose: It aims to promote sustainable business practices, protect human rights, and address environmental challenges.

The CSDDD was adopted by the European Commission on the 23rd of February 2022 and approved by the Council of the European Union on the 24th of May 2024. The new rules ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe. The CSDDD is expected to start affecting companies from 2027 at the earliest once the directive has been transposed into national legislation.

[05:10] What are the key requirements of CSDDD?:

·      Human rights due diligence: Companies must identify, prevent, and mitigate adverse human rights impacts within their value chains.

·      Environmental due diligence: They must assess and manage risks related to climate change, biodiversity loss, and pollution.

·      Disclosure obligations: Companies must disclose their due diligence processes, findings, and any remedial actions taken.

[06:20] What are the Emissions Reporting Requirements? Under the CSDDDD, companies are required to report on their greenhouse gas (GHG) emissions within a climate transition plan.

This includes considerations for Scope 1, 2 and 3. These were explained in more detail in a previous episode on CSRD, so go check that out if you want to learn more about the individual scope requirements.

What if you fit the requirements of both CSRD and CSDDD, do you have to double report on emissions? In short – No!

The climate transition plan required by the CSDDD will be reported within CSRD reporting, as organisations just need to adhere to the CSDDD’s implementation requirements for the transition plan.

[10:10] What are the Emissions Verification Requirements? More definitive guidance on verification requirements is expected closer to 2027. Companies will more than likely need to verify the emissions data reported through CSDDD, as the directive mandates a climate change transition plan that aligns with the Corporate Sustainability Reporting Directive (CSRD), which does require companies to verify their emissions data.

[09:55] Who qualifies for CSDDD? The Corporate Sustainability Due Diligence Directive (CSDDD) applies to both EU and non-EU companies depending on their workforce size and revenue:

EU and non-EU companies (or the ultimate parent company of a group):

·      With more than 1,000 employees and a global net turnover of at least €450 million in the last fiscal year; or

·      Which have franchising or licensing agreements in the EU in return for royalties with more than €22.5 million generated by royalties in the EU and have a net worldwide turnover of over €80 million in the last financial year.

[11:10] What is the possible impact of this new directive? Similar to the other ESG disclosures I’ve covered over the past few weeks in this series on reporting disclosures, the impact of the CSDDD will result in 3 key impacts:-

·      Increased transparency: This directive will provide stakeholders with a clearer picture of companies' sustainability efforts, to combat greenwashing.

·      Enhanced accountability: Companies will be held accountable for their environmental and social performance.

·      Stimulation of sustainable business practices: The directive will encourage companies to adopt more sustainable practices, including regular reporting.

If you would like to learn more about CSDDD or inquire about the related course, please get in touch with Carbonology.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

To keep global warming to no more than 1.5°C  – as called for in the Paris Agreement – emissions need to be reduced by 45% by 2030 and reach net zero by 2050.

Many businesses are already making great strides to reduce their Impact, and while you can reduce, achieving true carbon neutrality will involve offsetting a certain amount of emissions.

Treeconomy are one of the few companies in the UK that offer credible carbon credits. Backed by principles of PAS 2060 (Carbon Neutrality), they seek to break the greenwashing cycle.

Mel is joined by Harry Grocott, CEO and Co-founder of Treeconomy, to discuss their credible carbon offsetting schemes and the innovative technology they use to help quantify the value of nature.

You’ll learn

●      Who are Treeconomy?

●      What is the difference between services offered for landowners and Offset buyers?

●      Can you quantify the value of nature?

●      How can people be sure that they don’t fall prey to Greenwashing?

●      How can someone go about buying and monitoring offsetting credits?

●      Are Treeconomy’s carbon offsetting schemes verified?

Resources

●      Treeconomy

●      Sherwood

●      ISO 14064

●      PAS 2060

In this episode, we talk about:

[00:30] Catch up our episodes covering the Sustainable Development Goals (Part 1 / Part 2), ISO 14064 and PAS 2060.

[01:00] Treeconomy are a company that offer credible carbon offsetting schemes – they are one of the few companies who are recognised by PAS 2060 (the Standard for Carbon Neutrality)

[02:05] Harry Grocott (CEO) introduces Treeconomy -  A nature based, carbon removal and restoration company that operate in the UK and Internationally. They offer schemes that work towards afforestation, peatland restoration, rewilding ect. They are also keen to enable evidencing the impact, developing a software platform, remote sensing, and AI technology to do so.

[03:41] They are part of the Centre for climate change innovation which is an initiative of Imperial College London and the Royal Institution to catalyse innovation of all forms that address the causes and effects of climate change.

[04:22] What is the difference in services for Landowners and Offset Buyers? For landowners, Treeconomy can help you change land use from one to another. I.e changing land used for sheep grazing into something more carbon intensive. Treeconomy will ensure that any project started with them is a verified Carbon Scheme – in-line with the woodland carbon code. Once your project set up has been completed and verified, Treeconomy will assist in the sale of credible carbon credits.

[07:22] For offset buyers: Treeconomy offer a wide range of projects and varyingly priced carbon credits.  

[07:45] Can we quantify the value of nature? Short answer right now is no, but there is a lot of nuance. Nature offers ecosystem services i.e. farms offer a calorific benefit, we can put a price on the value that offers. The same principle applies to resources such as wood or oil. Now we are gaining the ability to quantify CO2 removal, which is undeniably valuable to humanity.

[09:18] Other more recent services such as biodiversity projects are a bit harder to quantify – as they vary so much depending on the country. However, we are starting to assign value to these.

[12:15] How can people be sure that they don’t fall prey to Greenwashing? There are 2 main issues to consider: 1) Are your carbon credits credible? 2) what claims are top management making?

[12:44] Tackling claims made by leadership: ISO standards are starting to solve this issue. There are clear requirements and certifications that need to be in place to back those claims.  

[13:00] Tackling carbon credits: The carbon offsetting market is heavily unregulated currently. Essentially it’s a lot of people trading in invisible gas. There are a number of carbon standards (Not quite at the same level as ISO Standards), such as the Woodland Carbon Code and the Peatland Code, and Internationally there are standards such as Verra VSC – unfortunately, a lot of these standards aren’t very robust and aren’t enforced.

[15:30] Many companies will often look to buy the cheapest offsets available, which are likely to be non-credible and will provide no evidence of actual offsetting occurring. But, there are a lot of new companies emerging that provide tangible evidence of offsetting (such as Treeconomy 😊)

[18:30] How can someone go about buying and monitoring offsetting credits? If you don’t want to use a company like Treeconomy, you would need to directly contact and purchase credits from a company who is developing a project.

[19:23] Treeconomy have created a platform called Sherwood – this displays all the projects they are helping to develop, which also tells you who the landowners are and the carbon inventory attached to each project. It can also help you evidence credits purchased, whether they are historic or future carbon removal.

[21:30] Not many companies offer comprehensive reporting and evidencing of carbon credits in practice. Treeconomy use a range of methods such as drones, satellites and AI programs to report back, and aim to make getting this information as easy as possible for credit purchasers.

[23:20] How did Harry get into this business? Starting off studying geography and Science – he later went onto work in finance for 3 years and qualified as a finance adviser. While working he realised that the amount of money available is rarely the issue, rather the use of it. He saw that there was a large gap in funding for climate change mitigation and adaptation – but not enough money was going towards it. He began wondering why more couldn’t be invested and so decided to study climate change management and finance (partly though Covid), where he met his co-founder. After getting some Government grant funding, investors and landowner partners, they have flourished over the last 3 years.

[27:00] Are Treeconomy’s offsetting schemes verified? Yes – they work under the UK woodland carbon code (and soon the peatland carbon code). They are also working to create a new protocol to tackle rewilding, including how the value and progress can be tracked. Internationally they will be working under Verra.

[29:05]  Treeconomy can help to provide detailed evidence of carbon offsetting thanks to their reporting capabilities, this can be passed onto 3^rd party auditors to verify in-line with any carbon Standard. 

 [30:00]  You can find Treeconomy via their website, LinkedIn, Twitter and Instagram 😊 

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

There’s no escaping it, AI is here to stay. Over the course of 2023 we’ve seen more general and public use of popular AI tools such as ChatGPT and Gemini (previously Google Bard).

It’s now even being integrated into everyday applications such as Microsoft Word and Teams. There is no doubt that there are a lot of benefits to using AI, however, with new technology comes new risks.

So how do we address the growing concerns around AI development and use? That’s where the new Standard for AI Management Systems, ISO 42001 comes in!

Join Mel this week as she explains exactly what ISO 42001 is, who it’s applicable to, why it was created and how ISO 42001 can help businesses manage AI risks.

You’ll learn

·       What ISO 42001 AI Management Systems is

·       Who it’s applicable to

·       Why it was created

·       How ISO 42001 can help businesses manage AI risks

Resources

·       Isologyhub

·       ISO 42001 Webinar registration

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today we’re touching on a very topical subject – AI, and more specifically the brand new AI Management System Standard – IS0 42001. We’ll also be exploring who it’s applicable to, why it was created and how it can help businesses manage AI risks.

[03:30] What is AI? – AI – otherwise known as Artificial intelligence, as it’s most simplest description is the science of making machines think like humans.

