Compliance to ISO: the world upside down
Jan van Bon
Forget about ITIL or COBIT until you've learned to think the USM way. Reduce your organization's complexity for a sustainable Enterprise Service Management strategy. USM's revolution is ESM's evolution.
The old way of handling ISO standards is built on the idea that complying with requirements would deliver sustainable improvements. It does not. It only nails down the inefficiencies of your practices. Audits normally start at the side of the requirements (i.e. the practices), whereas they should have started at the other end of the stick: the principles.
These principles should have been laid down in a management system, but they are actually mostly missing. And no ISO standard defines a management system: even 9001 only describes requirements for a management system.
If you look at this traditional approach, you can only confirm that regular ISO auditing is the world upside down. And it does not lead to sustainable improvements.
Turn it around
Next time you start a compliance project, you may want to turn this around: start at the principles, define and deploy a management system based on a management architecture, and then audit the results. Now the audit is simple and only confirms what you already knew: you are delivering your services in a systematic, sustainable way.
The cost of preparing for the auditing is then reduced to a small percentage of what it used to be.
I understand that this may violate the business model of many auditors and tool providers, but it would also open up a new perspective of value creation that would be highly appreciated by their customers, and I'm sure these customers would be willing to pay for it. Such a knife would cut both ways: value creation in its purest form.
What do you think: is it time to turn this around?
I'm intrigued by the objectives angle, but puzzled at your emphasis on auditing. The ISO management system approach is primarily intended to benefit the organizations that adopt it: auditing and certification are a separate consideration with a different purpose.
Managing Director at Trace Consultancy Ltd - Data Privacy and ISO Guru
4 years ago
As an experienced auditor (BSI & SGS) and consultant delivering outsourced management of ISO standards, I have experience as an auditor and auditee. I can say for certain the standards are not the issue; they are simple enough. Auditors and customers (not all, but most) make a meal of it, and when I say meal, it is often a drop-kicked Saturday night kebab in a Sunday morning gutter. Upside down I agree with, though: instead of looking at standards and asking how do we implement that, look at what you do already and see how it already complies, then keep better records. Simple.
Vice President | CISO | Cyber & AI Risk Strategist | Zero Trust & Enterprise Security Architect | AI-Driven Cyber Resilience | Risk & Compliance Leader (CISA, CISM, CRISC, CGEIT, PMP)
4 years ago
If all auditors (both internal and external) get buy-in from leadership and the board to test for operational effectiveness rather than just design, service management flows seamlessly. Service management should be flexible enough to adopt and adapt operations, since operations change every day, week or month with the nexus of forces. Ex: the pandemic changed almost every business ... if business operations had the flexibility to adapt to situations with no compromise on compliance, they are rock stars.
Information Officers Assoc., GDPR Certification Services, AI Governance
4 years ago
Jan van Bon I have always thought we are supposed to focus on the outcomes and work back to what actions need to be controlled and why they should be controlled. The purpose of an ISO management system is to Plan, Do and Check what needs to be controlled for the expected/desired/planned outcome, and Act if the activities aren't effective in delivering the outcome. Earlier versions of ISO management system standards referred to embedding these "controlled" activities within an organisation's operational processes. An ISO management system is a shell until it's populated with operational practices that need to be "controlled". If auditors then focus on the effectiveness of the work being done, and not some theoretical set of requirements, the audit will be of value. Compliance with a book of best practices is nonsensical.