The Allure of ISO Toolkits
ISO certification can be a truly daunting task especially if you’re only just learning about the world of ISOs. Whether you are doing ISO 9001 for Quality Management, ISO 27001 for Information Security, ISO 14001 for Environmental Management or any of the plethora of other standards; Many companies can lack the internal expertise to implement these standards effectively. Enter the ISO Toolkit! Yaayy woooo! Round of Applause if you please!
These ‘neatly’ packaged sets of templates claim to make your life easy, do the heavy lifting etc. Sounds like a no-brainer. Instead of spending money on consultants just pass this kit over to someone who’s got some spare time, maybe your Ops or Compliance manager (if you even have one) and then get them to fill in the blanks, name of the company here, responsible party there, jobs a good-un and these ready-made policies and procedures will guide you into the wonderful future of being certified. Right?
Nope.
Enter the Harsh reality: One size rarely fits all.
Toolkits simply don’t account for this level of flexibility so even your most basic implementation of any standard needs to be tailored in some degree to your business. This means you will end up having to sink a fair amount of time into reading and understanding the toolkit templates you’ve just bought and then you will still need to know what’s actually applicable to your business and what isn’t.
False Confidence
Toolkits can focus on pushing documentation and not on actual implementation or effective application of the standards. Businesses that end up using kits may come out the other end with a series of laborious documents that do tick all the ISO boxes but don’t actually do much to improve processes, security or quality within the company. Worse still, they may end up getting shoved in a folder somewhere and only have the dust blown off a couple weeks before the next scheduled surveillance visit.
This can create a hazardous illusion of compliance, a false confidence that could come crashing down when it comes to audit time. If an auditor decides to ask your employees how a process actually works and all they can do is point to a document they’ve likely barely read, then it could prove disastrous for your ongoing certification.
The Dark Abyss
We actually ended up having a customer come to us with a toolkit they’d bought from another company. They’d bought this ISO 27001 Toolkit, spent a substantial amount on it along with certification from a seller who turned out to be an unaccredited cert body (unaccredited bodies is a different conversation; and we’ll also ignore the clear conflict of interest from a cert body giving a customer a toolkit they themselves were then going to ‘assess’).
After the money changed hands, our customer had a monstrous toolkit dropped on them. It consisted of approx. 360 documents covering policies, procedures, work instructions and forms. This was a small family run business with 5 staff. The ‘ISMS manual’ that they were given didn’t actually contain any information, each section just referred to a policy document, that policy document then referred you to the procedural document, that then referred you to the work instruction document, and so on.
We eventually dubbed this the Dark Abyss of Toolkits. It was undoubtedly the worst kit I’d ever seen. The kicker though, our customer came to us because they didn’t have a clue how to fill out this toolkit or turn it into a manageable system; they’d initially contacted the sellers and asked for help. The toolkit sellers didn’t have anyone able to help their customer understand the documentation.
That certainly needs underlining and reiterating; the people selling the toolkit either wouldn’t or couldn’t help the buyers in understanding and filling it out.
When the dark abyss crossed my desk, I did my absolute best to help as much as possible. Obviously being a small family run business ourselves I also empathised with their plight.
We only charged a couple days for this job, when I quoted, I had no idea it was 360 documents.
I’d initially thought it would be a straight forward process, filling out the relevant sections for our customer. They stuck with this toolkit because they’d already invested and they had to submit the documentation back to this unaccredited body (our customer was locked into a 5-year contract with this purchase of a toolkit management system and certification).
In reality, I ended up spending 7-8 full days, deep-diving every document, pulling out what was useful and adding the information about my customer that the toolkit demanded. Whilst deep-diving I actually found the company name and Logo of a DIFFERENT toolkit seller buried a few pages in. The people who sold this toolkit to our customer actually also stole this toolkit from another company, tried to rebrand it and sold it without doing a detailed product review (maybe they should try and get some standards in place internally before trying to sell them?).
Final Musings and Takeaways
Do what you can in terms of checking out the people selling these toolkits, read reviews, checkout samples etc. The problem is that businesses often don’t realise they’ve bought a low-quality toolkit until it’s too late. Then you’re already invested in a sub-par system that can easily become a weight on the business, being overly bureaucratic and failing to help improve the business in any meaningful way. ISO certification isn’t just about paperwork; it’s about real operational improvements.
A well-implemented ISO system should in itself be efficient and built around the business in order to lead to better efficiency, improved risk management, and stronger customer trust.
So ultimately, ask yourselves; is a Toolkit really saving your time and money or is it likely to become just an expensive collection of documents taking up space on your hard-drive? The best path to ISO certification isn’t necessarily the easiest; it’s the one that actually helps you to improve your business.
If you’d like any help with your ISO management systems feel free to drop us a message!