The ISO Show

Blackmores UK
Apr 16, 2024 • 39min

#171 Proactive Steps to Mitigate Cyber Incident Risk with Epiq

Cyber incidents are on the rise: data shows there was a 20% increase in data breaches from 2022 to 2023. Technology has become an integral part of most businesses, especially post-pandemic, when many who may have avoided this reliance on tech had no choice but to adapt to survive. As a result, the question of businesses being affected by a cyber incident has become 'when' rather than 'if'. However, there are a number of steps you can take to mitigate risks ahead of any potential incidents. We invited Jack Morris, Account Director at Epiq, to discuss cyber incidents, the importance of being proactive in reducing cyber incident risk and the steps you can take to mitigate these risks.

You'll learn
· Who are Epiq?
· What is a cyber incident?
· The importance of being proactive in reducing the risk of an incident
· What can organisations do to be proactive in mitigating cyber incident risk?
· What are forensic tabletop exercises, and how do they enhance preparedness?
· Why might an organisation need to get an incident response retainer?
· What role do Information Governance consultants play in reducing cyber risk?

Resources
· Epiq
· Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Jack Morris, Account Director at Epiq, to discuss how to mitigate cyber incident risk.

[02:40] Who are Epiq? – Epiq is a global leader in technology-enabled legal services. In fact, it supports 90% of the top law firms globally! With over 8,000 employees spread over 19 countries, it supports corporations, law firms and government agencies across the globe.

[04:31] Who is Jack Morris? – Jack joined the industry relatively fresh out of university, starting at an organisation called Kroll, where he was focused on data management, including recovering ransomware-infected devices and essentially allowing organisations to get access to data that had previously been taken away from them. Kroll was later acquired by Duff and Phelps and went through a turbulent time of many name changes before settling on Kale Discovery. He ended up leaving a year ago and joined Epiq as an Account Director. Jack's role at Epiq includes being a facilitator, introducing law firms, corporations and cyber insurers to best-in-class people and technology.

[06:40] What is a cyber incident? – A cyber incident is any unauthorised or unexpected event that compromises the confidentiality, integrity or availability of an organisation's information systems, data or network. Incidents can range from data breaches and malware infections to single mailbox compromises and insider threats. Organisations looking to combat information security risks should consider ISO 27001, as its key principles include the confidentiality, integrity and availability of your business's information.

[08:29] Why is it important for organisations to be proactive in reducing their risk of an incident, no matter the size of your business? – Let's look at some startling statistics:
· In 2022, 39% of businesses in the UK identified a cyber attack in the previous 12 months. Of this 39%, 31% experienced attacks at least once a week.
· 48% of small to medium businesses globally experienced a cyber incident in the last 12 months, with 61% of all cyber attacks specifically targeting small businesses. This is the most shocking of the statistics, and why it's so important for us to be having these kinds of conversations around how businesses, no matter their size, need to be proactive in mitigating the impact of a cyber incident.
· 70% of small to medium businesses in the UK believe that they are unprepared to deal with a cyber attack (which excludes those who think they have proper processes in place but ultimately don't).
· Nearly 60% of businesses that are impacted by a cyber incident go out of business within the following 6 months!

[12:10] Are there any particular industries that are most at risk from a cyber incident? – Cyber incidents are not siloed to particular industries, but there are some trends that we see in the market. Looking at Q1 2024: January saw a rise in cyber incidents predominantly affecting retail, education and local government. In February we saw a significant number of breaches, impacting organisations across the full spectrum of markets. All of this is to say that regardless of the size of your business and the industry you operate in, the number of cyber incidents is increasing, as is the severity of those incidents.

[13:35] ISO Standard trends – At Blackmores, we've seen an increase in demand for ISO 27001 and related data privacy standards across the board for all sectors. A stark difference from 10 years ago, when it would mostly only be adopted by those in the managed services or tech-based industries.

[15:30] What can organisations do to be proactive in mitigating cyber incident risk? – Things such as implementing a proactive incident response plan, and engaging with law firms and consultancy organisations to become aware of the organisation's requirements and the compliance issues arising from a cyber incident. If you were hit with an incident today, you must report any personal data breaches to the relevant regulators within 72 hours of becoming aware of the incident, or there can be fines. To deal with these types of situations, it's imperative that your organisation has established, sound relationships with law firms and consultants.

[17:25] What is the importance of an incident response plan? – Implementing an incident response plan is crucial because it allows organisations to prepare for potential cyber incidents before they occur. By identifying risks, implementing preventive measures and conducting exercises, organisations can significantly reduce the impact of incidents. Organisations should be aware of both the legal and operational issues that arise from a cyber incident: from regulatory compliance and liability concerns right the way through to loss of systems/data and brand reputation, these are all key considerations that affect the whole of a business.

[18:35] What are forensic tabletop exercises, and how do they enhance preparedness? – Forensic tabletop exercises simulate cyber incidents in a controlled environment. They involve key stakeholders discussing and practising their roles during an incident. These exercises improve coordination, communication and decision-making, ensuring a more effective response when a real incident occurs. The workflow here is clearly defined: implement an incident response plan, then test that plan for robustness, engaging with external providers, like Epiq, to add to the existing plan and to test how the organisation will manage an active incident.

[19:35] Join the isologyhub – Don't miss out on a suite of over 200 ISO tools, templates and training; sign up to become a member of the isologyhub.

[21:45] Links with Business Continuity – Response readiness plans and forensic tabletop exercises both tie into aspects of ISO 22301 (business continuity). In Blackmores' experience, a lot of organisations don't actually test their plans, so when going through the process of implementing ISO 22301, where testing these response plans is a requirement, it's a bit of an eye-opener when they realise they're not as resilient as initially thought. It's always better to test these plans in a simulated environment than in a live one, so you can be assured that your plans are up to the task.

[23:40] Why might an organisation need to get an incident response retainer? – We're starting to see a number of industries, particularly in regulated verticals, requiring businesses in their supply chain to meet a number of different cyber security requirements. One which keeps popping up is to have a plan in place for responding to security incidents. Having a retainer can help meet these compliance requirements.

[26:05] What role does Managed Detection and Response (MDR) software play in proactive incident response? – MDR solutions continuously monitor networks, detect threats and provide real-time alerts. They enhance proactive response by identifying suspicious activities early, allowing organisations to take preventive action before incidents escalate.

[27:50] What role do Information Governance consultants play in reducing cyber risk? – Information Governance (IG) consultants specialise in helping organisations define their Information Governance Strategy, encompassing data security and compliance policies. They support organisations in defining:
· Data Classification: identifying sensitive and PII data and categorising it based on its confidentiality or regulatory requirements.
· Retention Policies: defining policies on the retention period of records and the method of disposition, aligned with compliance requirements.
· Legal Holds: ensuring necessary data is preserved for potential litigation, internal investigation or as part of an audit process.
· Privacy Compliance: aligning with regulations such as GDPR, DP, DPA and CCPA.

