qi-fokus-managementsysteme-vol-1 (German)

Machine Translated by Google
Incl. special section on ISO/IEC 27001 for information security

The use and effect of standardized management systems
A study as part of the QI-FoKuS initiative
Vol. 1
Authors
Mona Mirtsch, Dr. Claudia Koch, Dr. Gabriele Dudek (BAM)
Prof. Dr. Knut Blind (Technical University of Berlin)

Editor
Federal Institute for Materials Research and Testing (BAM)

Imprint
Federal Institute for Materials Research and Testing (BAM)
Unter den Eichen 87
12205 Berlin
+49 30 8104-0
qi-fokus@bam.de
www.qi-fokus.de
www.bam.de
ISBN: 978-3-9818564-3-9

Supported by
CONTENTS
QI-FoKuS ... 4
Summary and Key Findings ... 5
Introduction ... 7
Questionnaire and methodology ... 11
Use of management systems ... 14
Motives for using management systems ... 19
Effect of management systems ... 23
A comparison of certified and non-certified companies ... 27
Special part: ISO/IEC 27001 ... 28
The role of certification, accreditation and customer audits ... 33
Conclusion ... 37
Glossary ... 38
Abbreviations ... 39
Acknowledgements ... 39
Notes and References ... 40
Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE
QI-FOKUS

The national quality infrastructure

The national quality infrastructure (QI) as a system of regulatory frameworks, institutions, processes and instruments is used for quality assurance and thus ensures that safety, environmental, health and consumer protection policy goals are achieved. It uses various elements that take on different functions and are systematically intertwined.

Figure 1: The elements of a national quality infrastructure: accreditation; conformity assessment (certification, inspection, test, calibration); metrology; standardization; market surveillance; requirements for products, processes and services. Source: BAM / TU Berlin

Conformity assessments play a central role in this system. For the economy and consumers they are an important basis for trust and security. Tests, inspections and certifications can be used to confirm whether certain requirements for products, services, processes, systems or people are met and whether contractual agreements and legal or normative requirements for safety, health or environmental protection are complied with. Accreditation, as confirmation that a conformity assessment body has the competence to carry out certain conformity assessment tasks, is also an important pillar of QI.

Creating a database, recognizing trends

The development and economic importance of conformity assessments in Germany have not been researched to a large extent, not least due to insufficient empirical data. QI-FoKuS – Research for Conformity Assessment and Safety – strives to create a better data basis for research on the basis of a recurring survey of companies and conformity assessment bodies in Germany.

QI-FoKuS is intended to make the interaction of the elements of QI easier to understand. With QI-FoKuS it should succeed:
— to create a database for new scientific findings on influencing factors and effects in conformity assessment and accreditation
— to identify mechanisms of action
— to recognize at an early stage the changes that become necessary as a result of technical and economic developments
— to identify current trends in conformity assessment and accreditation and the resulting need for regulation
— to inform political decision-makers, business and the public professionally about conformity assessment and accreditation through data-based analysis

The findings derived from the results of the surveys can not only serve as decision-making aids for those involved in politics, but are also an important support for companies, conformity assessment bodies and the German Accreditation Body in order to better assess current and future challenges and to be able to react to them.

The QI-FoKuS project was launched in autumn 2019 by the Federal Institute for Materials Research and Testing (BAM) and the Technical University of Berlin (TU Berlin), Department of Innovation Economics under Prof. Dr. Knut Blind. The project is financed by BAM funds. QI-FoKuS is supported by the Federal Ministry for Economic Affairs and Energy (BMWi) and a network of QI institutions and industry associations.
The survey of companies in Germany on the use of standardized management systems is the first survey within the framework of QI-FoKuS. In addition to the motivation for applying various standards that set out requirements for management systems, and the effects of doing so, the survey addresses in particular certification against these standards and, linked to this, the role and function of accreditation – and thus various components of QI. One focus of this survey is on the ISO/IEC 27001 standard, which describes the requirements for information security management systems (ISMS). The dissemination of this standard is currently subject to a dynamic that is influenced by regulatory efforts with regard to information security. This justifies a special research interest.
SUMMARY AND KEY FINDINGS
The aim of the QI-FoKuS initiative is to create a
database for new scientific findings on influencing
factors and effects in conformity assessment and
accreditation. At the end of 2019, companies from
various sectors and sizes in Germany were asked
about the use of management systems and their
effects in a first online survey. This included widely
used, standardized management systems such as
ISO 9001 and ISO 14001, as well as systems that
had not been studied until now, such as ISO
50001 or ISO/IEC 27001. 180 questionnaires were
evaluated for the present study. The following key
findings can be derived from this:
1. ISO 9001 is the most widely used management system standard in the sample, followed by the ISO 14001 environmental management system, ISO 45001 occupational health and safety management systems (BS OHSAS 18001) and ISO 50001 energy management systems. Information security management systems according to ISO/IEC 27001 are not yet so widespread. All other management systems examined are used comparatively less.

