The ISO Show

ISO Standards provide a framework to help businesses manage various aspects of their activities. Whether that's quality, risk, environmental or Information Security management, they provide invaluable guidance to establish an effective Management System. However, for those who are new to ISO Standards, the Standards themselves can seem rather intimidating to interpret. Back in 2015, the Annex SL format was introduced to provide a common high-level structure for Management Systems. With 10 clauses now common in most widely adopted ISO Standards, it can still be a bit difficult to understand exactly how these all work together. Today Ian Battersby will explain how ISO Standard clauses work in tandem to create a cohesive cycle, from context of the organisation through to Improvement. You'll learn · What is the high-level structure? · What are ISO Standards structured this way? · How do ISO Standard clauses interconnect? · How does this apply to Quality Management? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Ian will be discussing the interconnectedness of clauses, which basically just means explaining the key links between the clauses and how that applies to your management system. [02:40] High level structure – 10 years ago, Annex SL was introduced to create a common framework for ISO Standards. Today, Ian will focus on ISO 9001 as that really is the grandfather of all Management System Standards. ISO 9001 includes elements which are applied to most commonly adopted ISO Standards, and sets the scene in terms of how the clauses link together. [03:20] Why are ISO Standards structured this way? – On their surface, ISO Standards can seem very repetitive in the way that they're written, but there is a good reason for that. There are all based around the Plan-Do-Check-Act cycle. [04:10] What is the Plan Do Check Act cycle? – This is a simple process that all Management System Standards adhere to. So you start with a 'Plan' to establish objectives, the resources which you need to deliver results, you identify risks and opportunities. From that point you fulfil the 'Do' part through Implementation and using the Management System. From there you 'Check' so you monitor against the policies, objectives and any other requirements. Basically monitor against what you said you'd do and then you 'Act' if you find anything that needs to change, you make that change and you improve as an organisation and you improve that management system. [05:00] A logical path – Management System Standards are designed in such a way that they flow from one clause to the other. One cannot exist without the other. [05:20] How does Clause 4 Context of the Organisation link with Clause 6 Planning? – As clause 4 Context of the Organisation states: 'external and internal issues relevant to your purpose and strategic direction… …and that affect your ability to achieve intended results' The scope of your management system depends entirely on this. The world in which you operate - what you buy, the people you employ, what you make, who you sell to, the laws you follow… Clause 4 also requires us to identify all interested parties (which we'll address later!). With careful planning, you can align documentation you develop for one clause with other clauses. Clause 4 doesn't tell us how we should work out our context, but it provides some very good clues · NOTE 1 Issues can include positive and negative factors · NOTE 2 Understand the external context by considering issues arising from legal, technological, competitive, market, cultural, social and economic environments So they're not saying how to do it, but they've said what you can consider This sounds a lot like a traditional SWOT/PESTLE analysis… If we skip to Clause 6, Planning, the first thing we must do when we plan is to identify actions to address risks and opps A SWOT will mean you've covered these elements, consider the following = · Weakness = Risk · Threat = Risk · Opportunity = Opportunity We can similarly view the PESTLE in the same light. So you can see that with careful planning, as mentioned you can align documentation for one clause with other clauses. [10:00] How does Clause 6 link with Clause 7 & 8? – Skipping from Clause 6.1 If you've identified what might go wrong (aka - risk), you need to plan to ensure it doesn't happen again. That may involve a single improvement action, which is linked to clause 10 (funnily enough, Improvement) It may be that you need something bigger, involving many steps, over a period of time, say an objective (clause 6.2)? So, the planning of objectives links directly to the context of the organisation, the world in which you operate. It may be that you need an operational control to mitigate risk, a process or procedure that helps to manage the situation as a business as usual situation (clause 7 documented info and clause 8, operation) So the planning of processes and procedures links directly to the context of the organisation, the world in which you operate. In all these circumstances, it's the same for opportunities, except you're putting in place measures to take advantage of the opportunities. [13:05] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [15:10] Clause 7 Support and related links – Moving through the standard, clause 7.4 relates to Communications. You need to determine internal and external communications relevant to the QMS (for 9001). In clause 4, you would have looked at interested parties (i.e. stakeholders). You need to determine who affects the way in which you operate and what they need/expect from you. Parties to consider include: · Customers · Employees · Shareholders · Suppliers · Regulators · Neighbours · Media So, by Clause 7 you will have already identified who's interested and what interests them, so it's only a small step to add to this the communications plan. ISO 9001 doesn't ask for one specifically, but it's a good way to fulfil the requirements of clause 7.3. Clause 7 also mentions Monitoring and measuring resources (7.1.5). This is a very brief clause, but central to establishing the means for demonstrating performance. We need reliable results when monitoring or measuring is used to verify the conformity of products and services to requirements, i.e. do we do what we say we do? Clause 7.5 requires us to document how we do things. Again it's very brief in its requirements (leaves it up to you to decide), but clause 8 is all about operation – which is the way you do things. It's much more specific about understanding what the customer wants, designing it correctly, controlling changes, making it, delivery and addressing issues. This is what you measure: 7.1.5 requires you to ensure you can measure, 7.5 requires you to document how you do things, 8 requires you to do things according to the way you've said you will. [20:10] Clause 9 Performance Evaluation and related links – Moving onto Clause 9, Performance Evaluation, again risk appears. We've already assessed risk right at the start, now we evaluate whether we've successfully controlled risk. We decide what to audit based on the level of risk attached to certain controls (policies, procedures, processes…). We've set objectives based on risks and opportunities and now we must measure performance. We've put in place operational controls to mitigate risk (clause 8) and now we measure whether those controls work. [21:30] Clause 10 Improvement and related links – This one is fairly self-evident. If something goes wrong, find out why and put it right and make sure it doesn't happen again. Look at your system and continually improve based on your evaluations in Clause 9. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

After 5 years of hosting the ISO Show, Mel Blackmore will be taking a step back as she focuses on her sustainability related endeavors. She's passing the baton onto our new host – Ian Battersby. Ian is a Senior isologist at Blackmores, and while relatively new to the team, he has a wealth of Standard and ISO related knowledge to share with you all. Today we Introduce Ian Battersby as the new host for the ISO Show and learn about his background in Standards and ISO. You'll learn · Taking a step back · Introduction to Steph Churchman · Introduction to Ian Battersby · What Standards has Ian worked with? · What Sectors has Ian worked in? Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: After 5 years of the ISO Show, Mel Blackmore is handing the hosting baton over to Ian Battersby [02:25] Interim host – Ian will be the main host going forward, but there will be additions from Blackmores' Communication Manager – Steph Churchman. You may recognise her from recent episode such as: · Top 10 Reasons to use ISO 42001 AI Management · Top ISO Standard Trends in the Data Centre Industry Steph will be sharing findings from our own research, standards updates and conducting interviews with our isologists. [03:35] An Introduction to Ian Battersby – Ian has been working for Blackmores since August 2023. Although he is meant to be part-time, he's had a very busy first few months here! Ian began working in British Aerospace, specifically manufacturing, in 1984. He later decided to return to university to study electrical and electronic engineering, which was promptly dropped. His return to BAE lasted a few years before he moved onto the civil service for the Department of Health, working with them to conduct safety investigations and helped to create a broader risk profile. When he moved to work with the NHS, firstly, with the litigation authority setting up governance and risk standards and then as a risk manager. Surprisingly, after moving up a few levels, he decided to move onto run a restaurant! A Curry House to be specific, but after a year of rather stressful work that ended up costing a lot more than expected, he returned to work within the construction industry which is where he became more involved with ISO Standards. From there he went onto work in manufacturing of high pressure pumps for a