

The ISO Show
Blackmores UK
Blackmores is a pioneering consultancy firm with a distinctive approach to working with our clients to achieve and sustain high standards in Quality, Risk and Environmental Management. We'll be posting podcasts discussing ISO standards here very soon!
Episodes
Sep 4, 2024 • 36min
#189 Mintago's Information Security Success with ISO 27001
There have been a reported 9,478 publicly disclosed data incidents in 2024 alone, amounting to over 35 million known records breached. It has become clear in recent years that information security isn't just a 'nice to have', it's a necessity to ensure your and your clients' data are protected. This is especially the case for those processing personal and financial data, such as today's guest, Mintago. In this episode, Tom Catnach, Head of Product and Information Security Officer for Mintago, explains their journey towards ISO 27001, the challenges faced and the benefits felt from certification to the leading Information Security Standard.
You'll learn
· Who are Mintago?
· Who is Tom Catnach?
· What was the main driver behind achieving ISO 27001?
· What was the biggest 'gap' identified in the Gap Analysis?
· What have they learned from the experience?
· What are the benefits of certification to ISO 27001?
· What does the threat horizon for information security look like?
Resources
· Mintago
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.
[02:15] Episode summary: Today we welcome guest Tom Catnach from Mintago to discuss their journey towards ISO 27001 certification.
[02:20] Who are Mintago? – Mintago are an employee benefits company who work with companies to help their employees be financially better off. They do this in a number of ways, including:
· Finding lost pension pots
· Helping people save money by finding discounts
· Retirement planning
· Offering various salary sacrifice products
· Helping companies to be more financially efficient with pension salary sacrifice or other national insurance savings
· Helping people to be more financially literate
[05:10] Who is Tom Catnach? – Tom has a split role at Mintago, his primary role being Head of Product and his secondary being Information Security Officer. Through both roles he looks after all the products and offerings as well as information security across the business, and he was also the driving force behind achieving ISO 27001. Outside of work, Tom likes to travel by motorbike, preferring to stay away from screens and enjoy the sights.
[06:30] What was Mintago's main driver to implement ISO 27001? – Mintago, like most other businesses by their nature, are required to hold a lot of sensitive data and so have a responsibility to their clients and employees to ensure its security. Mintago were looking for a robust framework to base their Information Security around, and what better option than the leading Information Security Standard, ISO 27001. ISO 27001 also offers the assessment of general business practice, and allows for growth and scaling. As a start-up, they wanted to have a solid base of policies, training etc. to roll out to new hires as they expand.
[08:30] Aligning Standards with core values: Trust is one of Mintago's core values and they want to give their clients the assurance that they can be trusted to protect their data. ISO 27001 can be compared to the likes of B Corp as it's an ongoing process. It doesn't just stop at getting the certificate; you have annual surveillance to ensure you are still compliant year on year.
[10:15] What was the scope of Mintago's certification? – For the initial implementation, Mintago opted to scope in just Product and Customer Service. This was because all of the sensitive data is handled in those departments and access is not given to any other teams, so it made sense to start there with a view to expanding the scope after certification. That being said, they still rolled out Information Security training to all staff, and everything has been set up to allow for an easy business-wide roll-out when they're ready.
[11:50] How long was Mintago's certification journey? – They started their journey in September 2023; in fact it was Tom's first project with Mintago! Mintago enlisted Blackmores' help to implement ISO 27001, and after nine months they were successfully certified. Tom attributes their ease of implementation to the fact that they are currently a small business, citing that it's an advantage to implement ISO Standards early while you're agile, so that your management system grows with you.
[14:25] What was the biggest 'gap' identified at the Gap Analysis? – Mintago are lucky in that they are a new business using modern tech, and don't have the burden of a larger site or other physical elements such as rack-mounted servers. However, the policy, procedure and evidence to show they were doing the right thing were lacking at the start of their journey. They did have a good 70% in place, and that last 30% was mostly down to having the ability to evidence their compliance. There was also some additional work to do to improve existing policies and procedures. One example of this was having a solid Business Continuity Plan in place.
[16:35] Did Mintago experience any significant barriers in addressing identified gaps? – Being a smaller business, they were able to adapt a lot quicker than a larger organisation may have been able to. One of the biggest struggles for Tom was getting the necessary technology to aid with Information Security. They needed to show that they had a competent Mobile Device Management (MDM) solution, antivirus and anti-phishing in place. When trying to buy some software solutions, Tom encountered a lot of companies simply not replying to his requests due to Mintago's size. Many organisations sadly prioritise bigger potential clients, and so it took a while to finally get all the required software.
[18:45] Engagement is key – Getting everyone involved with the management system is critically important, especially with information security, as the people most often targeted are frontline workers, so they need to be actively engaged in security. Mintago also has the advantage of being a smaller business, so getting communication out isn't a hardship, and this resulted in high engagement. It also benefitted from a top-down initiative via their 'C-Suite'. Tom also states that you can make any necessary training more lighthearted, team-based or interactive, as that's something people will want to engage in. It's also important to stress that any information security training can be beneficial for personal use too, to avoid being a victim of fraud or a scam. It can be something people take away to their family members to ensure they stay safe online.
[23:10] Did the adoption of ISO 27001 highlight any issues not already considered by Mintago? – The biggest thing was how their internal process could be improved. For example, looking at the scenario of 'what if our back-ups don't work?', ISO 27001 drilled down to ask specifics such as:
· How do we recover from that scenario?
· Are we 100% confident in our back-ups?
· Will they work near instantaneously?
· What's Mintago's availability like in that scenario?
· How do we prevent disruption to our clients during that scenario?
So, while they did have back-ups, they weren't necessarily considering the whole scenario, especially if those back-ups were to fail. ISO 27001 ultimately helped to flesh out existing plans to make a much more robust system. In regards to threat horizons, Mintago do follow OWASP guidance and keep the team informed via e-mail, newsletters and GitHub repositories.