[33:30] What are Jack's top tips that the listeners can take away from this podcast session and implement today to begin mitigating their risk? – Unfortunately, mitigating cyber risk isn't a one-size-fits-all response; however, I like seeing cyber risk as 3 buckets that businesses should be aware of and measure their organisation against:
· Technology & Infrastructure – Outdated systems, unpatched software and IT infrastructure that is not fit for purpose pose risks. These types of vulnerabilities are exploited by attackers, leading to data breaches, malware infections and system disruptions. So, making sure that your technology and infrastructure is fit for purpose and up to date is a key takeaway. We spoke about Managed Detection and Response solutions earlier in the session, which are a great, cost-effective way of adding an additional layer of technology security.
· Human Factor – For me, this is the number 1 frailty of a business. Business Email Compromise incidents increased by 67% in 2023, with Multi-Factor Authentication (MFA) being bypassed in 29% of these cases. Over recent years, cybersecurity awareness has been the aim of the game. However, it is crucial that, as our understanding progresses, we switch our focus to fostering a culture of cybersecurity responsibility among colleagues and employees. Ensuring that your people are aware of cyber incidents (perhaps by listening to this podcast), and of their role in mitigating the risks associated with a cyber incident, is crucial in ensuring that your business is secure.
· Preparation – In just about all walks of life, preparation is key to preventing almost anything. We have spoken today about some of the key preparation themes I'm seeing in the industry, from Response Readiness plans, to MDR, to Incident Response Retainers. Getting sufficient Cyber Insurance coverage is of paramount importance to ensure that your business can respond effectively to an incident, should one occur.

If you'd like to learn more about Epiq and how they can help you, visit their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.

We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or LinkedIn
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
Apr 4, 2024 • 18min

#170 Trends in the Carbon Market with Nature Broking

Businesses looking to tackle their environmental impact will need to look at how they can reduce their carbon emissions and offset any remaining emissions to ensure that they reach Net Zero. One of the most common ways businesses offset their emissions is through the purchase of carbon credits that typically go towards planting trees or rewilding. However, there are a number of new emerging trends following on from the current commodification of nature, resulting in an attitude shift from businesses who are looking to get a lot more involved in the offsetting process. We invited Luke Baldwin, Co-founder and CEO of Nature Broking, back onto the show to explain the latest trends in the carbon market.

You'll learn
· What are the latest trends in the carbon market?
· The importance of high integrity within carbon offsetting
· Looking for impactful solutions
· Why education around carbon offsetting is key for long-term sustainability commitment
· How buying carbon credits now can lead to significant savings

Resources
· Nature Broking
· Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss emerging trends in the carbon market that help businesses tackle their carbon offsetting.

[02:50] What are the key trends in the Carbon Market? – As of 2024, Luke states the leading trends as:
· High Integrity
· Impactful solutions
· Education
· Purchase carbon credits now and save later

[04:10] High Integrity – There are now a lot of carbon credits available, and due to the nature of the unregulated carbon markets, this has led to an increase in bad actors generating revenue in a bad way. One example of this is Kariba, a project in Zimbabwe that aimed to tackle deforestation, which was recently exposed in the Guardian and The New Yorker for having incorrect calculations. Credits purchased towards that programme were then called into question and any associated companies were accused of greenwashing. To avoid this, businesses are now putting a greater focus on high integrity solutions, which involves considerations such as:
· Are the credits durable? Will the carbon be stored long term?
· Are there significant CO2 benefits?
· Are the credits contributing anything besides just removing carbon? i.e. regenerative agriculture or woodland plantation

[06:20] Impactful Solutions – The carbon market offers a lot of fantastic solutions, and businesses are moving away from the quick commodification of those solutions and are instead looking to really understand the impact of how they choose to offset their emissions. It's becoming more of a question of buying carbon credits that align with your values, whether these be social values or sustainability values. They're looking to invest in projects that will have a tangible outcome, which is exactly what Nature Broking sets out to assist businesses with by tailoring bespoke solutions that adhere to their specific values.

[08:10] Education – The need for more education around the carbon markets is crucial. Luke remembers the quote "you can't love what you don't know", which applies here: how can a business truly invest in something that it doesn't fully understand? Sustainability is a mindset, and a cultural shift towards more sustainable practices starts with education. Carbonology uses an ISO framework, but also provides education around the carbon reduction plan provided, to inspire a mindset shift towards sustainability.

[09:05] Blackmores' experience – Blackmores have been implementing environmental and energy Standards for over 18 years, but it's only been in recent years that we've seen a mindset shift in leadership towards sustainability. People may be aware of Standards such as ISO 14001 or B Corp, but may not be aware of other governance frameworks that can help businesses to manage their carbon footprint and carbon neutrality.

[10:20] Join the isologyhub – Don't miss out on a suite of over 200 ISO tools, templates and training; sign up to become a member of the isologyhub.

[12:25] How can you make significant savings when purchasing carbon credits? – A lot of carbon solutions currently are very cost effective, in particular forestry credits and carbon removal credits. Some of the more technological ones, such as direct air capture or bioenergy with carbon capture and storage, can be more expensive now because the technology utilised is still so innovative and in its infancy. However, that will change in time. If you're looking at building a carbon portfolio for your net zero journey, for example, say you are going through the Science Based Targets initiative and you've decided that you cannot avoid the 10% of remaining emissions on your net zero journey and you need to buy carbon removals, you're much better off purchasing carbon removals now than in the future. This is because there will be a supply shortage in future, especially when we see more enforced regulations come into play between 2030 and 2035. This will mean that the price of those carbon credits will rise significantly. What may cost £20-£30 per tonne for carbon removal now may go up to anywhere between £100-£150 per tonne! So it's worth investing in your carbon portfolio now, especially in the case of tree planting, as those trees are going to take a while to grow and actually start storing carbon. If you finance projects now, you will have already made an amazing impact from the start, and will potentially save yourself a lot of trouble and money in future by planning ahead.

If you'd like to learn more about Nature Broking and their solutions, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.
Mar 28, 2024 • 30min

#169 Credible Carbon offsetting with Nature Broking

The UK is the first major economy to achieve its 50% reduction target for Greenhouse Gas Emissions (between 1990 and 2022). However, we've still got a lot of work to do to reach our 2023 target of a 68% reduction. Many businesses are already making great strides to reduce their impact, and while you can reduce, achieving true carbon neutrality will involve offsetting a certain amount of emissions. One of the biggest challenges for businesses in terms of completing their offsetting is finding a credible carbon offsetting scheme. Mel is joined by Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature-based solutions for carbon offsetting.

You'll learn
· Who are Nature Broking?
· What is Natural Capital?
· How can we restore nature at scale?
· Financing the transition to regenerative agriculture through the sale of natural capital
· How have Nature Broking worked with clients to complete their carbon offsetting?
· How can you demonstrate a credible carbon offsetting scheme?
· What projects are Nature Broking currently working on?

Resources
· Nature Broking
· Isologyhub

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Luke Baldwin, Co-founder and CEO of Nature Broking, to discuss credible nature-based solutions for carbon offsetting and explore some of the wonderful projects Nature Broking have been involved with.

[04:10] What is natural capital? – Natural capital is the idea of creating value from nature. It encompasses all the things that we get from nature that we rely on. That could be the shelter in your house all the way through to carbon offsets.

[04:55] Who are Nature Broking? – Nature Broking's story starts off on a sombre note. Sadly, Luke lost one of his friends in a mountaineering accident, and in his memory, Luke and another friend rewilded one acre of Scottish Borders woodland. This is something they make a point of visiting every year, to pay tribute and to keep their living, breathing monument to his friend's memory alive and well. The experience was an eye-opening one. For as lovely as the process was, it was incredibly expensive, and not very easy to do. Luke then realised that philanthropy alone wasn't going to be able to cover the costs of what was required to restore nature. Looking into the matter further, he found that 50% of the world's GDP is moderately or highly dependent on nature and that the UK, whilst green and beautiful, sits in the bottom 10%. And so, an idea was sparked. Together with his friend and Co-founder Andy, he started down the nature restoration path and created Nature Broking.

