Date: 2020-08-18

Hundreds of thousands of ISO certifications are in danger of lapsing because auditors haven’t been able to visit organizations’ premises during the pandemic, according to InfoSaaS.

The international standards at risk of suspension include ISO 27001, which covers rigorous best practices for information security management systems, as well as ISO 27017 and ISO 27018 (enhanced security control sets for cloud services), ISO 9001 (quality management) and ISO 45001 (health and safety risks).

Re-certification audits must be undertaken within six months of the anniversary of an ISO certificate being issued or else it should be suspended and a new assessment required, according to the UK Accreditation Service (UKAS).

However, auditors usually have to visit premises in person, especially if organizations are still using manual spreadsheet-based processes for compliance. InfoSaaS argued that this approach requires face-to-face explanation and cross-referencing.

As of 2018, around 1.3 million ISO certificates were granted to global organizations, including thousands in the UK.

If no special dispensation is granted due to COVID-19, these ISO-holders may find themselves forced to pay as much as three times their anticipated outlay this year on restoring certifications, as well as devoting extra time and resources to the project, InfoSaaS claimed. In the meantime, they would be forced to remove any ISO accreditation messaging from marketing materials.

Peter Rossi, co-founder of InfoSaaS, argued that around 2500 ISO certificates could be at risk of lapsing each month among its UK customers alone, and related to just three standards: ISO 9001, ISO 27001 and ISO 4500.

“The uncomfortable truth is that, under current circumstances, some organizations may decide not to be re-audited and simply to let their ISO certifications lapse,” he added.

“Any such de-prioritization may, in turn, lead to an unwanted decline in standards for the likes of information security, environmental management, health and safety and quality management. This is not a good outcome for anyone.”