while before moving onto an organisation who rant he estate for the Department of Work and Pensions. In the end, Ian left them due to being unable to live the life he wanted to live. [05:15] What Standards has Ian worked with? – He started with ISO 9001, ISO 14001 and OHSAS 18001 (now ISO 45001). [06:00] Digital Nomad – Ian currently splits his time between Leeds in the UK and Malaga in Spain. Having a lot of experience working remotely in previous industries, this leap didn't impede on his work in any way. [07:15] What other Standards has Ian worked with? – He has assisted with ISO 44001 (Collaborative Business Management), but admittedly it was not his favorite ISO Standard to work with. It's one of the rare instances in ISO where the Standard doesn't quite align with others. [08:00] What Sectors has Ian worked in – Ian's extensive work history has afforded him the opportunity to work in a number of sectors, including: · Construction and Fit out · Manufacturing · Estate Management · Private enterprise · Healthcare / NHS · Facilities With this list growing at a rapid pace since his introduction at Blackmores! [09:45] What's a big challenge that Ian's had to overcome in the past? – In terms of ISO, it has to be Leadership. Ian's found that to always be an issue within businesses attempting to implement ISO Standards. A good looking Management System will only go so far without leadership commitment. While working in facilitating Standards for an organisation, you won't be implementing the whole system yourself. It's more a case of delivering through others, the organisation controls and delivers their own processes and improvements, and so it's imperative that Leadership are also embedding and encouraging these actions. Ian will be going more in-depth on this topic in a future episode. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Can you believe we've been publishing the ISO Show for 5 years now! We certainly can't! The ISO Show began back in 2019, following a trip to Cumbria by the host Mel Blackmore. She was, and still is, an avid fan of podcasts and while listening to a few of her favourites on the 4 hour trip, she got to wondering if there were any podcasts about ISO Standards. As it happened, there wasn't at the time, and so the idea for the ISO Show was born. Not more than a few months later the first episode went live, and the rest is history. For the past 5 years, we've had the honour of sharing our team's combined 18 years of knowledge, including amazing insights from our clients and industry experts along the way. Today Mel Blackmore will reflect on the ISO Show so far and share it's next evolution as we introduce a new host. You'll learn · Why was the ISO Show created? · Why is Mel taking a step back? · What will be the focus for the future? · An introduction to the new host(s) Resources · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: After 5 years of the ISO Show, it's hitting a turning point as we introduce a new host. [02:25] An amazing journey – It's been an amazing 5 years of digging deep into some of the most pressing issues we've faced, sharing tips and dispelling myths about ISO Standards. We've explored a lot of topics over the years, including: · Sharing our ISO 22301 (Business Continuity) knowledge when COVID hit, to help people with future and current response plans. · Transitioning to new versions of Standards, such as ISO 27001:2022 · Interviewing leaders within the ISO space, such as Kit Oung, who helped to develop the UK's current energy and climate change regulations. [04:05] Mel's sustainability journey – why she's taking a step back as host – Mel's made it no secret that her passion lies with Sustainability Standards. This podcast has helped to amplify their importance within our space, but she wants to take this a step further. Going forward, Mel will be dedicating herself full-time to researching the crucial role of carbon standards in achieving Net Zero emissions by 2050. [05:00] An evolution for the ISO Show – All this to say, the ISO Show isn't going anywhere, rather we are introducing a new main host – Ian Battersby! [05:05] Who is Ian Battersby? – Ian is a senior Isologist here at Blackmores. Ian brings a wealth of knowledge, expertise and a passion for helping businesses raise their game with ISO standards. He's a bit of a digital nomad, splitting his time between working from Span and England, he works part-time at Blackmores. So he is very much involved in the day-to-day understanding of challenges of ISO Management, This includes the frustrations that businesses face and also how ISO standards support the achievement of greater productivity and profitability. Ian will be introducing himself fully on the next episode 😊 [06:25] Thank you for making the ISO Show such a success! – We've now got a few thousand subscribers, with a global reach, we honestly never expected to have so many listeners when we started. So whether you're a regular or occasional listener, thank you for being here with us, we truly hope that our knowledge has helped you on your own journey to continual improvement within your own organisation. [07:25] A long journey – A lot has happened over the past 5 years. In addition to being the CEO of Blackmores, Mel has also developed the isologyhub – an on-line learning platform which helps to raise awareness and understanding of ISO Standards. She has also founded Carbonology – a sister company that specialises in carbon related Standards, which will be where focuses her main efforts over the next few years. [07:44] Stepping back – but not gone – While you will be hearing less from Mel, she won't be completely absent. She will be joining us at least once a month to explore how ISO Standards are shaping the landscape of Net Zero. She will be sharing her journey to achieve net zero based on academic research, including primary and secondary research on how the various carbon related standards support the Sustainable Development goals and achieving net zero. This will primarily be diving into Standards such as ISO 14064 (Carbon Verification) and ISO 14068 (Net Zero), in relation to how they support the Sustainable Development Goals, help to create a level playing field, providing transparency, reliability, accountability and without a doubt, credibility. [09:20] Why the focus on sustainability? – Mel will be studying a masters by researching the role of Carbon Standards Verification in contributing to achieving Net Zero. This focus hasn't appeared out of the blue. Mel founded Carbonology with the goal of tacking Net Zero, one business at a time. They've already had great success over the past few years' but there's still so much more to do when it comes to understanding Greenhouse Gas emission verification, carbon removals, reductions and offsetting. [10:10] Another big thank you – The ISO Show has been running for the past years with the assistance of Blackmores Communication Manager – Steph Churchman. Starting from humble beginnings of recording using a mic housed in a shoebox, to being stuffed in a cupboard to combat our offices' terrible acoustics. We've thankfully since upgraded our set-up to something much more comfortable. Along the way we've experienced our fair share of technical issues, as you can't really go 5 years of recording without something going wrong. However, there wasn't much we couldn't work around in some way or another. As Steph has helped in researching topics we've discussed over the years, she will also be joining Ian on hosting the ISO Show in future episodes. [12:45] On to the next chapter – It's not goodbye from Mel, but rather see you later. We'll be bringing you all along on this next chapter of the ISO Show, so make sure you subscribe to stay up-to-date with our latest episodes. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Data Centres could be considered the powerhouse of thousands of businesses globally. Long gone are the days of small physical servers being housed on-site, instead we rely on data centres to keep all our critical data safe and secure. But how do we know they are doing just that? Many hold certifications to security-based Standards such as SOC 2 or NIST to display their commitment to data security. However, many also hold various ISO certifications that cover other aspects of the business outside of information security. Today Steph Churchman, Communications Manager at Blackmores, will be sharing the top ISO Standard trends within the UK Data Centre industry. You'll learn · Why did we look into the Data Centre industry specifically? · What are the top 5 ISO Standard Trends in Data Centres? · Why are these ISO Standards essential for Data Centres? · Other commonly adopted ISO Standards within the data centre space Resources · Isologyhub · ISO 27001:2022 Transition Gameplan In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:25] Episode summary: We'll be taking a look at the top ISO Standard Trends within the UK Data Centre Industry [02:30] Why did we look into the Data Centre industry specifically? – In the mid 2010's, we noticed an influx in enquiries from Data Centres in regard to Implementation of ISO Standards. That prompted a research project that led to Blackmores working with some of the top UK Data Centres. Now in 2023 and 2024 we're starting to see a similar push for ISO Standards within the same industry. So, we revived the project to get a grasp on the modern ISO landscape, and took a look at the top 100 Data Centres within the UK. [03:34] #1: ISO 27001 Information Security – Out of the 100 data centres sampled 72% of them were certified to ISO 27001. Security is of upmost importance to data centres, and the great thing about ISO 27001 is that it considers security for not only the digital environment, but also for people and physical security. This Standard is also, in most cases, a stakeholder requirement. Certification to ISO 27001 indicates that you're adhering to best practice in information security, and through the creation