We’ve seen a lot of AI tools be released to the public over the last year or so, tools such as ChatGPT and Google Bard. It’s already being integrated with some of the most commonly used apps and programs like Microsoft word and Teams.

In short, AI integration is here to stay, so we may as well get to grips with it and make sure we’re using it responsibly.

[05:10] What is ISO 42001? – , ISO 42001 is the first International Standard for Artificial Intelligence Management Systems, designed to help organisations implement, maintain, and improve AI management practices.

It was jointly published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The emphasis of ISO 42001 is on integrating an AI Management System with an organisations existing management system – i.e. ISO 9001 or ISO 27001 compliant management systems.

Interestingly, a lot of the specific mentions of Artificial Intelligence and Machine Learning are within the Annexes rather than the body of the Standard. The Standard itself is very similar to ISO 27001 in that it’s mostly about what organisations should be doing to manage computer systems regardless of any AI components.

[08:00] The 4 Annexes of ISO 42001:

Annex A: This acts as a Management guide for AI system development, with a focus on trustworthiness.

Annex B: This provides implementation guidance for AI controls, with specific measures for Artificial intelligence and Machine Learning – if you’d like to learn more about the difference between the two, go back and listen to episode 135.

Annex C: Which addresses AI-related organisational objectives and risk sources.

Annex D: This one is about the domains and sectors in which an AI system may be used. It also addresses certification, and we’re pleased to see that it actively encourages the use of third-party conformity assessment. This just ensures that your AI claims have more validity.

[09:15] Who is ISO 42001 applicable to? – Those annex descriptions may have you assuming that this Standard is only applicable to organisations developing AI technology but in actuality it’s applicable to any organisation who is involved in developing, deploying OR Using AI systems.

So if you’re a company who is only utilising AI in your day to day activities, it’s still very much applicable to you!

[10:20] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[12:25] Why was ISO 42001 created?:

·       To address the unprecedented rapid growth of AI and all the risks that come with this new technology.

·       To ensure that AI development and use are trustworthy and above all, ethical.

·       The public are also reasonably wary of this new technology, so ISO 42001 aims to help build more public trust and confidence in the future use of AI .

·       ISO 42001 acts as guidance for organisations on exactly how to integrate AI Management controls with their existing systems.

[14:05] AI risks you should be aware of – This isn’t an exhaustive list, as the technology develops, more risks will become known. However, as of the start of 2024, you should be aware of:

Inaccurate information – Many of the chat bots and public AI tools are trained on publicly available information, and as we all know, not everything on the internet is true. So the output from these chat bots will need to be checked and verified by a person before being used or published.

AI bias – Studies have proven that AI results can still be bias. As all the data fed into it is all based on existing information, it still presents the issue of a lack of information from underrepresented groups, or existing bias based on existing data.

Time sensitivity – Not all AI use live data sets. Google Bard does, however Chat GPT is only accurate up until 2021. So double check whichever tool you’re using to make sure the information it produces is up-to-date.

Plagiarism – Data gathered using AI came from somewhere! If you simply copy and paste information provided by AI platforms, there’s a chance you may be plagiarising existing content. Be sure to just use AI as a starting point!

Security risks – Use of AI can expose you to additional security risks, For example, malicious actors could send someone an email with a hidden prompt injection in it. If the receiver happened to use an AI virtual assistant, the attacker might be able to manipulate it into sending the attacker personal information from the victim’s emails.

Data Poisoning – AI uses large data sets to train its models, and we currently rely on these data sets being relatively accurate. However, researchers have found that it’s possible to poison data sets – so in future, AI may not be very reliable if preventative measures aren’t put in place by AI developers.

[17:45] How can ISO 42001 help business manage these risks? – Above all, it provides a structured approach to identify, assess, and mitigate AI risks. ISO 42001 includes the guidance needed to put this in place from the start to ensure you don’t fall prey to the risks mentioned, with a view to monitor and update to address new risks in future.

It promotes transparency and accountability throughout the AI life cycle.

It helps ensure fairness, non-discrimination, and respect for human rights in AI development and deployment.

It will help minimise potential legal and ethical liabilities associated with AI. The UK’s current GDPR and Data Protection Act can loosely cover aspects of AI, depending on how the terminology is applied, but there are already dedicated AI based regulations being developed within the EU which will likely be adopted by the UK. 

It can foster innovation and accelerate adoption of responsible AI practices.

And lastly, it provides a common language and framework for collaboration on AI projects.

[21:35] Don’t miss out on our ISO 42001 webinar – We’re partnering with PJR to bring you a 2-part webinar series on ISO 42001. Catch the first part on the 5^th March 2024 at 3pm GMT, register your interest here.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Greenhouse Gas (GHG) accounting has become increasingly important in recent years due to the demand for more environmental accountability.

Whether by choice or due to legislation or mandatory Government led schemes, organisations need to able to effectively calculate their current impact before they can the right steps to reduce and offset the remaining emissions.

There are a lot of different routes to take, and some may look so similar that you have to squint to see a difference.

In this episode, Mel Blackmore breaks down the similarities and differences between the leading GHG emission reporting frameworks, ISO 14064-1 and the GHG Protocol Corporate Standard.

You’ll learn

·      What are the 2 leading GHG accounting frameworks?

·      What are the similarities between the GHG Protocol and ISO 14064?

·      What are the differences between the GHG Protocol and ISO 14064?

·      Reporting on indirect emissions

·      Choosing the right framework

·      How can the GHG Protocol and ISO 14064 complement each other?

Resources

·      Carbonology

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:30] Episode summary: Mel will look at the similarities and differences between the 2 leading GHG emissions reporting frameworks, the GHG Protocol and ISO 14064-1:2018.

[02:20] What are the 2 leading GHG accounting frameworks? – Greenhouse gas (GHG) accounting has become increasingly important for organisations seeking to manage their environmental impact and contribute to climate change mitigation efforts. Two prominent frameworks guide this process: ISO 14064-1:2018 and the GHG Protocol Corporate Standard.

Climate change concerns necessitate robust methodologies for quantifying and reporting organisational GHG emissions. Standardised frameworks offer a transparent and reliable approach for organisations to measure their impact and contribute to environmental sustainability goals. This article examines two leading frameworks: ISO 14064-1:2018 and the GHG Protocol Corporate Standard.

[06:10] What are the similarities between the GHG Protocol and ISO 14064? – GHG Scope Definition: Both frameworks categorise emissions into three scopes: Scope 1 (direct emissions from owned or controlled sources), Scope 2 (indirect emissions from purchased electricity, heat, or steam), and Scope 3 (other indirect emissions throughout the value chain).

In general, the GHG Emissions covered in the GHG Protocol Corporate Standard conform to ISO 14064-1 if significant Sope 3 GHG emissions and GHG removals are both considered.

Quantification Principles: Both emphasize the importance of accuracy, completeness, consistency, transparency, and relevance when quantifying emissions.

GHG Reporting Boundaries: Both require clear definition of the organisational boundaries for which emissions are quantified.

GHG Inventory: Both frameworks guide the development of a GHG inventory, a comprehensive record of all organisational emissions.

[09:15] What are the differences between the GHG Protocol and ISO 14064? – Focus: ISO 14064-1 is a more procedural framework, outlining the steps for quantifying, reporting, and verifying GHG emissions. The GHG Protocol, on the other hand, offers detailed guidance on calculating emissions for various activities and sectors but lacks formal verification requirements.

Level of Detail: The GHG Protocol provides a more comprehensive and detailed approach, including calculation methods, guidance on emission factors, and best practices. ISO 14064-1 offers a less prescriptive approach, allowing organisations to choose calculation methodologies based on their specific needs.

Avoided GHG Emissions: The concept of avoided GHG emissions is not addressed in ISO 14064-1.  However, the GHG Protocol Corporate Standard addresses the quantification of avoided emissions, which are required to be reported separately.

Verification: Verification by a third-party verifier is optional under the GHG Protocol but mandatory for organisations seeking public disclosure or certification under ISO 14064-1. Verification enhances the credibility and reliability of reported emissions data, this could be to schemes like EcoVadis.

Value Chain Emissions: While both frameworks acknowledge Scope 3 emissions, the GHG Protocol offers a dedicated standard - the Corporate Value Chain (Scope 3) Standard - providing specific guidance on quantifying these emissions.

Addressing GHG Emissions and Removals: ISO 14064-1 clearly address GHG emissions and removals for each  category and removals are therefore an inherent part of the GHG quantification. The guidance in the GHG protocol is not as clear but allows for the reporting of removals separately from GHG Emissions.

[13:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[17:05] Reporting on indirect emissions:  The main challenge for organisations is the reporting of indirect emissions (Scope 3), often leading to confusion based on a lack of clarity and understanding of how granular the data needs to be, combined with challenges extracting data from third-parties. 

ISO 14064-1 is very clear regarding which Scope 3 emissions are to be included, whereas the GHG Protocol standard maybe viewed as more open to interpretation.

In contrast, GHG Protocol standards require the inclusion of Scope 2 (indirect emissions from purchased energy); the inclusion of other indirect GHG Emissions under scope 3 is optional.

