

The ISO Show
Blackmores UK
Blackmores is a pioneering consultancy firm with a distinctive approach to working with our clients to achieve and sustain high standards in Quality, Risk and Environmental Management. We'll be posting podcasts discussing ISO standards here very soon!
Episodes

Oct 22, 2024 • 38min
#195 The Role of ESG in Procurement
Philip Ideson, Founder & Managing Director of Art of Procurement, sheds light on the essential role of procurement in driving ESG compliance. He discusses current trends shaping the procurement landscape and the challenges faced in implementing ESG principles. Philip outlines his mission to 10X the impact of procurement and shares the six principles guiding this transformation. The conversation delves into how procurement can align more closely with sustainability goals, emphasizing the need for collaboration and innovation in the evolving business environment.

Oct 15, 2024 • 34min
#194 Clyde & Co’s Carbon Verification Journey
Sustainability is an area that affects all businesses, no matter the sector. We are all currently contributing to the climate crisis, from travel and hospitality to manufacturing to those working in an office or from home. You may be surprised to hear that the legal sector is currently one of the leaders in championing sustainability, not just in enforcing new environmental legislation, but also leading by example in the race to net zero. One such stand-out leader is today’s guest – Clyde & Co, a global law firm that has made great strides in its sustainability journey.

In this episode, Mel is joined by Paddy Linighan, Chief Sustainability Officer at Clyde & Co, to discuss their ambitious net zero targets, sustainability initiatives and their journey towards ISO 14064 Carbon Verification.

You’ll learn
· What is Paddy Linighan’s role as CSO?
· Who are Clyde & Co?
· What are their net zero targets according to their Responsible Business report?
· What sustainability initiatives have Clyde & Co introduced?
· Why get ISO 14064 verified?
· What were the challenges with obtaining ISO 14064 verification?
· What are the benefits of obtaining ISO 14064 verification?

Resources
· Clyde & Co
· Clyde & Co Responsible Business report
· Carbonology

In this episode, we talk about:

[00:25] Episode Summary – We welcome today’s guest, Paddy Linighan, Chief Sustainability Officer at Clyde & Co, to dive into their Responsible Business report, discuss their net zero ambitions and their journey towards ISO 14064 Carbon Verification.

[01:40] Introduction to Paddy: Paddy has 30 years’ experience in the legal sector, and was formerly the Chief Operating Officer for Clyde & Co before transitioning to the role of Chief Sustainability Officer. Paddy is also a Director at the Legal Sustainability Alliance, an association committed to supporting the legal sector to measure and manage its carbon emissions to achieve net zero. One lesser-known fact is that Paddy was a Latin and ballroom dancer!

[02:30] Who are Clyde & Co? – They are a global law firm with 500 partners, 2,700 lawyers and 3,216 legal professionals across the world, operating out of 70 offices. They set out to help organisations successfully navigate risk and maximise opportunity in the sectors that underpin global trade, namely insurance, aviation, marine, construction, energy, trade and natural resources. They offer a comprehensive range of contentious and non-contentious legal services and commercially minded legal advice to businesses operating across the world in seamless fashion. Clyde & Co are committed to operating in a responsible way by progressing a diverse and inclusive workforce that reflects the communities and the clients it serves, and provides an environment in which hopefully everyone can realise their potential. They use their legal and professional skills to support communities through pro bono work, volunteering, charitable partnerships, and minimisation of environmental impact through the pursuit of sustainability standards.

[04:25] What are some of the net zero targets highlighted in Clyde & Co’s Responsible Business report?
· Near term target: Reduce their scope 1 and scope 2 emissions by 80% by 2030 and scope 3 emissions by 50% by 2030.
· Long term target: Have a 90% reduction in emissions by 2038.
· Focused on decarbonising their operations across the globe.

[06:25] What are some of the sustainability initiatives that Clyde & Co have started? All their initiatives can be broadly grouped into 3 categories, but ultimately they seek to decarbonise their operations, address resource consumption and offset emissions where possible. They found that 95% of their emissions reside in their scope 3, which is due to their supply chain. A few of their initiatives include rationalising their supply chain to reduce the impact of purchasing goods and services. They are also supporting their supply chain to measure and reduce their own emissions.