of an ISO 27001 compliant Management system, you will have documentation in place such as an information security policy and data retention policy, that often get requested by potential clients. If you'd like to learn more about the Implementation process for ISO 27001, we've got a helpful 3-part podcast series that summarises the entire process from Gap Analysis to Assessment preparation. anyone currently certified to ISO 27001:2013 that you have just over 1 more year to complete your transition to ISO 27001:2022. If you don't do so by October 31st 2025, you'll risk losing your ISO 27001 certification. That's not the only reason you should be transitioning though. The new version of the Standard includes 11 new controls, which cover some newer technologies which really weren't around when the 2013 version was published. So regardless of the risk of losing your certification, it's in your best interest to ensure that you're adhering to the latest version. If this is all news to you, then you can also go back and check out episodes 128 through to 133. This was a little mini-series we did to summarise the key changes to ISO 27001 and what actions you need to take to transition. We also have a Transition Gameplan available on the isologyhub if you'd like a more guided approach, including document templates and training videos covering those new controls. [06:25] #2: ISO 9001 Quality Management – The Quality Management Standard is as popular as ever, even within the data centre space, with 51% of the 100 sampled data centres being certified. ISO 9001 is considered the leading 'Quality mark' for businesses and is often the starting point for many diving into the world of ISO implementation. ISO 9001 creates a well-rounded base Management system to help you manage your risks and opportunities, as well as ensuring you drive a culture of continual Improvement. Its guidance can help you establish your core policies, processes and procedures to ensure everyone is singing from the same song sheet. The fact that this one is popular among data centres isn't too much of a surprise, it's a universally adopted Standard that isn't limited by industry or organisational size. Currently, there are over 1 million ISO 9001 certificates issued worldwide, and that trend shows no signs of slowing down. [08:25] #3 ISO 14001 Environmental Management – A surprising 25% of the sampled data centres were certified to ISO 14001. From an objective point of view, it makes sense for data centres to consider their environmental footprint. But a lot of that would fall under energy usage rather than just general environmental management, so this likely means it's mainly driven by stakeholder requirements. ISO 14001 is being requested more and more for the likes of large Government contracts, so If you want a chance at bidding for these, ISO 14001 is a must. Now don't get me wrong, I'm sure a lot of data centres have implemented this Standard in an earnest effort to monitor and measure their impact holistically. After all ISO 14001 asks businesses to consider how they can prevent environmental impacts such as pollution and degradation of nature. And the additional guidance provides some helpful starting points for those that may not be sure where to start, for example making commitments to recycling, protection of biodiversity and climate change mitigation. For data centres specifically, this may come into effect when we think of the amount of electronic waste that they could potentially produce. Obviously, this can't just be thrown out in a standard green lidded bin, it'll need to be taken to a dedicated electronic waste facility for processing, disposal and recycling. Racking, shelving and cables will all also need to be replaced at some point, and it's up to each data centre to ensure they have the appropriate processes and policies to ensure this is done correctly and more importantly legally, which again, is where ISO 14001 can help put those frameworks in place. [10:30] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:45] #4: ISO 50001 Energy Management – With just 13% of the 100 sampled data centres certified! This one is a shocker because, typically, data centres highest cost is in relation to their energy usage. They require enormous amounts of energy to keep their facilities running and to cool down their equipment 24/7. Which I imagine they'd be quite keen to reduce if only to save on running costs. This is where ISO 50001 can come in, to help create a structured approach to effectively monitor that energy usage, so you can identify key trends and opportunities to reduce overall energy consumption, which in turn will save a lot of money. With a healthier proportion being certified to ISO 14001, it seems a shame that so many are missing out on the additional benefits that ISO 50001 can bring, especially when it can very easily be integrated with ISO 14001. In fact, if you're already certified to ISO 14001, then you've already done half the work to implement ISO 50001. Both frameworks are based on that Annex SL format, and both have a lot in common in terms of what documentation is required. It can also help with compliance with some UK and EU based energy initiatives. For example, here in the UK we have ESOS (The Energy Savings Opportunities Scheme) which applies to large organisations that fit within its criteria. They're usually required to provide a report once every 4 years, however as of 2023, Phase 3 now requires organisations to provide an Energy Action Plan which details what actions they plan to take to reduce their energy consumption. There are likely a few data centres that would fall into ESOS's criteria, and if you're sick of going through the ESOS song and dance every few years, then ISO 50001 may be the answer for you, as being certified means that you're going above and beyond ESOS's requirements and will be considered compliant. Meaning no more pesky reporting, or having to locate an ESOS assessor to sign off on those reports. [15:10] #5 ISO 22301 Business Continuity Management – With 12% of the 100 sampled data centres being certified. ISO 22301 is the Standard for Business Continuity, and provides a basis for planning to ensure your long-term survivability following a disruptive event. That 12% may not be truly reflective of all the data centres that have business continuity plans in place however, as according to a recent Business Continuity institute survey, 56% of surveyed businesses use ISO 22301 as a framework but aren't certified to it. There will be a fair few data centres in our sample list that fall under that category. Why should this Standard be a priority for Data Centres? Well, the answer should be simple, if a disaster were to knock out a data centre, that has a massive knock-on effect. Many house servers used by hundreds if not thousands of businesses and users. If they're unable to provide services, that will in-turn cause multiple other businesses to grind to a halt. The true cause of failures at data centres can be many things such as hardware failure, human error or a disaster such as flooding or fires. However, the advantage of utilising ISO 22301 is the ability to be able to effectively deal with these incidents and restore services, which is essential for an industry which is quite literally the powerhouse for millions of other business and people. If you fail to plan, you plan to fail Having a robust business continuity plan should be a top priority for any business, especially data centres, seeing as so many rely on them to keep their own services running. Even if you don't want to go through the full certification process, it's worth grabbing a copy of the Standard, as it provides a lot of helpful guidance. If you'd like to learn more about ISO 22301 in general, go back and check out episode 42 where we go over the Standard in more detail and it's many benefits. [17:45] Runner up: ISO 20000 Service Management – Saw 11% of our sample data centres certified to this Standard. This actually used to be known specifically as the IT Service Management Standard, so that probably clues you into why this would be adopted by many with in tech spaces. However, it truly is applicable to any business offering services. The aim of ISO 20000 is to provide a framework for an effective end-to-end service management system which encompasses the entire lifecycle of a service from concept and design, through to service removal and end-of-life. [18:55] Runner up: ISO 27017 information security controls for cloud services – With just 5% of our sampled Data Centres certified. This one is fairly self explanatory in it's relation to data centres, which operate solely on cloud based services. This Standard was introduced after the 2013 version of ISO 27001 was published, as the main standard didn't really address cloud security controls specifically. Mostly because cloud computing and its related security weren't as widely adopted as they are now. So ISO 27017 was created to try and bridge those gaps. In the latest 2022 version of ISO 27001, there's now a new control for cloud security. So, we may see less interest in ISO 27017 certification going forward. