Certification Readiness Red Flags

Introduction

Imagine investing six months of budget and your team's effort into a compliance project, only to have an external auditor arrive and declare the management system non-compliant within the hour. It is not as far-fetched as it sounds. Recently we heard of a government agency that hired a consultancy on the promise of a guaranteed pass in under two weeks. What it received was a boilerplate manual full of search-and-replace errors, including references to a manufacturing plant instead of a service bureau, and not a single process had been implemented. The audit was a train wreck, and the agency's reputation suffered significantly.

This points to a real problem in the compliance industry. A growing set of standards, such as ISO 9001 and ISO/IEC 27001, is being imposed on organisations by customers and regulators who demand demonstrable governance. In response, a segment of the industry has grown up that emphasises low-cost output over value-added service, and the certificates it produces are so hollow that they are not worth the paper they are printed on.

Distinguishing genuine value from a mere paper exercise is critical for an organisation's compliance and strategy management. Authentic certifications are more than credentials that look good; they demonstrate sustainable, effective and reliable operational processes. This article aims to bring some clarity to the vendor selection process by focusing on the certification readiness issues that should prompt further questions, or even disengagement from the vendor.

Identifying Certification Readiness Risks

Over the last few years, the market for certification readiness services has expanded rapidly, driven by the growing number of government tenders that require certification to standards such as ISO/IEC 27001 (information security) and ISO 45001 (occupational health and safety).

While it is generally good that customers can choose from a wide range of options, the variability in quality is a substantial downside. Many providers, in both the para-statal and private sectors, promise results yet deliver very little. With so many players in the marketplace, it is difficult to find legitimate providers of quality services, let alone providers of genuine quality. Automatic compliance reporting? An ISO certification in a weekend? Advertising claims like these make it nearly impossible to tell real providers from frauds who mislead their customers.

A failed audit costs an organisation far more than the audit fee. There is the opportunity cost of being unable to bid on tenders, the damage to employee morale from a failed project, and the cost of building the system again after the audit, this time properly. The more you know about the industry, the better you can protect yourself from such costly mistakes.

What Real Certification Readiness Looks Like

To recognise the warning signs, you must first understand what actual certification readiness is. It is not just a matter of assembling a collection of documents. True readiness exists when an organisation has developed, documented and implemented a management system that meets the requirements of the relevant standard, such as ISO 9001 (Quality), among others. Note that ISO 31000 (Risk Management) is guidance rather than a requirements standard, so a management system can be aligned with it but is not certified against it.

In the industry, readiness is understood through the Plan-Do-Check-Act (PDCA) cycle: you plan the system, do (execute) the processes, check (audit) that they work, and act to remedy problems. An advisor or tool that prepares you should walk you through the entire cycle. If they deliver only the Plan part (the documents) and skip the Do and Check, you are not ready for certification. You are ready only to be audited and to fail.

A common myth is that the auditor will explain how to run your business. This is incorrect. The auditor's role is to verify that you have made the changes to your business processes necessary to comply with the standard, not to design those changes for you. This is the gap that most readiness frauds exploit.

Organisations that rely solely on template documentation, without customisation or staff training, face a 40% higher risk of major non-conformances during Stage 2 audits, the stage at which the auditor examines implementation and effectiveness rather than documentation alone. An auditor looks for evidence of practice, not just policy.

Industry Analysis on Compliance Trends

Ready for Certification? Avoid These Pitfalls

In both the corporate and government spaces, compliance is an emerging pressure. Resources are scarce, time is short, risk appetite is low, and predatory behaviour increases. The first point of conflict is between the consultant and the certifier. Some firms offer to build your system and then certify it themselves. This ignores the independence and impartiality requirements that accreditation bodies impose on certification bodies, yet many clients go for the convenience of the one-stop shop, only to discover that their certificate is ignored by major tenders and international clients.

Another significant issue is the Software Saviour complex. Organisations spend money on expensive GRC (Governance, Risk and Compliance) software and, instead of thinking, treat the software as the compliance. They spend months tuning it, only to find that their staff do not use it and that their operational reality does not match the software's digital workflows. The result is that the software becomes a dust collector rather than an efficiency tool.