Clyde & Co have also incorporated their sustainability requirements into their Procurement Process and Due Diligence Process. One challenging area for a professional services business like Clyde & Co is sustainable business travel. They have adopted a global note on sustainable travel, which trickles down into regional travel policies. Working with travel management companies, they will implement those new policies, in addition to improving the quality of travel data collection and prioritising sustainability over cost. Clyde & Co are also making the move to switch direct and indirect consumption of fossil fuels to renewable energy in the heating and cooling of their buildings. As of summer 2023, all UK offices were on 100% renewable energy! They aim to roll this out on a global scale, but understand that there are significant challenges in doing so.

[09:30] How did Clyde & Co celebrate Earth Day? They introduced climate change awareness training on Earth Day. It wasn’t mandatory in any way, and included the rolling out of several blogs and videos which were produced by AXA Climate School in Paris. They ran these from Earth Day (April 22nd) to World Environment Day (5th June), covering topics such as:
· Financial disclosures
· Plastic pollution
· Saving water
· Beekeeping
· Composting

This led to a campaign called ‘Zero as One’ which helped to create a network of sustainability champions across their organisation, who help to further raise awareness and flag where there may be regional issues with reducing resource consumption and energy use. This campaign has continued and is beginning to facilitate a structured, bespoke training programme for all Clyde & Co staff which covers climate awareness through to climate competency. It will encourage people to think ‘How can I, as an individual, make a difference?’

[15:30] The Clyde & Co Community Forest – A 6.2 hectare plot of land is shared with 2 other community groups, and is not only being used for reforestation but also biodiversity, focusing on red squirrels in particular. Getting this project set up included:
· Gauging the appetite of colleagues: They offered an increased level of reforestation for every response they had to their annual ‘Have your Say’ survey. For every response received, they would add 2 square metres of forest, so 5000 people would give them a hectare.
· It was a knowledge gathering exercise and experience of what a carbon offset project would look like. They know that they’ll never be able to 100% decarbonise their operations, but they hope to get it down to 10% remaining emissions which can be offset with more projects like the community forest.

[19:35] What does Paddy think of the sustainability reporting regulatory requirements affecting the legal sector? Not only do lawyers have a key part to play in supporting and advising clients in relation to how they navigate towards a low carbon economy, but they are also a part of many businesses’ supply chains – meaning they would be included in scope 3 emissions for others. Putting in the work at their end enables them to proactively help and assist clients with their emissions reduction and reporting. The drive in this sector is mostly due to client demand.

[21:10] The increase in sustainability targets in North American companies: Paddy highlights that a recent report issued by Climate Impact Partners found that 79% of North American companies now have climate targets, which is up 6% on Asian companies and just shy of European companies. 61% of those North American companies report under ISO 14064.

[23:00] What were the drivers behind Clyde & Co getting ISO 14064 verified?
· High transparency: They wanted to ensure that any disclosed information was reliable and that they’d had third-party verification to back that up, making them much more comfortable putting that information out into the public.
· Financial benefits: Sustainability and greenhouse gas emission reduction was a part of their main KPIs to tackle, the main reason being to save money through not only the reduction in energy use but also reduced interest rates as a result of their sustainability efforts.

[25:20] What were the main challenges in obtaining ISO 14064 verification? Clyde & Co are a large organisation, so gathering and quantifying the necessary emissions information was like getting blood from a stone! Nearly 65 – 70 sites only have a small team of 5 people, and getting data from each can be time consuming. Also, the quality of data can vary a great degree with that many sites, especially on a global scale, as you need to consider the conversion factors when collating all the data into something verifiable.

[26:50] What impact has ISO 14064 verification had on Clyde & Co’s sustainability credentials? Very simply, it validates Clyde & Co’s claims. With the third-party assessment, it shows that they are actually doing what they say they’re doing, and not simply paying lip service.

[27:45] What were the main benefits of getting ISO 14064 verified?
· Helping to secure financial benefits: ISO 14064 verification is proof enough for banks to issue discounts on interest rates.
· Ease of process: The audit process introduced for ISO 14064 can be repeated as needed. As a result of getting verified, Clyde & Co found the exercise a good stress test for existing auditing procedures, and found a way to simplify them further.
· Credibility: Third-party verification adds a level of credibility which is lacking from internal calculation alone.

[29:00] Paddy’s top tip for anyone considering ISO 14064 verification: Do not let perfection get in the way of progress. They found that people can become a bit defensive in audits, trying to avoid errors being picked up; however, audits are meant to be constructive. They are opportunities to pick up on areas for improvement.

