Does everyone hate ISO?

Most of the time, any mention of ISO is met with a general disdain. It’s gotten a reputation, at least in a lot of GovCon circles, as just a useless paperwork drill to get a certification. That’s not actually true.

ISO can help your organization or program… but only if it’s set up in the right way. I’m sharing these thoughts to hopefully help someone avoid all the time I’ve wasted over the years on misguided ISO efforts.

The first time I heard about ISO it was described to me as, “It’s a process standard or something. It’s lame, but you need the certification for some government contracts.” I accepted that view, and it was reinforced by most of the corporate implementations that I saw. From my vantage point in Ops, someone would show up to ask me a few questions and then tell me there were new forms I had to fill out. Those forms generally had no real value to me, and probably not to anyone else, but were labeled as “necessary for ISO.”

Anything that’s necessary for a quality standard but doesn’t provide any actual value certainly feels pretty lame. I didn’t start to change my view of ISO until I was directly involved in the scoping and implementation. The big myth here is that ISO tells you how to do something. It doesn’t tell you how to do anything… it offers best practice governance for making sure you’re following what you’ve already decided is important to your program or business. That’s where it usually goes wrong.

Why ISO is often implemented “wrong”

All ISO standards are intended to provide you with value. They accomplish this by establishing control mechanisms to help you verify that you’re following the processes, procedures, and policies that you’ve defined as critical to your organization. The problem arrives when ISO is assumed to show up like “Value in a Box.” I’ve been involved in a lot of ISO implementations that were architected by the quality team with no engagement from Ops, the program, or the business. Now, it isn’t because the quality team wants it that way… it’s because those teams have been conditioned to think ISO won’t help them, or because they lack a general understanding of the ISO standards.

This sets up a scenario where the ISO standard asks for your process for an area of your business: Let’s say organizational training. Sounds boring? Well, that’s the topic that asks how you verify the people that you’re hiring are qualified for their role. That seems like something that’s probably important.

The Lame Way – Here’s how that topic often gets set up when there’s no correlation to real value

• Aim organizational training at the training provided by the company to all employees

• All employees have different jobs so there isn’t really a common theme to train everyone

• Quality creates an “Organizational Training Plan” that requires an annual update (probably with no value)

• The Organizational Training Plan says that there needs to be an annual assessment of upcoming training requirements (this has to be documented and there’s no real value)

• The assessment needs a forecast of what skillsets the company plans to hire over the next year. A real forecast compared to the pipeline would take a massive effort so there’s a minimally compliant effort completed based on the types of people hired last year

• The Organizational Training Plan is updated by the quality team for those kinds of jobs and they do some theoretical analysis and documentation

• This process is repeated every year and is purely pushing paper around

Outcome: You’ve wasted days of productive time writing plans that don’t help your business and then finding ways to track a useless plan. No one is happy that they are working on something that’s useless.

A Better Way – Here’s how that same requirement can be set up to actually provide value

• Aim organizational training at your IT organization, at your annual compliance training, and at the certified positions on your contracts.

• Document what you want your IT team to know (think cyber skills), what you have to deliver to be compliant with state/federal laws and rules (timesheet guidance, proper use of government data, workplace ethics), and what it takes to maintain your facility clearance (foreign travel, insider threat)

• Consolidate those requirements into your training plan that now protects your organizational interests and complies with mandatory guidelines

• Establish internal auditing to verify adherence to the plan – this means that you’ll know if you’re behind on security training before you get a visit from your government security audit team

Outcome: Now you’ve got someone helping you keep track of your real training requirements and making sure you’re on track to achieve your mandatory and discretionary training goals. You’re also ISO compliant and you’re compliant in a way that didn’t make anyone create useless paper and forms.

This is just a start.

This is just my introduction to using ISO to add value to your business. Some key areas of value include:

Scaling – As your organization grows, you’re going to run into new challenges. Moving from individuals performing a function to a department full of people requires coordination and control. ISO processes can help you by offering governance and maturity.

Critical Actions – There are some things in your organization that absolutely must be done and done correctly. ISO doesn’t care what those things are, but it provides checks and controls so that whatever you defined as critical is done correctly and verified by someone.

Protecting your organization – There are lots of ways to lose information. Version control problems. Cyber threats. Simply never writing down the answer and having to develop it again. ISO has guidance and controls to help you handle those threats and verify that they are being addressed.

It would take way more words than anyone would likely want to read to walk through an integrated implementation of all the ISO standards. Over the next few posts, I’ll address the key business value areas of several ISO standards with strategies to implement them with minimal effort and maximum value to your company, organization, or program, including:

• ISO9001 – Foundational Quality

• ISO20001 – IT Service Management

• ISO27001 – Risk & Security Management

• ISO44001 – Collaborative Business Relationship Management

• ISO56001 – Innovation Management

Patrick Gardill

Business Development, Strategy, PTW/PTE, Capture

2 years ago

Sometimes ISO crazy implementing these standards..... You are correct, if implemented for the sake of implementation they can be detrimental.