Hundreds of thousands of ISO certifications are in danger of lapsing because auditors haven’t been able to visit organizations’ premises during the pandemic, according to InfoSaaS.
The international standards that the firm said are at risk of suspension include ISO 27001, which covers rigorous best practices for information security management systems, as well as ISO 27017 and ISO 27018 (enhanced security control sets for cloud services), ISO 9001 (quality management) and ISO 45001 (health and safety risks).
Auditors usually have to visit premises in person, especially if organizations are still using manual spreadsheet-based processes for compliance, the software company added. It argued that this approach requires face-to-face explanation and cross-referencing.
As of 2018, around 1.3 million ISO certificates were granted to global organizations.
In the UK, special dispensation has been given to ISO-holders, although it's unclear if IT organizations elsewhere in the world will be treated similarly.
If not, they may find themselves being forced to pay more on restoring certifications, as well as devoting extra time and resources to the project, InfoSaaS claimed. In the meantime, they would be forced to remove any ISO accreditation messaging from marketing materials.
“The uncomfortable truth is that, under current circumstances, some organizations may decide not to be re-audited and simply to let their ISO certifications lapse,” argued InfoSaaS co-founder, Peter Rossi.
“Any such de-prioritization may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone.”
However, on publication of this article several experts have since stepped up to question the claims made by InfoSaaS. Infosecurity will be writing a follow-up to address these concerns.
Update, 21/08/2020: A clarification statement has been published by UKAS, which explains: Certification Bodies now have to complete the audit either three months from when the relevant restrictions that prevented the audit from taking place (e.g travel, social distancing) are lifted, or 12 months from the due audit date (whichever comes first). Failure to do so within those revised timescales means the Certification Body should withdraw the certificate and conduct a new audit at a later date.