[30:40] Paddy’s book recommendation: The Ministry for the Future by Kim Stanley Robinson

[32:10] Paddy’s favourite quote: “The greatest threat to our planet is the belief that someone else will save it” – Robert Swan OBE

If you would like to learn more about Clyde & Co and their sustainability initiatives, visit their website. To find out more about verification visit www.carbonologyhub.com

We’d love to hear your views and comments about the ISO Show, here’s how:
· Share the ISO Show on Twitter or LinkedIn
· Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Don’t forget to subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Oct 9, 2024 • 14min
#193 Understanding ESG Reporting – CSDDD
Did you know that only a third of the emissions reductions required to achieve the country’s 2030 target are currently covered by credible plans? As a result, we can expect to see more mandatory and voluntary regulations that require carbon emissions reporting to verify your ESG and net zero claims.

In this episode, Mel closes out the ESG Reporting Disclosures series by explaining what the Corporate Sustainability Due Diligence Directive (CSDDD) is, its key emissions reporting requirements, the verification requirements and who qualifies for CSDDD.

You’ll learn
· What is CSDDD?
· Key requirements of CSDDD
· Key emissions reporting requirements
· The emissions verification requirements for CSDDD
· Who qualifies for CSDDD?
· The likely impact of CSDDD

Resources
· Carbonology
· Carbonology LinkedIn
· Carbonology Instagram
· CSDDD

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:10] Episode summary: Mel closes out the series on ESG reporting requirements by diving into CSDDD.

[03:10] What is CSDDD? – The Corporate Sustainability Due Diligence Directive (CSDDD) is a new EU directive that promotes sustainable and responsible corporate behaviour in companies’ operations and across their global value chains. Purpose: It aims to promote sustainable business practices, protect human rights, and address environmental challenges. The CSDDD was adopted by the European Commission on the 23rd of February 2022 and approved by the Council of the European Union on the 24th of May 2024. The new rules ensure that companies in scope identify and address adverse human rights and environmental impacts of their actions inside and outside Europe. The CSDDD is expected to start affecting companies from 2027 at the earliest, once the directive has been transposed into national legislation.

[05:10] What are the key requirements of CSDDD?
· Human rights due diligence: Companies must identify, prevent, and mitigate adverse human rights impacts within their value chains.
· Environmental due diligence: They must assess and manage risks related to climate change, biodiversity loss, and pollution.
· Disclosure obligations: Companies must disclose their due diligence processes, findings, and any remedial actions taken.

[06:20] What are the emissions reporting requirements? Under the CSDDD, companies are required to report on their greenhouse gas (GHG) emissions within a climate transition plan. This includes considerations for Scope 1, 2 and 3. These were explained in more detail in a previous episode on CSRD, so go check that out if you want to learn more about the individual scope requirements. What if you fit the requirements of both CSRD and CSDDD – do you have to double report on emissions? In short – No! The climate transition plan required by the CSDDD will be reported within CSRD reporting, as organisations just need to adhere to the CSDDD’s implementation requirements for the transition plan.

[10:10] What are the emissions verification requirements? More definitive guidance on verification requirements is expected closer to 2027. Companies will more than likely need to verify the emissions data reported through CSDDD, as the directive mandates a climate change transition plan that aligns with the Corporate Sustainability Reporting Directive (CSRD), which does require companies to verify their emissions data.

[09:55] Who qualifies for CSDDD? The Corporate Sustainability Due Diligence Directive (CSDDD) applies to both EU and non-EU companies depending on their workforce size and revenue. EU and non-EU companies (or the ultimate parent company of a group):
· With more than 1,000 employees and a global net turnover of at least €450 million in the last fiscal year; or
· Which have franchising or licensing agreements in the EU in return for royalties, with more than €22.5 million generated by royalties in the EU, and have a net worldwide turnover of over €80 million in the last financial year.

[11:10] What is the possible impact of this new directive? Similar to the other ESG disclosures I’ve covered over the past few weeks in this series on reporting disclosures, the CSDDD will result in 3 key impacts:
· Increased transparency: This directive will provide stakeholders with a clearer picture of companies’ sustainability efforts, to combat greenwashing.
· Enhanced accountability: Companies will be held accountable for their environmental and social performance.
· Stimulation of sustainable business practices: The directive will encourage companies to adopt more sustainable practices, including regular reporting.

If you would like to learn more about CSDDD or inquire about the related course, please get in touch with Carbonology.

