ISO 55001 Doesn’t Guarantee Best Practices
Klaus M. Blache | July 1, 2021
Q: Why should ISO 55001 be used to improve asset management?
A: Asset management is about balancing opportunities, risks, challenges, and costs to enable value creation (defined by your company objectives/goals). This should be done with the entire life cycle of assets in mind.
A benefit of following the ISO 55000 series is that it represents a global consensus on how to implement asset management:
• ISO 55000 Asset Management—Overview, Principles, and Terminology
• ISO 55001 Asset Management—Management Systems—Requirements
• ISO 55002 Asset Management—Management Systems—Guidelines for the Application of ISO 55001.
The intent of ISO standards is to depict the best way to do something. They cover numerous areas including product quality, information security, environment, energy, occupational health and safety, and risk management.
ISO is an independent, non-governmental organization established in 1947. Headquartered in Geneva, Switzerland, it has a membership of 163 national standard organizations across the world. Hundreds of technical committees compile and distribute information to maintain international standards that are voluntary, based on consensus, market relevant, innovative, and targeted to solve global challenges.
Let’s put this in perspective for the United States since ISO certification is much more popular overseas.
According to a 2019 ISO survey (iso.org/the-iso-survey.html), which tallied data counting valid certificates issued by accredited certification bodies worldwide (more than a million ISO certificates representing the top 12 ISO management-system standards), the most popular certificates are ISO 9001 (quality management), ISO 14001 (environmental management), ISO 45001 (occupational health and safety), ISO/IEC 27001 (information security), and ISO 22000 (food safety). ISO 55000, published in 2014, didn’t make the list. On a global perspective, the U.S. is not a large user of ISO standards.
Looking at ISO 9001 (the most popular standard), the U.S. makes up slightly more than 2% of the total of this quality-management standard. I’m asked about ISO 550001 and if it’s worth the effort and expanse. My response is, “it depends.” You need to answer three questions:
• What do you want (specific goals) from your asset-management process?
• How well is your current asset-management process performing to attain those goals?
• How do/will your customers (buying your product or services) view your capability?
The ISO 55000 series of standards can help you frame/improve your process if you can implement a robust process with data integrity. It’s in the implementation, the people side of the equation, where most applications fall short. Implementation can only get you to “best practices” if you plan for and set up a best-practice process.
Some companies become ISO compliant and some achieve ISO certification. ISO compliance is when a company follows ISO standards but has not gone through verification for certification. This saves companies the time and money involved with certification audits.
Being ISO certified means that a third-party company has officially confirmed your practices adhere to ISO standards. It requires audits that verify processes, products, and services meet ISO specifications. Most certifications last three years. Then your facility needs to be re-audited.
One ISO standard receiving increased attention is ISO/IEC 27001: Information Technology—Security Techniques–Information Security Management Systems–Requirements (ISMS). Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it’s an international standard on how to manage information security.
The ISO/IEC 27001 certification, like other ISO-management-system certifications, usually consists of a three-stage external audit process:
• Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organization’s information security policy, Statement of Applicability (SoA), and Risk Treatment Plan (RTP). This stage serves to familiarize auditors with the organization and vice versa.
• Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO/IEC 27001. The auditors seek evidence to confirm that the management system has been properly designed and implemented and is in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Certification audits are usually conducted by ISO/IEC 27001 Lead Auditors. Passing this stage results in the ISMS being certified compliant with ISO/IEC 27001.
• Stage 3 is ongoing and involves follow-up reviews or audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic re-assessment audits to confirm that the ISMS continues to operate as specified and intended. These should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.
I’ve been involved in ISO audits and certifications in automotive facilities and our processes were already primarily in place to achieve best-practice results (people and processes). ISO certification was important because of international recognition to support sales. So, if trying to decide on ISO certification, go back to the three questions posed earlier in this article.
Do you need a better asset-management framework, greater customer confidence, or simply want to enhance one or both? Are you willing to spend the money on internal resources and audits to make it happen? If you expect a best-practice process out of this, you need to develop a best-practice process within ISO (people and process) to implement. Just doing ISO 55001 does not guarantee it. EP
Based in Knoxville, Dr. Klaus M. Blache is director of the Reliability & Maintainability Center at the Univ. of Tennessee, and a research professor in the College of Engineering. Contact him at firstname.lastname@example.org.