2. The certification rates of the different management systems differ considerably: The quality management system according to ISO 9001 is not only the most widespread management system among those surveyed, the companies using it are also most frequently certified according to it (87%). In contrast, users of the management system for information security according to ISO/IEC 27001 are comparatively rarely certified (37%).

3. The simultaneous use of different management systems is widespread: over two thirds of the certified companies have more than one management system certification. On average, the certified companies surveyed hold 2.6 certificates, with clear differences between small and large companies. The survey also included management systems that companies have merely implemented without obtaining a certificate. If these are also taken into account, it can be seen that the companies have implemented significantly more – namely 3.3 – management systems at the same time on average. The scope of such joint use and integration of multiple management systems depends crucially on the characteristics of the respective company with regard to industry affiliation or size.

4. ISO 9001 mostly serves as a “basic standard”: The analysis of the management systems implemented in parallel in the respective companies shows that almost all users of environmental, energy and occupational safety management systems also have a certified quality management system according to ISO 9001. The least common use together with other standardized management systems is found for ISO/IEC 27001 for information security.

5. Various main motives for the use of management systems: While with ISO 9001 and ISO 14001 customer requirements as external factors significantly motivate the introduction, for occupational health and safety management systems according to ISO 45001/BS (British Standard) OHSAS 18001 and ISMS according to ISO/IEC 27001 increased legal certainty is the main motive. The certification of an energy management system according to ISO 50001 is particularly motivated by the prospect of associated tax breaks. For those surveyed, improvements in the sense of the respective management system or of corresponding internal company processes are not the main driver for the implementation of any of the management systems.

6. Non-certified users of management systems have other motives: In particular in the case of companies using ISO 9001, it is evident that those who do not have themselves certified are even more intrinsically motivated to use such a quality management system. For them, the corresponding demands from the customer are not the top priority, but the goal of internal improvements.

7. The management system standards fulfill their purpose: In the case of the management systems according to ISO 9001, ISO 45001 (BS OHSAS 18001) and ISO/IEC 27001, the main effect among those surveyed is seen in improvements in terms of the purpose of the respective standard, i.e. quality, occupational health and safety, and information security. Energy and cost savings are cited as a key benefit in establishing ISO 50001 energy management systems. The main effect of the environmental management system according to ISO 14001 is raising employee awareness of environmental issues.

8. Overall satisfaction with the management systems varies: The perception of whether certification against the respective management system standards is a good investment in terms of costs and benefits varies significantly. The companies surveyed that were certified according to ISO 9001, regardless of their size or industry, are significantly more satisfied overall than the users of the ISO 14001 environmental management system in particular. The overall positive assessment of the management systems is also supported by the tendentially more positive assessments of the realized effects compared to the original expectations when introducing a management system.

9. Competence and its proof are the main criteria when choosing the certification body: The study results clearly confirm the great importance of accreditation, which is the most important criterion for the selection of the certification body for those surveyed. In addition, 99% state that at least one of their certificates has been issued by an accredited body. The great importance of professional competence when choosing the certifier is also reflected in the fact that professional dissatisfaction is given as the main reason for changing the certification body.

10. Every second respondent knows the trade-facilitating international recognition agreements for accreditation: If known, great importance is also attached to them.

11. Customer audits have a high relevance in practice: Every second company surveyed states that they are also audited by customers, especially with regard to their quality management system, but also in terms of environmental management and occupational health and safety. However, according to respondents, these audits cannot replace certifications. Overall, customer audits are perceived as stricter than audits as part of the certification process.