Oct 2, 2024 • 14min
#192 Understanding ESG Reporting – CSRD
The push for Net Zero by 2030 is causing a major rethink in how businesses report their carbon emissions. The Corporate Sustainability Reporting Directive (CSRD) takes center stage, outlining new obligations for emissions reporting and verification. Companies must understand their eligibility under these regulations to ensure compliance. This discussion shines a light on the impacts of CSRD on ESG reporting, revealing what stakeholders need to know as sustainability standards evolve.

Sep 17, 2024 • 21min
#191 Understanding ESG Reporting – ISSB S2
Businesses are coming under increasing pressure to monitor, report and reduce their energy use and carbon emissions to meet net zero targets. As a result, we’re seeing an increase in both mandatory and voluntary regulations that require carbon emissions reporting to verify your net zero claims.

In this episode, Mel continues the ESG Reporting Disclosures series by explaining what the International Sustainability Standards Board Climate-related Disclosures (ISSB S2) are, the emissions reporting and verification requirements, and who qualifies for ISSB S2.

You’ll learn
· What is ISSB S2?
· What is the scope of ISSB S2?
· What are the emissions reporting requirements for ISSB S2?
· Emissions verification requirements
· Who qualifies for ISSB S2?

Resources
· Carbonology
· ISSB S2

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.

[02:10] Episode summary: Over the course of September, Mel will be exploring the latest climate change regulations that may affect your organisation. In this episode she dives into the International Sustainability Standards Board Climate-related Disclosures (ISSB S2).

[03:20] What is ISSB S2? – The International Sustainability Standards Board Climate-related Disclosures (ISSB S2) is a new global standard that mandates entities to provide comprehensive information about climate-related risks and opportunities. ISSB S2 was issued by the International Sustainability Standards Board on the 26th of June 2023 and is effective for annual reporting periods beginning on or after the 1st of January 2024. The new standard ensures that companies disclose physical and transition risks and their potential impact on the move towards a low carbon economy.

[04:20] Further learning with Carbonology: Carbonology have created a half-day course which walks you through all of the various carbon reporting disclosures and sustainability disclosure reporting requirements. If you would like to learn more, get in touch with Carbonology.

[07:00] What do ‘acute and chronic physical risks’ mean in the context of ISSB S2? Climate-related physical risks are risks resulting from climate change that could be event driven. An acute physical risk could arise from weather-related events like storms, floods and heatwaves, which are increasing in frequency. These could have a knock-on effect on businesses. Taking a heatwave as the example, you will need to consider:
· Can your IT systems and datacentres cope with it?
· Have you got resilience built in to your operations to be able to deal with that sort of disruption to your organisation?

Chronic physical risks arise from longer-term shifts in climatic patterns, including changes in precipitation and temperature, which could lead to sea level rises, reduced water availability and changes in soil productivity. These risks could carry a weighty financial burden, either through direct damage to assets or indirectly through supply chain disruption.

[09:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[11:43] What does ‘transition risk’ mean in the context of ISSB S2? This is looking for a climate-related transition plan, which should include targets, actions and resources for the transition towards a lower carbon economy. This would include actions such as reducing greenhouse gas emissions.

[12:30] What is the scope of ISSB S2? This Standard applies to:
· climate-related risks to which the organisation is exposed, which are: (i) climate-related physical risks; and (ii) climate-related transition risks; and
· climate-related opportunities available to the entity.

Climate-related risks and opportunities that could not reasonably be expected to affect an organisation’s prospects are outside the scope of this Standard.

The Standard covers:
· Governance
· Strategy
· Climate-related risks and opportunities
· Business model and value chain
· Financial position, financial performance and cash flows
· Climate resilience
· Risk management

[14:10] What are the emissions reporting requirements for ISSB S2? – Under ISSB S2, companies are required to measure and disclose their greenhouse gas (GHG) emissions across three scopes:
· Scope 1 emissions: Direct emissions from owned or controlled sources. For example, emissions from combustion in owned or controlled boilers, furnaces, vehicles, etc.
· Scope 2 emissions: Indirect emissions from the generation of purchased energy. This includes emissions from the production of electricity, steam, heating, and cooling consumed by the company.
· Scope 3 greenhouse gas emissions: Indirect greenhouse gas emissions (not included in Scope 2 greenhouse gas emissions) that occur in the value chain of an entity, including both upstream and downstream emissions. Scope 3 greenhouse gas emissions include the Scope 3 categories in the Greenhouse Gas Protocol Corporate Value Chain (Scope 3) Accounting and Reporting Standard (2011).

