Earlier this week, Infosecurity ran a news story which claimed that thousands of ISO certifications may be at risk as auditors from certification bodies may not have been able to attend organizations’ premises to conduct essential re-certification audits due to COVID-19 lockdowns.
As August would mark the six-month re-certification deadline for those certifications achieved in February this year, this could be the start of a series of suspensions. The issue was raised by InfoSaaS, whose co-founder Peter Rossi claimed that “an average of 2500 UK certifications per month could be at risk of lapsing due to the break in audit activities” and this could lead to an unwanted decline in standards.
As a result of running this news, Infosecurity received a number of emails from people claiming that the issue was not as significant as had been claimed. In the original press release, InfoSaaS cited current UKAS guidelines, which were issued in August 2016 and had not been changed, which state: “If [a] re-certification assessment cannot be undertaken within six months [of the anniversary of the certificate being issued] the certificate should be suspended, and a new initial assessment will be required.”
However, Brian Honan, CEO of BH Consulting, said he had not seen any reduction in surveillance audits or certification audits among his global client base, and “all the audits have continued on for all our clients by the various certification bodies.”
He did say that the significant change brought about by the pandemic is audits moving from being on-premises to being carried out remotely. “Remote audits bring interesting challenges, particularly around presenting evidence and of course the auditing of the physical domain of the standard,” he explained.
“However, good planning and preparation on behalf of the auditor and those being audited can overcome these issues. Companies that are facing financial challenges and looking at cost savings may be considering letting their certification lapse. However, this step should be taken very carefully as being no longer certified to ISO 27001 may give those outside the organization the impression that the company is less secure than before.”
Also, Arti Lalwani, ISO practice lead at A-LIGN, said those who are embarking on the ISO 27001 certification have been granted a level of leniency, and should not be in danger of lapsing because an auditor hasn’t visited the organization’s premises during the pandemic.
“We are currently working with our clients by using ANAB’s Blending Audit Approach, which per HU 450 allows the use of ICT (Information and Communication Technology – ex. Teleperformance) to audit activities when they cannot be completed in person,” Lalwani said. “Instead, any activities that cannot be completed through ICT can be completed on-site later in 2020, or added to the 2021 audit.”
She commended the accreditation bodies “during these challenging times” who she said are being “as flexible as possible to ensure organizations maintain continual compliance.”
Speaking to Infosecurity, Rossi said he stood by the news release, which highlights “the possibility of valuable, hard-earned ISO certifications lapsing as a consequence of the COVID-19 pandemic, and that is a real possibility.”
He claimed every type of organization – accreditation bodies, certifying bodies and certified organizations – has been vulnerable to the impact of the pandemic, whether through the need to work from home or the impact on staff, while across the various policy documents referenced (including IAF ID3 and TPS62), the maximum, one-time-only extension remains six months.
“Given the disruption factors that affect all parts of the ecosystem, it’s actually implausible to think that every certified organization is going to be in a position to be audited, remote or in person, within the various ‘exceptional circumstances’ windows permitted,” he said.
“Therefore, some certifications will, under current rules, lapse. The only question is the scale of the problem and, frankly, no-one knows yet what that may be. That certification lapses have not occurred at scale yet is not the point: we're barely five months since the start of lockdown, and there also remains a general expectation of a [worse] second wave still to come, for example. What will happen then?”
He also pointed out that just extending a deadline doesn't mean that an organization is actually compliant, and asked: who bears responsibility in that scenario? “Some organizations have had to rapidly change working practices – for example, sending their staff home to work en masse. Will all of those organizations really have taken all the necessary steps to ensure they continue to comply with ISO 27001?”
To clarify the accuracy of the wording in the UKAS guidance, Infosecurity contacted the service, and a spokesperson explained that its role “is to assess certification (and testing, inspection and calibration) organizations for competence against internationally recognized standards. Effectively, if certification bodies are the checkers, then UKAS checks the checkers, so UKAS is one link further up the assessment chain.”
In the case of this guidance, the document is titled Management of Extraordinary Events or Circumstances Affecting UKAS Accredited Certification Bodies and their Certified Organizations (TPS62). However, since the onset of COVID-19, it said UKAS has been working as part of the International Accreditation Forum (IAF) to allow existing certificates to be maintained during the COVID-19 situation, whilst ensuring that high standards of auditing are sustained.
As a result, “UKAS Policy on Accreditation and Conformity Assessment During the COVID-19 Outbreak” (TPS 73) was published at the beginning of April 2020, and this reflects IAF advice on certification during COVID-19 and effectively replaces the provisions of TPS 62 for UKAS accredited Certification Bodies (CBs) in the current COVID-19 pandemic.
In particular, “clause 4.6 of TPS 73 deals with delays in re-certification. This states that ‘management system re-certification audits are normally expected to be completed and re-certification decisions made prior to expiration to avoid loss of certification. IAF ID3 allows for the extension of the certification for a period not normally exceeding six months beyond the original expiry date providing that sufficient evidence has been collected to provide confidence that the certified management system is effective.’”
It went on to state that given the unprecedented nature of the COVID-19 outbreak, and the uncertainty over the potential impact this will have on the imposed time restrictions relating to travel and social contact, “it is anticipated that six months may not provide sufficient opportunities for certifying bodies to conclude re-certification audits.
“As a consequence, the UKAS policy for this outbreak is that the decision on re-certification must be made within three months of the lifting of restrictions (e.g. travel) that were preventing the on-site audit taking place. However, if this time frame exceeds 12 months, then the certificate should be withdrawn, and a new initial audit will be required.”
Commenting, Rossi welcomed those who questioned the research, and UKAS putting in place provisions to prevent mass disruption of certifications.
Specifically regarding TPS 73, Rossi said he was aware of it and said it “describes leeway,” but, fundamentally, it states that there is a ticking clock for audits, and that the maximum extension is 12 months “and it remains true that we may – as far as anyone knows – still [be] in the early stage of the pandemic.”
However, even with the provisions of TPS 73, certifications could still lapse. “For sure, it's wildly unpleasant to countenance the possibility of things returning to the way they were in April – or, possibly, far worse – but that shouldn't stop us, all of us, from thinking about it and how it would affect our professional worlds,” he said.
There’s no doubt that what InfoSaaS published stirred some people into reaction. In a Twitter poll, Infosecurity asked if lockdown has impacted the ability to renew ISO certifications. The 34 votes cast were split as follows:
Are those who certified in danger of being invalid, or are we set for a new era where remote auditing and self-certification become a reality? The conversation on this subject may have only just started.