Nov 19, 2020

An Extensive A-Z Guide on Recertification of the Primary International Standards

What are the terms of ISO and other basic international standards certification, and how often the company should recertify to prove compliance with ISO 27001, ISO 14001, ISO 9001, GDPR, IT-Grundschutz, and others?
iso certification

There are many reasons why businesses choose to start their compliance journey: whether to secure their processes and assets, improve operational efficiency, or prove credibility. On average, a company must have certifications of international standards, which cover security, quality, and data privacy. 

International standards you must take into account

The standards and regulations to align with depend on the business, strategy, market, and industry demand. While some regulations are a must for companies to ensure security, data privacy, and credibility, others are a matter of choice and financial capacities. 

Security standards help companies build effective ISMS and protect from external and internal hazards, ensuring all organizations’ operations are secure. The most in-demand security standards are as following:

  • ISO 27001 and IT-Grundschutz
  • ISO 15408 (security of testing and integration of software and hardware products)
  • NIST (cybersecurity)

Depending on sustainable development trends, companies align with the standards like:

  • ISO 22301 (business continuity)
  • ISO 14001 (building environmental management system)
  • ISO 9001 (quality management system)
  • ISO 26000 (voluntary guidance on social responsibility)
  • ISO/TC 268 (sustainable cities and communities)

Companies dealing with collecting, storing, or processing personal data regarding EU citizens need to undergo GDPR compliance certification (CCPA is a data privacy regulation for the USA).  

Some companies may get certified with industry-specific standards and regulations; to name just a few:

  • Automotive: TISAX (cross-company recognition of information security assessments in the automotive industry), ASPICE (process model that defines best practices for software and embedded systems development for the automotive industry), ECE-TRANS-WP29-2020-079 (Automotive, regulation for vehicles in regards to cyber-security);
  • Food industry: ISO 22000 (food safety management), PAS 96 (food and beverage defense practices), HACCP (food safety specification for physical, chemical, and microbiological hazards), GHP (acceptable hygiene practices), etc.
  • Energy sector: ISO/IEC TR 27019 IS (ok energy utility industry), ISO 50001 (energy management system (EnMS), CIP-013 (obligatory for critical infrastructures in the USA).
  • Medical sector: ISO15189 (Medical laboratories: particular requirements for quality and competence), ISO 13485 (medical devices).
iso certification
ISO survey of certifications to management system standards (as of September 2020). Source

Two essential things to keep in mind about standards

Depending on the industry and company specifics, the number of required standards may vary. It will be enough for some organizations to follow two standards to prove reliability, sustainability, and quality, while others have to implement four or even more. It is crucial to remember:

  • Certification is not a one-time occurrence. Each standard has its validity term, so you have to apply for recertification or prove your compliance once in a certain period.
  • Standards get updated. Most certification institutions reissue the standards and regulations, adding new requirements, controls, or other terms.

Essential standards to monitor: Checklist

We have created a shortlist for you, including the terms of certificate validity, the need for internal audits, and recertification for some of the most widely used standards. 

Information security standards:

ISO 27001

The most popular standard implemented for IT Security.

  • Recertification term: 3 years
  • Update: every 3 years
  • Crucial or high-risk processes should be audited perhaps quarterly or twice a year. Low-risk processes can be audited just once a year or every other year. Taking into account the current situation with pandemics, you can carry out remote audits, too.

BSI IT-Grundschutz

IT-Grundschutz offers a systematic approach to information security that is compatible with ISO/IEC 27001.

  • Certification validity: 2 years
  • Upgrade of IT-Grundschutz: annually
  • Internal audits: annually

GDPR

There are no explicitly set conditions and validity of the certification. From May 2018, all eligible companies for the data privacy law must follow the GDPR recommendations and carry out regular internal audits to ensure their compliance.

  • Audits: regularly. There are no clearly set terms, so you have to be ready to provide information to the regulator upon request.
  • An organization is obliged to maintain a regular inventory of the data they collect and store at any given moment.