[16:20] Emissions verification requirements – Under ISSB S2, companies are required to have their reported greenhouse gas (GHG) emissions data verified. Verification can give users of financial reports confidence that the information is complete, neutral and accurate. An entity disclosing Scope 3 greenhouse gas emissions also needs to disclose information about the measurement approach, inputs and assumptions it uses.

[18:30] Who qualifies for ISSB S2? – ISSB S2 applies to all entities that are required by law, regulation, or administrative provision to prepare financial statements. This includes, but is not limited to:
· Publicly listed companies
· Large private companies
· Financial institutions such as banks and insurance companies
· State-owned enterprises

Entities are encouraged to adopt ISSB S2 voluntarily, even if they are not mandated by law or regulation. Early adoption is permitted and encouraged to enhance transparency and accountability in climate-related disclosures.

If you would like some help with your carbon emissions reporting, please get in touch with Carbonology.

Sep 10, 2024 • 21min
#190 Understanding ESG Reporting - Streamlined Energy and Carbon Reporting (SECR)
Businesses face growing pressure to monitor energy use and carbon emissions to meet net zero targets. The discussion highlights various regulations, including Streamlined Energy and Carbon Reporting (SECR) and its significance in ESG reporting. Key topics include who qualifies for SECR, its reporting requirements, and how it complements other carbon management strategies. With the urgent climate crisis, understanding these regulations is essential for companies aiming for transparency and sustainability.

Sep 4, 2024 • 36min
#189 Mintago’s Information Security Success with ISO 27001
There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, with that amounting to over 35 million known records breached. It has become clear in recent years that information security isn’t just a ‘nice to have’, it’s a necessity to ensure you and your client’s data are protected. Which is especially the case for those processing personal and financial data, such as today’s guest, Mintago. In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and benefits felt from certification to the leading Information Security Standard. You’ll learn · Who are Mintago? · Who is Tom Catnach? · What was the main driver behind achieving ISO 27001? · What was the biggest ‘gap’ identified in the Gap Analysis? · What have they learned from the experience? · What are the benefits of certification to ISO 27001? · What does the threat horizon for information security look like? Resources · Mintago · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification. [02:20] Who are Mintago? – Mintago are an employee benefits company, who work with companies to help their employees be financially better off. 
They do this in a number of ways, including: · Finding lost pension pots · Help to save money through finding discounts · Retirement planning · Offering various salary sacrifice products · Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings · Helping people to be more financially literate [05:10] Who is Tom Catnach?: Tom has a split role at Mintago, his primary role being Head of Product and secondary being Information Security Officer. Through both roles he looks after all the products and offerings as well as the information security across the business, he was also the driving force behind achieving ISO 27001. Outside of work, Tom likes to travel via motorbike, preferring to stay away from the screens and enjoying the sights. [06:30] What was Mintago’s main driver to Implement ISO 27001?: Mintago, and most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure it’s security. Mintago were looking for a robust framework to base their Information Security around, and what better option that the leading Information Security Standard, ISO 27001. ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base for policies, training ect to roll out to new hires as they expand. [08:30] Aligning Standards with core values: Trust is one of Mintago’s core values and they want to give their clients the assurance that they can be trusted to protect their data. ISO 27001 can be compared to the likes of Bcorp as it’s an on-going process. It doesn’t just stop at getting the certificate, you have annual surveillance to ensure you are still compliant year on year. [10:15] What was the scope of Mintago’s certification?: For the initial implementation, Mintago opted to just scope in Product and Customer Service. 
This was because all of the sensitive data is handled in those departments and they don’t allow access to any other teams, so it made sense to start there with a view to expand the scope after certification. That being said, they still rolled out Information Security training to all staff, and everything has been set-up to allow for an easy business wide roll-out when they’re ready. [11:50] How long was Mintago’s certification journey?: They started their journey in September 2023, in fact it was Tom’s first project with Mintago! Mintago enlisted Blackmores help to implement ISO 27001, and after nine months they have been successfully certified. Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it’s an advantage to implement ISO Standards early while your agile so that your management system grows with you. [14:25] What was the biggest ‘gap’ identified at the Gap Analysis? Mintago are lucky in the fact that they are a new business so are using modern tech, and don’t have the burden a larger site or other physical elements such as rack mounted servers. However, policy, procedure and evidence to ensure they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place and that last 30% was mostly down to having the ability to evidence their compliance. There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place. [16:35] Did Mintago experience any significant barriers in addressing identified gaps? Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to. One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management Solution (MDM), antivirus and anti-phishing in place. 
When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago’s size. Many organisations sadly prioritize bigger potential clients, and so it took a while to finally get all the required software. [18:45] Engagement is key - Getting everyone involved with the management system is critically important. Especially with information security as the people most often targeted are frontline workers, so they need to be actively engaged in security. Mintago also has the advantage of being a smaller business, so getting communication out isn’t a hardship and resulted in high engagement. This was benefitted from a top-down initiative via their ‘C-Suite’. Tom also states that you can make any necessary training more lighthearted, team based or interactive, as that’s something that people would want to engage in. It’s also important to stress that any information security training can be beneficial for personal use too to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online. [23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? - The biggest thing was how their internal process could be improved. For example, looking at the scenario of ‘what if our back-ups don’t work?’, ISO 27001 drilled down to ask specifics such as: · How do we recover from that scenario? · Are we 100% confident in our back-ups? · Will they work near instantaneously? · What’s Mintago’s availability like in that scenario? · How do we prevent disruption to our clients during that scenario? So, while they did have back-ups they weren’t necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system. 
With regard to threat horizons, Mintago do follow OWASP practices and keep the team informed via e-mail, newsletters and GitHub repositories.

