Monday, October 26, 2009

ISO Issues

A quick thanks to all who have commented and contributed to the blog site. To clarify some issues that have arisen, it is beyond the scope of this blog to provide detailed educational training. My vision with this is to get folks started off on a particular topic. Those who have expertise in the topic may not learn something new, but could (and should) contribute and add to what is presented by posting comments. On the other hand, those who are new to the topic can gain an introduction by reading the post and then further pursue the topic by obtaining the relevant study material if they are so inclined. With that stated, let’s move on to this week’s topic – ISO.

ISO (the International Organization for Standardization) has existed for a long time (Feb 23, 1947 to be exact) and caters to a lot of different industry domains and knowledge areas. Headquartered in Geneva, ISO is a non-governmental organization but is well known all over the world with significant influence and power. As its name implies, the organization is primarily concerned with the setting and maintenance of worldwide industrial and commercial standards. ISO provides guidelines for over 17,500 standards. While numerous standards exist that relate to technology, the standards most relevant to this blog site are the ISO 20000:2005 (IT Service Management) and the ISO 27000 (Information Security Management) standards.

As a consultant, I am passionately in favor of standards. One of the most frustrating things for me is to spend my time (and therefore the client’s money) in the attempt to understand the way things are set up and the terminology used at each organization that I consult at. What is fascinating is that each organization has its own “lingo” and way of defining items and resources. One might expect that their processes would differ, but the very language they speak differs as well. This is not just inconvenient for a consultant or new employee but leads to confusion and problems/defects when interaction between other organizations is carried out. In today’s age of inter-dependency and outsourcing, it is important that all organizations speak the same language. Other benefits of implementing standards include compliance with governmental and regulatory requirements and the ability to enter global markets (some foreign countries require ISO certifications as a mandatory qualification to enter their market). Last but not least is the organizational efficiency and quality improvements inherent in improving the organization’s processes.

But for standards to work, they have to be implemented. So, how does one go about implementing an ISO standard? First, the decision must be taken and supported at the top management level and then accepted at the organizational level. I have observed too often the adaptation of some standard or methodology by the top brass while the cubicle level folks are dead-set against it. This almost always leads to the failure of the standard being employed. If not all, at least a significant majority of the organization’s staff must be in favor of implementation of the standard.

Next, adequate resources must be planned for and set aside for the implementation of the standard. Training should be provided to key players in the implementation and outside consultants brought in as necessary.

If certification is desired, then an independent audit to assess and certify compliance to the standard’s requirements should be obtained.

ISO is a vast organization with a huge body of knowledge, and my attempt to bring some of the IT aspects of it to light is but a first step in the right direction. Interested readers may pursue the subject in more detail via numerous resources available online.
