Ok, you've decided that you're going for ISO certification. Congratulations! We have no doubt that you will look back upon this decision as a hugely positive milestone in your company's journey. Less than 0.5% of companies globally achieve ISO certification to any standard, and it is a wonderful achievement for all your team when it happens.
The only question remaining is, what next? How are you going to do it? At Upscaler our team has seen every possible approach to ISO implementation. We've concluded that there are in fact 7 approaches or roads that you can take to winning bigger deals with ISO certification.
Read on to learn about the good, the bad and the downright terrible.
Buy a fake certificate
Needless to say, we don't condone this and it is not actually a valid 'road to certification' at all! But, it happens, and we want to address this here and now so that you are aware of it and know what to look out for. Once you have made the decision to go for ISO certification the first port of call is usually Google search. Here you'll find many businesses claiming to offer quick ISO certification for $499 (or some arbitrary lowball figure). These businesses are what we in the industry call 'certificate mills'.
Even though most people are not experts in ISO, common sense tends to steer them away from such incredible propositions. After all, if it was that easy wouldn't every company be ISO certified?! Unfortunately, many still fall for the trap and end up engaging with these companies. They'll usually try to sell you consultancy, training and certification all in a nice neat package. Within a few weeks you'll have spent more than the $499 of course, and will be far worse off than when you started.
You see, the certifications that they provide are unaccredited or, in simple terms, fake. Real certification bodies are accredited by a higher power, called an accreditation body. They must follow very strict rules on how they conduct their business and how they audit their clients.
For example, they are not allowed to offer any services, other than certification, to the same client to prevent a conflict of interest. The certificate mills on the other hand are answerable to nobody. Their business model is intended to confuse and bewilder unsuspecting buyers. The worst part is not the time and money that you have now wasted. It's the embarrassment of your customer telling you that the certificate you sent them is unaccredited and therefore worthless.
The worst part is the embarrassment of your customer telling you that the certificate you sent them is fake!
Do it yourself
Right, this is the first real road to certification. Although rare, some companies undertake the implementation of ISO on their own and without any outside help. This usually starts with the project owner, full of enthusiasm, going online and buying the standard itself. Next they pay Amazon a visit to buy an 'ISO for dummies' (or similar) book. Then, they clear a few hours in their calendar and make a strong cup of coffee.
What follows the scene above is one of the best examples of how a person's enthusiasm for something can start high and end low. You could almost plot that downward trend line on a chart with pinpoint accuracy. The problem is that there is a considerable amount of work involved in preparing a company for ISO certification.
ISO standards are filled with many complex and demanding requirements. They require a deep understanding and experience of the standard to know what the text and auditor actually expect. Let's assume you are able to decipher and interpret the standard to the level required. You then have to write the many policies, procedures and other documents that are necessary for certification. Is this really the best use of a manager's time?
The DIY approach almost always ends in failure.
This is by far the most long-winded, failure-prone and painful method of implementing an ISO management system standard. We wouldn't recommend it to our worst enemies! The only time we have ever seen this work is when someone in the company has done it before, with help. This is different and has a greater chance of success. But, even at that, there are still easier, faster and better ways to go about it.
Download template kits
This is a road very often travelled. ISO certification requires you to put a considerable amount of documentation in place. This is so that you can prove that you are meeting the requirements of the standard. This includes various policies, procedures, records, registers and more. Very few people are capable of writing such documents from scratch. This is why there is a thriving market for ISO documentation template kits.
You'll find them all over the internet. From dedicated vendors selling their template kits for about $700 - $1,000, to the same kits on eBay for a fraction of that price. In practice, what you are getting when you purchase one of these kits is a Zip file containing many generic Word and Excel files. You then need to almost completely rewrite these files to fit the needs of a SaaS company. This is because they are written to meet the needs of every kind of company in every industry, which just doesn't work.
We're not suggesting that you write all your documentation from scratch. It would be crazy to think that the wheel has to be reinvented every time a SaaS company takes on ISO certification. But these generic template kits are not the way to go. They end up gathering dust on a drive and are rarely, if ever, the catalyst that helps a company achieve certification.