[06:20] What is Nature Broking's mission? – Nature Broking have 2 major missions:
#1: Help restore nature at scale
#2: Help finance a transition to regenerative agriculture

[06:34] How can we restore nature at scale? – The UK Government has set targets of halting nature decline by 2030, with a view to increasing nature by 2045. The Green Finance Institute has calculated that there is a funding gap of about 56 billion in order for us to achieve our legally binding environmental targets. That's a hefty sum to put on public money and philanthropy, which is where private markets and business can make a big impact. Frameworks like PAS 2060 (ISO 14068) help businesses invest in nature, and with the creation of carbon credits, carbon has been commodified to make it more accessible for businesses to contribute to carbon offsetting.

[08:20] How can we help finance the transition to regenerative agriculture through the sale of natural capital? – Regenerative agriculture is about restoring the soils, restoring nature back to its original level. Modern farming techniques, while fruitful, use tools such as fertilisers and mechanised farming that have damaged the soil's biome. That's going to take time and a concerted effort to fix. Now obviously, we can't just stop farming, we need food, so not all land can go back to nature. Currently, 70% of the UK is farmed, so the agricultural sector will play a big part in being more regenerative. However, the current incentives aren't great, so there's a lot of work that needs to be done in terms of financing the mechanisms behind it, i.e. funding and subsidies etc. One way we could do this is by utilising the carbon markets, as regenerative agriculture can lead to significant carbon sequestration.

[12:20] How do Nature Broking work with clients? – They make sure to work within the bounds of the business itself, as every business is different. They don't do off-the-shelf solutions, preferring to work closely with their clients and help them to really spend time in nature at the place where their carbon credits are being implemented. It's ultimately about education on the different solutions available, including asking important questions like:
· What impact do you want to have?
· What are the challenges with each solution?
· What do you need to watch out for?
Each solution is tailored to your business. So, if you'd prefer to work in woodland restoration over regenerative agriculture, then Nature Broking would be happy to work with you to achieve that. Carbon credits include their own set of challenges, one of the main ones being that science changes, so the solutions offered through carbon credits will also change. It may be a case of purchasing credits that tackle different solutions over a large area rather than pooling them all into planting trees, for example. Nature Broking are here to help advise and facilitate this.

[15:30] Join the isologyhub – Don't miss out on a suite of over 200 ISO tools, templates and training; sign up to become a member of the isologyhub.

[17:45] How can Nature Broking demonstrate credible carbon offsetting? – Nature Broking are at their heart transparent with how they operate. By taking clients to see the actual physical results of their carbon credits, they can educate and help others form a genuine connection to nature. They want clients to truly understand the full impact of their efforts. The second element is due diligence, which can be displayed by utilising one of the many carbon related frameworks now available, such as B Corp and Sylvera. Though these don't always work within a UK setting, so Nature Broking are working towards creating frameworks that do fit within the overall market view. Lastly, they ensure that the standard they're using is of high integrity, using frameworks such as the Integrity Council for the voluntary market, which analyses different standards. The second part of this is understanding the quality of the project developer, so looking at their technical expertise, looking at their financial ratings, and then evaluating the individual project itself in terms of potential risks.

[21:50] What are some of the projects that Nature Broking are currently working on? – A broad view of what's available in terms of schemes includes:
· The Woodland Carbon Code
· The Peatland Carbon Code – This is run by the IUCN, which is the International Council for the Conservation of Nature.
They are both defined and funded by DEFRA. These are some of the first carbon codes to move into the UK; however, there is a lack of available carbon credits, which should change in future. Others include:
· Wilder Carbon – A carbon code focused on rewilding, run by The Wildlife Trust.
· Carbon Code of Conduct – A regenerative agriculture code, so it focuses on analysing the full sequestration and full emissions potential of a whole landholding.

[25:00] Carbon Credits in practice – There's a current project called Bank Farm in Kent, which is being used as a test site for regenerative agriculture. This includes the likes of agroforestry, which is where you integrate trees into fields, which provide shade for animals and store carbon. So, you're not removing those fields from production, simply adapting them to be more sustainable. They're also practising mob grazing, which is all about using herbivores to maximise the amount of carbon stored in the soil. You can do this by moving, say, cows around a field to graze quickly on small areas before moving them on.

[27:05] Mel's conclusion – There's a huge opportunity in the management of agriculture that can be utilised within carbon credit schemes, in addition to helping our economy by creating new jobs within this new approach to tackling emissions and storing carbon. Hopefully we'll see larger corporations investing in these sorts of schemes both here in the UK and abroad.

If you'd like to learn more about Nature Broking and their solutions, check out their website. If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour.
Mar 20, 2024 • 39min

#168 Changes to ESOS – What you need to be aware of

The UK recently hit a huge milestone: according to the Department for Energy Security and Net Zero (DESNZ), the UK have reduced their Greenhouse Gas Emissions by 50% between 1990 and 2022. The UK are the first major economy to achieve this; however, we've still got a lot of work to do to meet our 2030 target of a 68% reduction. Over the past few years there have been a number of schemes aimed at businesses to help tackle their impact, specifically their energy consumption. Here in the UK, ESOS (the Energy Savings Opportunity Scheme) was introduced as an implementation of the EU Energy Efficiency Directive and has been a mandatory undertaking for large organisations that fit the criteria. Recently, that scheme has been updated and a number of changes have come into effect for Phase 3. Ian Boylan, Chief Executive Officer at ISO Baseline, joins Mel to explain the recent changes to ESOS, how they affect organisations in the UK and EU, and how ISO Baseline's software can help businesses consistently manage their energy consumption in alignment with ISO 50001 (the Energy Management Standard).

You'll learn
· Who are ISO Baseline?
· What is the Energy Savings Opportunity Scheme (ESOS)?
· What are the changes to ESOS?
· How do the changes affect those who currently comply using ISO 50001?
· What are the changes to the ESOS eligibility requirements?
· How can ISO Baseline help businesses with their ISO 50001 and ESOS compliance?

Resources
· ISO Baseline
· Isologyhub
· ISO 50001

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Ian Boylan, Chief Executive Officer at ISO Baseline, to discuss the changes to the Energy Savings Opportunity Scheme (ESOS), and how the changes will affect the European Directive on energy management and energy reporting.

[03:20] Who are Ian and ISO Baseline? – Ian has been involved with ISO Standards for a number of years, starting with the technical aspects of building Management Systems, then working with Certification Bodies as an auditor for Management Systems. From this experience, Ian really got to understand the challenges that organisations face when implementing ISO Standards, such as the maintenance needed to ensure they are achieving their requirements and objectives. This is where the concept for ISO Baseline was born. Targeted specifically towards the Energy Management Standard ISO 50001, ISO Baseline's software allows organisations to manage their energy processes and provide evidence that they are meeting their energy objectives.

[05:30] What features are included in ISO Baseline's software? – Features include:
· Energy reporting: Information can be displayed in graphs or Sankey diagrams to help visualise your energy performance.
· Identification of opportunities: Any opportunities for improvement found in the provided energy report will be recorded in an 'Opportunities Register'.
· Financial Assessments: Work out life-cycle costs for assets, which can be used as a guide to establish possible savings from implementing suggested improvements.

[07:25] What is ESOS? – ESOS was introduced when we were still a part of the European Union, when there was a European Directive on energy efficiency. It placed a requirement on member states in the EU to put together schemes for ensuring that large organisations undertake energy audits on a regular 4-yearly basis. In the UK this was adopted as the ESOS regulations. For many years, if a business's ISO 50001 certification scope covered all of its energy usage, then the business was considered compliant with ESOS. If you didn't have an ISO 50001 Management System in place, you would have to undertake energy audits once every 4 years, and have them reviewed, approved and signed off by a lead ESOS assessor. At the time, this had to cover 90% of your energy usage. One of the more recent inclusions in these regulations was the introduction of transport as a source of energy consumption. ESOS also included the requirement to identify significant energy consumption and propose a logical way to reduce energy consumption to improve energy performance.