The GHG Protocol standard is referred to in various GHG reporting and disclosure initiatives whose requirements for the reporting of the Scope 3 emissions vary.  Whereas ISO 14064-1 has been created and approved by representatives from 61 nations to determine a specification for Scope 3 emissions reporting.

[20:30] Choosing the right Framework: The choice between ISO 14064-1 and the GHG Protocol depends on an organisation's specific needs and goals. Here are some considerations:

·      Is there a need for Verification? i.e. is it a mandatory requirement

·      What level of detail is required? If a detailed approach with extensive calculation guidance is preferred, the GHG Protocol might be more suitable.

·      Resource availability – Do you have the resource to do this yourself or will you need a helping hand?

·      Disclosure reporting requirements – check what you need to comply with as this could determine which framework you use.

[23:30] How can the GHG Protocol and ISO 14064 complement each other? -  This podcast may have you thinking that it has to be one or the other, but in actuality the two frameworks can be used together effectively. Organisations can utilise the GHG Protocol's detailed guidance to develop their GHG inventory and then follow ISO 14064-1's process for verification and reporting.

If you would like some help with GHG reporting or Verification, please get in touch with Carbonology.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

This episode is the second of our 7-part mini-series explaining our Carbonology service, a 7 step methodology to help companies become Carbon Neutral.

We’re joined by our resident Carbonologist David Algar to talk through the second step of the Carbonology process, Quantify.

What does the Quantify Step entail?

Calculating your emissions : This will be carried out for Scope 1 2 and 3 emissions.

• Scope 1 refers to sources you own, and are direct emissions from combustion or fugitive emissions from systems that contain GHGs, so gases that have escaped from somewhere they shouldn’t have such as an AC system.
• Scope 2 are emissions from imported energy, this refers to electricity for most organisations but can also include steam, heating and cooling. For ISO 14064 and PAS 2060 you’ll need to quantify 100% of the Scope 1 and 2 emissions within boundaries
• Scope 3 refers to all other indirect emissions from sources you don’t own or necessarily have control over. For example business travel in vehicles your staff own. Scope 3 makes up the majority of emissions for most organisations and is generally more complex to gather data for.

What information do you need to quantify your emissions?

You’ll need to collect and process data. This can be:

• Activity or financial data on a specific source. Common examples include utilities bills, meter readings and expense reports for business travel or fright
• Interviews and surveys. For instance a survey to better understand how staff commute to work, or the proportion of staff that work from home.

Why is Transparency so important?

There are 6 key principles of ISO 14064, but one David is particularly mindful of is Transparency.

• Ultimately your work will be made publicly available, and not everyone may agree with your methods, but you’ll need to record all estimates, assumptions, exclusions, and uncertainties associated with your methods. As well as generally being good practice, being transparent allows the end user of the work you produce to make informed decisions with a reasonable degree of confidence.

So what’s the purpose of quantification?

As well as giving you a total footprint for a specific time period, calculating your carbon footprint will enable you to do a few things:

• Firstly you’ll be able to see what are the most emission-intense areas of your organisation, i.e. where the emissions are coming from, whether this is a specific location, or activity or even department

• Secondly, by using this information you will be able to prioritise the areas that need to have their emissions reduced. This will form the basis of your Carbon Footprint Management Plan which we will go into more detail on in the next few episodes.

What are the Outcome and Deliverables?

One outcome of this exercise is a GHG Inventory. This is a requirement of ISO 14064 and put simply, is a big list of categorised emission sources, and the specific GHGs they produce. Here you’ll also list all emission conversion factors you used to turn activity data into tonnes of specific GHGs.

Another useful outcome is that you’ll be able to instantly and credibly respond to any tenders that require you present green credentials. As we’ve mentioned in previous podcasts, in the UK it is now a requirement for most large public sector contracts for the tendering organisation to outline its emissions.

Being able to easily present your carbon footprint to a potential tender could help in winning new business, particularly if you’ve completed this in line with an international recognised standard

Join us next week as we move onto the next step, Commit.

If you need assistance with implementing ISO 14064, PAS 2060, or another standard – Contact us!

David Algar is also available for a free Carbonology consultation until the end of March – Book your slot Here

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Seacourt is the highest scoring B Corp printing company on the planet, they believe in business as a force for good for society.

Fun facts: Seacourt is the winner of the Queens award for sustainable development. They’ve won this three times! In 2017, they were also crowned Europe’s most sustainable SME! No wonder they are recognised as one of the top three leading environmental printers in the world!

Seacourt Managing Director, Gareth Dinnage, joined us for an interview to tell us about Seacourt’s journey and its initiatives. Gareth has been part of Seacourt’s sustainability journey from the very start. He started his journey first as apprentice and then heading up to Sales and Marketing and finally owner and Managing Director.

You’ll learn about:

• Seacourt’s sustainability journey
• Environmental management as a guiding principle for Seacourt and their contributions to the environment
• Seacourt’s journey to understanding their carbon footprint
• Significance of being Net Carbon Zero
• B Corp
• How ISO 9001 and 14001 helps Seacourt run their business
• Understanding your supply chain

Let’s start right back at the beginning of Seacourt’s journey!

Where did Seacourt begin and where did its sustainability journey begin?

Seacourt started in 1946! They were set up as a commercial printing company in Oxford, working with local businesses. Not much changed for them until the mid-90s, when the owners at the time had the good fortune to attend a seminar focused on sustainability.

We know what you must be thinking, whoever put together this seminar must have had incredible foresight, to have looked into commercial impacts and sustainability!

The owners realised that the printing industry is among the fifth largest manufacturing sectors in the UK since 1996…

And that it’s also the fourth worst polluter!

That’s when they decided that they don’t want to be part of the problem, but a part of the solution. This thought marks the moment of a change of goals and priorities for Seacourt. From this point in 1996, the business changed from a linear business model, focusing on outputs, to becoming a value-based business, to considering the impacts on the environment and society, as well as profits.

This marked the magic transformation of Seacourt!

For the last 25 years, their philosophy has been “will this improve the environmental performance of our business. If the answer is “yes!”, then they do it regardless of the financial cost. So, without this fundamental change in mindset, Seacourt would not have been where it is today.

Guiding principle for Seacourt

Environmental management has been a guiding principle for Seacourt for the past 25 years. It’s fundamental and core to the company.

Currently:

• Seacourt runs on 100% renewal energy (and have done so for decades)
• They invented their own printing process called ‘LightTouch’. This has saved them gallons of fresh litres of water
• Seacourt no longer uses water or chemicals in their printing process!
• They have been zero waste to landfill for over a decade.
• They are carbon positive -and that’s scope 1,2 and 3! What this means, for those of you that aren’t familiar with this concept, is that Seacourt sees their impact in every element that they as a business effect. This includes their supply chain, so as a printing industry, they take their impact all the way back to forestry they use for their natural resources. They consider how trees are transported to the papermill, how papermills are run, the energy this it is run on and much more!
• They consider the end-of-life process by producing a natural material that has a massive recycling rate.

So, when you wrap all of this up in its entirety, Seacourt has created a concept called Planet Positive Thinking -which means that they give back more carbon into the atmosphere than they are responsible for consuming.

Seacourt’s journey to understanding their carbon footprint

A lot of businesses are new to the concept of Net Carbon Zero. So, let’s find out how Seacourt went about understanding what their carbon footprint was.

Seacourt does this by unravelling their entire supply chain and ask challenging questions to their supply chain, such as how they power their plants, what is the carbon impact per tonne of paper they are using, how they transport their materials from the forest and much more never before asked questions! They used the amount of paper they have purchased over a 12-month period and worked with their suppliers to get an accurate carbon impact figure. They created their own methodology and matrix, using the same process to identify the carbon impact figure that they used for their paper, for other areas in their operations, for example their ink.

By this point, Seacourt knew their carbon impact holistically for a 12-month period and sought to work on a regenerative project in the Amazonian basin. In this project, Seacourt safeguards 86,000 hectares of endangered forestry and are reforesting 12,000 hectares of deforested lands. They also have a social element where they support a programme with indigenous people. So, this is how Seacourt maintains their Planet Positive Thinking element, as they give back more than they consume in everything they have an impact on.

Significance of being Net carbon zero

Of course, we are conscious of the fact that we are in a lockdown where many businesses are struggling financially. So, this is for those of you thinking “is it going to be really costly for me to be Net Carbon Zero or Carbon positive?”. Gareth emphases the need to understand the impact of sustainability, to have a strategic plan and an idea of what goal you want to reach and how you will achieve it. Otherwise, your business will get left behind! Other business will pick up this leadership agenda and show exactly what business can do. Gareth identifies these businesses as the ones to be the most successful. This is already evident among investors refusing to work with fossil fuel-based business. That’s why business need to act responsibly to stay ahead of the game!

How management systems help Seacourt run their business

Seacourt has been certified to ISO 9001 and ISO 14001 for years. These management tool helps Seacourt set the business up to the highest standards and ensure continual improvement. The quality environmental management system provides a framework for delivering sustainable best practice.

B Corp

Now let’s move on to talk about B Corp!

B Corp is the global movement that aligns businesses who share the same philosophy, which is that businesses can and should be a force for good. Certified B Corps meet the highest standards of verified social and environmental performance, transparency, and accountability. The unifying goal of B Corps is that the main driver is stakeholder value, not shareholder value.  