Hire a consultant
Hiring a consultant to help with the implementation of ISO is what the majority of companies approaching ISO for the first time end up doing. The level of engagement with a consultant can vary considerably, from occasional training delivered remotely through to onsite development and implementation of the entire system. The market is awash with ISO consultants for each standard. The greatest challenge is finding a good one that understands your sector and whose aim is to minimise, not maximise, their time with you. Does such a person exist?
Let's get straight to the point. We don't have a problem with consultants per se, and for some time-poor and cash-rich SaaS companies there may even be a place for them. But we do believe that hiring a consultant is a suboptimal solution for a growing SaaS company. They come at a high cost, and you are often left with a manual Word/Excel-based system and a reduced sense of internal ownership. This last part is important.
When you bring in an outside consultant there is a subconscious (or sometimes fully conscious!) shift of responsibility for project success to the consultant. This is not a good thing. Experience has shown that this can destroy your chances for successful certification and recertification. It can also ruin any opportunity that you have to benefit from ISO beyond a box ticking exercise. Remember, with ISO certification you are audited every six months indefinitely. You cannot farm this out to someone who'll be gone before you know it. You have to own it internally.
Find some software
Ah, technology - surely this is the road we need to take? Not so fast! Software applications that meet some of the requirements of ISO standards do exist. Within the SaaS sector the emphasis is on information security for obvious reasons. In the last couple of years several vendors have come to market with applications that address specific elements of ISO 27001 / SOC 2 compliance.
Some of these products are actually quite useful. They address some elements of relevant security standards using technical solutions. These include access control, employee onboarding, vendor control and infrastructure scanning. They tend to be strong in their integrations with a SaaS company's technology stack. But there are very many requirements that they do not address and which you are still left to figure out on your own.
What concerns us the most is how these applications are being marketed. Many of them claim to be a one-stop shop for ISO compliance. Yet none of them provide you with the overarching management system that you actually need for certification. On one such vendor's homepage they claim that you can achieve ISO certification in a few weeks using their tool. But in the FAQ on their support site they say it will take 12 months! The phrase 'over-promise and under-deliver' comes to mind.
Wait a minute, isn't Upscaler a software solution? Yes it is and more, but we see ourselves in a different category so we'll cover Upscaler a little further down.
Combination of the above
In practice, the road that almost every company ends up going down is all of the above. Assuming you don't get lured by the fake certificates, your starting point will be to see if you can do it yourselves. This brief encounter with delusion is quickly followed by the purchase of a template kit. Upon being faced with a zip folder filled with complex office documents your immediate next port of call is a consultant. A lengthy and expensive consulting engagement ensues. This is then followed by a frantic search for some magical software that is somehow going to make it all better.
We've seen it time and time again. In taking this approach you end up with a mishmash management system 'of sorts'. It may be enough to get you certified, but is highly inefficient, costly and time consuming to implement and maintain. It is this very outcome and the process of getting there, that is so off-putting for the vast majority of SaaS companies. It's why so many struggle to make it happen.
Partner with Upscaler 🚀
You knew there would be one more road to take, didn't you?! The truth is that we built Upscaler because we have all been up and down the above roads countless times and they are wholly unsatisfactory. It shouldn't have to be this hard and so we started Upscaler to make it easier on us all.
Let's talk about Upscaler and why this is not only the best road that a SaaS company should take, but the only road that makes sense. Upscaler is a 'management system' in the truest sense of the term. This means that it comes preloaded with all of the policies, procedures, forms, records and workflows needed to address all of the requirements of relevant ISO standards. We've built Upscaler especially for SaaS companies so you can be confident that it has your specific needs in mind.
You just need to tweak and customise the system to align with your own operations. And then you start using the system according to the guidance and support that we provide. Speaking of support, this is where we excel. We provide solid, reliable support with informed answers to all your questions, whether technical or compliance related. Using Upscaler, you can achieve ISO certification in the least amount of time. And you'll do it with less effort, less cost and less confusion than any other solution in the market.
If you have any questions or would like to learn more about Upscaler don't hesitate to contact our team. We love to talk with SaaS companies and help them on their journey in any way that we can.