[11:30] Main changes to ESOS: Accounting for your energy consumption – Instead of accounting for 90% of your total final energy consumption, you're now required to account for 95% of your total final energy consumption. The de minimis component of it has been reduced by 50%.

[12:30] Main changes to ESOS: Activity Metrics – All organisations will be required to develop activity metrics, and as part of your audits you'll be required to submit those activity metrics. The aim of this is to allow the UK to effectively assess organisations over established periods (i.e. from Phase 3 to Phase 4) to see if and how they are actually reducing their energy consumption. This could potentially lead to benchmarking, where organisations can be measured against each other.

[14:45] Main changes to ESOS: Submitting Action Plans – Previously, you just had to submit your completed audits and overall savings potential; now you will be required to submit a proposed Action Plan to improve your energy performance. You will also be required to report annually on your progress towards that Action Plan. So no longer can companies coast on simply paying to complete an Energy Audit exercise once every 4 years; now you will have to produce publicly available information that will hold organisations to account. Essentially a name and shame for organisations that choose to do nothing.

[16:55] Making Action Plans publicly available – Incidentally, it has always been a requirement that everything reportable regarding resources should be accessible, but previously you were not required to produce Action Plans. So essentially that will now also become part of the publicly available information.

[17:30] Making ESOS fit for purpose – When ESOS was introduced, there was already so much other legislation around in the UK, so the main focus then was to align them with one another and to ensure that they were all working towards a common purpose. This update hasn't ultimately required you to determine your energy savings potential in terms of carbon reduction, but quite obviously it would be a little bit ludicrous if an organisation went down this route and did not look at it from a carbon perspective, as it's only a tiny additional step, when you're doing it from a money perspective and an energy perspective, to figure out what the carbon impact is.

[18:30] Do you need help with your Carbon Reporting? – If you need assistance with GHG emission or SECR reporting, contact our sister company Carbonology®.

[19:20] Join the isologyhub – Don't miss out on a suite of over 200 ISO tools, templates and training; sign up to become a member of the isologyhub.

[21:25] Main changes to ESOS: Confirming your compliance – There are different approaches that you will need to be aware of when submitting your evidence of compliance, and which one you use will depend on which route you're taking. For the full ISO 50001 route, you will need to complete the Annex 1 approach, which is a reduced reporting requirement where you do not need to use an ESOS lead Assessor to submit it on your behalf; the organisation can do it themselves. If you're going down either the energy audit route or do not have 100% of your energy consumption covered by ISO 50001, you will be reporting using the Annex 2 approach. This is where you still require a lead ESOS Assessor to work with you and provide final sign-off on that reporting.

[24:15] Are there any changes in the eligibility requirements? – There aren't any major changes in ESOS's eligibility requirements. They have now updated the turnover amounts from Euro to Pound Sterling following our exit from the EU.

[25:35] How will these changes impact organisations? – Organisations will have to adapt to a more proactive approach towards their energy reporting and management. No longer can you get away with doing an energy audit once every 4 years and then forgetting about it until the next Phase. You need to start looking at it from the perspective of annual reporting, as all this information is going to be publicly available every year, which is going to be scrutinised if you're seen to not be taking any significant action. Large organisations will be compared against each other, and if one is taking action every year to reduce its impact and another is doing nothing for 4 years, which do you think will gain a more favourable reputation? This level of accountability is long overdue, and will be of benefit to organisations in terms of potential cost savings through reduction of energy use, and, more importantly, to the environment.

[30:00] How can ISO Baseline ISO 50001 help organisations with their ESOS compliance? – ISO Baseline's tools and software are going to be of most benefit to organisations that have a real objective to improve energy performance. If you're just doing the bare minimum to meet requirements, then it's not for you. ISO Baseline ISO 50001 is a tool to help systemise your organisation's approach to energy management. It can help to avoid a lot of the bureaucracy that can hold up progress, so you can spend your time focusing on the objectives and what the Management System is meant to lead to. Their software will guide you through the required processes involved with ISO 50001 Energy Management, including Internal Audit planning and completion, Management Review, and logging and addressing non-conformities and corrective actions.

If you'd like to learn more about ISO Baseline and their software, check out their website.
If you'd like to book a demo for the isologyhub, simply contact us and we'd be happy to give you a tour. We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Mar 5, 2024 • 24min

#167 How Lifelong Learner embedded ISO 22301 in just 4 months

According to the ISO Survey, there's been an 82.9% increase in worldwide ISO 22301 certificates issued following 2020. Business Continuity is a must-have for businesses who want to ensure long-term survivability following a disruptive event. Many turn to ISO 22301 to help put a framework in place, including today's guest, Lifelong Learner. However, what usually takes businesses a minimum of 6 months, Lifelong Learner managed to accomplish in just 4 months across an international organisation! That is in no small part due to the tremendous effort of Lifelong Learner's Manager of Information Security, Governance, Risk and Compliance, Lauren Taylor. Lauren joins Mel on this week's episode to share her journey and explain the challenges associated with implementing a Business Continuity Management System in just 4 months.

You'll learn
· Who are Lifelong Learner?
· Why did they decide to implement ISO 22301?
· What did they learn from implementing ISO 22301?
· What was the biggest challenge with implementation?
· What are the benefits of implementing ISO 22301?

Resources
· Isologyhub
· Lifelong Learner
· PSI Testing Excellence
· Talogy

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today Mel is joined by guest Lauren Taylor, who is the Manager of Information Security, Governance, Risk and Compliance at Lifelong Learner Holdings LLC. Lifelong Learner and its brands represent a fusion of comprehensive workforce solutions, with a human-first focus of changing lives through assessment. This includes helping people advance in educational and career aspirations, earning or maintaining licensing or certifications, or providing the tools to develop future leaders. Lauren has helped Lifelong Learner accomplish a massive milestone: the implementation of the Business Continuity Standard ISO 22301 across an international organisation, which she managed to do in just 4 months! She's here to share her journey and lessons learned from implementing ISO 22301.

[03:30] Not many people know this about Lauren – She had previously trained to be a mental health counsellor.

[04:05] Who are Lifelong Learner LLC? – Lifelong Learner is the parent company of two subsidiaries:
· PSI Testing Excellence: a leading provider of assessment solutions for the licensing and certification markets, to Educational Testing Services.
· Talogy: A market leader in the talent management space whose core purpose is helping organisations achieve their potential. They manage the talent management side of the business, putting together psychometric tests that help companies find the right person for the right job, and assisting with skills development.

[05:00] Adding to Lifelong Learner's ISO Collection – Lifelong Learner already have an impressive ISO library, being certified to:
· ISO 9001 – Quality Management
· ISO 14001 – Environmental Management
· ISO 27001 – Information Security Management

[05:20] What was the main driver behind obtaining ISO 22301? – The main driver, as with most companies, is usually a client or contractual requirement, but business continuity has been something that we've wanted to look further into for a while, because there are elements of ISO 27001 that cover business continuity. While we were able to get through the audits with what we had, we felt that it needed a little more building out. Business Continuity is a requirement within ISO 27001, but for stakeholders that want assurance that a business has robust business continuity plans in place, ISO 22301 is the next step.

[06:10] The Implementation Timeline – In October 2023, we began with the context workshop, where we could get a better idea of the scope of the management system. This was followed by a number of SWOT and PESTLE workshops to help identify what the perceived risks would be. Next came the Business Impact Analysis (BIA). Essentially what you need to find out from these workshops is the core activities that each of the teams perform on a day-to-day basis. You also need to understand what systems they use and whether they have any dependencies, and it all comes down to understanding, if the business cannot perform those activities, what the impact would be over time if those activities were to stop. Once you have all that information, the next step was to map it across into a risk assessment, which really helps you to understand the granular risks to your business when it comes to business continuity planning. This risk assessment helped to highlight some weaknesses that we hadn't considered before, and pointed us in the right direction as to what we needed to work on to bridge those gaps. Next was the creation and revamping of documentation in line with ISO 22301 requirements. Thankfully, due to the other ISOs we hold, we already had a lot in place. The same goes for Internal Audits, so this was more a case of integrating ISO 22301 into our existing Management System. Once we had all the documentation, we conducted a ransomware test exercise, and documented all the findings from it. Then we were ready for Stage 1!