[25:00] Internal Auditing – A beneficial tool – Tom found the internal auditing process to be very beneficial for Mintago; they currently carry out a few audits a month on average. Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve-wracking for Stage 1 and 2, as they would determine whether they would be certified. Mintago passed their Stage 1 (documentary review) with flying colours, while their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.

[27:20] Minor non-conformities aren’t the end of the line – There’s a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can’t be certified, but that’s simply not true! If an Assessor is comfortable that you are in a good position for certification, they will recommend you. ISO Standards are all about continual improvement, which is something Mintago are embracing as they continue to address issues raised at audits.

[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:
· Internal Stakeholders – The team worked hard to achieve the Standard and have embraced its core qualities to the benefit of their own Information Security practices.
· Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other’s commitment to information security.
· Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.
[31:10] Any concerns on the threat horizon?: As the Information Security Officer, Tom is concerned about new emerging trends in AI-led scams. They’re going to be a lot more sophisticated and harder to spot and deal with. Thankfully, even if they are impacted, the effect will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control, which could face dire consequences if they were to be affected by a data incident. However, with ISO 27001 Mintago are in a good place to keep on top of their threat horizon and have the processes in place to mitigate potential incidents and continually improve their own security.

[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It’s not just about getting a badge; they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place. If you would like to learn more about Mintago and their financial services, check out their website.

We’d love to hear your views and comments about the ISO Show, here’s how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List

Aug 27, 2024 • 27min
#188 GHG Protocol VS ISO 14064-1
Explore the world of greenhouse gas accounting and discover how crucial it is for environmental responsibility. Delve into the leading reporting frameworks: the GHG Protocol and ISO 14064-1. Find out their similarities and key differences, including how they address indirect emissions. Learn how these frameworks can complement each other and the importance of choosing the right one for your organization. This conversation is a must-listen for those navigating the complexities of GHG emissions reporting.

Aug 20, 2024 • 40min
#187 How To Utilise ISO Compliance for ESG Reporting
Navigating ESG reporting can be daunting for organizations. Discover how ISO Standards can be the backbone of effective ESG compliance. Learn the significance of aligning ESG strategies with business goals and the evolving world of certifiable standards. Explore the challenges of measuring social value and combating greenwashing. This discussion emphasizes accountability, transparency, and ethical practices, crucial for appealing to future generations and fostering sustainable business operations.

Aug 13, 2024 • 37min
#186 Business Continuity lessons learnt from CrowdStrike
In July 2024, a logic error in an update for CrowdStrike’s Falcon software caused 8.5 million Windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all affected machines took weeks to complete. Many businesses were caught up in the disruption, regardless of whether it affected them directly or by proxy due to affected suppliers. So, what can businesses learn from this? Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.

You’ll learn
· What happened following the CrowdStrike crash?
· How long did it take businesses to recover?
· Which ISO management system standards would this impact?
· How can you use your Management System to address the effects of an IT incident?
· How would this change your understanding of the needs and expectations of interested parties?
· How do risk assessments factor in where IT incidents are concerned?