12. The study provides first cross-industry insights into the use of ISO/IEC 27001 for information security:
— Among the management system standards in this study, ISO/IEC 27001 has one of the lowest certification rates: only every third company that uses it is certified. The analysis of the main drivers for the introduction of the standard accordingly shows predominantly intrinsic motives. Internal effects, i.e. within the company, especially with regard to prevention and security, are also dominant – regardless of specific company characteristics such as industry or size.
— At the moment, the standard still lacks broader awareness (29% of non-applying companies do not know it). Among those familiar with ISO/IEC 27001, only one in five companies plans to implement it in the future. The low spread is mainly due to a lack of external pressure (legislators or customers). Concrete hurdles for the introduction in one's own company are in particular the associated effort and a lack of expertise, also in view of the complexity of the content of the standard. To support further dissemination of the information security management system, a number of measures are considered useful, e.g. guides for action for small and medium-sized enterprises (SMEs) or training and financial support. Especially companies certified according to ISO/IEC 27001 also consider a requirement of proof on the part of customers or the legislator as promoting dissemination.
INTRODUCTION
Normed and standardized (hereinafter referred to as standardized) management systems are a global success: millions of companies around the world work according to international standards in a wide variety of management areas. This does not only concern the well-known standards for quality and environmental management, ISO 9001 and ISO 14001; the spread of other management systems for special areas such as energy or information security management is gradually increasing.

The general economic and social importance of norms and standards is scientifically proven. They not only enable economic benefits for companies, but also contribute overall to advantages for consumers, environmental protection and occupational safety, minimize risks and thus improve overall economic welfare.1 There are a large number of studies that have examined and documented the effects of management system standards worldwide, ISO 9001 and ISO 14001 in particular.2 However, other management system standards have so far remained largely unnoticed, e.g. the standards ISO/IEC 27001 for ISMS and ISO 50001 for energy management systems, which were only introduced in 2005 and 2011. In addition, only a few studies cover several management systems together; most are devoted to just one norm. However, this fails to recognize that the management systems are compatible with each other and that in practice management systems are often used in different areas at the same time. Another aspect is the often very limited view of existing studies on exclusively certified companies, while in practice management systems are often implemented without a certificate being granted or sought.

Management systems and management system standards

A management system includes activities by which an organization identifies its goals and determines the processes and resources required to achieve the desired outcomes.3 These goals can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, occupational health and safety, and many more.

Standards, e.g. from international standardization organizations such as ISO, define requirements to support organizations in designing and implementing their specifications and processes to achieve the respective goals. At ISO alone, there are now more than 80 management system standards in a wide variety of areas.4 These standards are designed to be applicable in different organizations, regardless of industry, size, type, organizational form, or geographic, cultural and social conditions.
In addition, the certification itself often goes unnoticed
in most surveys. This affects both the role of the
certification bodies and their competence, proven
in the form of accreditation.
This report presents the results of a cross-industry
online survey of companies in Germany on
the use of various standardized management systems.
The study not only offers insights into the motives
for implementation and the assessment of the effects;
rather, it also focuses on conformity assessment as
a central element of quality infrastructure (QI). For
this purpose, management system standards
usually prescribe so-called internal audits, which are
carried out by the companies themselves.
Certification by an independent third party is
also widespread. The present study therefore
makes an explicit distinction between companies
that have themselves certified against the implemented
standard and those that apply the standard without
certification.
Reasons for certification are also highlighted, such as the criteria for choosing a certification body or changing it. Since there has so far been little empirical data on the awareness, benefits and effects of accreditation, this study is also dedicated to this instrument in particular.
Furthermore, audits can also be carried out by business partners, for example by buyers along the supply chain (so-called customer or supplier audits). The present study also confirms the importance of this form of conformity assessment, which is widespread in practice, and draws comparisons with certification.
A special part of the study deals with the
management system standard ISO/IEC 27001 for
information security in detail. There has not yet
been any cross-industry study for Germany on
this standard. Standards in the field of information
security, such as ISO/IEC 27001, and proof of
effective application through certification are
becoming increasingly important, particularly against
the background of advancing digitization and
regulatory initiatives such as the IT Security Act and
the European Cybersecurity Act.
The study contributes to a comprehensive picture of the use of management systems in Germany and helps in particular to understand the various facets of conformity assessments. It enables companies that have so far dealt little or not at all with standardized management systems to gain an insight into the motives and mode of action of other companies. Certification bodies can use the results to gain insight into the selection criteria for a certification body and the reasons for changing a certifier. The results of the survey also offer the possibility of deriving active strategies for increasing the spread of this standard in the area of information security.