Understanding your supply chain

For those of you who have not yet looked into their supply chain, Gareth recommends:

• Observing and controlling your building in terms of energy efficiency (make sure its insulated and you use renewable power)
• Then send out supplier surveys to find out what your suppliers are doing or working on that you are not aware of
• Then look at your key supply chain and identify if you can start mapping the carbon impact.

These steps would give you key findings and insights that you can use in your goals and strategy.

Contact details for Gareth, if you have any enquires or would simply like to connect with him, get in contact using one of the ways below:

Email: garethdinnage@seacourt.net

Website URL : www.seacourt.net

Twitter handle: @seacourtltd

LinkedIn handle: Garethdinnage

A crucial part of Implementing any ISO Standard is addressing your risks and opportunities. 

This is a key part of Clause 4 Context of the organisation, which expresses and explicit need to review and assess what internal and external factors could help and hinder in achieving your business goals.

While ISO Standards don’t define a definitive method of doing so, many have adopted the practice of carrying out a SWOT and PESTLE analysis.  

Today Ian Battersby explains what a SWOT and PESTLE analysis is, the key questions you should be asking and the importance of continually reviewing and updating the results as your management system matures.   

You’ll learn

·      What is a SWOT analysis?

·      What is a PESTLE analysis?

·      Examples of questions you should be asking during a SWOT and PESTLE

·      How often should a SWOT and PESTLE be conducted?

·      Examples of SWOT and PESTLE in practice

Resources

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby will be explaining what a SWOT and PESTLE exercise is, it’s role in fufilling key requirements in Clause 4 of any ISO Standard, and the key questions you should be asking during the exercise.  

[02:30] What is a SWOT and PESTLE analysis? – This is one is the tools you can use to look at various factors that affect your organisation.

SWOT standards for:

·      Strengths

·      Weaknesses

·      Opportunities

·      Threats

PESTLE standards for:

·      Political

·      Economical

·      Social

·      Technological

·      Legal

·      Environmental

And in recent years, people have added ethical into PESTLE too. Whether that’s on its own or integrated within the other elements is up to the organisation and how they want to run the exercise.

Both analysis are fundamental in helping organisations understand the benefits and pitfalls of a project, management system implementation included.

[05:05] Where in the Standard is there a need for a SWOT and PESTLE? – Clause 4 in all ISO Standards is known as ‘Context of the organisation’, which you need to establish early on in order to set the foundations for building your management system.

Context is the world in which an organisation works, it is the considerations of the internal and external factors that affect what you do.

SWOT and PESTLE, while not specifically referenced in the Standard, is a highly recommended tool as it directly assesses multiple internal and external factors and can fulfil the requirements of any ISO Standard.

[06:20] Addressing Context of the Organisation – Clause 4, Context of the organisation states:

“The organisation shall determine external and internal issues that are relevant to its purpose and its strategic direction, and that affects its ability to achieve the intended results of its management system.

The organisation shall monitor and review information about these external issues.”

There are also 3 additional notes:

#1: Issues can include positive and negative factors or conditions

#2: Understanding the external context can be facilitated by considering issues arriving from legal, technological, competitive, market, cultural, ect

3#: Understanding the internal context can be facilitated by considering Issues related to values, culture, knowledge and performance of the organisation.

So, there’s a lot to consider!

[08:10] How SWOT and PESTLE address Context of the Organisation – Taking a look at SWOT, strengths and weaknesses would refer to factors internal to your organisation, while the opportunities and threats would be external.

Depending on the focus of your management system, you may also want to complete this exercise through a certain lens. That could be information security, health & safety or environmental.

The Standard requires you to align your management system with the strategic direction of the organisation, so even if you are viewing this exercise through a certain lens, don’t do so in complete isolation.

[09:55] How to conduct a SWOT and PESTLE – The people involved in completing this exercise are important, not just the questions you ask.

Senior management should be included as they will have key insight to the strategic direction of the business.

You should also include operational managers or other functional managers as they will have more context for how things actually work in practice.

The point of a SWOT and PESTLE is to ascertain where you stand in terms of your risks and opportunities, and issues relating to resources, people, information, process, technology, equipment, laws, markets, environment, finance, economy ect from both an internal and external lens.

This will give you a solid foundation to build your management system on, which will ultimately help you achieve your intended outcomes and lead to a cycle of continual improvement.

[11:55] Considerations for Strengths – Strengths is an internal factor. Questions you could ask include:

·      What do we control through good processes?

·      What are we known for?

·      What does our marketplace and competitors say about us?

·      What are we good at?

·      What assets do we have?

·      What resources and knowledge do we have readily available?

·      What's the strength in our products and in the processes for delivering those products and the people that run those processes and deliver those products, their skills, their knowledge, their strengths, their weaknesses and their expertise?

·      What areas in our organisation are already at a high standard and don't necessarily need improvement?

·      Do we have objectives and targets that we measure against, i.e. KPIs, metrics, success factors and service level agreements, that demonstrate we're good?

[13:10] Considerations for Weaknesses – Weakness is another internal factor, one that you have to be brutally honest conducting. Questions you could ask include:

·      What could you improve?

·      Where is money being spent poorly, or being lost?

·      What do your competitors do better than you?

·      What resources / knowledge / people / expertise do you lack?

·      What processes do you lack?

·      Where can your products or services be improved?

·      What are the constraints on your ability to meet changes in market need or demand?

·      What does your customer feedback look like?

·      Do your suppliers meet your requirements or the requirements of your clients?

[14:45] Considerations for Opportunities – Opportunities are considered an external factor. Questions you could ask include:

·      What new opportunities are available in your market?

·      What data do you have available on market trends, and how can you leverage that?

·      How changes in compliance requirements in your specific industry or your locality might provide you with opportunity to gain an edge?

·      What are past identified opportunities that we’ve not acted on?

·      What is the competition not taking advantage of that you could?

·      How can you increase customer satisfaction based on both positive and negative feedback received?

[16:00] Considerations for Threats – Threats are also considered an external factor, they are obstacles for you achieving your goals. Questions you could ask include:

·      What new environmental effects may affect you? Note: there is a new climate change amendment added to many commonly adopted ISO Standards, so this is something you will need to address.

·      What competitors are a threat to you?

·      Are other competitors taking advantage of markets that you have not accessed?

·      Why might competitors be getting ahead?

·      Are the habits of customers changing, and if so, how?

·      Are there other interested parties other than customers who present obstacles to you?

·      Are there any foreseeable resource issues? i.e. loss of experienced staff, lack of relevant talent in the pool of available people ect

·      Are you adapting to changes in the world?

[16:00] PESTLE: Addressing political factors – When you’re looking at political factors affecting your intended outcomes, consider the following:

·      What is happening politically in your environment? - That could be international or local on scale

·      What is the impact of policy or tax?

·      What is the impacts of employment trends / trade restrictions / tariffs?

·      What is the impact of unemployment rates on your organisation?

·      What is the impact of workforce shortages that may affect you?

·      Is there any form of Government intervention in your specific market?

·      Would this government intervention be considered an opportunity or threat? i.e. offering grants

[19:20] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[21:25] PESTLE: Addressing economic factors – When you’re looking at economic factors affecting your intended outcomes, consider the following:

·      What is the impact of interest rates / exchange rates / inflation?

·      What is economic policy doing to you and your industry and your clients?

·      What are the impacts on wage rates / minimum wage changes /affordable living cost of living?

[21:50] PESTLE: Addressing social factors – When you’re looking at social factors affecting your intended outcomes, consider the following:

·      What's the impact of changes in the cultural landscape?

·      What’s the impact of the expectation of people?

·      What’s the impact on working people’s lives and what their expectations are for working life in general? i.e. working hours and career aspirations

·      What is the and the emphasis on ethics, safety, Environmental Protection and data privacy for your clients / workforce / suppliers?

[22:50] PESTLE: Addressing technology factors – When you’re looking at technological factors affecting your intended outcomes, consider the following:

·      What is happening technology wise which impacts on what you do?

·      How does this affect the equipment you use? i.e. automation, the age of your equipment ect

·      What's the impact of emerging technology?

·      How you decide on the costs and benefits of investing in new technology?

·      How do you use your website / blogs / social media to interact with your marketplace?

·      Have you got intellectual property you need to protect? i.e copyright pins that need consideration.

[23:40] PESTLE: Addressing legal factors – When you’re looking at legal factors affecting your intended outcomes, consider the following:

·      How does the law affect how you do business? i.e company law, health & safety law, HR law, trade law?

·      What changes in legislation have occurred recently that you need to have considered?

·      How do you horizon scan for changes in legislation that affect you in your market?

·      What's the impact on employment on imports, exports, labour departments?

·      Have you considered other compliance obligations, such as certification to certain standards?

[24:50] PESTLE: Addressing environmental factors – When you’re looking at environmental factors affecting your intended outcomes, consider the following:

·      How do environmental aspects impact you, and how does the way you operate affect the environment? This includes consideration for air, water, land, natural resources, flora, fauna.

·      How do changes in the energy and utilities markets affect you?

·      How does your organisation fit in with any carbon reduction targets that your Government may have in place?

·      Are you required to create a carbon reduction plan?

