The ISO 27001 & ISO 22301 Blog

Dejan Kosutic

How to use ISO standards to address a pandemic

There is no doubt that each pandemic causes damage to businesses worldwide – not only is there the problem of a decrease (or, in some cases, a sharp increase) in demand for products or services, but there is also the problem of how to organize a company to deliver their products and services in a very different way.

Challenges with pandemics in a modern business world


So, what is a pandemic? According to the Merriam-Webster dictionary, a pandemic is “an outbreak of a disease that occurs over a wide geographic area and affects an exceptionally high proportion of the population.” From the business operations point of view, for most companies this means (1) your customers or employees cannot reach you, or (2) your customers or employees can reach you but are afraid for their own health.

To address the first problem, companies typically react in the following ways: they overcome the lack of physical contact with customers and employees by using electronic means of communication; they ask their employees to work from alternative places, mostly from their homes or other remote locations; and they use alternative channels for delivery of their products through outsourced logistics services. However, these changes bring several challenges. By drastically changing the way their business operates, companies endanger the continuity of their operations. By accessing data from employees’ private devices and home networks, and by processing data through various cloud service providers and logistics partners, they also endanger the security of their information. Finally, this new way of doing business requires different types of skills from both employees and partners in the supply chain, so the quality of delivering products and services is endangered as well.

To address the second problem – health & safety – companies are starting to require protective equipment for their staff and to introduce rules for social distancing. However, the problem is that they do not know whether this is being done adequately, nor whether it will satisfy their customers and partners.

But there is some good news: ISO standards can help you address these challenges.

Addressing continuity of operations

ISO 22301 is the standard that describes how to develop the Business Continuity Management System – it defines that you have to assess the risks that might disrupt your operations and your supply chain, analyze how quickly you need to recover to avoid high damage, and which resources you need for a recovery. Based on this information, you need to look for solutions that will enable you to recover and to develop a business continuity plan for a pandemic.

So, to successfully continue your operations, you need to analyze which people, equipment, data, raw materials, third parties, etc. you need and how quickly you need them, define how to obtain them, and describe the steps to start using them. For that purpose, you need to perform a risk assessment and a business impact analysis, develop the business continuity strategy, and write the pandemic plan for your business. You can find all the necessary documents in this ISO 22301 Documentation Toolkit.


Addressing security of communications and data

ISO 27001 is the standard that describes how to develop the Information Security Management System – it defines that, first, you have to find out which potential incidents might happen, and then define which kinds of safeguards you need to implement in order to prevent data breaches.

So, for employees who are working from home, you need to analyze which kinds of incidents can happen to the data stored on their computers and communicated over the Internet. Only once you know this can you decide whether your employees will be required to use a VPN and complex passwords, encrypt data, use only pre-approved cloud services, regularly back up the data, etc. Finally, you should document those rules through policies and procedures – here you can see a sample of an IT Security Policy.

Addressing quality of products and services

ISO 9001 is the standard that describes how to develop the Quality Management System – among other things, it defines that you have to train your staff adequately for the job they are performing, and you need to select your suppliers and partners very carefully.

So, you should analyze which kinds of skills are necessary for operating your business in this new situation, and systematically start training your staff – this could be related to new communication channels you’re using with your customers or internally with your colleagues, how to work remotely in an effective and secure way, how to work on-site while complying with the social distancing rules, etc.

For suppliers and partners, you have to develop clear criteria in order to be able to select only those that will not jeopardize your supply chain – for example, select only those that have strict rules for health & safety, that have trained people in social distancing, that have developed online communication channels, etc. – see here a sample of a Procedure for Purchasing and Evaluation of Suppliers.

Addressing health & safety

ISO 45001 is the standard that describes how to create an Occupational Health & Safety Management System (OHSMS) that helps you go beyond simply meeting the health & safety laws and regulations and work towards improving health & safety in your workplace.

Probably the most important aspect of the ISO 45001 requirements that can help in a pandemic is identifying hazards and their associated risks, so that they can be controlled to improve health & safety. This hazard identification is best done using the knowledge of your workforce to find the best solutions. Involving your people will make them confident, so that they won’t be afraid of working on the company’s premises, and this trust will also be reflected in your customers, who won’t be afraid of getting in touch with your employees.

You can start with a brainstorming session around questions such as “what are the hazards that we face in each process, and where can we reduce these hazards in this crisis?” During a pandemic, this can help with the rapid identification and implementation of the changes you need to make to stay safe on the job, such as social distancing in the workplace, cleaning tools, removing shared papers or tablets so that multiple people do not come into contact with them, and preparing replacements who are able to perform new roles or new jobs in case someone has to stay at home.

When people feel safe, they will work better – in some cases, productivity will be even higher than before the pandemic; this positive approach will also be felt by the customers, and they will start to prefer such a company over its competitors.

ISO standards provide you with the know-how

A pandemic does not happen very often, and one would expect that in such unpredictable circumstances the rules have to be invented on the go – however, ISO 22301, ISO 27001, ISO 9001, and ISO 45001 are ready-made frameworks that can be applied effectively even in adverse situations.

After all, more than 3 million companies worldwide have already implemented some of the ISO management standards and, out of those, about 1.5 million got certified. So, ISO standards are the most widely adopted frameworks that help companies organize better – and they can also help in the face of a pandemic.

To see the documents that are required for business continuity, download this free white paper: Checklist of ISO 22301:2019 mandatory documentation.
About the author:

Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related online tutorials, documentation toolkits, and books.