[25:00] Internal Auditing – A beneficial tool – Tom found the internal auditing process to be very beneficial for Mintago; currently they do a few a month on average. Blackmores assisted with the audits during implementation to ensure they were in the right place for assessment. Of course, the Certification Body audits were a bit more nerve-wracking for Stage 1 and 2, as they would determine whether they would be certified. Mintago passed their Stage 1 (documentary review) with flying colours; their Stage 2 (evidence checking) highlighted a few non-conformities that were quickly addressed. Following the Stage 2, they were recommended for ISO 27001 certification.
[27:20] Minor non-conformities aren't the end of the line – There's a common misconception that getting a certain number of minor non-conformities during a Stage 2 assessment means you can't be certified, but that's simply not true! If an Assessor is comfortable that you are in a good position for certification, they will recommend you. ISO Standards are all about continual improvement, which is something Mintago are embracing as they continue to address issues raised at audits.
[29:00] Benefits of ISO 27001 certification – Benefits Mintago are already experiencing include:
· Internal Stakeholders – The team worked hard to achieve the Standard and have embraced its core qualities to the benefit of their own Information Security practices.
· Positive Market Response – Much larger clients who are also ISO 27001 certified now have a mutual understanding of each other's commitment to information security.
· Gaining certification early – As a start-up, Mintago are agile and will be able to develop and mature their ISMS (Information Security Management System) as they grow.
[31:10] Any concerns on the threat horizon? – As the Information Security Officer, Tom is concerned about new emerging trends in AI-led scams. They're going to be a lot more sophisticated and harder to spot and deal with. Thankfully, even if they are impacted, it will be rather isolated. Tom raises concerns for vital services such as Air Traffic Control, which could face dire consequences if they were to be affected by a data incident. However, with ISO 27001 Mintago are in a good place to keep on top of their threat horizon, and have the processes in place to mitigate potential incidents and continually improve their own security.
[34:30] In Summary: Mintago are a shining example of gaining certification for the right reasons. It's not just about getting a badge; they have truly embraced a culture of continual improvement and are utilising ISO 27001 to ensure they have a robust information security management system in place. If you would like to learn more about Mintago and their financial services, check out their website.
We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or LinkedIn
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
Aug 27, 2024 • 27min
#188 GHG Protocol VS ISO 14064-1
Explore the world of greenhouse gas accounting and discover how crucial it is for environmental responsibility. Delve into the leading reporting frameworks: the GHG Protocol and ISO 14064-1. Find out their similarities and key differences, including how they address indirect emissions. Learn how these frameworks can complement each other and the importance of choosing the right one for your organization. This conversation is a must-listen for those navigating the complexities of GHG emissions reporting.
Aug 20, 2024 • 40min
#187 How To Utilise ISO Compliance for ESG Reporting
Navigating ESG reporting can be daunting for organizations. Discover how ISO Standards can be the backbone of effective ESG compliance. Learn the significance of aligning ESG strategies with business goals and the evolving world of certifiable standards. Explore the challenges of measuring social value and combating greenwashing. This discussion emphasizes accountability, transparency, and ethical practices, crucial for appealing to future generations and fostering sustainable business operations.
Aug 13, 2024 • 37min
#186 Business Continuity lessons learnt from CrowdStrike
In July 2024, a logic error in an update to CrowdStrike's Falcon software caused 8.5 million Windows computers to crash. While a fix was pushed out shortly after, the nature of the error meant that a full recovery of all affected machines took weeks to complete. Many businesses were caught up in the disruption, regardless of whether it affected them directly or by proxy through affected suppliers. So, what can businesses learn from this? Today, Ian Battersby and Steve Mason discuss the aftermath of the CrowdStrike crash, the importance of good business continuity and what actions all businesses should take to ensure they are prepared in the event of an IT incident.
You'll learn
· What happened following the CrowdStrike crash?
· How long did it take businesses to recover?
· Which ISO management system standards would this impact?
· How can you use your Management System to address the effects of an IT incident?
· How would this change your understanding of the needs and expectations of interested parties?
· How do risk assessments factor in where IT incidents are concerned?
Resources
· Isologyhub
· ISO 22301 Business Continuity
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.
[02:05] Episode summary: Ian Battersby is joined by Steve Mason to discuss the recent CrowdStrike crash, the implications for your Management System and the business continuity lessons learned that you can apply ahead of any potential future incidents.
[03:00] What happened following the CrowdStrike crash? – In short, an update to CrowdStrike's Falcon software brought down computer systems globally. 8.5 million Windows systems, which in reality is less than 1% of Windows systems, were affected as a result of this error. Even so, the damage could still be felt in key pillars of our societal infrastructure, with a lot of hospitals and transportation such as trains and airlines being the worst affected.
[04:45] How long did it take CrowdStrike to issue a fix? – CrowdStrike fixed the issue in about 30 minutes, but this didn't mean that affected computers would be automatically fixed. In many cases applying the fix meant that engineers had to go on site to many different locations, which is both time consuming and costly. In some cases Microsoft said that some computers might need as many as 15 reboots to clear the problem. So, a fix that many were hoping would solve the issue ended up taking a few weeks to fully resolve, as not everyone has IT or tech support in the field to carry out a manual reboot. A lot of businesses were caught out as they don't factor this into their recovery time, some assuming that an issue like this is guaranteed to be fixed within 48 hours, which is not something you can promise. You need to be realistic when filling out a Business Impact Assessment (BIA).
[07:55] How do you know in advance if an outage will need physical intervention to resolve? – There is a lesson to be learnt from this most recent issue. You need to take a look at your current business continuity plans and ask yourself:
· What systems do you use?
· How reliable are the third-party applications that you use?
· If an issue like this were to recur, how would it affect us?