[09:15] What were the biggest gaps Lifelong Learner needed to address? – Following the BIA and Risk Assessment, we were able to see where we needed response plans, because business continuity is always your Plan B. So in our minds, we had an idea of what kind of response plans we would need, i.e. a malware response plan, a ransomware response plan, those sorts of things. But it wasn't until we actually looked at the BIA that we realised we needed a few more.

[10:25] What difference did addressing those gaps make? – For us it was understanding the real risks to our business. We already had ISO 27001 in place, and we figured that if there were to be another pandemic, for example, we'd be covered. However, it wasn't until we did those exercises that we realised there was a lot we could improve on.

[13:25] What did Lauren learn from implementing ISO 22301? – How much people underestimate the importance of a good business impact analysis. After going through this in a very, very short space of time, I realised that it is actually the driving force behind a good business continuity management system. It also highlighted just how many people believe business continuity is all about IT and physical security; they completely leave out the human element. An example of this is having a single point of failure, where if somebody left there would be a gap.

[14:40] What benefits have Lifelong Learner experienced since implementing ISO 22301? – Lauren has noticed that more clients are requesting to see their Business Continuity Plans. It has also helped with the introduction of the latest ISO 27001:2022 controls, as these too focus on elements of business continuity.

[15:50] Lauren's top tips for implementing ISO 22301 – Definitely give yourself longer than 4 months! Think logically about how everything links together; the clauses all have a purpose and flow in a logical pattern to help create a Management System. Your Management Review can be your best friend. It's your opportunity to really engage with senior management and help them understand what the risks to the business are, how your internal audit is coming along, and how you manage your nonconformities, and it can all be neatly wrapped up in that nice management review bow.

[18:00] Lauren's book recommendation – The Matthew Perry autobiography, Friends, Lovers and the Big Terrible Thing.

[19:30] Lauren's favourite quote – "You catch more flies with honey than vinegar."

If you'd like to learn more about Lifelong Learner, check out their website.
Feb 21, 2024 • 23min

#166 What is ISO 42001 AI Management?

There's no escaping it: AI is here to stay. Over the course of 2023 we've seen more general and public use of popular AI tools such as ChatGPT and Gemini (previously Google Bard). It's now even being integrated into everyday applications such as Microsoft Word and Teams. There is no doubt that there are a lot of benefits to using AI; however, with new technology comes new risks. So how do we address the growing concerns around AI development and use? That's where the new Standard for AI Management Systems, ISO 42001, comes in! Join Mel this week as she explains exactly what ISO 42001 is, who it's applicable to, why it was created and how ISO 42001 can help businesses manage AI risks.

You'll learn
· What ISO 42001 AI Management Systems is
· Who it's applicable to
· Why it was created
· How ISO 42001 can help businesses manage AI risks

Resources
· Isologyhub
· ISO 42001 Webinar registration

In this episode, we talk about:

[00:30] Join the isologyhub – To get access to a suite of ISO related tools, training and templates, simply head on over to isologyhub.com to either sign up or book a demo.

[02:05] Episode summary: Today we're touching on a very topical subject, AI, and more specifically the brand new AI Management System Standard, ISO 42001. We'll also be exploring who it's applicable to, why it was created and how it can help businesses manage AI risks.

[03:30] What is AI? – AI, otherwise known as Artificial Intelligence, in its simplest description is the science of making machines think like humans. We've seen a lot of AI tools released to the public over the last year or so, tools such as ChatGPT and Google Bard. It's already being integrated with some of the most commonly used apps and programs like Microsoft Word and Teams. In short, AI integration is here to stay, so we may as well get to grips with it and make sure we're using it responsibly.

[05:10] What is ISO 42001? – ISO 42001 is the first International Standard for Artificial Intelligence Management Systems, designed to help organisations implement, maintain, and improve AI management practices. It was jointly published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The emphasis of ISO 42001 is on integrating an AI Management System with an organisation's existing management system, i.e. ISO 9001 or ISO 27001 compliant management systems. Interestingly, a lot of the specific mentions of Artificial Intelligence and Machine Learning are within the Annexes rather than the body of the Standard. The Standard itself is very similar to ISO 27001 in that it's mostly about what organisations should be doing to manage computer systems regardless of any AI components.

[08:00] The 4 Annexes of ISO 42001:
· Annex A: This acts as a management guide for AI system development, with a focus on trustworthiness.
· Annex B: This provides implementation guidance for AI controls, with specific measures for Artificial Intelligence and Machine Learning. If you'd like to learn more about the difference between the two, go back and listen to episode 135.
· Annex C: This addresses AI-related organisational objectives and risk sources.
· Annex D: This one is about the domains and sectors in which an AI system may be used. It also addresses certification, and we're pleased to see that it actively encourages the use of third-party conformity assessment. This just ensures that your AI claims have more validity.

[09:15] Who is ISO 42001 applicable to? – Those annex descriptions may have you assuming that this Standard is only applicable to organisations developing AI technology, but in actuality it's applicable to any organisation involved in developing, deploying OR using AI systems. So if you're a company that is only utilising AI in your day-to-day activities, it's still very much applicable to you!

[10:20] Join the isologyhub and get access to limitless ISO resources – From as little as £99 a month, you can have unlimited access to hundreds of online training courses and achieve certification for completion of courses along the way, which will take you from learner to practitioner to leader in no time. Simply head on over to the isologyhub to sign up or book a demo.

[12:25] Why was ISO 42001 created?
· To address the unprecedented rapid growth of AI and all the risks that come with this new technology.
· To ensure that AI development and use are trustworthy and, above all, ethical.
· The public are also reasonably wary of this new technology, so ISO 42001 aims to help build more public trust and confidence in the future use of AI.
· ISO 42001 acts as guidance for organisations on exactly how to integrate AI Management controls with their existing systems.

[14:05] AI risks you should be aware of – This isn't an exhaustive list; as the technology develops, more risks will become known. However, as of the start of 2024, you should be aware of:
· Inaccurate information – Many of the chat bots and public AI tools are trained on publicly available information, and as we all know, not everything on the internet is true. So the output from these chat bots will need to be checked and verified by a person before being used or published.
· AI bias – Studies have proven that AI results can still be biased. As all the data fed into it is based on existing information, it still presents the issue of a lack of information from underrepresented groups, or existing bias based on existing data.
· Time sensitivity – Not all AI uses live data sets. Google Bard does; however, ChatGPT is only accurate up until 2021. So double check whichever tool you're using to make sure the information it produces is up to date.
· Plagiarism – Data gathered using AI came from somewhere! If you simply copy and paste information provided by AI platforms, there's a chance you may be plagiarising existing content. Be sure to just use AI as a starting point!
· Security risks – Use of AI can expose you to additional security risks. For example, malicious actors could send someone an email with a hidden prompt injection in it. If the receiver happened to use an AI virtual assistant, the attacker might be able to manipulate it into sending the attacker personal information from the victim's emails.
· Data Poisoning – AI uses large data sets to train its models, and we currently rely on these data sets being relatively accurate. However, researchers have found that it's possible to poison data sets, so in future AI may not be very reliable if preventative measures aren't put in place by AI developers.