·      Do you need to comply with certain environmental reporting requirements? i.e. here in the UK we have schemes like ESOS and SECR

[24:50] PESTLE: Addressing ethical factors – This one is optional, but many are choosing to include it as part of their PESTLE now. When you’re looking at ethical factors affecting your intended outcomes, consider the following:

·      How do you stay on the right side of the law with respect to the use of money?

·      Have you considered human rights / labour / children in the workforce / slavery / health & safety and well-being of local populations?

·      What charitable contributions do you make as an organisation?

[27:15] Assigning significance  – The next part of a SWOT and PESTLE requires you to assign significance to the various factors affecting your organisation.

So, make sure you document every factor and how those factors affect your ability to achieve what you intend. Ensure that this all remains in alignment with the strategic direction of the business, as ultimately, you want your Management System to help drive those goals forward.

[30:25] Frequency of a SWOT and PESTLE: This isn’t just a one-off exercise. You should be continually monitoring these internal and external factors, and only updating the exercise during a management review meeting will do you a disservice.

This is an ever-changing world, it’s the one in which you operate, and you need to ensure you’re keeping up with it.

You could look at various factors in monthly or even weekly meeting with the appropriate parties, and see if circumstances have changed.

[31:25] Examples of why you should continually update your SWOT and PESTLE: Ian recounts an experience he had with a client where they had failed to disclose where they had switched to a digital system for competence related documentation, but it had not met their needs and so they needed to return to manual documentation.

This switch made finding the required documentation for internal audits difficult. None of this was recorded in their SWOT and PESTLE.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

The Energy Savings Opportunity Scheme (ESOS) is a legal requirement for organisations of a certain size or value. The scheme is designed to make companies look at how they use energy with a view to improving performance.  If your organisation qualifies for ESOS, you have until December 5^th to comply or complete your phase 3 reporting.

Over the last few episodes we’ve explored two routes to compliance: Energy Audits and ISO 50001. As we explained, ISO 50001 goes above and beyond ESOS requirements and ensures you don’t have to gather an evidence pack every four years to prove compliance.

However, there are many more benefits to ISO 50001 than just it’s compliance with ESOS requirements. Join Mel this week as she dives into the other benefits ISO 50001, including real world examples from some global brand names.

You’ll learn

●      Why Implement ISO 50001?

●      What are the benefits of ISO 50001?

●      Who has found success with ISO 50001?

Resources

·       ESOS

·       ISO 50001

In this episode, we talk about:

[00:35] Watch our previous episodes to learn more about Energy Audits and ISO 50001

[01:41] Benefit #1: Cost savings – By Improving your energy efficiency and reducing energy consumption, you can save a startling amount. ISO 50001 helps you to put a system in place that will allow optimisation of your energy usage.   

[02:20] Benefit #2: Compliance – ISO 50001 can help you comply with the likes of ESOS and SECR. Carbon reporting and legal requirements in relation to it are global, any countries lagging behind on these requirements will soon adopt or create their own in response to the limited time we have left to reduce the effects of the climate crisis.

[02:45] Benefit #3: Reduce your environmental Impact – By reducing energy usage and switching to more energy efficient means, you will reduce your carbon emissions. ISO 50001 also acts as a complementary tool to ISO 14001 (Environmental Management) that many already have in place.  

[03:10] Benefit #4: A coordinated approach  – Companies, especially large ones, may have multiple systems in place to manage energy. ISO 50001 helps to create a universal framework that can be applied to a whole business.

[03:25] Benefit #5: External Incentives -  There may be external benefits that can be gained by proving that you are taking steps to reduce your environmental impact. This could include tax benefits, insurance ect

[04:25] Benefit #6 Informed funding – There is a lot of funding out there to help companies with new green technology. Having ISO 50001 in place will give you a consistent overview of your energy usage, so you’ll be able to make informed funding choices based on where more savings can be made in terms of emissions and general costs.

[04:55] Benefit #7 Track Objectives – ISO 50001 can help you set Objectives and then set policies and procedures to help make those a reality. Those familiar with ISO Standards will know that it’s all about continual Improvement, so you’ll always be making progress. 

[05:30] Benefit #8 Credibility – ISO 50001 is an internationally recognised Standard, and is a mark of your credibility. This can be used in marketing materials, displayed on your website, used in Case Studies ect.   

[06:35] You don’t have to be a large brand or organisation to Implement ISO 50001. It can be implemented for a business of any size where energy is a significant environmental Impact.

[07:05] Hilton’s success with ISO 50001:  One of the world’s largest hotel chains, Hilton was the first global hospitality company to achieve portfolio-wide certification to ISO 50001. The savings have been significant, reducing Hilton’s energy intensity by 20.6% and its carbon intensity by 30.0% from a 2008 baseline.

[07:55] Bentley’s success with ISO 50001: Reduced energy usage by two-thirds for each car produced and by 14% overall for the entire plant, delivering savings of 230 GWh of energy – enough to power 11,500 houses for a year!

[09:37] Hitachi’s success with ISO 50001: Following the Japanese earthquake disaster in 2011, Hitachi decided to introduce “the smart next-generation factory plan”. Following implementation of ISO 50001, the plant reduced 23 % of the contract electricity, 15 % of CO2 emissions and 5 million yen/month of electricity costs.

[10:12] Toyota’s success with ISO 50001: Implementation of ISO 50001 resulted in a reduction in electricity usage which has translated into cost-savings of more than R4.8 million (Over £210,000!) over a two-year period. The company also generated energy savings of GWh 8.15 across its 14 plants, and reduced its GHG emissions by 7,804 tons.

[10:50] Schneider Electric’s success with ISO 50001: The company adopted ISO 50001 certification in order to maximise energy performance. Following the certification, the business’ energy performance increased by 10.5%, with savings totaling £26,500 over 3 years.

[12:15] Want more info on ISO 50001? – Head on over to the isologyhub to get access to a wealth of ISO 50001, and energy management tools

For those interested in ISO 50001, we’re offering  a free copy of the Standard to anyone who signs up for Implementation with us before the 16^th June.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

This episode is Part 6 of our 7-part mini-series explaining our Carbonology service, a 7 step methodology to help companies become Carbon Neutral.

This time, our resident Carbonologist David Algar is talking through the sixth step of the Carbonology process, ‘Offset’.

David explains what companies can do to offset emissions, how offsetting works in relation to PAS 2060, and the importance of picking the right Offset provider.

You’ll learn

• Different types of Offsetting.
• How Offsetting works in relation to PAS 2060.
• How long Carbon Offsetting Credits last.
• What to consider before buying an Offset.
• The importance of picking the right Offset provider.

Resources

• UK Woodland Carbon Code
• United Nations Offset Platform
• The Gold Standard
• Greenhouse Gas Protocol
• ISOlogy Hub
• Blackmores

In this episode, we talk about:

[01:43] The five steps before you go down the route of Offsetting.

[02:12] Why Offsetting is a controversial topic.

[03:03] How Offsetting works in PAS 2060.

[03:41] What Offsetting is and how Carbon Credits work.

[04:59] Credible Offsetting schemes in the UK.

[07:58] Key considerations you need to consider when buying a Carbon Offset.

[10:48] How PAS 2060 helps companies prove they really are carbon neutral.

[12:20] How Carbonologists help their clients know which schemes meet the requirements of PAS 2060 and which don’t.

If you need assistance with implementing ISO 14064, PAS 2060, or another standard – Contact us!

If you’d like to book a free consultation with our Carbonologist, David Algar, feel free to book a slot Here.

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

The UK is the first major economy to achieve it’s 50% reduction target for Greenhouse Gas Emissions (between 1990 and 2022). However, we’ve still got a lot of work to do to reach our 2023 target of a 68% reduction.

Many businesses are already making great strides to reduce their Impact, and while you can reduce, achieving true carbon neutrality will involve offsetting a certain amount of emissions.

One of the biggest challenges for businesses in terms of completing their offsetting is finding a credible carbon offsetting scheme.

Mel is joined by Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature-based solutions for carbon offsetting.

You’ll learn

·      Who are Nature Broking?

·      What is Natural Capital?

·      How can we restore nature at scale?

·      Financing transition regenerative agriculture through the sale of natural capital

·      How have Nature Broking worked with clients to complete their carbon offsetting?

·      How can you demonstrate a credible carbon offsetting scheme?

·      What projects are Nature Broking currently working on?

Resources

·      Nature Broking

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature based solutions for carbon offsetting and explore some of the wonderful projects Nature Broking have been involved with.

[04:10] What is natural capital?  – Natural capital is the idea of creating value from nature. What natural capital does is, it encompasses all the things that we get from nature that we rely on. That could be the shelter in your house all the way through to carbon offsets.

[04:55] Who are Nature Broking? – Nature Broking’s story starts off on a somber note. Sadly, Luke lost one of his friends in a mountaineering accident, and in his memory, Luke and another friend rewilded one acre of Scottish Borders Woodlands. This is something they make a point to visit every year, to pay tribute and to keep their living, breathing monument of his friends memory alive and well.

The experience was an eye opening one. For as lovely as the process was, it was incredibly expensive, and not very easy to do. Luke then realised that philanthropy alone wasn't going to be able to cover the costs of what we required to restore nature.