· Do we have the necessary resource to fix it, i.e. staff on site if needed?
Third parties will have a lot of clients, and some may even prioritise those that pay for a more premium package, so you can't always count on them for a quick fix.
[09:10] How does this impact our businesses in terms of our management standards? – When we begin to analyse how this has impacted our management systems, we can't afford to say 'We don't use CrowdStrike, therefore it did not impact us' – it may have impacted your suppliers or your customers. Even if there was zero impact, lessons can be learned from this event by all companies. Standards that were directly affected by the outage were:
· ISO 22301 – Business Continuity: Recovery times RPO and RTO; BIA; Risk Assessments
· ISO 27001 – Information Security: Risk Assessment; Likelihood; Severity; BCP; ICT readiness
· ISO 20000-1 – IT Service Management: Risk Assessment of service delivery; Service continuity; Service Availability
Remember, our management systems should reflect reality and not aspiration.
[11:30] How do we use our Management Systems to navigate a path of corrective action and continual improvement? – First and foremost, an event like this must be raised as an Incident – in this case it would no doubt have been a Major Incident for some companies. This incident will typically be recorded in the company's system for capturing non-conformities or continual improvement. You could liken this to how ISO 45001 requires you to report accidents and incidents. From the Incident a plan can be created, which should include changes to be considered or made to the management system. The Incident should lead us to conduct a lessons learned activity to determine where changes and improvements need to be made. We are directed in all standards to 'Understanding the Organisation and its context'. The key requirement here is to determine the internal and external issues that can impact your management system and prevent it from being effective. Whatever method a company uses for this, perhaps a SWOT and PESTLE, the CrowdStrike/Microsoft outage should be included in this analysis as a threat and/or technical issue.
[15:15] What are the lessons learned from our supply chain? – In many ISO Standards, such as ISO 9001 and ISO 27001, there is a requirement to review your suppliers and the effectiveness of the service they're delivering. So you could send them an e-mail to ask how they dealt with the issue, what actions they took and how long it took to fully restore services. This is a collaborative process that you can factor into your own risk assessments, as you can make a better judgement on future risk level if you are privy to their recovery plans. Many people still think of that requirement only in relation to goods and products, i.e. has my order been delivered etc. However, it relates to services such as IT infrastructure as well. You rely on that service, so evaluate how well it's being delivered.
[17:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign up or book a demo.
[19:50] Once you have established lessons learnt, what's next? – The Standards provide a logical path to work through. One of the first steps is to conduct a SWOT and PESTLE, and doing so after a major incident is recommended, as your threats and weaknesses may have changed as a result. Do not simply put the sole blame on a third party from whom an incident may have originated. This is about your response and recovery, your plans coming into effect to deal with the situation, not about who is at fault. One such finding may be your lack of business continuity plans, in which case looking at implementing aspects of ISO 22301 may be an action to consider. It's also important to note down any positives from the incident too. You may have dealt with something very fast, communicated the issue effectively and worked with clients to ensure that their level of service was minimally impacted. If a team dealt with a situation particularly well, they should be recognised for that, as it really does go a long way.
[23:55] The importance of revisiting your SWOT and PESTLE: These exercises shouldn't just be a one-time thing. You should be addressing these after incidents and any major changes within the business. Ideally, you should be looking at these in all your meetings, as many actions may need to be escalated to a strategic level. If you'd like to learn about how one of our clients embraced SWOT and PESTLE and used it to their advantage, check out episode 53.
[25:20] How has our understanding of the needs and expectations of Interested Parties been changed? – How has the outage impacted the needs and expectations of interested parties? Understanding this might lead companies to ask questions about the robustness and effectiveness of different parts of the management system:
· Risk Assessment
· BIA for BCP
· Recovery Plans
· DR plans
· Service Continuity
[27:50] What should you be considering with your risk assessments? – Risk Assessments, if they follow the traditional methodology, will have Likelihood and Impact/Severity scores, and in the light of this outage, and indeed any event, the Likelihood and Impact scores should be updated. If a company has set the likelihood as 'once every 5 years' it should seriously consider changing this to 'once every 6 months' or 'once every year' to understand if this poses any new risks to the business. The likelihood score would of course be updated every year until it has recovered to 'once every 5 years'. The impact is important to look at. If a company has been impacted by this outage, what has it cost the company to recover? Talk to finance and other departments to understand the cost and change the scoring accordingly.
[33:20] Why should a business carry out a risk assessment as part of lessons learnt? – Our risk assessments are not a one-off, but should be living documents that reflect the status of threats to the business. In ISO 27001 there is a statement to identify the 'consequences of unintended changes', and it could be argued that an outage on the level of the CrowdStrike/Microsoft outage was an 'unintended change' that led to consequences in many businesses. So, use your risk assessments as live tools to report on the reality facing the organisation. Similarly, BIA assessments for BCP should be reviewed to determine if the assumed impact reflects the real impact; also look at the recovery plans to see if they are effective. If a recovery plan has stated that this type of incident could be recovered from in 48 hours, and in reality it has taken 2 weeks, it means that recovery times in terms of RPO and RTO should be reviewed. Remember – your management system should reflect reality and not aspiration.
If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.
Aug 6, 2024 • 22min
#185 Addressing Opportunities for Improvement
Continual Improvement is at the heart of every ISO Standard. The cyclical nature of ISO Standards lends itself to regular review and update of your Management System, to ensure it's working efficiently and to address any issues or opportunities that inevitably crop up. However, integrating these improvements can be challenging, even for mature systems. Today Ian Battersby explains the concept of Improvement as defined in ISO Standards, how to find the root cause of non-conformities and how to integrate improvement actions from multiple sources.
You'll learn
· What is meant by 'Improvement' in ISO Standards?
· Common misconceptions about Improvement in ISO Standards
· How to address non-conformities in your Management System
· Finding the root cause of a non-conformity
· Integrating Improvement actions
Resources
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.