Overall, QI-FoKuS is intended to contribute to a better understanding of the economic and social value and benefits as well as the modes of action of conformity assessments and accreditation as important elements of QI, and to sensitize relevant stakeholders to this.

Growing popularity of normed and standardized management systems

Management systems based on ISO and other standards are enjoying growing popularity both internationally and in Germany. Introduced in 1986, over a million companies are now certified according to the ISO 9001 quality management system standard. In the course of this success, standards were gradually established for other areas of management as well, for example for the environment, occupational safety, information security and energy.

Surveys of the International Organization for Standardization (ISO) show that Germany is far ahead internationally in terms of the absolute number of certificates5 issued: only China has more ISO 9001 certificates; for ISO 50001 certificates Germany even ranks first, for ISO/IEC 27001 fifth and for ISO 14001 sixth.6

Even if these figures only contain reported certificates from accredited certification bodies, they still clearly show the widespread use of standardized management systems. The actual application is likely to be much higher, considering the limitations of the ISO survey7 and the fact that many companies have implemented management systems without being certified.

Table 1: Standardized management systems considered in the study and the number of certificates issued in Germany in 2018 according to the ISO survey.
Norm/Standard | Title | Number of certificates in Germany (locations)8
ISO 9001 | Quality management systems – Requirements | 47,482 (73,559)
ISO 14001 | Environmental management systems – Requirements with guidance for use | 8,028 (14,525)
ISO 50001 | Energy management systems – Requirements with guidance for use | 6,243 (14,736)
ISO 13485 | Medical devices – Quality management systems – Requirements for regulatory purposes | 2,662 (3,249)
ISO/IEC 27001 | Information technology – Security techniques – Information security management systems – Requirements | 1,057 (2,003)
ISO 22000 | Food safety management systems – Requirements for any organization in the food chain | 257 (479)
ISO 45001 (previously BS OHSAS 18001) | Occupational health and safety management systems – Requirements with guidance for use | 147 (483)
ISO 20000-1 | IT service management – Part 1: Specification for service management | 48 (148)
IATF 16949 (before ISO/TS 16949) | Quality management systems – Particular requirements for the application of ISO 9001 for series and spare parts production in the automotive industry | Not available in the current ISO survey
Figure 2: Number of certificates issued for selected management system standards in Germany, 1993–2017 (ISO 9001, ISO 14001, ISO/IEC 27001, ISO 50001, ISO 22000, ISO 13485, ISO/IEC 20000; ISO 9001 is plotted on its own axis up to 70,000 certificates, the other standards on an axis up to 14,000). Source: ISO Survey (2018).
QUESTIONNAIRE AND METHODOLOGY

The questionnaire

The survey focused on the use and effect of internationally standardized management systems. The questionnaire was developed based on interviews with industry representatives and certification bodies as well as extensive literature research on previous studies on management systems, and was tested in advance with regard to the comprehensibility of the questions and the duration of the survey. While many studies only record certified companies, a special feature of this survey is that it also includes those companies that have implemented standardized management systems without being certified for them. The questionnaire recorded and differentiated between the two options accordingly. A particular focus of the survey was on the criteria for selecting the certification body and any reasons for a change.

Furthermore, the importance of accreditation as an important pillar of QI and of international accreditation agreements was recorded. Finally, a form of conformity assessment that is widespread in practice but often neglected scientifically and empirically, auditing by business partners, was also addressed in the survey.

According to the topics mentioned, the questionnaire with a total of 137 questions is divided into the following sub-areas:
— Details of the participating company
— Use and importance of management systems
— Motives and effects of management systems
— Special section on information security management according to ISO/IEC 27001
— Selection criteria of certification bodies
— Accreditation and importance of international recognition agreements
— Dissemination and importance of supplier and customer audits

The questionnaire contained mostly closed and some open-ended questions. In the former, the respondents were given a selection of possible answers, with scale questions using a five-point rating scale for the assessments. Most of the questions, apart from those on the number of employees and industry, are not mandatory.

The survey was distributed as an online questionnaire as part of the newly created QI-FoKuS initiative with the help of multipliers. The German Society for Quality (DGQ), the Federation of German Industries (BDI), industry associations (e.g. the Association of the Chemical Industry (VCI) and the Association of the Automotive Industry (VDA)) as well as certification bodies, chambers of industry and commerce and other interest groups drew the attention of their members to the survey in newsletters and on their websites. Participation in the survey was possible from the end of September to the end of December 2019.