Looking into the matter further he found that 50% of the world's GDP is moderately or highly dependent on nature and that the UK, whilst green and beautiful, sits in the bottom 10%.

And so, an idea was sparked. Together his friend and Co-founder Andy started down the nature restoration path and created Nature Broking.

[06:20] What is Nature Broking’s mission?: Nature Broking have 2 major missions:

#1: Help restore nature at scale

#2: Help finance a transition to regenerative agriculture

[06:34] How can we restore nature at scale?  – The UK Government has set targets of halting nature decline by 2030, with a view to increase nature by 2045.

The Green Finance Institute has calculated that there is a funding gap of about 56 billion in order for us to achieve our legally binding environmental targets. That’s a hefty sum to put on public money and philanthropy, which is where private markets and business can make a big impact.

Frameworks like PAS 2060 (ISO 14068) help businesses invest in nature, and with the creation of carbon credits, carbon has been commodified to make it more accessible for businesses to contribute to carbon offsetting.

[08:20] How can we help finance transition regenerative agriculture through the sale of natural capital? – Regenerative agriculture is about restoring the soils, restoring nature back to its original level.

Modern farming techniques, while fruitful, use tools such as fertilisers and mechanised farming that have damaged the soils biome. That’s going to take time and a concerted effort to fix.

Now obviously, we can’t just stop farming, we need food, so not all land can go back to nature. Currently, 70% of the UK is farmed, so the agricultural sector will play a big part in being more regenerative.

However, the current incentives aren’t great, so there’s a lot of work that needs to be done in terms of financing the mechanisms behind it, i.e. funding and subsidies ect. One way we could do this is by ulitilising the carbon markets, as regenerative agriculture can lead to significant carbon sequestration.

[12:20] How do Nature Broking work with clients? – They make sure to work within the bounds of the business itself, as every business is different..

They don’t do off the shelf solutions, preferring to work closely with their clients and help them to really spend time in nature at the place where their carbon credits are being implemented. It’s ultimately about education on the different solutions available, including asking important questions like:

·      What impact do you want to have?

·      What are the challenges with each solution?

·      What do you need to watch out for?

Each solution is tailored to your business. So, if you’d prefer to work in woodland restoration over regenerative agriculture, then Nature Broking would be happy to work with you to achieve that.

Carbon credits include their own set of challenges, one of the main ones being that science changes, so the solutions offered through carbon credits will also change. It may be a case of purchasing credits that tackle different solutions over a large area rather than pooling them all into planting trees for example. Nature Broking are here to help advise and facilitate this.

[15:30] Join the isologyhub – Don’t miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub

[17:45] How can Nature Broking demonstrate credible carbon offsetting? – Nature Broking are at their heart transparent with how they operate. By taking clients to see the actual physical results of their carbon credits, they can educate and help others form a genuine connection to nature. They want clients to truly understand the full impact of their efforts.

 The second element is due diligence, which can be displayed by utilising one of the many carbon related frameworks now available, such as B Corp and Sylvera. Though these don’t always work within a UK setting, so Nature Broking are working towards creating frameworks that do fit within the overall market view.

Lastly, they ensure that the standard they’re using is of high integrity, using frameworks such as the Integrity Council for the voluntary market, which analyses different standards. The 2nd is understanding the quality of the project developer, so looking at their technical expertise, looking at their financial ratings, and then evaluating the individual project itself in terms of potential risks.

[21:50] What are some of the projects that Nature Broking are currently working on? – A broad view of what’s available in terms of schemes include:

·      The Woodland Carbon Code

·      The Peatland Carbon Code – This is run by the IUCN, which is the International Council for the Conservation of Nature.

They are both defined and funded by DEFRA. These are some of the first carbon codes to move into the UK, however there is a lack of available carbon credits, which should change in future.

Other’s include:

·      Wilder Carbon – A carbon code focused on rewilding, run by The Wildlife Trust.

·      Carbon Code of Conduct - A regenerative agriculture code, so it focuses on analysing the full sequestration and full emissions potential of a whole landholding.

[25:00] Carbon Credits in practice – There’s a current project called Bank Farm in Kent, which is being used as a test site for regenerative agriculture. This includes the likes of agroforestry, which is where you integrate trees into fields which provide shade for animals and store carbon. So, you’re not removing those fields from production, simply adapting them to be more sustainable.

They’re also practicing mob grazing, which is all about using herbivores to maxmise the amount of carbon stored in the soil. You can do this by moving, say cows for example, around a field to graze quickly on small areas before moving them on.

[27:05] Mel’s conclusion – There’s a huge opportunity in the management of agriculture that can be utilised within carbon credit schemes. In addition to helping our economy by creating new jobs within this new approach to tackling emissions and storing carbon. Hopefully we’ll see larger corporations investing in these sorts of schemes both here in the UK and abroad.

If You’d like to learn more about Nature Broking and their solutions, check out their website.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

This episode is Part 5 of our 7-part mini-series explaining our Carbonology service, a 7 step methodology to help companies become Carbon Neutral.

This time, our resident Carbonologist David Algar is talking through the fifth step of the Carbonology process, ‘Re-quantify’.

David explains why it’s important to recalculate your emissions after measures have been put in place from the Reduce stage, what to do if you're not hitting your targets, and how the ‘Re-quantification’ stage can help your public image.

You’ll learn

• What ‘Re-quantification’ is.
• Why ‘Re-quantification’ is so important.
• Ways to identify how specific areas of your business have performed.
• What to do if you’re not hitting targets.
• How to follow a carbon reduction plan while in a state of growth.
• How the ‘Re-quantification’ stage can help your public image.

Resources

• isology Hub
• Blackmores

In this episode, we talk about:

[01:05] The seven steps of carbonology.

[01:32] Why it’s so important to ‘re-quantify’.

[02:31] The real purpose of the ‘re-quantification’ stage.

[05:16] How to feel if you’re not hitting your targets.

[05:50] The importance of consistency, accuracy, and transparency in ISO 14064 and PAS 2060.

[07:20] How to follow a carbon reduction plan while in a state of growth.

[08:34] The key outcomes and deliverables in your ‘Re-quantification’ stage.

[09:30] Our free carbon neutral checklist.

Download your free Carbonology Checklist here

If you need assistance with implementing ISO 14064, PAS 2060, or another standard – Contact us!

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud

Data Centres could be considered the powerhouse of thousands of businesses globally. 

Long gone are the days of small physical servers being housed on-site, instead we rely on data centres to keep all our critical data safe and secure. But how do we know they are doing just that?

Many hold certifications to security-based Standards such as SOC 2 or NIST to display their commitment to data security. However, many also hold various ISO certifications that cover other aspects of the business outside of information security.

Today Steph Churchman, Communications Manager at Blackmores, will be sharing the top ISO Standard trends within the UK Data Centre industry.

You’ll learn

·      Why did we look into the Data Centre industry specifically?

·      What are the top 5 ISO Standard Trends in Data Centres?

·      Why are these ISO Standards essential for Data Centres?

·      Other commonly adopted ISO Standards within the data centre space

Resources

·      Isologyhub

·      ISO 27001:2022 Transition Gameplan

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:25] Episode summary: We’ll be taking a look at the top ISO Standard Trends within the UK Data Centre Industry

[02:30] Why did we look into the Data Centre industry specifically? – In the mid 2010’s, we noticed an influx in enquiries from Data Centres in regard to Implementation of ISO Standards. That prompted a research project that led to Blackmores working with some of the top UK Data Centres.

Now in 2023 and 2024 we’re starting to see a similar push for ISO Standards within the same industry. So, we revived the project to get a grasp on the modern ISO landscape, and took a look at the top 100 Data Centres within the UK.

[03:34] #1: ISO 27001 Information Security – Out of the 100 data centres sampled 72% of them were certified to ISO 27001.

Security is of upmost importance to data centres, and the great thing about ISO 27001 is that it considers security for not only the digital environment, but also for people and physical security.

This Standard is also, in most cases, a stakeholder requirement. Certification to ISO 27001 indicates that you’re adhering to best practice in information security, and through the creation of an ISO 27001 compliant Management system, you will have documentation in place such as an information security policy and data retention policy, that often get requested by potential clients.

If you’d like to learn more about the Implementation process for ISO 27001, we’ve got a helpful 3-part podcast series that summarises the entire process from Gap Analysis to Assessment preparation.

anyone currently certified to ISO 27001:2013 that you have just over 1 more year to complete your transition to ISO 27001:2022. If you don’t do so by October 31st 2025, you’ll risk losing your ISO 27001 certification.

That’s not the only reason you should be transitioning though. The new version of the Standard includes 11 new controls, which cover some newer technologies which really weren’t around when the 2013 version was published. So regardless of the risk of losing your certification, it’s in your best interest to ensure that you’re adhering to the latest version.

If this is all news to you, then you can also go back and check out episodes 128 through to 133. This was a little mini-series we did to summarise the key changes to ISO 27001 and what actions you need to take to transition. We also have a Transition Gameplan available on the isologyhub if you’d like a more guided approach, including document templates and training videos covering those new controls.

[06:25] #2: ISO 9001 Quality Management – The Quality Management Standard is as popular as ever, even within the data centre space, with 51% of the 100 sampled data centres being certified.