Lastly, there is the Template Trap. Large agencies struggle with management systems that were clearly not written for them. They are stuck with bureaucratic procedures irrelevant to their size and risk profile, the result of a consultant cutting and pasting generic templates into their intranet. This leads to operational paralysis: staff ignore rules that make no sense, and a culture of non-compliance takes hold.

Certification Readiness Checklist

The pitfalls above are understandably overwhelming. The promise-and-due-diligence paradox, in which every vendor claims to be the best, fastest and cheapest, is maddening. The desire to comply is reasonable: the business needs to move, and no one wants compliance red tape to slow operations down.

However, the necessary mindset shift is recognising that cheap, fast and easy is risky and likely to deliver nothing of value. You want a partner, not a magician. The challenges of rigorously implementing an Information Security Management System (ISMS) for certification to ISO/IEC 27001, or a Privacy Information Management System (PIMS) for certification to ISO/IEC 27701, are real, and the complexity of these standards is precisely what protects their value.

The first step is learning to recognise deal-breaking characteristics during the sales pitch and proposal phases, so that you can filter out the highest-risk options before signing any agreement. It also helps you formulate the hard questions that expose the superficiality of a provider's offering.

Red Flags to Avoid in Certification Readiness

To protect your organisation, your roadmap for assessing potential readiness partners should include the following red flags, each paired with a benchmark of what good practice looks like.

Red Flag 1: The One Week Promise

If any provider promises full certification readiness for a complex standard such as ISO 45001 or ISO/IEC 27001 in a week, run. Implementing such standards requires a shift in organisational culture, training of staff, and a robust record-keeping system. One week is not nearly enough time to review the relevant documentation properly, let alone to implement any part of it. Good practice is a timeline measured in months, with milestones for implementation and an internal audit before the certification body is engaged.

Red Flag 2: We Do It All For You

No consultant can do it all. Leadership must show visible and sustained commitment, and staff must be familiar with the relevant policies. Any consultant who claims that you will not need to do anything is setting you up with a system that you will be unable to understand and, therefore, unable to sustain. Good practice is a consultant who guides and coaches while your own people own and operate the processes.

Red Flag 3: Conflict of Interest

Any business that both consults (helps fix issues) and certifies (audits those same issues) has a conflict of interest that breaches the impartiality requirements of international accreditation standards. A genuine readiness partner helps you prepare and then refers you to an independent, accredited Certification Body for the final review.

Red Flag 4: The One-size-fits-all Approach

A template can be a starting point, but dumping a template on you is not a solution. A provider that hands over a generic manual without probing deeply into your specific context, risks and scope is delivering a service that is destined to fail. Good practice is documentation built around your actual workflows, scoped to your size and risk profile.

Readiness Approaches Compared

Feature        | The Red Flag Approach                        | The Authentic Readiness Approach
Timeline       | Guaranteed in 5 days.                        | Typically 3-9 months, depending on complexity.
Workload       | "We handle 100% of the work."                | We guide, but your team must own the process.
Documentation  | Generic, pre-filled templates.               | Customised processes based on your workflows.
Outcome        | A certificate (often unaccredited).          | A functional system plus accredited certification.
Sustainability | System collapses after the consultant leaves. | System is embedded in daily operations.

The Importance of Independence in Assurance

At RACERT our operation rests on an unwavering belief in accredited integrity and rigorous assessment. As a Certification Body, we are on the audit side of the fence: we do not offer consultancy services, as that would compromise our independence. But we care a great deal about the success of the organisations we assess. When it is time for certification, our job is to ensure that your management system is assessed fairly, transparently and thoroughly. We prioritise evaluations that demonstrate consistent compliance and ethical practice. We recommend using the red flags above to choose a reputable external consultant or internal team to ready your system. Once you are confident in your preparedness, having resisted the quick and easy options, RACERT is ready to recognise your effort with a certification that is internationally defensible. We are your partner in demonstrating excellence, not merely in issuing certificates.