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Working towards a sustainable future is going to require a joint effort from everyone if we're to reach our 2030 and 2050 targets. Several initiatives have come out in recent years to try and address one of our biggest challenges, energy consumption. Many of us in the UK will be familiar with ESOS (The Energy Savings Opportunities Scheme), which involves regular reporting from those that fit its criteria. It's also recently updated to include a stipulation to include an ESOS Energy Plan, which requires you to detail a route to reduce your energy consumption. However, many businesses would prefer a more consistent approach to energy management, such as today's guest – Daisy Corporate Services. Today Mel is joined by Damian Edwards, ISO Standards Manager at Daisy Corporate Services, to discuss why they Implemented ISO 50001, what they've learned from the experience and the benefits gained from implementing an Energy Management System You'll learn · Who is Damian and who are Daisy Corporate Services? · Why did they decide to Implement ISO 50001? · What was the biggest gap identified during their Gap Analysis? · What lessons did they learn from Implementing ISO 50001? · What benefits did they gain from ISO 50001 certification? Resources · Isologyhub · Daisy Corporate Services · Daisy Corporate Services ESG In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] Episode summary: Mel is joined by guest Damian Edwards, ISO Standards Manager at Daisy Corporate Services, to discuss their journey towards ISO 50001 certification. Daisy are not strangers to ISO Standards, already having achieved: ISO 9001, ISO 14001, ISO 27001, ISO 45001, ISO 20000 and ISO 22301! They have also recently won the Sustainability and Tech Awards 2024 and the Green Shoots Awards too. [04:15] Who is Damian Edwards? – Damian has worked at Daisy as their ISO Standards Manager for the past year. A little known fact about Damian: He listens to classical music as a way to focus. [05:25] Who are Daisy Corporate Services? – The are primarily a provider of IT and Communications. They currently supply a range of services including: · Unified Communications · Connectivity · Modern Workplace · Cyber Security · Cloud services · Managed Services · Operational Resilience [06:25] What were the main drivers behind obtaining ISO 50001 Certification? – In addition to the office spaces Daisy controls, they also have a number of data centres, which use massive amounts of energy. Finding ways to monitor, measure and potentially reduce that energy use, and subsequently cost, was essential. The second main driver is mainly for commercial reasons. Without Standards like ISO 50001, you can't bid for larger contracts or Government frameworks. [08:30] Daisy's commitment to ESG – Daisy have a made a solid commitment to ESG, explained further on their website as they break it down into 10 key focus areas. Energy Management is one of the logical steps to tackle reducing carbon emissions. Data centres can be very inefficient, so being able to consistently monitor, measure and improve their energy consumption is a key part of tackling some of their ESG related goals. Also being certified means you have the certificate to back up your claims. It's not you just making a statement, it has to be verified by a third-party. [10:30] How long did it take to Implement ISO 50001? – It took between 8 – 11 months. For a Standard like ISO 50001, it's important to do it properly. Some organisations may request it in 6 months, but for larger organisations, that would be a tough ask, and you run the risk of rushing into certification without having those processes embedded in. [11:45] Did having existing ISO Standards make the process smoother? – Yes, as it was a case of integrating ISO 50001 with our existing systems rather than starting from scratch. Though, having so many ISO's can water the message down a bit, to combat that we've got a single statement that gets across everything you need to know about Daisy. [12:55] What was the biggest gap identified during the Gap Analysis? – Because we already have so many ISO's, we can be a bit big headed and say there weren't many gaps at all, however, there were still some things we could do. One of the biggest areas for improvement was Clause 7, Documentation, as all ISO Standards have their own required documentation. Another was putting in place a plan for monitoring and measuring our energy usage. We have a Property Director who did do that, but he wasn't really documenting it, so we've put in place some proper processes to help show that we're actively monitoring it, looking at the trends and putting in actions to reduce and improve on that. [14:55] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [17:10] Did closing those gaps make a big difference? – We did have a lot of help from Blackmores in order to address those gaps. Out consultant advised us to combine elements of out Management Review with out monthly Team Meetings, as our Director is involved with those, and we avoid another meeting for meeting's sake. We now also produce a pack of all the monitoring and measuring that's done throughout the month, which makes it easy for us to analyse and identify trends in energy use. Any actions from reviewing this are then recorded and followed up on. So, in essence it's just made everything a lot smoother. [19:55] What did Daisy learn from Implementing ISO 50001? – It takes a team to achieve this – you can't do it on your own. You also can't rush it! Another key take away is that the whole project needs to be driven by top management, without all of those elements combined, it's probably not going to work (or be a lot slower and more painful!) It's also really helped with our commitment and messaging around ESG too. So within those monthly Management Review meetings we have a representative from the energy efficiency team, the ESG team and our bids team. They're then all communicating what the customer message is, that they expect of us, in turn they're kept in the loop about our energy usage and related actions and can communicate that outwards. [21:15] What other benefits are there from achieving ISO 50001? – Having our management system verified by a third-party means that we can confidently say we're adhering to best practice. It also just validates that we are doing things correctly! It also means that we can monitor opportunities for improvement. If we identify more gaps in future, we have the processes in place to address them. ISO 50001 has also helped to put some context behind the energy data we're collecting. Thanks to the new processes we can accurately identify key trends and explain why energy usage may be going up and down. [23:25] Damian's top tip – Ensure that your project is driven by top management. They're involvement means it's a lot easier to communicate that message that you're doing the right thing. Also, ISO 50001 helps with your regulatory compliance too. If you're a larger organisation, then you likely have to adhere to schemes like SECR or ESOS. If you're certified to ISO 50001, then you're already complying with both. [24:35] Damian's book recommendation – Beryl in search of Britain's greatest athlete. [26:45] Damian's favorite quotes – "Hard work beats talent when talent doesn't work hard" and "You miss 100% of the shots you don't take." If you'd like to learn more about Daisy Corporate Services, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

In February 2024, the ISO and IAF issued an unprecedented change to 31 commonly adopted ISO Standards, such as ISO 9001, ISO 14001 and ISO 27001. This change saw the addition of a new 'Climate Change Amendment', which was applied in part due to the ISO's resolution in support of the ISO London Declaration on Climate Change. So what does this mean for ISO certified businesses? Join Mel as she discusses what this new ISO Climate Change Amendment is, why it was introduced, what are the consequences if you don't address it and the benefits of its introduction. You'll learn · What is the ISO Climate Change Amendment? · Why was it introduced? · What are the consequences if you do not address the change? · What are the benefits of the Climate Change Amendment? Resources · Isologyhub · ISO Climate Change Amendment Workshop In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] Episode summary: We break down the new ISO Climate Change Amendment, including why it was introduced and why you should address it ahead of your next Certification Body visit. [02:55] Join our Workshop– If you're not sure where to start with addressing this amendment, join our interactive workshop taking place on the 20th May (14:00 – 16:00 GMT). There we will explain how you can integrate the new changes into your existing ISO Management System. Register your place here. [04:30] What is the new ISO Climate Change Amendment? – A key clarification before we go into more detail, this is not a new version of a Standard i.e. ISO 27001:2022, where you must transition to a new version. So, what is it? In February 2024, the International Organization for Standardization (ISO) introduced a groundbreaking amendment to integrate climate change considerations into various management system standards. The amendment doesn't assign specific actions. Instead, it adds text to existing clauses in 31 standards (including ISO 9001, 14001, 27001) requiring organizations to consider: · Relevance of climate change: Organizations must assess if climate change is a relevant issue for their operations and context (Clause 4.1). · Stakeholder expectations: Note added: Relevant Interested Parties can have requirements related to climate change (Clause 4.2). As we've learned from our sister company, Carbonology, it is often Stakeholders driving forward that need to verify a business's carbon footprint and take steps towards Net Zero. [09:30] Why was this change Introduced? – This change was in part due to ISO's resolution in support of the ISO London Declaration on Climate Change. The aim is making climate change considerations an integral part of management systems, their guiding policies and practises – not simply as an afterthought. As we all know, climate change will affect everyone, and should be a concern that every business fully considers to ensure they are resilient and adaptable enough to deal with climate related risks. This amendment means businesss will need to address these risks where relevant, and integrate them into strategic objectives and look what can be done from a risk mitigation perspective. The global business community will be one of the driving forces for paving a way to a more sustainable future – It all starts with changing the way we work, making the shift towards embedding environmental consciousness into the very