Achieving ISO certification with an integrated management system

Barry Higgins

Managing Director at OSS

Digital Octopii helped On-Site Scanning certify for ISO 9001, 27001, 22301 and BS 10008 in just nine months through the creation of an integrated management system (IMS).

Achieved certification for all four standards

Completed in just nine months

Implemented fully functional integrated management system

About On-Site Scanning

Based in Port Glasgow, Scotland, On-Site Scanning (OSS) offers multiple services to UK organisations that need help with their documents, either with storing, scanning or managing them electronically. These services are available to the private sector and also the public sector, primarily the NHS. 

The business has always specialised in document scanning. Prior to embarking on the implementation of multiple ISO standards, OSS already worked to an ISO level of quality through its compliance with BS 10008:2020 Evidential Weight and Legal Admissibility of Information Stored Electronically.   

On-Site Scanning’s directors have a clear vision and want to grow their business in the public sector, particularly with the NHS, by helping their customers realise and unlock the potential and value of their documents. To achieve this, OSS knew they needed to become further certified so they could get onto public sector frameworks that required more certification than they currently held. 

What certification did OSS need?

The decision was taken to certify to ISO 27001 (Information Security), ISO 9001 (Quality), ISO 22301 (Business Continuity), and BS 10008 (Legal Admissibility). Rather than operate each management system in isolation from each other, OSS wanted to implement an Integrated Management System (IMS) covering all four standards. This would save them time and money when it came to both internal and external audits.  

Joint Managing Director of OSS, Barry Higgins, knew these standards would allow them to get on their desired frameworks, meeting public sector and corporate client requirements. By being on par with already certified companies, OSS could tender for the same jobs and expand the business offering. 

Barry explains that they were already complying with certain standards as the business required, so he was very familiar with compliance and governance. However, OSS now needed to be certified and verified by a third party.

“It used to be that complying with these certifications, i.e. self-certifying, was sufficient; whereas now we actually need to be externally certified. So, it was quite a change for us but something we knew we had to do.”

The company’s objectives in attaining certification in all four areas were:

  1. Being comparable to the competition in terms of work they could carry out.
  2. Being accepted onto certain frameworks so they could tender for work in the public sector.
  3. Meeting clients’ enhanced security requirements in terms of personal data and cyber security.  

OSS set themselves a target of 12 months to achieve those objectives. Obtaining 4 certifications in one year is a very tall order! To achieve this, the business created a new Compliance Officer role with a dedicated employee. Kirn Darroch was brought in to manage the standards implementation project and run their eventual ongoing compliance.

How Digital Octopii helped them achieve ISO and BS certification and create an integrated management system

When OSS initially began working towards ISO certification, they were trying to go it alone, without a consultant. They had made some progress over several months but eventually realised the extent and complexity of work required to implement four standards at the same time, within a year. Finding an expert to properly guide them to their end goals sooner and more efficiently made sense. 

They found Elisabeth Belisle, Digital Octopii’s Founder and ISO consultant, to be the perfect consultant to meet their objectives. OSS was introduced to Elisabeth after a close working partner, Ricoh, informed them of their work with Elisabeth and Digital Octopii that helped them achieve several standards.

After initiating work with Digital Octopii, both parties quickly set a working pattern of weekly calls with an intense workload in between. Together Kirn and Elisabeth worked through the requirements of the standards and the different controls to implement, and produced the documentation and evidence required to get ready for external audit by the official certification bodies: the British Assessment Bureau (for ISO 9001, 27001 and 22301) and LRQA (for BS 10008).

Coaching OSS on how to achieve certification

The early to mid-stages of certification were heavily dependent on Digital Octopii. Still, as the weeks went by, OSS, and Kirn in particular, felt more confident in their understanding and ability to modify and maintain the controls and requirements of the standards. Although they are not fully there yet and still have regular meetings with Digital Octopii, they’re in a much better position than before they started.

“[Elisabeth] would set me a task of a document to create or a process to put in place, something like that. And then on a weekly basis, we would review it. She would give me something else. And slowly but surely, that's how I gained the skills to be able to manage [all the standards through the integrated management system].”

After starting work with Digital Octopii, OSS obtained the first two certifications (ISO 9001 and ISO 27001) in two months; then came BS 10008 a month later, and they achieved ISO 22301 six months on. We helped them achieve all four ISO certificates in nine months.   

Understanding their business better through the process of certification

One of the most significant benefits for OSS is how it’s improved the running of the business. The process transformed aspects of the company, allowing OSS to improve its operations. They became better organised, more streamlined and more efficient. Creating an Integrated Management System enhanced their reporting and monitoring, which has proven vital to their business. 

“On a personal note, I was quite new to the business. By digging deeper into these processes, I then had to spend time with all the different managers, different departments, gathering information. I learned a lot. It also helped the business overall because we were then able to really drill into the processes, to see what the flaws were and how we had to tighten up. We learned about the business itself, about individuals, about competencies and how to measure [everything].”

“[The standards] helped us on reporting and monitoring and everything that goes with running the business, it genuinely, genuinely helped and it's made us want to carry it on because that was always my big fear of doing all this hard work – you get your initial certificate, but you have to keep it going like day on day, month on month, year on year but the benefits outweigh that.”

The result: certified in 9 months for ISO 27001, ISO 9001, ISO 22301 and BS 10008 with a functional integrated management system. 

ISOs create continuous pathways to improvement

In the end, OSS has been successfully certified for the standards it set out to achieve, well within the 12-month deadline it had set itself. They’re not yet completely independent and self-sufficient in maintaining their recertifications every three years, but they are very close to it. In the process, they learned a great deal about their business that they may not have otherwise and have greatly improved all their operations internally and externally.

Introducing a formal risk management system into the business has helped prevent problems and ensure their operations run smoothly.

“The standards definitely have helped, and the benefit is that it's making me a lot more comfortable that we're following everything to the letter and everyone's trained on what they need to do and why.”

“Because of the operational efficiency gains, there has been little impact on most people's workload, at most an hour or two per week. On top of that, because of the number of standards and size of our operations, the IMS requires the equivalent of a full-time person to cover the duties of Compliance Officer and Internal Auditor.”

No matter what phase your ISO project is in, we can support you.

As Associate Consultants of the British Standards Institute, we are recognised experts in this field. We will help you become compliant with one of the above standards; whether you want to obtain certification by BSI or another UKAS-accredited body – or whether you just want to improve your current practices. 