[02:05] Episode summary: Ian Battersby will be explaining what Improvement means in relation to ISO Standards, how to address non-conformities and how to integrate the required Improvement actions.
[02:30] What is meant by 'Improvement' in ISO Standards? – One of the requirements of all Management System standards is to determine and select opportunities for improvement (Clause 10). This is the fundamental aim of Management Systems: to make things better. In the words of the standards, it is so that an organisation can: "Implement any necessary actions to meet customer requirements and enhance customer satisfaction. These shall include: a) improving products and services to meet requirements as well as to address future needs and expectations; b) correcting, preventing or reducing undesired effects; c) improving the performance and effectiveness of the management system." An organisation going through certification for the first time may never have had a system in place for planning improvements. Some organisations are dealing with improvements, but not necessarily through a single, consistent route. You can meet the requirements of the standards without a single route, as the standard is not prescriptive in how you go about this.
[04:45] Common misconceptions about non-conformities – The standard does go on to cover nonconformity and corrective action (10.2), and in doing so it suggests these as the main source of non-conformities (NCs). It isn't really explicit about other sources, other than specifically including customer complaints as a form of NC. However, there's a strong argument for consolidating data from different sources, so it's worth considering how complaints data is handled. Other sources of non-conformities can include your Internal Audit findings, addressing where you may not be meeting client expectations, addressing failure to meet legal obligations etc. As a reminder, ISO 9000 (Fundamentals and vocabulary) includes the definition of nonconformity: non-fulfilment of a requirement, where a requirement is a need or expectation that is stated, generally implied or obligatory, i.e. a legal or client expectation.
[10:00] Addressing non-conformities – You need to evaluate the need for action to eliminate the cause of the nonconformity, to ensure that the issue doesn't recur or pop up elsewhere. When a non-conformity does occur, you need to:
· Determine the causes
· Determine whether similar nonconformities exist, or could potentially occur
Any corrective actions should be appropriate to the effects of the nonconformities encountered. So, you don't need to commit a huge amount of resource to minor issues.
[11:40] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign up or book a demo.
[13:40] Finding the cause of non-conformities – Without removing the cause, repetition may occur, and this is where integrating improvement data from multiple sources comes into its own. The idea of common cause is that a single cause may manifest itself in very different outcomes. For example, a lack of competence could lead to a process being delivered wrongly, leading to a reduced level of quality in a service or product, which would be picked up as an NC. Competence is an area which can also lead to NCs through a health & safety incident or environmental incident, if people aren't trained to use equipment or follow set procedures. It can also lead to a customer complaint where the failed process is apparent to a customer. If a product NC isn't spotted until after the product is delivered or in service, it could lead to:
· A warranty claim
· A claim for damages, should it lead to harm or loss to the customer
· A regulatory breach, or even enforcement or legal action
Some of these outcomes may not be apparent until they have impacted upon a customer or other interested party, so would not be recorded internally through a nonconformity system. All this to say, finding the root cause will require looking in a lot of different places. Having a common methodology in place to address non-conformities, including considerations for different types of issues, makes life a lot easier.
[15:55] Integrating Improvements from multiple sources: There are many sources which can highlight opportunities for Improvement, including:
· Internal Audit – This is a conformity assessment, so any gaps or issues identified will be NCs that need addressing.
· Surveillance Audit / Certification Audit – Your Certification Body will also be conducting a third-party conformity assessment, which may highlight something you've missed in your own internal audits.
· Supply Chain Audit – Auditing your supply chain can also highlight NCs that you can encourage them to address, both for your benefit and theirs.
· Client Audit – You may be audited by clients, especially where there may be specific technical industry-related issues.
· Management Review – This is the perfect platform to identify Opportunities for Improvement. You can highlight NC trends from Internal Audits here and decide whether they need to be addressed separately. You will often have members of senior management present at a Management Review, so there is a greater chance for you to plan tangible actions to address issues, especially if they are business critical.
· SWOT / PESTLE – This usually happens early on in the Implementation phase, but there's no reason why you can't repeat the exercise on an annual basis. This exercise directly identifies your risks and opportunities, both from internal and external sources. Get input from all levels of staff, as they may also shed light on potential NCs and opportunities other departments may not even be aware of.
· Accident reporting / Safety observations – Any incident should be viewed as an opportunity to improve. Some accidents are unavoidable, but many are a result of someone not following instructions, equipment being left unattended or in the wrong location etc. Addressing these will help you to ensure a safer environment.
· Site inspections – Just walking around your site can yield new insights. Ask other departments that may not visit your area to do a sweep and report any findings. Sometimes all you need is a fresh pair of eyes to highlight issues you've missed.
· Complaints / Other customer feedback – Allow clients and stakeholders to have input.
· Regulatory requirements – You may discover you are breaching a regulation, which needs to be addressed ASAP. Consider a legal register to keep track of all your legal and regulatory requirements.
· Enforcement (HSE, EA, professional body) – You may have opportunities for improvement enforced by bodies such as the HSE or Environment Agency.
· Management Action – Any management meetings should take opportunity suggestions from both management and the general workforce.
· Product NCs – If you're in the manufacturing industry, you likely already have a system in place for monitoring any product-related non-conformities. This process can be applied on a broader scale, as it embodies the same principles: identify the problem, find the root cause, address the root cause, put preventative measures in place to stop recurrence.
Jul 30, 2024 • 26min
#184 Proactive Hazard Reporting – Consultation and Participation in ISO 45001
In the workplace, everyone is responsible for safety. It's not just for managers or senior management to worry about where legislation is concerned; everyone from the top to the bottom needs to be actively ensuring the safety of others. ISO 45001 highlights the importance of this in its most recent iteration, which includes a specific requirement for the consultation and participation of workers. But how does this work in practice? Today Ian Battersby explains what consultation and participation of workers in ISO 45001 is, and how you can incorporate elements of reactive and proactive hazard reporting to meet that requirement.