heart of your business. ISO Standards are widely adopted, and this change offers a catalyst for meaningful climate action on a global scale. [11:00] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [13:20] What are the consequences for not addressing this change? - Certification bodies will be asking you about these amendments effective immediately. If you've not addressed them ahead of your next certification body visit, you could run the risk of getting a non-conformity. The amendment added to Clause 4.1 especially states 'Must' – so there's no getting away with simply ignoring it. [14:50] What are the benefits of this change? – Some of the benefits will likely already be felt by those with existing environmental standards such as ISO 14001 and ISO 50001 in place. So, let's take a look at how you can benefit from addressing this amendment: · Reduced Environmental Footprint: By integrating climate change considerations, businesses can identify and implement practices that lower their carbon emissions and resource consumption. · Enhanced Sustainability: Addressing climate change demonstrates a commitment to sustainability, which is increasingly important for attracting environmentally conscious customers and investors. · Cost Savings: Climate-conscious practices can lead to cost savings through improved resource efficiency, reduced waste, and potentially lower energy bills. · Resilience and Risk Management: By considering climate-related risks (e.g., extreme weather events, resource scarcity), businesses can proactively develop strategies to mitigate these risks and ensure operational continuity. · Innovation: Focusing on climate change can lead to innovation in areas like cleaner technologies or sustainable product development, giving businesses a competitive edge. · Positive Brand Image: Demonstrating proactive action on climate change can enhance a company's brand image and reputation among environmentally conscious stakeholders. This is a particularly important issue to younger generations who are becoming the dominant buying power from a commercial perspective. · Stronger Stakeholder Relationships: By considering stakeholder expectations around climate change, businesses can build stronger relationships with customers, investors, and regulators. · Holistic Approach to sustainability: Integrating climate change considerations strengthens a businesses' overall management system by fostering a more comprehensive and future-proof approach. · Continual Improvement: The amendment emphasizes continual improvement, encouraging businesses to constantly seek ways to reduce their environmental impact, leading to long-term sustainability benefits. If you'd like to learn about what actions you can take to integrate the ISO Climate Change Amendment into your ISO Management System, join our live event on the 20th May – register here. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

ISO 42001 was published in December of 2023, and is the first International Standard for Artificial Intelligence Management Systems. It was introduced following growing calls for a common framework for organisations who develop or use AI, to help implement, maintain and improve AI management practices. However, its benefits extends past simply establishing an effective AI Management System. Join Steph Churchman, Communications Manager at Blackmores, on this episode as she discusses the top 10 reasons to adopt ISO 42001. You'll learn · What is ISO 42001? · What are the top 10 reasons to use ISO 42001? · What risks can ISO 42001 help to mitigate? · How can ISO 42001 benefit both users and developers of AI? Resources · Isologyhub · ISO 42001 training waitlist In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:30] What is ISO 42001?: Go back and listen to episode 166, where we discuss what ISO 42001 is, why it was introduced and how it can help businesses mitigate AI risks. [02:45] Episode summary: We take a look at the top 10 reasons why you should consider implementing ISO 42001. [02:55] #1: ISO 42001 helps to demonstrate responsible use of AI. – , ISO 42001 helps ensure fairness, non-discrimination, and respect for human rights in AI development and use. Remember, AI can still be bias based on the fact that AI models are typically trained on existing data, so any existing bias will carry over into those AI models – an example of this is the existing lack of representation for minority groups. We also need to take care in the use of AI over people, as staff being replaced by AI is a very real concern and should not be treated lightly. We've already seen a few cases where this has happened, especially across the tech support field where some companies mistakenly think that a chatbot can replace all human staff. We also need to consider the ethics of AI content. It's predicted that 90% of online content will be AI generated by 2026! A lot of this generated content includes things like images, which poses a real concern over the values we're translating to people. The content we consume shapes the way we think and if all we have is artificial, then what message is that conveying? An example of this is Dove's recent advert, which showed an example of AI generating images of very unobtainable ideals of a beautiful face. Which were predictably absolutely flawless, almost inhuman and something that can only be achieved through photo editing. If the internet was flooded with this sort of imagery, then that starts to become the expectation to live up to, which can be tremendously damaging to people's self-esteem. They then went on to show actual unedited people, in all their varied and wonderful glory and stated that they will never use AI imagery in any of their future marketing or promotional material. Which sends a very strong message – AI definitely has its place, but we need to fully consider the implications and consequences of it's use and possible oversaturation. [05:20] #2: Traceability, transparency and reliability - Information sourced via AI is not always correct – It collates information published online, and as many of us are aware, not everything on the internet is correct or accurate. Data sets carelessly scrapped from online sources may also contain sensitive or unsavoury content. We've had cases where people have managed to 'break' Chat GPT, causing it to spew out nonsense answers which also contained sensitive information such as health data and personal phone numbers. While not usually accessible when requested, it does not stop the risk of this data being dug up through exploits. AI is like any other technology, and is not infallible. So, it's up to developers to ensure that the data used to train models is safe and appropriate for use. It should be expected that data sets will be scrutinised from a legal standpoint – either as a result misuse of AI or a mandatory exercise as a part of future legislation. There's also research that suggests data sets can be potentially poisoned to produce inaccurate results – which is another consideration for developers using live data sets, who will need to stay on top of these risks to ensure the integrity of their tools. ISO 42001 provides specific guidance that covers how developers can ensure transparency and explainability within sample training data. [06:45] #3: It's a framework for managing risks and opportunities – AI, like any other new technology, is going to create new risks and opportunities. Risks include the likes of inaccurate data being used, existing bias in data training sets, plagiarism, information security risks and data poisoning. If you're simply using AI to gather information, it's also a good exercise to ensure that the information is coming from a reputable source. One easy way to so this is to simply ask for the source to be cited when pluging in a prompt into tools like Chat GPT and Gemini. You can then verify how legitimate that source is. For web developers and SEO specialists, Google has recently updated it's algorithm to punish those with a lot of AI generated content on their websites. So those within the SEO space may see some interesting trends over the course of 2024. Another unfortunate risk is that of more complex scams being implemented through the use of AI. An example of this involves those who may use an AI assistant in their systems, which can be affected by malicious emails that contain prompt injections which could be used to send data from a victims machine to outside sources. This is only touching on a few risks, but as you can see, there's a lot to consider and I've no doubt that more complex risks will make themselves known as the technology evolves. However, there are a lot of opportunities to be found with AI use. There's a huge potential for AI to be utilised to tackle mundane and routine tasks which could be automated. AI also has the capability to scan masses of data and provide suggestions based on it's findings. Obviously, humans can't possibly compete with the sheer volume of data that AI can process, and so we can utilise it to help us make better more informed decisions. A lot of commonly used software has already integrated various AI tools which offer great quality of life updates and help make a lot of tasks quicker. Which in turn means our time is better spent elsewhere on tackling the more complex issues that require a more human touch. ISO 42001 can help you balance out these risks and opportunities by helping you build a robust management system to manage and mitigate risks, and drive forward opportunities through continual improvement. [10:35] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign-up or book a demo. [12:50] #4: Demonstrate that introducing AI is a strategic decision with clear objectives - Businesses looking to integrate AI should not make this decision lightly. I know it's tempting to play with the newest toy, but we should take care to look at any possible risks, and that it aligns with both your company objectives and ethics before rushing to utilise