A total of 248 questionnaires were filled out, 134 of them completely. This publication includes the evaluation of the answers of all 180 participants who filled out the entire main part of the questionnaire (on the use of management systems). The statistical evaluation was carried out by the Federal Institute for Materials Research and Testing together with the Technical University of Berlin.

Participants and sample

In most cases (n=99), the questionnaire was filled out by the responsible quality managers, followed by the management group (n=30) and the administration (n=26). Furthermore, many of those questioned indicated that they work in the field of standardization or in education and training. Employees from the areas of design, production and manufacturing, as well as from the export business and marketing, are not well represented.

Figure 3: Industry affiliation of the participating companies (N=180). Chemical, pharmaceutical, rubber, plastic 21%; other services 9%; certification, inspection and testing 7%; mechanical engineering 7%; electrical engineering 7%; metal industry 6%; miscellaneous 6%; information and communication 4%; health and social care 4%; vehicle construction (incl. aerospace, ship and boat construction) 4%; medical technology 3%; professional and academic services 3%; research institutes 3%; transport and storage 3%; public administration, defence, social security 3%; agriculture 2%; plant construction 2%; universities, clubs, associations 1%; manufacture of glass, glassware, ceramics, earth and stone processing 1%; energy and water supply, oil 1%; optics 1%; trading, maintenance and repair of motor vehicles 1%; mining 1%; construction industry 1%.

93% of the participating companies have their headquarters in Germany, with one third belonging to an international and one fifth to a national group of companies. 44% are independent companies.

The assignment of the industry affiliation was carried out according to the statistical classification of economic activities in the European Community (NACE). Various sectors were grouped together to show differences, specifically manufacturing and “all others”. More than half of the participants in the survey come from the manufacturing sector. The chemical and pharmaceutical industry in particular is overrepresented (20.6%). This is due to the very successful support provided by a relevant industry association. But German mechanical engineering and electrical engineering (7.2% each) and the metal industry (6.1%) are also strongly represented. The second strongest industry group are other service providers (8.9%). Companies in the ICT sector make up 4.4% of the sample. There were only a few participants from the construction industry and trade (only 0.6% each).

The classification of companies by size follows the definition of the European Commission (2003/361/EC) for SMEs, which distinguishes between
— small companies with up to 50 employees or a maximum turnover of 10 million euros,
— medium-sized companies with 50 to 250 employees and 10 to 50 million euros turnover, and
— large companies with more than 250 employees and over 50 million euros turnover.
Since very large companies also took part in the survey, very large companies with 500-999 or more than 1000 employees are also referred to as a separate group in the results.

45% of the participating companies employ up to 250 employees and thus belong to the classic medium-sized companies; 12% have between 250 and 500 employees. 38% of those surveyed are companies with more than 1000 employees. Just over half of the companies (53%) generated sales of at least EUR 50 million in 2018, 14% a maximum of EUR 2 million.

Figure 4: Company size by number of employees (N=180; categories 1-9, 10-49, 50-249, 250-499, 500-999, 1000 and more employees).
Figure 5: Company size by turnover in million euros (N=160; categories up to 2, 2 to 10, 10 to 50, over 50).

The average export share for small companies with up to 50 employees is below 10%; in larger companies it is at least 29% on average (companies with 500-999 employees are leading with an average of 36%). While a third of the companies sell their products and services exclusively domestically, another third of the participants state that they generate at least half of their sales from exports. This applies above all to companies from the manufacturing sector (every second company (56%)).

Figure 6: Average export shares by company size (measured by the number of employees, N=137): 1-9 employees 2%; 10-49 employees 9%; 50-249 employees 29%; 250-499 employees 33%; 500-999 employees 36%; 1000 and more employees 34%.

The innovative activity of the participating companies was also recorded in the questionnaire: It was ascertained whether the respective company brought innovations in relation to products or services onto the market in 2018 or introduced noticeably improved processes. If this is the case, the company is described as innovative in the following. Of the 180 companies in the sample, 130 are innovative in at least one area (product, process, service). Specifically, 46% state that they introduced product innovations in the previous year (especially large companies with more than 1000 employees and over 50 million euros in sales are relatively more active here than small companies with up to 49 employees, of which only 28% state that they have brought product innovations to the market). 45% and 42% of those surveyed also state that they have introduced process or service innovations, respectively. The groups of export-intensive companies with export quotas between 10% and 50%, and higher than 50%, are relatively frequently involved in product innovations. In these two groups, 65% and 62% of respondents say they have introduced process innovations, compared to just 25% of non-export companies. 82% of companies carry out research and innovation activities internally, and 67% state that they also cooperate with external research institutions.