Resources
· Isologyhub
· ISO 22301 Business Continuity

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign-up or book a demo.

[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications for your Management System and business continuity lessons learned that you can apply ahead of any potential future incidents.

[03:00] What happened following the CrowdStrike crash? – In short, an update to CrowdStrike’s Falcon software brought down computer systems globally. 8.5 million Windows systems, which in reality is less than 1% of Windows systems, were affected as a result of this error.
Even so, the damage could still be felt across key pillars of our societal infrastructure, with a lot of hospitals and transportation such as trains and airlines being the worst affected.

[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn’t mean that affected computers would be automatically fixed. In many cases applying the fix meant that engineers had to go on site to many different locations, which is both time-consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem. So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve, as not everyone has IT or tech support in the field to issue a manual reboot. A lot of businesses were caught out as they don’t factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).

[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:
· What systems do you use?
· How reliable are the third-party applications that you use?
· If an issue like this were to recur, how would it affect us?
· Do we have the necessary resources to fix it, e.g. staff on site if needed?
Third parties will have a lot of clients, and some may even prioritise those that pay for a more premium package, so you can’t always count on them for a quick fix.

[09:10] How does this impact our businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can’t afford to say ‘We don’t use CrowdStrike, therefore it did not impact us’ – it may have impacted your suppliers or your customers.
Even if there was zero impact, lessons can be learned from this event for all companies. Standards that were directly affected by the outage were:
· ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
· ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
· ISO 20000-1 – IT Service Management: Risk Assessment of service delivery; Service continuity; Service Availability
Remember, our management systems should reflect reality and not aspiration.

[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost, an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company’s system for capturing non-conformities or continual improvement. You could liken this to how ISO 45001 requires you to report accidents and incidents. From the Incident a plan can be created, which should include changes to be considered or made to the management system. The Incident should lead us to conduct a lessons learned activity to determine where changes and improvements need to be made. We are directed in all standards to ‘Understanding the Organisation and its context’. The key requirement here is to determine the internal and external issues that can impact your management system and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE, the CrowdStrike/Microsoft outage should be included in this analysis as a threat and/or technical issue.

[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they’re delivering.
So you could send them an e-mail to ask how they dealt with the issue, what actions they took and how long it took to fully restore services. This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk levels if you are privy to their recovery plans. Many people still think of that requirement only in relation to goods and products, e.g. has my order been delivered, etc. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it’s being delivered.

[17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.

[19:50] Once you have established lessons learnt, what’s next? – The Standards provide a logical path to work through. One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result. Do not simply put the sole blame on a third party with whom an incident may have originated. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault. One such finding may be your lack of business continuity plans, in which case looking at implementing aspects of ISO 22301 may be an action to consider. It’s also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted. If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.
[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn’t just be a one-time thing. You should be revisiting them after incidents and any major changes within the business. Ideally, you should be looking at them in all your meetings, as many actions may need to be escalated to a strategic level. If you’d like to learn about how one of our clients embraced SWOT and PESTLE, and used it to their advantage, check out episode 53.

[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? – How has the outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:
· Risk Assessment
· BIA for BCP
· Recovery Plans
· DR plans
· Service Continuity

[27:50] What should you be considering with your risk assessments? – Risk assessments, if they follow the traditional methodology, will have Likelihood and Impact/Severity scores, and in the light of this outage, or any event, the likelihood and impact scores should be updated. If a company has set the likelihood as ‘once every 5 years’ it should seriously consider changing this to ‘once every 6 months’ or ‘once every year’ to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to ‘once every 5 years’. The impact is also important to look at. If a company has been impacted by this outage, what has it cost the company to recover? Talk to finance and other departments to understand the cost and change the scoring accordingly.

[33:20] Why should a business carry out a risk assessment as part of lessons learnt? – Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business.
In ISO 27001 there is a statement to identify the ‘Consequences of unintended changes’, and it could be argued that an outage on the level of the CrowdStrike/Microsoft outage was an ‘unintended change’ that led to consequences in many businesses. So, use your risk assessments as live tools to report on the reality facing the organisation. Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective. If a recovery plan has stated that this type of incident could be recovered in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed. Remember – your management system should reflect reality and not aspiration. If you’d like to book a demo for the isologyhub, simply contact us and we’d be happy to give you a tour.