something. For example, allowing your staff to use ChatGPT for content creation. You need to consider a few things: You need to make sure Staff aren't putting in any confidential or sensitive information into publicly available AI tools. Also, ensuring that Staff understand that content provided by the likes of ChatGPT and Gemini could be plagiarised if used as is. You need to build, adapt and change the content so it's something unique. It's all well and good introducing AI technology if it truly is going to be beneficial to your employees and to the business as a whole, however if you're just introducing it because everyone else seems to be, then you really have to question if it's worth it. If it's not actively making your work lives easier and helping you to achieve your objectives, then is it really worth the potential cost and effort to implement? It may also be worth looking into how the AI tool you're using was created. There is sadly still a lot of exploitation involved in the development of new technology, so it's up to you to ensure that the tools you're using were created in an ethical way. Ultimately, ensure that you are using AI safely, ethically and that it aligns with your businesses established objectives. This will need to be communicated clearly to everyone in the business. ISO 42001 is, at its heart, a Management system standard. Like many other ISO Standards, it includes guidance on setting objectives and communicating these to your wider business. [15:24] #5: ISO 42001 helps to implement safeguards – Certain features of AI may require safeguards to help protect businesses against the extra risks they pose, such as the increased potential of more sophisticated cyber attacks or compromised training data. This can be applied within a particular process or an entire system. Examples of features that may require these safeguards include: · Automatic decision making · Data analysis, insight and machine learning · Continuous learning Something you need to consider: Cyber scams are going to become a lot more complex with the help of AI, so you need to ensure you're staff are both aware of this and how they can avoid falling prey to them. Safeguards may simply involve more training on these new risks, or updating to a more robust security software that is able to detect possible AI cyber scams. Developers are also going to need to keep on top of any data being fed into their tools. Public live data tools especially will be more susceptible to being poisoned and tampered with, so it's up to them to monitor and ensure the integrity of their data. ISO 42001 provides guidance in it's annexes for users and developers to implement these necessary safeguards. [16:30] #6: ISO 42001 Supports compliance with legal and regulatory Standards – More AI focused legislation is an inevitability, with the new EU AI Act being a perfect example. It's important to ensure that you are prepared to comply with legislation as it's released, or you may be held liable and be subject to fines. Currently, the UK has no plans to introduce a new regulator for AI, instead relying on existing technology based regulators like the Information Commissioners Office (ICO), Ofcom and FCA. ISO 42001 includes specific considerations for any potential applicable legislation. [17:06] #7: ISO 42001 Can enhance your reputation – ISO Standards are internationally recognised and ensure you are complying with best practice. Gaining certification to ISO 42001 will show you are confident in your AI related claims, and are happy to have this verified by a third party. [17:30] #8: ISO 42001 Encourages innovation within your business – For as much as we've stressed the potential risks AI could expose your business to, ultimately AI is here to help make our lives easier. We just need to ensure we're responsible when applying it. ISO 42001 ensures you can safety integrate AI tools and systems within your business. It's there to help guide the adoption of this new technology, and drive continual improvement as your management system matures. [17:55] #9: ISO 42001 Can be easily integrated with existing systems – ISO 42001, like many ISO Standards, is based on the Annex SL format and can be easily integrated with existing ISO Management Systems such as an ISO 9001 (Quality management) or ISO 27001 (Information Security management) system. Risks addressed in ISO 42001 include security, privacy and quality among others, and can help to enhance the effectiveness of your Management system in those areas. [18:25] #10: ISO 42001 Does not require an existing Management System to implement – While ISO 42001 would make a great addition to any ISO Management System, it's important to note that this can be implemented independently. It is also not intended to replace or supersede any existing quality, safety or privacy Standards / existing management systems. We'll be releasing a suite of ISO 42001 related training content on the isologyhub, if you'd like to get notified as soon as this becomes available, please register your interest on our waitlist. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Nearly 60% of businesses that are impacted by a cyber incident go out of business within the 6 months following. With our heavy reliance on technology to keep both businesses and services running, it's imperative that everyone take cyber risk seriously. However, incidents will inevitably happen and it's up to you to ensure that your business is prepared to ride out the wave, and hopefully make a full recovery! We invited Jack Morris, Account Director at Epiq, back onto the show to discuss the consequences of not being prepared for a cyber incident and the key steps businesses should take in the event of an incident. You'll learn · Who are Epiq? · What does the current cyber incident landscape look like? · What are the consequences if a business does not respond to a cyber incident effectively? · How can a business detect if they're being attacked? · How should businesses respond in the event of a cyber incident? · What role does a legal team play in incident response? Resources · Epiq · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how businesses should respond to a cyber incident. [03:00] Who are Epiq? – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe. [04:35] What constitutes a cyber incident and why is it so important to respond effectively? – A cyber incident refers to unathorised access or attempted access to an organisation's IT systems. Types of incident include breaches, malicious attacks (e.g. Ransomware), and accidental events (e.g. Fire Damage). Responding effectively is crucial to minimize damage and protect sensitive data. [05:40] What does the cyber incident landscape currently look like, and what challenges will organisations face in responding to an incident? : The cyber incident landscape is ever evolving, but here are some key trends we saw in 2023: Attacks on the rise – the number of organisations posted on ransomware and data theft sites increased by over 70% year-on-year. Business Email Compromise (BEC) incidents surged by 67% in 2023 – these events are where people within an organisation fall victim to phishing or similar – clicking on malicious links which ultimately compromise your mailbox. For me, there are 3 main challenges that organisations face when responding to a cyber incident: · Day-to-day management – balancing the technical aspects of the incident with broader business continuity, communications, financial and legal considerations. This can be hugely difficult for an organisation, during and already high stakes situation. · Expertise and support – navigating the complex legal, technical and operational aspects of an incident · Data-focused impact – understanding and assessing the risk to data after resolving an incident. [10:00] What are the solutions to these challenges? – Understanding the various external expertise and support available to a business, whether that be engaging with a law firm, a cyber incident response expert and cyber insurer will give you access to support with both the day-to-day management of an incident, as well as the legal, operational and commercial impact of said incident. [12:10] What are the consequences for an organsiation that does not respond effectively to a cyber incident? – : Failing to respond effectively to a cyber incident often leads to a variety of sever complications for a business, such as; · Operational Issues: operational disruptions will occur due to prolonged exposure of sensitive information, and if Ransomware has infected systems, the organization will not have access to potentially crucial business information. Financial losses and higher costs to incident response can come as a result of poor planning. · Additional Data Breaches: if an organization doesn't respond effectively to a cyber incident, taking steps to gain control over their systems, additional data breaches can occur from threat actors gaining further access to the organisation's systems. · Financial losses: cyber incidents affect a business' bottom line. Costs including incident investigations, recovery, legal fees and potential fines. Further, knock on effects such as lost business opportunities and damaged investor confidence come from poorly managed cyber incidents. · Damage to Reputation and Trust: Public perception matters for a business. A poorly handled cyber incident damages an organization's reputation. Customers, partners and stakeholders lost trust, affecting long-term relationships and market position. · Legal Consequences: Regulatory fines and potential follow on litigation arise from non-compliance with data protection laws. Organisations failing to report breaches promptly face penalties. Legal battles can be costly and time consuming. [16:25] How can organisations detect if they are being attacked? – signs will vary depending on the type of cyber incident, but organisations and end users could expect to experience; slow systems, locked accounts (no