Other standards

ISO 22301

This standard is utilized for building business continuity management systems (BCMS) to ensure the company will operate in case of disruptive incidents.

  • Recertification term: 3 years
  • Regular internal audits: annually
  • Last update: ISO 22301:2019

ISO 14001

It is an optional sustainability standard used by companies to improve their environmental impact management.

  • Recertification term: 3 years
  • Regular internal audits: annually
  • Last update: ISO 14001:2017

ISO 9001

This is the most popular standard used for building quality management system (QMS).

  • Recertification term: 3 years
  • Regular internal audits: annually
  • Last update: ISO 9001:2018

Industry-specific standards

TISAX (Trusted Information Security Assessment Exchange)

An assessment and exchange mechanism for enterprises’ information security and allows recognition of assessment results among the participants.

  • Certification validity: 3 years
  • Certification audits: every 3 years via ISA (the Information Security Assessment)
  • Updates: No specifically defined term of updates to TISAX.

ASPICE

It is a software & hardware design and development framework explicitly created for the automotive industry based on ISO 15504. This established data security method is aimed to help improve processes about the safety of mechatronic systems. Unlike most industry regulations, ASPICE isn’t a pass/fail assessment but defines certification levels from L1 to L5.

  • How often to apply for assessments: not more often than once a year.
  • Updates: No specifically defined term of updates to ASPICE.

ISO/IEC TR 27019

  • Recertification term: 3 years
  • Audits: every 2 years (e.g., safety audits, certifications, penetration tests)
  • Last update: ISO/IEC 27019:2017

ISO 50001

  • Recertification term: 3 years
  • Audits: annually
  • Last update: ISO 50001:2018

Post-certification challenges

After companies get certified, they should take care of the required measures and documentation permanently. Yet, most may face these challenges:

  • Continuous maintenance of the requirements and implementation of controls. After the stringent period of certification preparation, numerous audits (some standards require more than just one), companies may forget about compliance-related procedures. This may result in increased workload and even the possibility of failing the next audit.
  • Transition to the updated version of the standard is often done manually. ISO reviews its standards every three-five years to check that they remain useful and relevant to businesses. During a revision, the ISO committee tweaks the standards to keep up with the challenges businesses face. In their turn, companies have to continuously keep track of these changes and adapt their ISMS, EMS, or QMS to the current requirements.

How to Migrate to a Standard Update: Use Case IT-Grundschutz 2019 to 2020

Regulatory authorities review the issued standards once in a while and publish updates to them. With every new update to a standard, companies should transition to the new version. Besides being time-consuming if handled manually, this is a matter of attentiveness and the ability to do everything on time. After an update to a standard is published, organizations have a particular deadline to comply with it entirely. Otherwise, their certification may be withdrawn.

Modern GRC solutions offer compliance officers the possibility to transition to a new version automatically without the need to spend time with piles of spreadsheets. The Standards Compliance Manager’s users can migrate from IT-Grundschutz 2019 to IT-Grundschutz 2020 and other pre-integrated standards in the solution in a few clicks saving the existing database, assets, and requirements with respective visual notifications and comments about changes or differences available in the Compliance Check grid.

Final word

As you can see, there is no single recipe for maintaining compliance and avoiding fines. Once certified, organizations need to monitor their activities and documentation continuously to comply with the chosen standard or regulation.

If you are still using tools like Excel, be ready that you have to do everything from scratch. Today, various GRC solutions allow you to upload all your assets and controls if you manage multiple standards and automatically migrate all your databases to newly upgraded standards.

Request a trial

Try it!

Benefit of free usage of the Infopulse SCM for 3 months to find out how the solution can optimize and streamline your compliance management. Please fill out this form, choose the standards and features you are most interested in. Our consultants will be glad to deliver a personalized webinar for you explaining step by step all the benefits of the SCM adoption.