ISO 9001 is considered the leading ‘Quality mark’ for businesses and is often the starting point for many diving into the world of ISO implementation. ISO 9001 creates a well-rounded base Management system to help you manage your risks and opportunities, as well as ensuring you drive a culture of continual Improvement. Its guidance can help you establish your core policies, processes and procedures to ensure everyone is singing from the same song sheet.

The fact that this one is popular among data centres isn’t too much of a surprise, it’s a universally adopted Standard that isn’t limited by industry or organisational size. Currently, there are over 1 million ISO 9001 certificates issued worldwide, and that trend shows no signs of slowing down.

[08:25] #3 ISO 14001 Environmental Management  – A surprising 25% of the sampled data centres were certified to ISO 14001.

From an objective point of view, it makes sense for data centres to consider their environmental footprint. But a lot of that would fall under energy usage rather than just general environmental management, so this likely means it’s mainly driven by stakeholder requirements.

ISO 14001 is being requested more and more for the likes of large Government contracts, so If you want a chance at bidding for these, ISO 14001 is a must.

Now don’t get me wrong, I’m sure a lot of data centres have implemented this Standard in an earnest effort to monitor and measure their impact holistically. After all ISO 14001 asks businesses to consider how they can prevent environmental impacts such as pollution and degradation of nature. And the additional guidance provides some helpful starting points for those that may not be sure where to start, for example making commitments to recycling, protection of biodiversity and climate change mitigation.

For data centres specifically, this may come into effect when we think of the amount of electronic waste that they could potentially produce. Obviously, this can’t just be thrown out in a standard green lidded bin, it’ll need to be taken to a dedicated electronic waste facility for processing, disposal and recycling. Racking, shelving and cables will all also need to be replaced at some point, and it’s up to each data centre to ensure they have the appropriate processes and policies to ensure this is done correctly and more importantly legally, which again, is where ISO 14001 can help put those frameworks in place.

[10:30] Join the isologyhub and get access to limitless ISO resources  – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[12:45] #4: ISO 50001 Energy Management – With just 13% of the 100 sampled data centres certified! This one is a shocker because, typically, data centres highest cost is in relation to their energy usage. They require enormous amounts of energy to keep their facilities running and to cool down their equipment 24/7. Which I imagine they’d be quite keen to reduce if only to save on running costs.

This is where ISO 50001 can come in, to help create a structured approach to effectively monitor that energy usage, so you can identify key trends and opportunities to reduce overall energy consumption, which in turn will save a lot of money.

With a healthier proportion being certified to ISO 14001, it seems a shame that so many are missing out on the additional benefits that ISO 50001 can bring, especially when it can very easily be integrated with ISO 14001. In fact, if you’re already certified to ISO 14001, then you’ve already done half the work to implement ISO 50001. Both frameworks are based on that Annex SL format, and both have a lot in common in terms of what documentation is required.

It can also help with compliance with some UK and EU based energy initiatives. For example, here in the UK we have ESOS (The Energy Savings Opportunities Scheme) which applies to large organisations that fit within its criteria. They’re usually required to provide a report once every 4 years, however as of 2023, Phase 3 now requires organisations to provide an Energy Action Plan which details what actions they plan to take to reduce their energy consumption.

There are likely a few data centres that would fall into ESOS’s criteria, and if you’re sick of going through the ESOS song and dance every few years, then ISO 50001 may be the answer for you, as being certified means that you’re going above and beyond ESOS’s requirements and will be considered compliant. Meaning no more pesky reporting, or having to locate an ESOS assessor to sign off on those reports.

[15:10] #5 ISO 22301 Business Continuity Management – With 12% of the 100 sampled data centres being certified.

ISO 22301 is the Standard for Business Continuity, and provides a basis for planning to ensure your long-term survivability following a disruptive event.

That 12% may not be truly reflective of all the data centres that have business continuity plans in place however, as according to a recent Business Continuity institute survey, 56% of surveyed businesses use ISO 22301 as a framework but aren’t certified to it.

There will be a fair few data centres in our sample list that fall under that category.

Why should this Standard be a priority for Data Centres? Well, the answer should be simple, if a disaster were to knock out a data centre, that has a massive knock-on effect. Many house servers used by hundreds if not thousands of businesses and users. If they’re unable to provide services, that will in-turn cause multiple other businesses to grind to a halt.

The true cause of failures at data centres can be many things such as hardware failure, human error or a disaster such as flooding or fires. However, the advantage of utilising ISO 22301 is the ability to be able to effectively deal with these incidents and restore services, which is essential for an industry which is quite literally the powerhouse for millions of other business and people.

If you fail to plan, you plan to fail

Having a robust business continuity plan should be a top priority for any business, especially data centres, seeing as so many rely on them to keep their own services running. Even if you don’t want to go through the full certification process, it’s worth grabbing a copy of the Standard, as it provides a lot of helpful guidance.

If you’d like to learn more about ISO 22301 in general, go back and check out episode 42 where we go over the Standard in more detail and it’s many benefits.

[17:45] Runner up: ISO 20000 Service Management – Saw 11% of our sample data centres certified to this Standard.

This actually used to be known specifically as the IT Service Management Standard, so that probably clues you into why this would be adopted by many with in tech spaces. However, it truly is applicable to any business offering services.

The aim of ISO 20000 is to provide a framework for an effective end-to-end service management system which encompasses the entire lifecycle of a service from concept and design, through to service removal and end-of-life.

[18:55] Runner up: ISO 27017 information security controls for cloud services – With just 5% of our sampled Data Centres certified.

This one is fairly self explanatory in it’s relation to data centres, which operate solely on cloud based services.

This Standard was introduced after the 2013 version of ISO 27001 was published, as the main standard didn’t really address cloud security controls specifically. Mostly because cloud computing and its related security weren’t as widely adopted as they are now. So ISO 27017 was created to try and bridge those gaps.

In the latest 2022 version of ISO 27001, there’s now a new control for cloud security. So, we may see less interest in ISO 27017 certification going forward.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

After 5 years of hosting the ISO Show, Mel Blackmore will be taking a step back as she focuses on her sustainability related endeavors.

She’s passing the baton onto our new host – Ian Battersby. Ian is a Senior isologist at Blackmores, and while relatively new to the team, he has a wealth of Standard and ISO related knowledge to share with you all.

Today we Introduce Ian Battersby as the new host for the ISO Show and learn about his background in Standards and ISO.    

You’ll learn

·      Taking a step back

·      Introduction to Steph Churchman

·      Introduction to Ian Battersby

·      What Standards has Ian worked with?

·      What Sectors has Ian worked in?

Resources

·      Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: After 5 years of the ISO Show, Mel Blackmore is handing the hosting baton over to Ian Battersby   

[02:25] Interim host – Ian will be the main host going forward, but there will be additions from Blackmores’ Communication Manager – Steph Churchman.

You may recognise her from recent episode such as:

·      Top 10 Reasons to use ISO 42001 AI Management

·      Top ISO Standard Trends in the Data Centre Industry

Steph will be sharing findings from our own research, standards updates and conducting interviews with our isologists.

[03:35] An Introduction to Ian Battersby – Ian has been working for Blackmores since August 2023. Although he is meant to be part-time, he’s had a very busy first few months here!

Ian began working in British Aerospace, specifically manufacturing, in 1984. He later decided to return to university to study electrical and electronic engineering, which was promptly dropped.

His return to BAE lasted a few years before he moved onto the civil service for the Department of Health, working with them to conduct safety investigations and helped to create a broader risk profile.

When he moved to work with the NHS, firstly, with the litigation authority setting up governance and risk standards and then as a risk manager.

Surprisingly, after moving up a few levels, he decided to move onto run a restaurant! A Curry House to be specific, but after a year of rather stressful work that ended up costing a lot more than expected, he returned to work within the construction industry which is where he became more involved with ISO Standards.

From there he went onto work in manufacturing of high pressure pumps for a while before moving onto an organisation who rant he estate for the Department of Work and Pensions.

In the end, Ian left them due to being unable to live the life he wanted to live.

[05:15] What Standards has Ian worked with? – He started with ISO 9001, ISO 14001 and OHSAS 18001 (now ISO 45001).

[06:00] Digital Nomad – Ian currently splits his time between Leeds in the UK and Malaga in Spain.

Having a lot of experience working remotely in previous industries, this leap didn’t impede on his work in any way.

[07:15] What other Standards has Ian worked with? – He has assisted with ISO 44001 (Collaborative Business Management), but admittedly it was not his favorite ISO Standard to work with. It’s one of the rare instances in ISO where the Standard doesn’t quite align with others.

[08:00] What Sectors has Ian worked in – Ian’s extensive work history has afforded him the opportunity to work in a number of sectors, including:

·      Construction and Fit out

·      Manufacturing

·      Estate Management

·      Private enterprise

·      Healthcare / NHS

·      Facilities

With this list growing at a rapid pace since his introduction at Blackmores!

[09:45] What’s a big challenge that Ian’s had to overcome in the past? – In terms of ISO, it has to be Leadership. Ian’s found that to always be an issue within businesses attempting to implement ISO Standards.

A good looking Management System will only go so far without leadership commitment.