access to mailboxes etc), inability to access documents or shared drives, ransom demands and unusual emails from organisation domains are all tell-tale signs of a cyber incident. If an organisation has invested in Managed Detection and Response software for their end-points, this will proactively scan your environment and provide alerts to potential and actual cyber incidents. [17:40] What are the key steps an organization must take in responding to a cyber incident? – It's a great question, and these key steps will be implemented during a cyber incident response plan – an impacted organization should: · Triage: Assess the severity and impact of an incident (organisations can instruct a first response organization to shut the doors, and assess the damage) · Identify: Understand what is happening to a business post incident? Things like locked accounts, no access to business systems etc. · Resolve: take technical actions to mitigate the incident – shutting off access to accounts – closing the door · Report: Notify relevant stakeholders, including legal obligations. · Learn: analyse the incident to then take retrospective action to prevent further incidents. [21:23] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [23:48] How does Cyber Insurance play a pivotal role in Cyber Incident Response? – like with most walks of life, insurance plays a crucial role in supporting organisations in effectively responding to disasters. · Response Funding: Insurers cover costs related to incident response, including professional services. · Response Time: Insurers bring in experts promptly, improving incident resolution. · Affordability: For small to medium businesses, insurance may be the only way to afford a response team. [26:10] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident. Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it. Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too. Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim. [27:25] What are the legal obligations that exist after a cyber incident, especially in related to personal data breaches? – the legal obligations are clear – an organisation must report personal data breaches within 72 hours of awareness, unless the risk to individuals' rights is unlikely. This quick turnaround is why it's imperative that organisations have an established cyber incident response plan, and know who they should be talking to regarding the legal and operational implications. [28:45] What support is there out there for organisations that are victim to a cyber incident? – On the previous episode, we discussed what organisations can do to be proactive in mitigating the risks associated to a cyber incident, we discussed the important of Cyber Incident Response plans, as they outline what external support an organisation should seek in the event. Having playbooks and relationships with law firms, cyber providers like Epiq, and cyber insurance coverage are 3 key focuses for every business. [30:35] What role does a legal team play in incident response? – Legal support and advice is critical during an incident. As mentioned, they will help support with report the incident to the regulatory bodies required. · Breach Notification – legal support ensures compliance with data breach disclosure laws and regulatory requirements. · Breach Counsel – law firms act as a breach counsel for organisations, enabling them to support and advise on the legal implications of a cyber incident. Most law firm cyber practice groups will have relationships with external vendors, like Epiq, to support with the operational response. They can co-ordinate with these external vendors to ensure compliance. · Privacy Law Compliance – they guide handling of personal data and privacy implications to ensure no further issues. [32:30] What role do vendors like Epiq do to support the incident response lifecycle? – Just like Law firms providing legal advice and support in responding to a cyber incident, cyber incident response providers support with the operational response to a cyber incident. Initially, vendors like Epiq support with the incident identification and forensic investigations. Essentially finding the open door and closing it. Further investigation on how the threat actor (baddie) got into the open door is conducted to prevent other doors from opening too. Following this, the operational partner will support in understanding the extent of the incident, whether that be identifying impacted entities, notifying them of the incident and providing remediation, as well as supporting with any follow on litigation or mass claim. [36:00] What should an organisation do in future to prevent further incidents? – Benjamin Franklin's famous quote is so true here – 'by failing to prepare, you are preparing to fail'. The key point here is to learn from your mistakes. There may have been numerous reasons that the organisation wasn't ready for a cyber incident, but they should learn from what led to the incident previously, and proactively address this to prevent further incidents. 67% of organisations that get hit by a cyber incident are subject to further attacks within 1 year. It's important to reduce your attack surface, and ensure you have cyber security themes running throughout the business. [37:45] What are Jack's top 3 tips to take away from this session to help them respond effectively to an incident? – · Establish an Incident Response Plan – we spoke through IR plans during the first episode, but creating a plan that outlines roles, responsibilities and communication channels during an incident is key. Once implemented, regularly testing the plan and simulating these incidents is key to ensuring effective response. · Engage external experts early – during this session we identified 3 critical external support pillars to an incident – having legal advice, operational and response support and insurance is key. · Prioritise business continuity – enabling the external experts to support you through the incident will free your bandwidth to ensure that you minimise damage and downtime to your business. If you'd like to learn more about Epiq and how they can help you, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Cyber incidents are on the rise as data shows there was a 20% increase in data breaches from 2022 to 2023. Technology has become an integral part of most businesses, especially post pandemic where many who may have avoided this reliance on tech had no choice but to adapt to survive. As a result, the question of businesses being affected by a cyber incident has become 'when' rather than 'if'. However, there are a number of steps you can take to mitigate risks ahead of any potential incidents. We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks. You'll learn · Who are Epiq? · What is a cyber incident? · The importance of being proactive in reducing the risk of an incident · What can organisations do to be proactive in mitigating cyber incident risk? · What are forensic tabletop exercises, and how do they enhance preparedness? · Why might an organisation need to get an incident response retainer? · What role do Information Governance consultants play in reducing cyber risk? Resources · Epiq · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Jack Morris, Accoutn Director at Epiq, to discuss how to mitigate cyber incident risk. [02:40] Who are Epiq? – Epic is a global leader in technology enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8000 employees spread over 19 countries, it helps to support corporations, law firms and government agencies across the globe. [04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll where he was focused on data management – including overcoming ransomware infected devices and essentially allowing organisations to get access to data that was previously taken away from them. Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director. Jack's role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best in class people and technology. [06:40] What is a cyber incident?: A Cyber Incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation's information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats. Organisations looking to combat information security risks should consider ISO 27001, as it's key principles include the confidentiality, integrity or availability of your businesses information. [08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business? – Let's look at some startling statistics: In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% of those businesses experienced attacks at least once a week. 48% of Small to Medium Businesses, globally, experienced a cyber incident in the last 12 months, with 61% of all cyber-attacks specifically targeting small business. This is the most shocking of the statistics, and why it's so important for us to be having these kinds of conversations around how business, no matter the size, need to be proactive in mitigating the impact of a cyber incident. 