You'll learn
· What is consultation and participation of workers in ISO 45001?
· What is the identification of hazards?
· What's the difference between reactive and proactive hazard reporting?
· Common approaches to reactive and proactive hazard reporting
· Proactive hazard reporting in action
Resources
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Ian Battersby will be explaining reactive and proactive hazard reporting, and how this relates to the consultation and participation of workers (clause 5.4) requirement in ISO 45001.
[02:30] What is 'Consultation and Participation of workers'? – ISO 45001's clause 5.4 states: "The organization must have a process for consultation and participation of workers at all levels and functions, and their representatives in the development, planning, implementation, performance evaluation and actions for improvement of the OH&S management system." ISO 45001 expects occupational health and safety aspects to be fully embodied within the organisation structure. All workers should be aware of their responsibilities, and work together to meet the organisation's health and safety goals. Everyone is responsible for safety.
Consultation implies two-way communication, so workers can provide feedback to be considered by the organisation before taking a decision. This is important; the organisation has to consider workers' feedback before making decisions.
Participation implies the contribution of workers, including non-managerial workers, to decision-making related to OH&S performance and to proposed changes.
[05:50] Hazard Identification – A specific issue which must be considered is the identification of hazards:
· Identifying hazards and assessing risks and opportunities (Clauses 6.1.1 and 6.1.2);
· Determining actions to eliminate hazards and reduce OH&S risks.
There are numerous sources for consideration when it comes to hazards:
· How work is organised
· Routine/non-routine activities
· Past incidents
· Emergency situations
· People
· Processes
· Workplace design
· Equipment
· Change
[07:35] What's the difference between proactive and reactive hazard reporting? – Proactive is about spotting hazards in advance and putting in place measures to minimise the chances of them materialising and causing harm (e.g. through an accident). Reactive is in response to an event which has already occurred, such as an accident; a hazard already existed without being spotted and dealt with.
[08:20] A common approach to proactive hazard reporting – Risk Assessment. Consider hazard sources (i.e. people, processes, equipment, workplace etc.) and consider what may happen; what could go wrong. Then consider what controls could be put in place to try and prevent that happening. Risk assessment can help you to demonstrate worker consultation and participation by including those affected:
· Involved in or affected by an activity
· Those delivering a process
· Using equipment
· Occupying a workplace
Those people have valuable knowledge and understanding, sometimes more so than someone in a supervisory / managerial role. And an absolute must: recording that all employees have read, understand and are committed to the controls included in Risk Assessments; that process may also give rise to workers' further involvement, through querying, suggesting change etc. This also helps the culture of hazard spotting and promotes engagement among the workforce, both of which are vital in driving a proactive approach.
[11:10] A common approach to reactive hazard reporting: Accident reporting systems are the obvious choice. However, there are ways you can make this more proactive. There are various levels to accident reporting. Traditional systems wait until an accident occurs before recording and acting upon it. Some organisations also record near misses: where an event has occurred, but no harm has been caused. This approach in itself can be very valuable, and it provides an opportunity to act before any harm has occurred. However, we can go a step further and allow the workforce to observe what's happening in their surroundings, and listen to what they feel may present a hazard to them and their colleagues (remember, everyone is responsible for safety).
[13:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[15:30] Proactive hazard reporting in action: Ian recounts his experience in a previous company where their proactive hazard reporting led to meaningful change. This took place in a large manufacturing plant, but there was also significant office-based activity as well. Because of the nature of the work, many people would not have access to online systems, so there were both online and paper systems; this is important: if everybody is responsible, everybody needs access, and engagement is vital. In addition to the traditional accident/near miss system, there was a safety observation card (all data ended up in the same database). It was simple to fill out, and would have only taken about 5 minutes at most. In an organisation of 500ish, we received 2200 observation cards per year by the time I left. When combined with accidents/incidents, there's a predictable cycle: more reports, poor quality, more accidents, better quality, improved actions, fewer accidents.
[17:30] Creating an observation card: It should be easy to understand and record what's necessary. Recommended content includes:
· Date / Time
· Who was involved – employee / contractor / visitor etc.
· Location of hazard / incident
· Description of hazard / incident (ideally in 10 words or less)
You could get more granular and include:
· Identification of an unsafe condition or unsafe act
· Type of hazard or incident: slip, trip or fall / exit obstructed / machinery being used unsafely / unsafe structure / not using PPE
You could also include an option for actions taken, e.g. if you decided to inform a manager of the issue, or if you've corrected someone on the use of equipment or PPE etc.
[21:15] The importance of peer inspections: Often they would have supervisors from one area checking a different one. This fresh pair of eyes may offer new insight into something that you usually miss! Note that you should also encourage any site visitors to do the same. The fact that you'd ask them to report any incident also displays that you take safety seriously, and are open to feedback to improve.
[22:40] Hazard scoring: In order to judge that quality, they went a step further and graded all observations from 1-3:
1. Saw something but didn't act
2. Saw it, acted to put it safe there and then
3. Saw it, acted to prevent it happening again
This allowed them to judge how effective hazard spotting is in removing the cause, and filters out points-scoring.
[22:45] The results speak for themselves:
· Increasing number of observations
· Increasing number of participants
· Increasing quality of observations
· Reducing number and severity of accidents
Over five years, they increased the number of observations per employee ten-fold. As a result, they reduced lost time accidents by over 75%. This was a superb example of a personal safety campaign and a great demonstration of consultation and participation. It's not difficult to do, but it needs leadership commitment, constant and clear comms, user-friendly systems and effective analysis / reporting.
Jul 17, 2024 • 19min
#183 How can ISO Standards help with ESG Compliance?