Figures 7 and 8: Innovation activities (N=134-137; product, process and service innovation, yes/no) and research activities (N=86; internal research and external cooperation, yes/no).

In the present report, the industry affiliation, company size, export activity and research and innovation activities are used as distinguishing criteria in order to structure the results and to work out individual special features.
USE OF MANAGEMENT SYSTEMS

Companies can implement management systems and also have themselves certified with regard to the requirements of the relevant standard. Certification is confirmation from a third party (i.e. an independent party) that the requirements defined in the applicable standard are met. Certificates are therefore an important piece of evidence that creates transparency for customers or other interested parties and can contribute to a uniform level of quality and security.10

Certification rate fluctuates significantly: users of ISO 9001 are most frequently certified, users of ISO/IEC 27001 rarely

According to the ISO survey, ISO 9001 for quality management is the most widespread management system standard worldwide and in Germany. This is also reflected in the results of this survey: 83% of the 180 participants state that they apply this standard. 130 participants are ISO 9001 certified, 20 others apply the standard without certification. Also widespread in our sample are the environmental management system standard ISO 14001 (total 51%), ISO 45001 (BS OHSAS 18001) for management systems in the areas of occupational health and safety (41%) and the energy management system standard ISO 50001 (37%).

Significant differences in the certification rate are noticeable: The survey results for ISO 9001 not only show a generally wide spread, but also that its users are certified more often than users of other management systems. Manufacturing companies in particular are comparatively often certified. Only one interviewed company using ISO 9001 in this branch is not certified. The size of the company also plays a role: the group of small companies (up to 49 employees) has significantly lower certification rates than the companies in all comparison groups (63% vs. 90%).

Other standards are often implemented without obtaining a certificate. While environmental management systems according to ISO 14001 also have a high certification rate (81% of users have a certificate), only about every third user of a management system according to ISO/IEC 27001 for information security is certified (37%). And even with management systems for occupational health and safety according to ISO 45001 (BS OHSAS 18001), more than every second user does without certification; 5% even indicate here that they have relinquished a previous certification. While general quality management systems according to ISO 9001 have a certification rate of 87%, only two thirds of the companies that implement industry-specific quality management system standards (ISO 13485 for medical devices and IATF 16949 for the automotive industry) are also certified for them. The next chapter examines the respective motives in more detail.

Figure 9: Use of selected management systems and proportion of companies that have certification (certification rate). Number of companies per standard:

Standard (n)                            Certified   Implemented without certification   Implemented but relinquished certification   Certification rate
ISO 9001 (n = 150)                      130         20                                  0                                            87%
ISO 14001 (n = 93)                      75          17                                  1                                            81%
ISO 45001 or BS OHSAS 18001 (n = 73)    35          34                                  4                                            48%
ISO 50001 (n = 67)                      48          16                                  3                                            72%
ISO/IEC 27001 (n = 54)                  20          33                                  1                                            37%
IATF 16949 or ISO/TS 16949 (n = 31)     21          10                                  0                                            68%
ISO 13485 (n = 21)                      14          7                                   0                                            67%
ISO 22000 (n = 10)                      4           5                                   1                                            40%
ISO/IEC 20000 (n = 9)                   3           5                                   1                                            33%
Other (n = 47)                          36          11 (without certification or relinquished, combined)                             77%

Simultaneous use of different management systems widespread: 70% of certified companies have more than one management system certification

Of the 180 participants in the survey, 169 use at least one standardized management system. Of these, 151 have at least one corresponding certificate. Companies that implement and certify not just one, but several different management systems (either simultaneously or successively) can generally benefit from various advantages of combined use or integration. Possible synergies result, for example, from the similar documentation requirements or standard structures and processes (e.g. the Plan-Do-Check-Act cycle, which many of the standards considered have in common). Through familiarity with the requirements, working principles, necessary resources and actions involved in implementing management systems, companies can facilitate the implementation of another standardized management system.