70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don't). Nearly 60% of businesses that are impacted by a cyber incident go out of business within 6 months following! [12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber Incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024: January saw a rise in cyber incidents predominantly affecting retail, education and local government. In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets. All of this to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents are increasing as well as the severity of said incident. [13:35] ISO Standard trends – At Blackmores, we've seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference to 10 years ago where it would mostly only be adopted by those in the managed services or tech based industries. [15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, engaging with law firms and consultancy organisations to become aware of the organisation's requirements and compliance issues arising from a cyber incident. If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of an incident or there can be fines that are implicated. To deal with these types of situations, it's imperative that your organisation has established, sound relationships with law firms and consultants. [17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures, and conducting exercises, organisations can significantly reduce the impact of incidents. Organisations should be aware of both the legal and operational issues that arise from a cyber incident – from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation are all key considerations that have an effect on the whole of a business. [18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practicing their roles during an incident. These exercises improve coordination, communication, and decision-making, ensuring a more effective response when a real incident occurs. The workflow here is clearly defined; implement an incident response plan, and then test that plan for robustness – engaging with external providers, like Epiq, to further add to the existing plan and to test how the organisation will manage an active incident. [19:35] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 – business continuity. In Blackmores' experience, a lot of organisations don't actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans are a requirement, it's a bit of an eye opener when they realise they're not as resilient as initially thought. It's always better to test these plans in a simulated environment vs a live one, so you can be assured that your plans are up to the task. [23:40] Why might an organisation need to get an incident response retainer? – We're starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements. One, which keeps popping up, is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements. [26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats, and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate. [27:50] What role do Information Governance consultants play in reducing cyber risk? – : Information Governance (IG) consultants specialise in helping organisation define their Information Governance Strategy encompassing data security and defining compliance policies.. They support organisations in defining: · Data Classification: Identifying Sensitive and PII data and categorising based on their confidentiality or regulatory requirements. · Retention Policies: Defining policies on retention period of records and method of disposition aligned with compliance requirements. · Legal Holds: Ensuring necessary data is preserved for potential litigation, internal investigation or as part of audit process. · Privacy Compliance: Aligning with regulations such as GDPR, DP, DPA, CCPA. [33:30] What are Jack's top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – : Unfortunately mitigating cyber risk isn't a one-size-fits-all response, however I like seeing cyber risk as 3 buckets, that businesses should be aware of and measure their organisation against: Technology & Infrastructure – outdated systems, unpatched software and not fit for purpose IT infrastructure pose risks. These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions. So, making sure that your technology and infrastructure is fit for purpose, and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which is a great, cost effective way of adding an additional layer of technology security. Human Factor – for me, this is the number 1 frailty to a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases. Over recent years, cybersecurity awareness has been the aim of the game. However it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees. Ensuring that your people are aware of cyber incident (perhaps listening to this podcast), and their role in mitigating the risks associated to a cyber incident are crucial in ensuring that your business is secure. Preparation – in just about all walks of life, preparation is key for preventing almost anything. We have spoken today about some of the key preparation themes I'm seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur. If you'd like to learn more about Epiq and how they can help you, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List

Businesses looking to tackle their environmental impact will need to look at how they can reduce their carbon emissions and offset any remaining emissions to ensure that they reach Net Zero. One of the most common ways businesses offset their emissions is through the purchasing of carbon credits that typically go towards planting trees or re-wilding. However, there are a number of new emerging trends following on from the current commodification of nature, resulting in an attitude shift from businesses who are looking to get a lot more involved in the offsetting process. We invited Luke Baldwin, Co-founder and CEO of Nature Broking, back onto the show to explain the latest trends in the carbon market. You'll learn · What are the latest trends in the carbon market? · The importance of high integrity within carbon offsetting · Looking for impactful solutions · Why education around carbon offsetting is key for long-term sustainability commitment · How buying carbon credits now can lead to significant savings Resources · Nature Broking · Isologyhub In this episode, we talk about: [00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates. Simply head on over to isologyhub.com to either sign-up or book a demo. [02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss emerging trends in the carbon market that help businesses tackle their carbon offsetting. [02:50] What are the key trends in the Carbon Market – As of 2024, Luke states the leading trends as: · High Integrity · Impactful solutions · Education · Purchase carbon credits now and save later [04:10] High Integrity – There's now a lot of carbon credits available and due to the nature of the unregulated carbon markets, it's led to an increase in bad actors generating revenue in a bad way. Once example of this is Kariba, a project in Zimbabwe that aimed to tackle deforestation, which was recently exposed in the Guardian and The New Yorker for having incorrect calculations. Credits purchased towards that programme were then called into questions and any associated companies were accused of greenwashing. To avoid this, businesses are now putting a greater focus on high integrity solutions, which involves considerations such as: · Are the credits durable? Will the carbon be stored long term? · Are their significant CO2 benefits? · Are the credits contributing anything besides just removing carbon? i.e. regenerative agriculture or woodland plantation [06:20] Impactful Solutions: The carbon markets offers a lot of fantastic solutions and businesses are moving away from the quick commodification of those solutions, and are instead looking to really understand the impact of how they chose to offset their emissions. It's becoming more of a question of buying carbon credits that align with your values, whether this be social values or sustainability values. They're looking to invest in projects that will have a tangible outcome. Which is exactly what Nature Broking sets out to assist businesses with by tailoring bespoke solutions that adhere to their specific values. [08:10] Education – The need for more education around the carbon markets is crucial. Luke remembers the quote "you can't love what you don't know", which applies as how can a business truly invest in something that they don't fully understand. Sustainability is a mindset, and a cultural shift towards more sustainable practices starts with an education. Carbonology uses an ISO framework, but also provide an education around the carbon reduction plan provided to inspire a mindset shift change towards sustainability. [09:05] Blackmores experience – Blackmores have been implementing environmental and energy Standards for over 18 years, but it's only been in recent years that we've seen a mindset shift in leadership towards sustainability. While people may be aware of Standards such as ISO 14001 or B Corp, but may not be aware of other governance frameworks that can help businesses to manage their carbon footprint and carbon neutrality. [10:20] Join the isologyhub – Don't miss out on a suite of over 200+ ISO tools, templates and training, sign-up to become a member of the isologyhub [12:25] How can you make significant savings when purchasing carbon credits? – A lot of carbon solutions currently are very cost effective, in particualr forestry credits and carbon removal credits. Some of the more technological ones such as direct air capture or bioenergy and carbon capture and storage can be more expensive now because the technology utilised is still so innovative and in it's infancy. However, that will change in time. If you're looking at building a carbon portfolio for your net zero journey, for example, say are going through a science based targets initiative and you've decided that you cannot avoid the 10% of remaining emissions your net zero journey and you need to buy carbon removals - you're much better purchasing carbon removals now than in the future. This is because there will be a supply shortage in future, especially when we see more enforced regulations come into play between 2030 and 2035. This will mean that the price of those carbon credits will rise significantly. What may cost £20-£30 per tonne for carbon removal now may go up to anywhere between £100 - £150 per tonne! So it's worth investing in your carbon portfolio now, especially in the case of tree planting as those tress are going to take a while to grow and actually start storing carbon. If you finance projects now, you will have already made an amazing impact from the start, and will potentially save yourself a lot of trouble and money in future by planning ahead. If You'd like to learn more about Nature Broking and their solutions, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List