ESG compliance has fast become a focus for many organisations looking to address their wider sustainability profile. However, its broad framework has left many scratching their heads on exactly where to start with evaluating and addressing the various elements of Environmental, Social, and Governance compliance. For those looking for some direction, you may already have a solid foundation in place if you're certified to one or many ISO Standards. Today Steph Churchman will explain what ESG is, how it can be scored and what role ISO Standards can play in ESG compliance.
You'll learn
· What is ESG?
· What scoring systems are available for ESG?
· How can ISO Standards support ESG compliance?
· What ISO Standards can support each pillar of ESG?
Resources
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Steph will be breaking down what ESG compliance means, how ISO Standards can support ESG compliance, and giving some examples of which ISO Standards can support each pillar of ESG.
[02:50] What is ESG? – ESG stands for Environmental, Social, and Governance. Analysis and evaluation against these three elements helps organisations to consider different areas within their overall sustainability profile. The Environmental section looks at issues surrounding climate change and actions to address an organisation's environmental responsibility. This includes monitoring and management of your energy consumption, waste management and pollution. It also seeks to tackle how organisations can address, reduce and mitigate their overall environmental impact. The Social aspect is based around the relationships an organisation has with its stakeholders. This is focused on employees and looks at a broad range of topics including employee wellbeing, fair and competitive pay, benefits and human resource related policies. Considerations can also include wider business relationships such as supplier relations, local community and government work. Governance criteria focus on creating a business environment that is fair, transparent, and accountable. Considerations in this area include board composition, fairness in pay structures and executive compensation, business ethics and risk management.
[04:15] An evolution of CSR – CSR (Corporate Social Responsibility) is very similar to ESG, but is less sustainability focused. It also lacked substance in the form of effective and accountable scoring systems that held businesses to account. This is where ESG differs, with many scoring systems, certifications and even mandatory requirements driving businesses to address their compliance.
[04:45] ESG scoring – There are many schemes, scoring systems and certifications available for ESG, some of which are specific to industry sectors and company sizes. Which one you pick will be up to you (note that some may be mandatory in select countries); however, here are a few examples:
· The S&P Global ESG Score – This assesses a company's performance and management of ESG risks and opportunities using a combination of company disclosures, media analysis, and industry-specific questionnaires. A score of 0-100 is given based on their findings and is relative within a company's industry sector.
· Fitch Ratings ESG Relevance Scores – Fitch Ratings assigns ESG Relevance Scores alongside their traditional credit ratings. These scores assess how ESG factors could impact a company's creditworthiness. Their scores range from 1-5, with 5 indicating the highest ESG relevance to credit risk.
· MSCI – They offer ESG ratings for a broad range of companies; it's not really limited by sector or size. They use a letter grade system, going from AAA-CCC, to assess a company's relative ESG risks and opportunities compared to its peers. The scoring for this one assigns companies as either an ESG leader, average or laggard within their industry.
[06:10] How can ISO Standards support ESG Compliance? – It's important to clarify that there's no single ISO standard that guarantees ESG compliance, because ESG is a broad framework. However, ISO standards provide a strong foundation for implementing many aspects of an ESG strategy.
[06:35] Supporting ESG – Structure and Framework: ISO standards offer a structured approach to managing environmental, social, and governance practices. This helps companies identify key areas for improvement and develop a systematic plan to address them.
[07:10] Supporting ESG – Improved Performance: By following ISO standards, companies can demonstrably improve their environmental performance, social responsibility, and governance structures by putting in frameworks that align with best practice standards.
[07:30] Supporting ESG – Transparency and Credibility: Achieving certification to a relevant ISO standard involves a third-party audit, which verifies that a company's systems and processes meet the standard's requirements. This certification acts as a credible signal to stakeholders such as your investors, customers and regulators that you're committed to ESG principles.
[07:55] Supporting ESG – Risk Management: Proactive management of ESG risks is a key component of any ESG strategy. Many ISO standards focus on risk identification and mitigation. For example, ISO 37001 (Anti-Bribery Management Systems) helps identify and address bribery risks, which can have significant financial and reputational consequences. Or ISO 45001 (Health and Safety Management), which requires risk assessments to be carried out to ensure the safety and well-being of your employees at site locations, which would fall under the social aspect of ESG.
[08:30] Supporting ESG – Competitive Advantage: Strong ESG performance is increasingly sought after by investors and stakeholders. Implementing ISO standards can help companies demonstrate their ESG commitment and gain a competitive advantage in the marketplace. You'll also feel the benefit of gaining multiple badges, through ISO certification and possibly an ESG score if you choose to go through one of the official scoring schemes.
[08:55] Think of ISO standards as building blocks. They provide the foundation and structure for a strong ESG strategy. By implementing relevant standards and achieving certification, you can demonstrate a dedicated commitment to ESG principles.
[09:50] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[11:55] What ISO Standards can support the Environmental aspect of ESG Compliance?:
· ISO 14001: Environmental Management – This provides a framework for managing environmental impacts, reducing waste, and improving your resource efficiency.
· ISO 50001: Energy Management – This helps companies monitor and optimize their energy use, with the aim of helping to reduce greenhouse gas emissions.
· ISO 20400: Sustainable Procurement – This will help you to adopt sustainable procurement principles and practices within your organisation, by looking at how you can reduce waste, choose more sustainable options for required resources, and extend the life of available resources through remanufacturing and recovery of waste; it also encourages the use of more innovative products and services.
· ISO 20121: Sustainable Event Management – This Standard is mostly applicable to the events sector, and aims to help reduce the amount of waste produced during events, either through potential energy savings or through the production and recycling of resources used during an event. It's recently had an update, so check out our latest episode to find out what the changes are.
· ISO 14064: Greenhouse Gas Verification – This provides a framework for measuring and managing greenhouse gas emissions. This is a crucial step if you're working towards Net Zero, as you need to know what your baseline is before you can work on reducing and offsetting remaining emissions.