[17:45] How can ISO 42001 help businesses manage these risks? – Above all, it provides a structured approach to identify, assess, and mitigate AI risks. ISO 42001 includes the guidance needed to put this in place from the start to ensure you don't fall prey to the risks mentioned, with a view to monitoring and updating to address new risks in future. It promotes transparency and accountability throughout the AI life cycle. It helps ensure fairness, non-discrimination, and respect for human rights in AI development and deployment. It will help minimise potential legal and ethical liabilities associated with AI. The UK's current GDPR and Data Protection Act can loosely cover aspects of AI, depending on how the terminology is applied, but there are already dedicated AI-based regulations being developed within the EU which will likely be adopted by the UK. It can foster innovation and accelerate adoption of responsible AI practices. And lastly, it provides a common language and framework for collaboration on AI projects.

[21:35] Don't miss out on our ISO 42001 webinar – We're partnering with PJR to bring you a 2-part webinar series on ISO 42001. Catch the first part on the 5th March 2024 at 3pm GMT; register your interest here.
Feb 13, 2024 • 21min

#165 What is isology? How to Implement any ISO Standard

We have over 18 years' experience of implementing various ISOs, covering a wide range of topics such as Quality, Sustainability, Information Security and Risk. With a 100% success rate, we're confident in our consistent approach to implementing ISOs, so much so that we've coined our own unique methodology. Our regular listeners may be familiar with the term 'isology' from previous episodes referencing our online platform, the isologyhub. But what is isology exactly? Put simply, isology is our 7-step method for implementing any ISO Standard. Join Mel this week as she breaks down each of the 7 steps, including the planning, creation and review of an ISO Management System.

You'll learn
· Our experience implementing ISOs
· The origin of isology
· What is isology?
· The seven steps of isology

Resources
· Isologyhub
· Isology synopsis

In this episode, we talk about:

[00:25] Episode Summary – Mel Blackmore will be explaining our world-leading methodology to implement any ISO Standard, which we've affectionately named 'isology'.

[00:45] The creation of isology – We've been implementing ISO Standards for 18 years, starting with ISO 9001, and have since expanded our repertoire to over 20 ISO Standards covering risk, sustainability, quality and Information Security. The creation of the isology methodology has been a team effort from all of the consultants who have worked with Blackmores over the years, and is primarily built on best practice.

[01:35] Step 1: Plan – Get a copy of the Standard, determine your scope, timescales, leadership commitment and resources, and select a Certification Body.
· Timescales: This is typically around 6 months, but could be longer or shorter depending on your specific requirements.
· Resources: As an example, if you were looking to obtain ISO 14001 certification, you may need to appoint a sustainability champion. For ISO 27001 you'll need a representative from the IT department.
· Selecting a Certification Body: Ensure whichever Certification Body you choose is UKAS accredited. You can check this on the UKAS website. International listeners will need to verify on their country's national accreditation body website.

[03:45] Step 2: Discover – Time to understand what you have in place already and what you're missing; this is done through a Gap Analysis. This will often involve an initial meeting with the leadership team to establish what you already have in place, i.e. relevant policies and procedures or any relevant objectives. We break this down step by step and document it all in a Gap Analysis, which will determine your current level of compliance. From this an action plan can be created to indicate what needs to be done to become fully compliant, including assigning roles to assist with the implementation.

[05:30] Step 3: Expose – This is where we look at risks and opportunities related to your desired Standard (both internally and externally). This is typically done through a SWOT (Strengths, Weaknesses, Opportunities and Threats) and PESTLE (Political, Economic, Social, Technological, Legal and Ethical) analysis. In this stage you will also need to understand the key requirements of any relevant stakeholders, which can include clients, subcontractors, regulatory bodies etc. A Risk Register may be created to capture the findings to be addressed later. Some ISOs require a Risk Register, others don't, but in our experience it's beneficial to have one regardless. Companies are also encouraged to create a Legal Register to keep track of all their statutory, regulatory and contractual requirements.

[07:50] Step 4: Create – Time to review the requirements of the Standard in terms of documentation, and create what's needed. This includes capturing your way of working with documented Procedures, so make sure you have the relevant staff involved in their creation. Something to remember: you can have additional policy statements that aren't required by the Standard. If they are important to you, add them in! We're in a modern age now; gone are the days of paper manuals gathering dust on an office shelf. Software and applications may be where the bulk of your Management System documentation lives. For example, at Blackmores we use a combination of Monday.com and SharePoint to manage all of our day-to-day activities, including our own ISO 9001 compliant Management System. The key here is to make your Management System accessible for everyone.

[10:20] Step 5: Launch – Once the Management System has found its home, you need to communicate it. Consider the type of launch you want and who will be involved. Make sure you encourage engagement with the Management System. Why should you launch your Management System? Quite simply, there isn't much point in having controls in your business if no one knows about them! We have 2 key ways of supporting you with the launch of your Management System:
1) We can run an awareness session on your Management System, either in person or via Teams. It can then be recorded and used as refresher / induction training.
2) Get access to the isologyhub, our online platform with a suite of over 200 ISO courses, training, tools and templates.

[12:15] Step 6: Engage – After the launch you want to ensure that employees are fully engaged, and that they are not only aware of the policies and procedures you've got in place, but are actively using them. The only way to verify this is through Internal Audits; that's not just our opinion, that's a mandatory requirement of any ISO Standard. We can assist with conducting these Internal Audits, which double up as a dummy run ahead of your assessment visits. These audits are essentially a show-and-tell exercise to gather evidence that you're doing what you say you're doing.

[13:55] Step 7: Review – Time to take a step back and look at what's been achieved and what's been highlighted as areas for improvement through your Internal Audits. This is done at what we call a Management Review. These are typically conducted as meetings, but they don't have to be a meeting specifically; we've done a podcast covering other ways to conduct this review. At this Management Review you will collate data on the performance of your business in relation to the ISO Standard. The minutes must be recorded, as your Assessor will expect to see these; it's a mandatory requirement of any ISO Standard. If you'd like to learn more about what's involved with a Stage 1 and 2 Assessment, go back and listen to a previous episode.
Feb 6, 2024 • 15min

#164 The ISO 27001:2022 Transition Gameplan - A step-by-step guide to complete your Transition

The deadline is looming on the horizon, as October 2025 marks the end of the validity of ISO 27001:2013 certificates. Have you made a start on your transition journey? If not, you really should make a start in 2024 to ensure you're all set well before that final deadline. The first step is to decide if you want to do it yourself or enlist the help of a professional consultant. For those that want to tackle it yourselves, you're in luck! We have just the tool to help: The ISO 27001:2022 Transition Gameplan. In this week's episode, Steph Churchman, Communications Manager at Blackmores, explains why you need to transition to the 2022 version of the Standard and outlines the 7-step ISO 27001:2022 Transition Gameplan available on the isologyhub.

You'll learn
· Why do you need to transition to ISO 27001:2022?
· What happens if you don't transition?
· What is the ISO 27001:2022 Transition Gameplan?
· An overview of the 7-step Gameplan

Resources
· Isologyhub
· ISO 27001 Transition Gameplan

In this episode, we talk about:

[00:25] A different host – Steph Churchman, Communications Manager at Blackmores, steps in to cover today's episode. She's heavily involved with the development and updating of the isologyhub, and will be explaining one of the latest Gameplans: The ISO 27001:2022 Transition Gameplan.

[01:15] Why do you need to transition to ISO 27001:2022? – The October 2025 deadline is fast approaching, so you really should be making a start in 2024 if you've not already.