While working in facilitating Standards for an organisation, you won’t be implementing the whole system yourself. It’s more a case of delivering through others, the organisation controls and delivers their own processes and improvements, and so it’s imperative that Leadership are also embedding and encouraging these actions.

Ian will be going more in-depth on this topic in a future episode.

If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.

We’d love to hear your views and comments about the ISO Show, here’s how:

●     Share the ISO Show on Twitter or Linkedin

●     Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Happy New Year! We at Blackmores hope you all managed to have a break over the holiday season and are gearing up for many challenges and successes in 2023.

As a reminder, we signed off last year by highlighting the top 5 podcasts as dictated by you, the listeners.

Before we dive into a brand-new year full of top tips, expert advice with industry leaders and client interviews, we’d like to take a step back and let the host share her reflections on 2022.

Join Mel as she shares her personal top 5 ISO Show episodes from last year.   

You’ll learn

• What are Mel’s top 5 episodes of 2022?

Resources

• ISO Show Archive
• Isologyhub

In this episode, we talk about:

[00:30] A reminder to listen to our last podcast, covering the top 5 podcasts as dictated by the listeners.

[01:21] #1 Episode 102 – What’s in a name? This episode features our Senior Isologist, Sarah Ball, as she explains the importance of giving a meaningful name to your Management System. 

[03:40] What’s in a Name snippet – Full episode available in the ISO Show Archive   

[08:01] #2 Episode 94 – The 7 Steps of Carbonology_ Reduce – Part 4 of the 7 Steps of Carbonology series, featuring our Carbonologist, David Algar. This episode delves into the creation and communication of a carbon reduction plan, and the benefits of reducing your footprint rather then relying on offsetting alone.

[10:14] The 7 Steps of Carbonology - Reduce snippet – Full episode available in the ISO Show Archive   

[16:48] #3: Episode 117 PMC’s journey and ongoing success with ISO 27001– This is an interview with Philip Bailey, the Managed Services Director at PMC Retail, talking about their ISO 27001 journey. Philip shares his lessons learned and gives some top tips for anyone considering implementing the Information Security Standard  

[17:58] PMC’s journey and ongoing success with ISO 27001 snippet – Full episode available in the ISO Show Archive 

[24:00] #4: Episode 100 How to get the most out of your Management Review – Featuring Rachel Churchman, Managing Consultant here at Blackmores, this episode explores how added value can be gained from doing a Management Review. Mel and Rachel discuss various ways you can conduct a Management Review and what should be your key inputs and outputs.   

[26:14] How to get the most out of your Management Review snippet – Full episode available in the ISO Show Archive   

[30:41] #5: Episode 108 How to align your Management System with the Sustainable Development Goals– Following on from the Sustainable Development Goals summary episodes, Mel shares how you can align your Management System right now without the need for any ISO certification.  

[32:37] How to align your Management System with the Sustainable Development Goals snippet – Full episode available in the ISO Show Archive 

We look forward to bringing you even more amazing content in 2023, so stay tuned! 😊

We’d love to hear your views and comments about the ISO Show, here’s how:

• Share the ISO Show on Twitter or Linkedin
• Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Often seen as the poor cousin to ISO 9001, ISO 20000 Service Management largely gets ignored in favor of the more popular Quality Management Standard.

To be fair, it’s title may have done it a disservice in the past. Being known as the IT Service Management Standard prior to 2018, it was often perceived as only applicable to IT service providers, when in actuality it could be adopted by any business!

So, what is ISO 20000 exactly? The aim of the standard is to provide a framework for an effective end-to-end service management system which encompasses the entire lifecycle of a service from concept and design, through to service removal and end-of-life.

It’s best adopted by businesses who provide a service, particularly those that operate a help / service desk system.

In this weeks’ episode, Steve Mason joins Mel to discuss what ISO 20000 is, who can use and benefit from the Standard and how it fits in with other more widely adopted ISO Standards.

You’ll learn

●      What is ISO 20000?

●      Who is ISO 20000 designed for?

●      What are the benefits of ISO 20000?

●      A brief overview of the Standard

●      How ISO 20000 integrates with other ISO Standards

Resources

●      isologyhub

●      ISO 20000

In this episode, we talk about:

[00:50] Why are we talking about this Standard? We’ve had a lot of interest in a few of our informative videos available on YouTube over the past year, with ISO 20000 content constantly ranking in our top 5 most watched videos every month.

[01:00]  ISO 20000-1 was previously known as the ‘IT Service Management Standard’, but since it’s most recent update in 2018, it’s simply known as the ‘Service Management Standard’ now.

[03:10] Why is ISO 20000 one of Steve’s favourite Standards? – It takes some of the aspects of quality a step further and actually gives you much clearer detail on how you can improve your management systems. So, if you've got a Service Management System in any way, shape or form, this is the standard to go.

It's also one of the easiest standards to audit because there's some very simple questions to ask that can highlight some very obvious weaknesses. This can lead to significant improvement when compared to the likes of ISO 9001.

[04:05] What Is ISO 20000? –  ISO20000-1:2018 is a Service Management standard which has evolved from the IT industry and the ITIL Framework for Service Management; but today it can be used in all types of Service Industries particularly where there is a need for a Help Desk / Service Desk system.

Some may ask, isn’t this what ISO 9001 can do? In short, no. ISO 9001 will give you a bare framework of how to create a Quality Management System, but it won't give you the fundamental details of how to improve that Service Management System, and that's where ISO 20000 comes in.

[05:39] Who is ISO 20000 applicable to? – Any business that provides a service, but more specific examples include: IT Service provider, call centres, gas / electricity providers, retail ect.

[07:15] A high level overview of ISO 20000 – This Standard follows the Standard structure that many other ISO Standards follow. The first 3 clauses are all informative, starting from clause 4 we have:

·       4.0 Context of the Organisation

·       5.0 Leadership

·       6.0 Planning

·       7.0 Support of Service Management System

·       8.0 Operation of the Service Management System

·       9.0 Performance Evaluation

·       10.0 Improvement

Clause 8.0 is where ISO 20000 fills in the gaps for other Standards, as it covers topics such as:

·       Service Portfolio

·       Relationship and Agreement

·       Supply and Demand

·       Service Design, Build and Transition

·       Resolution

·       Service Assurance

[08:20] Familiar to some – Those in Service Management may recognise some of those terms, but may not use that exact wording. For example ‘relationships and agreements’ may be more commonly known as Service Level Agreements and Operating Level Agreements – which can be a business critical area for some.

[10:45] What are the benefits of ISO 20000? -  Improve the planning and introduction of services: This standard would help you understand what it is you need to do to introduce that new service, go through the planning, testing through a proper change management system and launch through a release and deployment management system.

SLA’s and OLA’s - Achieve Service Level Agreements (SLAs) and Operating Level Agreements (OLAs) will be achieved consistently month on month.

Reduce Stress - It will help to reduce employee stress as service request, incident and problem queues become manageable. Knowledge articles can be created to document incidents and solutions for future reference.

Improved quality of service through continual improvement gained from Incidents and Problem fixes resulting in both time and financial savings.

[12:30] ISO 20000 to the rescue -  Steve recounts an experience he had at a company that had an outstanding issue ticket queue of 800. With the introduction of elements of ISO 20000, they we able to reduce this ludicrous amount down to 30!

[14:05] A top recommendation -  We’d highly recommend that you consider doing a Gap Analysis against ISO 20000. Even if you have no plans to implement it, you can still benefit from the findings.

[14:40] Further resources -  You can purchase the Standard directly from the ISO website.

We also have a number of short courses covering specific clauses in ISO 20000, available in the isologyhub.

[15:55] How does ISO 20000 fit in with other ISO Standards?-  ISO20000-1:2018 has now been remodelled using the High Level Standard (HLS) framework so that clauses 4 to 7 and 9 to 10 can all be interconnected with only minor differences due to the nature of each standard.

Essentially, if you already have ISO9001:2015 or ISO27001:2013 most of the framework for ISO20000-1:2018 will have already been done; all that would be required is to address the service aspects in those six clause before tackling the main work in clause 8.

[18:20] Business Continuity -  ISO 20000 specifies a section on ‘service continuity management’ which can neatly slot in with ISO 22301 – the Standard for Business Continuity. While ISO 22301 focuses on the bigger picture, the ISO 20000 element focuses on how a service can continue for a customer during an incident or accident occurring.

We’d love to hear your views and comments about the ISO Show, here’s how:

●      Share the ISO Show on Twitter or Linkedin

●      Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes:

Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

One of the most crucial steps to gaining your ISO certification is the completion of a Stage 1 and Stage 2 assessment, conducted by an accredited Certification Body. A quick reminder - your certification doesn’t mean much if you haven’t received certification from an accredited Certification Body – so make sure you do your research!

Businesses going through their final Assessments to gain ISO certification may see any decisions made by Certification Body Assessors as infallible, however there’s still a very human aspect which can lead to some common pitfalls.

Last week we dived into the requirements of ISO 17021 – the Conformity Assessment Standard designed for Certification Bodies, and more specifically the requirements in relation to you as a client.

In this weeks’ episode, Steve Mason joins Mel once again to share some issues raised by Blackmores’ clients against Certification Bodies, and explains the related rules in ISO 17021 which Certification Bodies should abide by.  

You’ll learn

●      What is ISO 17021?