· ISO 14068: A framework for helping businesses achieve Net Zero. This standard will replace PAS 2060 in November 2025, so anyone looking into PAS 2060 now may be better off going with ISO 14068, as it includes more guidance on purchasing credible carbon credits.
[14:15] What ISO Standards can support the Social aspect of ESG Compliance?:
· ISO 26000: Social Responsibility – which offers guidance on integrating social responsibility practices throughout your organization.
· ISO 45001: Occupational Health and Safety Management – which helps companies create a safe and healthy work environment. It provides a robust set of requirements designed for improving workplace safety in organisations and supply chains, with the aim of reducing workplace injury and illness.
· ISO 45003: Psychosocial Health & Safety Management, aka mental health in the workplace. For the last 4 years or so, work related stress, depression and anxiety have been the leading cause of work related ill-health cases and lost working days. That's according to the annual HSE reports, which clearly highlight a big issue that many more need to consider and address.
[14:15] What ISO Standards can support the Governance aspect of ESG Compliance?:
· ISO 9001: Quality Management – This is the leading global 'quality mark' for businesses and is designed as a vital business improvement tool. It's quite simply a blueprint for running your business successfully.
· ISO 22301: Business Continuity Management – which provides a basis for planning to ensure your long-term survivability following a disruptive event. This is a Standard that many align with but don't always certify to, and for good reason, as it provides some invaluable guidance for establishing robust Business Continuity Plans.
· ISO 27001: Information Security – This is a Standard that is commonplace in most sectors now, given how reliant we all are on tech. ISO 27001 will help you to implement an Information Security Management System (ISMS), which is a systematic approach to managing sensitive company information, ensuring it remains secure and available. It encompasses people, processes and IT systems.
· ISO 37001: Anti-Bribery Management Systems – The International Standard that allows organizations of all types to prevent, detect and address bribery by adopting an anti-bribery policy, appointing a person to oversee anti-bribery compliance, providing training and carrying out risk assessments.
· ISO 44001: Collaborative Business Management – This was originally a British Standard created to provide a framework for creating and managing collaborative business relationships between organisations. The standard promotes the best way for businesses to work together, effectively developing and managing their interactions with each other for maximum benefit to all.
Jul 10, 2024 • 21min
#182 ISO 20121:2024 updates – What you need to know ahead of your transition
ISO 20121:2012, the Standard for Sustainable Event Management, was originally created and launched in coordination with the London 2012 Olympics. 12 years on, it seems only fitting that its next revision would be applied to the 2024 Paris Olympic Games. 10 years on from its original release, the Standard has received a substantial update to not only bring it in line with other ISO Standards, but also to address additional elements within event management, such as human rights and legacy. Today Steph Churchman will explain the changes to ISO 20121:2024, what certified companies must do to transition and the consequences of not doing so before the deadline.
You'll learn
· What is ISO 20121?
· What are the changes to ISO 20121:2024?
· What steps should certified companies take to complete their transition?
· What should you be updating?
· What are the consequences of not completing your transition ahead of the deadline?
Resources
· Isologyhub
In this episode, we talk about:
[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo.
[02:05] Episode summary: Steph will be discussing the changes to the Sustainable Event Management Standard, ISO 20121:2024, in addition to outlining what you should be updating ahead of your transition to the latest version of the Standard.
[02:30] What is ISO 20121? – The Standard for Sustainable Event Management was originally created and launched in coordination with the London 2012 Olympics. When it came to planning the 2012 Olympic Games, they took a step back and considered the impact that the required development and construction would have on biodiversity, as well as how they could reduce their Greenhouse Gas emissions and general waste in the preparation and running of the event. 12 years on, it seems only fitting that its next revision would be applied to the 2024 Paris Olympic Games. ISO 20121 specifies the requirements for an Event Sustainability Management System to improve the sustainability of events. The standard applies to all types and sizes of organisations involved in the events industry – from caterers, lighting and sound engineers, security companies, stage builders and venues to independent event organisers and corporate and public sector event teams.
[04:45] A high-level overview of the changes to ISO 20121:2024 – One of the biggest and most welcome changes is that the Standard is now aligned with the familiar High Level Structure that many other ISO Standards follow. This means it will be easier to integrate with other Standards like ISO 9001 and ISO 14001. Next, there is a bigger focus on climate change, legacy and human rights. These elements weren't necessarily missing from the previous version, but they weren't a key focus either.
[05:10] Climate Change in ISO 20121:2024 – ISO 20121:2024 now explicitly requires considering climate change and its impact on your event and stakeholders. So this might involve carbon emission reduction strategies and adapting to potential climate-related disruptions. Biodiversity may also fall under this, especially if your events require construction, or take place in an outside venue such as a park or field. A quick reminder that 31 common ISO Standards also received a Climate Change Amendment, so if you haven't addressed that yet, check out our podcast episode and workshop recording to learn about what you need to do.
What does this focus on climate change mean for certified companies?:
· It provides an opportunity for event professionals and event organisers to demonstrate leadership in taking action around climate change
· Certified organisations are required to ensure that any carbon offsetting completed via carbon credits is credible
· The ISO 20121:2024 Standard facilitates the process of taking credible action and aligns ISO 20121 with big changes relating to climate change
[06:55] Human Rights in ISO 20121:2024 – The new version also expands beyond environmental concerns to encompass human and child rights, social impact (including mental health and diversity), and digital responsibility. Your management system will need to address these aspects throughout the event lifecycle.
What does the increased focus on human rights in ISO 20121 mean for certified organisations?:
· Certified organisations will need to demonstrate adherence to the UN Guiding Principles on Business and Human Rights.
· The revised standard also now references social impact in its definitions – primarily in the definitions of Sustainable Development and Stewardship.
· A new Annex has been added – Annex D: Guidance on Human and Child Rights.