[01:45] Who needs to transition to ISO 27001:2022? – Basically, anyone who is currently certified under ISO 27001:2013 will have to transition to the updated Standard. One of the main reasons why we recommend getting a head start on this is that Certification Bodies will undoubtedly have a large demand for transition audits in 2025, when everyone's rushing to get it done at the last minute. This results in a shortage of resources from the CBs, and you may end up struggling to get booked in time.

[02:35] What happens if you don't transition in time? – The harsh truth is you will lose your ISO 27001 certification. This then means you'll be required to go through another Stage 1 and 2 Assessment against the latest version of ISO 27001, which can be costly. Another key reason is that the latest version of ISO 27001 also considers a lot of new technologies that weren't around when the last version was published. You can imagine that there are now a lot more cybersecurity risks to consider with all the technology that has been released in that time. Put simply, it's for the benefit of your Information Security to ensure you are adhering to the most recent best-practice Standards.

[03:40] What is the ISO 27001:2022 Transition Gameplan? – This Gameplan will walk you through the stages of transition, which align with our proven isology® approach, isology being our methodology for implementing any ISO Standard, based on our 18+ years of experience. In this Gameplan we provide training videos on the changes to ISO 27001, along with specific training videos covering each of the new Annex A controls that you will need to be familiar with, and templates and workbooks to take you through the process from beginning to end.

[04:20] Step 1: Plan – Before you begin your journey, it's advisable to understand the main changes to the Standard. We've summarised the high-level changes in a previous podcast, and included a quick summary in the first step of the Gameplan. In this first step, you'll also find guidance on how to prepare for your Certification Body visit. You really do need to do this early on to help establish a realistic timeline to complete your transition work.

[04:55] Step 2: Discover – At this stage, you need to get to grips with the changes to the Standard. A number of controls have changed, and 11 completely new ones have been added. We covered a select few of these new controls in previous podcasts: #111, #112, #113, #114. In this Discover step we provide a number of awareness videos to explore these new controls and changes in detail, including how they may apply to your business. We've also included a downloadable PDF guide to these changes, in case you'd like to share this information internally.

[05:40] Step 3: Expose – In this step we've included an ISO 27001:2022 transition workbook, which will act as a guide for all your transition activities, the first being a Gap Analysis against the latest version of the Standard. After completing this, you will have a much better idea of where your main gaps and vulnerabilities are, so you can start putting the necessary controls in place to ensure compliance with ISO 27001:2022. We've also included a summary of the main Management System documentation that will need to be updated ahead of your transition visit.

[06:20] Step 4: Create – This is the step where you will implement the changes arising from your Gap Analysis. This will also be guided by the workbook, and we have provided some additional templates and resources to aid you. These include:
· A Statement of Applicability Template
· Annex A Control Mapping
· ISO 27001 Management Review Template

[07:15] Step 5: Launch – It's not just about updating your documentation; you will obviously need to communicate these changes to the wider business. In this step we go over a few options for your launch plan, including guidance for both a soft launch and an all-in launch. To help you decide which one would be the best fit for you, we've included a full summary of each method in addition to a pros and cons list for each.

[08:30] Step 6: Engage – The last stages are all about gathering evidence of compliance against new and updated clauses and controls. In this step we provide some insight into what's required from your Internal Audits and Management Review ahead of your transition visit. If you want more tips on carrying out Internal Audits within your business, we also offer a full Internal Auditor course on the hub that covers the core skills needed to complete them. If you become a member of the hub, you'll get access to our whole library of resources, which includes a wealth of ISO related tools, templates and training videos.

[09:20] Step 7: Review – This last step will help you prepare for the transition visit with your Certification Body. We touch on what you should expect from your Certification Body ahead of the transition visit, and include guidance on carrying out a final document and evidence check to make sure you're all good to go.
Jan 30, 2024 • 28min

#163 The environmental value of circular design with Design Conformity

Did you know that in the UK alone, 22 million pieces of furniture are discarded each year, the majority of which goes directly to landfill? That amounts to an estimated 670,000 tonnes of furniture wasted, a significant portion of which could be recycled and reused. (Source) It's clear to see the need for a more sustainable approach to furniture design, manufacture and lifecycle, which is where today's guest, Design Conformity, comes in. Design Conformity live and breathe circular design, the process of creating products sustainably from the beginning, and offer a Life Cycle Assessment Certification Process which has already led to significant carbon reductions.

Mel is joined by Adam Hamilton-Fletcher, Founder and Director at Design Conformity, to discuss the application of circular design within the furniture manufacturing industry and explain how their Life Cycle Assessment certification process can help businesses reduce their carbon footprint.

You'll learn
· Who are Design Conformity?
· What is circular design and how does it help companies reduce their carbon footprint?
· What are the benefits of Design Conformity's certification?
· Can sustainability be of financial and environmental benefit to businesses?
· Examples of circular design in practice

Resources
· The ISO Show
· Design Conformity
· Carbon Calculator
· Circular Design Guide

In this episode, we talk about:

[00:25] Introducing today's guest – We welcome Adam Hamilton-Fletcher, Founder and Director at Design Conformity, onto the show. Design Conformity are currently setting the standard in retail sustainability, particularly in relation to the furniture industry.

[01:30] Who are Design Conformity? – Adam worked in the manufacturing industry for about 15 years, designing lighting systems for major retailers like Boots, Next, Marks & Spencer and Morrisons. He worked primarily with the lighting used in displays, and had been tasked with selling lighting products. In order to do so, he needed to develop a specification to help understand customer requirements, which would then be used to develop their ideal solution. The problem: there were little to no Standards in the UK and Europe for the retail display industry. This directly led to the creation of Design Conformity, which started out as an electrical and lighting Standard certification company and developed into a full carbon certification company. They aim to become the gold standard for sustainable furniture design.

[03:10] What is Circular Design? – Circular design is born out of the principle of a circular economy. To compare, a linear economy is when we take a raw material, use it, process it, and then it's just disposed of, usually straight to landfill. A circular economy is where we take that waste product and design it so that it can be repurposed, refreshed and reused. Those materials can then eventually be recycled, so the goal is to not use any raw materials at any point. Circular design is the intent to minimise environmental impact: to design equipment that can be reused and repurposed, and then at the end of its life be recycled.

[04:05] How do Design Conformity operate? – Design Conformity look at the way that companies design their furniture and then take them through a learning process (an online course). They help businesses to understand how to design a product in such a way that it can be repurposed or reused, where raw material usage can be reduced and where the shipping requirements can be reduced. They provide guidance and advice on recommended materials, including the provision of an online carbon calculator. They also provide reporting in alignment with existing carbon standards, such as ISO 14064, for product evaluation.

[06:55] How can the Carbon Calculator help? – By selecting a product of a particular type, you can use the estimator by entering the details of where and what you're manufacturing, and it will then give you a carbon footprint for that, which you can compare against other industry designers. It displays these other designers anonymously, but you can get a feel for whether your product is above or below the average for carbon emissions.

[08:55] An example of the Carbon Calculator in practice – Design Conformity recently worked with Costa Coffee, who were looking to reduce the environmental impact of their shops and coffee lounges. The beginning of that process is to work with their manufacturers to identify the environmental impact of the furniture they've got. They used the Carbon Calculator to help create an initial benchmark, which highlighted key indicators that can lead to carbon reductions.

[09:35] Design Conformity's Certification – They've borrowed the concept used by existing Energy Performance Certificates by having a carbon efficiency index, ranging from C1 to C7. Their score is a bit more unique, however, as it incorporates elements of circular design. Their score is based on a product's total carbon emissions, divided by its size and total lifespan. An Ecolabel is then awarded based on the final score.

[11:45] What are the benefits of Design Conformity's certification?
· It's a mix between carbon reporting and a carbon rating.
· It's easier for consumers to understand the benefits in comparison to companies that advertise compliance with ISO 14064 and PAS 2060.
· Not just a green label, as reporting is a key component of gaining certification.
· It provides a cradle-to-cradle analysis of a product's carbon footprint and translates that into something that is recognisable.

[14:15] Are businesses right to be skeptical about the cost versus the value of environmental certification? – 100%! It's not uncommon for eco labels to be more of a marketing tool than a tool for tangible carbon reduction. A lot of them out there are unregulated and are contributing to greenwashing. That's where Design Conformity differs, as they actually collate and process real data to provide tangible value and add credibility to their claims.

[16:10] Will there be a time when sustainability can be of financial and environmental benefit to businesses? – Yes, absolutely! And if there is a way to do that, it's through Circular Design. As an example, if you're a manufacturing company that's producing shelving, you need to buy in steel, which can fluctuate a lot in price at any given time. But you don't need to buy more steel every time; instead you could get your original product back, reprocess it and redistribute it. Adam has experience of suppliers who are practising this: they purchase their products back at 40%-50% of the price, saving a lot of money in raw material!

[19:00] Examples of companies who have embraced circular design – Tesco: they've introduced a policy whereby they purchase metal shelving, use it for 5 years, then take it back out of the store to get powder coated, cleaned and reintroduced to the store. That reduces the carbon footprint by 70% in comparison to buying a new shelving set! Boots: their beauty halls wanted to introduce a lot of new brands, which meant a lot more displays were needed. Boots started working with Design Conformity towards earning their certification, specifically in relation to the lighting they used in stores. With Design Conformity's help, they managed to reduce the carbon footprint at selected stores by 39%!

[21:20] Circular Design Guide – 14 people were involved in creating this guide, which is designed to give you an introduction to and overview of circular design. Access it over on their website.

If you'd like assistance with any ISO Standards, get in contact with Blackmores and we'll be happy to help 😊
Jan 16, 2024 • 21min

#162 What's the difference between Certification and Verification?

For those in the ISO space, you may be very familiar with the term 'Certification' in relation to ISO Standards. However, for certain ISO Standards there is a different type of terminology you need to be aware of. The demand for a more unified and structured approach to reducing carbon emissions has resulted in a few carbon related ISO Standards being published over the last few years. Standards such as ISO 14064 (Carbon Verification) and ISO 14068 (Climate Change Management) use the term 'Verification' rather than 'Certification'. So, what's the difference between the two?

Join Mel in this week's episode as she explains the key differences between the terms 'Certification' and 'Verification' in relation to ISO Standards.

You'll learn
· What is Certification?
· What is Verification?
· What is the difference between certification and verification?
· What's involved with Verification?
· Is there a demand for Verification in the UK and overseas?

Resources
· The ISO Show
· Carbonology

In this episode, we talk about:

[00:25] Episode summary – Listeners familiar with the world of ISO will know of the term 'Certification'; however, the release of new carbon related Standards such as ISO 14064 and ISO 14068 has brought in a new term: 'Verification'. This episode, we'll explain the difference between the two. If you'd like to learn more about ISO 14064 and ISO 14068, check out episode 72 and episode 158.

[02:00] What is Certification? – Quite simply, Certification is for businesses who wish to certify an ISO Management System. So a company wishing to implement a Quality Management System to ISO 9001 would get the ISO system certified by an accredited Certification Body.

[02:25] What is Verification? – Verification is the confirmation of a claim, through the provision of objective evidence, that specified requirements have been fulfilled. Therefore ISO 14064, the carbon footprint verification standard, is a standard that is verified, not certified. The 'claim' or 'statement' is typically the QES ('Qualifying Explanatory Statement'). If you'd like to find out more about this, then check out Episodes 91 to 97, where David Algar, Principal Carbonologist at Carbonology, explains in more detail.

[03:35] Setting the record straight – Some organisations (and even Certification Bodies!) have been stating they have been certified to PAS 2060 or ISO 14064, which is technically incorrect, as a certificate is not issued and they're not certified.

[04:30] Think of Verification as an MOT – A simple analogy for Verification is a car MOT. This is an annual check to verify that a claim is correct; much like an MOT, someone must inspect evidence and check that everything is as claimed, not unlike checking under a car bonnet and checking tyres to see if everything is in working order.

[05:20] What is the difference between accreditation for certification and verification bodies? – For ISO Certification, certification bodies must adhere to ISO 17021:2015. This standard basically provides the requirements for bodies providing audit and certification of management systems, and applies to CBs like BSI or NQA. There are many others here in the UK; simply visit the UKAS website to find a list of accredited CBs. In other countries, simply go to your national accreditation body website to find a full list.

[06:40] Accreditation for Verification Bodies – Verification Bodies need to adhere to ISO 17029, a Standard first published in 2019. That Standard's title is: Conformity assessment, general principles and requirements for validation and verification bodies. Both Standards provide structure and governance to basically ensure that organisations are either certified or verified on a level playing field.

[07:20] Watch out for the cowboys – Unfortunately, there are some fake third party so-called certification and verification bodies that offer certification and verification. They do not adhere to either ISO 17025 or ISO 17029, and instead play by their own rules. This results in utterly worthless (and very expensive) 'certificates' that won't hold up under scrutiny in tendering applications. So please ensure you use an Accredited Certification or Verification Body!

[07:48] What are the differences between Certification and Verification? Certification in more detail – Certification of an ISO Management System is a means of providing assurance that the organisation has implemented a system, so they've got the policies, procedures and controls in place against the relevant activities for their products and services to be delivered. Certification of a management system provides that independence, that impartiality, confirming that the company is actually doing what they say they're doing, and that it's effectively implemented. If you want to get certified, you need to undertake an Assessment. Typically this is done in two parts: a Stage 1 Assessment is a document review and a Stage 2 Assessment is the evidence to prove that the company is following its policies and procedures.

[09:35] What are the differences between Certification and Verification? Verification in more detail – There are actually 2 definitions for Verification:
1: The process for evaluating a statement of historical data and information to determine the statement is materially correct and conforms to criteria in 3.6.10.
2: It's a confirmation of a claim through a provision of objective evidence that specified requirements have been fulfilled.
There are a couple of notes with this one, including:
· Verification is considered to be a process for evaluating a claim based on historical data and information to determine whether the claim is materially correct and conforms with specified requirements.
· Verification is applied to claims regarding events that have already occurred or results that have already been obtained: confirmation of truthfulness.

[11:30] Avoiding Greenwashing – Now more than ever is the time to actually have systems in place to be able to verify that claims are factually correct. A key thing to note with both Verification definitions is that they state you can only make a claim for a certain period, again much like an MOT.

[12:55] What's involved with Verification? – There are a few ways to gather the historical data needed for verifiers; here are a few:
· Observation
· Inquiry
· Analytical testing
· Confirmation
· Recalculation
· Examination
· Retracing
· Control testing
· Estimate testing
· Cross-checking
· Reconciliation
From those terms alone, you can tell that this is a much more analytical approach compared with Certification.

[14:30] What's the current status of Verification in the UK and overseas (as of 2024)? – In addition to being the Managing Director of Blackmores, Mel is also CEO of Carbonology, a sister company dedicated to Carbon Standards. Across both companies, we're seeing a lot of interest in Sustainability Standards such as ISO 14001 and ISO 50001. At this current time, there is not so much of a demand for Verification and, as such, there's not a demand for third-party verification at this stage. There is, however, a demand for an impartial second-party Verification to back up an organisation's claims.

[16:15] Need any help with ISO 14064 or ISO 14068? – Get in contact with Carbonology and speak to our expert Carbonologists. If you'd like assistance with other ISO Standards, get in contact with Blackmores and we'll be happy to help 😊