· Added guidance states that event organisers should consult with Human and Child Rights experts and conduct a Human Rights Assessment to identify potential risks to people as a result of an event and its surrounding activities.
· You should publish a Human Rights Policy to ensure that Human Rights consideration is embedded in the whole lifecycle of an event.
[08:40] Legacy in ISO 20121:2024 – An added focus on Legacy provides an opportunity for event organisers to focus not only on the few days of event delivery, but also on creating enduring results for the hosting community. For example, creating an economic impact for the local population by providing the opportunity to acquire new skills, sharing best practices on how to run events in a more sustainable way, or improving a public place close to the event.
[09:20] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo.
[11:30] A strengthening of Stakeholder Engagement – The Standard now emphasizes demonstrating sustainability throughout your supply chain. This might involve you requesting proof of sustainability practices from vendors and incorporating ethical sourcing practices. The definition of stakeholders has also now been expanded to include partners and sponsors. So, you'll need to consider how their sustainability practices align with your event's goals. The policy clause now requires reporting on your sustainability achievements and lessons learned. Building a system for tracking and reporting these aspects will be crucial, and will likely involve a lot more communication between your stakeholders to gather any necessary data for reporting purposes.
[12:35] Alignment and flexibility – The updated standard aligns with other management system standards thanks to the High Level Structure update, making integration easier for organizations with existing systems. The revised standard also caters to events of all sizes and complexities, allowing for adaptation to your specific needs. There's now alignment with Global Frameworks, like the UN Sustainable Development Goals (SDG's) and the Paris Agreement. If you'd like to learn more about the SDG's, check out a few previous podcast episodes: 106, 107 & 108.
[13:30] Transition Deadline – What happens if you miss it?
Anyone certified to the 2012 version of the Standard will have until the 31st March 2027 to transition to the 2024 version. If you don't, you'll risk losing your certification, and you'll have to go through the whole Stage 1 and 2 Assessment again to get that certificate back, which is obviously quite costly.
[14:15] What do you need to do to transition? – Here's a very high-level outline of the steps you should take:
· Review and conduct a Gap Analysis: This is to compare your existing system against the new standard's requirements to identify areas needing improvement.
· Update your Policies and Procedures: specifically your event sustainability policy, to reflect the broader range of sustainability issues and incorporate reporting requirements.
· Develop a plan to engage with a wider range of stakeholders, including sponsors and partners, on sustainability initiatives.
· Review your Supply Chain Management: This will involve establishing or updating procedures for assessing and integrating sustainability practices throughout your vendor network.
· Training and Awareness: Any and all changes should be communicated. Educate your team on the new standard's requirements and integrate them into event planning and execution processes.
· Carry out Internal Audits: Once you've implemented the changes, audit against the new Standard and ensure you're compliant. Then you'll need to prepare for your Certification Body Transition visit.
[15:30] What specific actions can you take to update your ISO 20121 Management System? Here are some suggested actions to address Human Rights and Children's Rights:
· Update your event sustainability policy to explicitly state your commitment to respecting human rights and children's rights throughout the event lifecycle.
· Update your Risk Assessments, as you're going to need to identify potential human rights risks associated with your event, such as discrimination in hiring or unfair labour practices within the supply chain.
· Review your Supplier Management, as you'll need to ensure your suppliers uphold human rights standards.
· Engage with relevant stakeholders like human rights organizations or local communities to understand potential human rights concerns and incorporate their feedback into your planning.
A few other actions you could take include:
· Partnering with organizations promoting fair labour practices and human rights.
· Including human rights clauses in contracts with suppliers and partners.
· Conducting training for staff on identifying and mitigating human rights risks.
· Implementing a grievance process for reporting potential human rights violations.
[17:00] What further actions can you take to address Legacy?:
· Integrate legacy planning into the early stages of event development. Consider aspects like infrastructure, workforce development (for example, training opportunities for local communities), and universal accessibility for people with disabilities.
· Develop metrics to measure the positive legacy of your event. This could involve tracking the number of jobs created, increased accessibility measures implemented, or infrastructure donated to the community.
· Consider the potential to partner with local organizations to ensure the event's legacy benefits the community in the long term. This might involve collaborating on infrastructure projects or workforce development initiatives.
· You should also conduct a post-event impact assessment to evaluate the event's legacy.
[18:00] Reporting on the social, economic and environmental impacts – The first step should be to develop a Reporting Framework: this framework should consider relevant metrics for social (e.g., job creation, diversity), economic (e.g., local business involvement), and environmental (e.g., carbon footprint, waste generation) impacts. Next, you need to implement a system for collecting and analyzing data related to your event's social, economic, and environmental performance. And lastly, choose appropriate communication channels for your sustainability report, such as your website, annual reports, or dedicated sustainability reports. You could look at specific reporting software or get help from a third party such as Blackmores. We'd recommend purchasing a copy of the Standard so you can review the specific changes yourself, in addition to reviewing the updated guidance provided in the Annexes.
Jul 3, 2024 • 25min
#181 The Integral Role of Leadership within ISO
Ian Battersby, an expert in ISO Standards, dives deep into the crucial role of leadership in effectively implementing management systems. He discusses how strong leadership motivates teams towards common goals and the direct impact of their engagement on organizational success. Battersby highlights the responsibilities of leaders, the necessity of aligning quality objectives with business strategies, and the importance of communication and continuous improvement. He also introduces valuable resources like the iSology Hub to support professionals in enhancing compliance.
Jun 25, 2024 • 13min
#180 Carbon Reporting – To Verify or Not To Verify
Mel Blackmore, an expert in Greenhouse Gas emissions reporting, discusses the growing need for businesses to report on GHG emissions, the difference between certification and verification, and the benefits of ISO 14064-1. Topics include why GHG emissions reporting is crucial, the importance of verifying GHG statements, and how ISO standards can benefit businesses.