The study can provide a rare detailed empirical insight into this integrated certification. Even if the degree of integration in the individual companies cannot be derived from the present survey, the survey results nevertheless show that the simultaneous use of several management systems is widespread. 70% of the certified companies have been successfully certified against more than one management system standard. If you also look at the implementations without a certificate, then 80% use more than one standardized management system. The average of all certified participants is 2.6 certificates per company. There are sometimes significant differences: The number of certificates per company increases with the number of employees and turnover: small companies with up to a maximum of 50 employees or up to a maximum of 2 million euros in sales have an average of 1.5 certificates, while those with more than 1,000 employees have 3.4. There are also differences between the different types of company: As expected, individual companies have the fewest certificates, while national and international groups of companies have significantly more certifications. On average, exporting companies hold more certificates than non-exporting companies. This is especially true for companies with main export markets in Asia, followed by the USA. If you also take into account all implementations without a certificate, it shows that each participating company uses an average of 3.3 standardized management systems (certified and/or only implemented).

Table 2: Average number of certificates per company, divided according to the number of employees in the company, turnover (in million euros), type of company and export orientation (with the respective main export market). The basis is formed by companies that hold at least one certificate (N=151).

Number of employees      Certificates per company   n
1000 and more            3.4                        59
500 - 999                2.6                        9
250 - 499                2.4                        17
50 - 249                 2.1                        38
10 - 49                  1.5                        17
1 - 9                    1.5                        11
Total                                               151

Sales volume (million euros)   Certificates per company   n
over 50                        3.1                        76
10 to 50                       2.2                        31
2 to 10                        1.7                        18
up to 2                        1.5                        13
not specified                  1.5                        2
I do not know                  2.4                        11
Total                                                     151

Company form                        Certificates per company   n
international group of companies    3.3                        55
national group of companies         2.7                        32
individual company                  1.8                        59
Miscellaneous                       1.8                        4
not specified                       1.0                        1
Total                                                          151

Export orientation (main export market)   Certificates per company   n
no export                                 2.1                        31
EU (outside Germany)                      2.6                        64
USA                                       2.8                        8
America (excl. USA)                       2.5                        2
Asia                                      3.0                        9
Africa                                    1.0                        1
not specified                             2.9                        36
Total                                                                151
Figure 10: Number of certifications and implementations of management systems per company (0 to max. 10 simultaneously). Basis: Certified companies (N=151), Certified and/or implementing companies (N=169). Bar chart of the number of companies (0 to 50) by number of certifications and by number of implementations (0 to 10).
Every fourth certified participating company has exactly two certified management systems, 17% have three, 14% four. Every eighth certified company in our sample is even certified against at least five different management systems. Only companies in the manufacturing sector and in the transport and warehousing sectors are affected. In addition, this is primarily the case with very large companies: All of the companies certified at least five times have a turnover of more than 10 million euros (84% even more than 50 million euros), and with just one exception they all belong to national or international groups of companies. Conversely, it is predominantly (59%) individual companies with mostly fewer than 250 employees that are only certified against a single management system. The distribution of sectors is also much more mixed here: two-thirds do not belong to the manufacturing industry.

The survey also provides insight into which management systems are used jointly. This shows that ISO 9001 serves as the "basic standard" for the quality management system. Almost all users of environmental, energy and occupational safety management systems are also certified against this ISO standard. The environmental and energy management systems are also very often used jointly. This is consistent with previous studies showing that ISO 50001 is very rarely implemented and certified when no other management system is already in place, particularly ISO 14001 and ISO 9001.11 The lowest level of commonality with other standardized management systems is found with ISO/IEC 27001 for information security, which had already shown a low certification rate among its users. In contrast, occupational health and safety management systems according to ISO 45001 (BS OHSAS 18001) are frequently used jointly with other certified management systems (co-occurrence).

The scope of such joint use and integration of multiple systems depends crucially on the characteristics of the respective company, e.g. with regard to industry affiliation or company size. This is consistent with previous studies in other countries where similar trends were found. Overall, this development is also supported by the fact that the ISO management system standards are compatible due to the common high-level structure introduced in 2012 (uniform basic structure, requirements and terms).
Table 3: Integration of various management system standards: Percentage of companies certified according to two management system standards. The basis is formed by companies that are certified against the respective standard(s). A total of 151 companies have at least one certificate (N=151).

Of those certified according to (rows), x% are also certified according to (columns):

                        ISO 9001   ISO 14001   ISO 50001   ISO/IEC 27001   ISO 45001   IATF 16949
ISO 9001 (n=130)        100.0%     56.9%       34.6%       9.2%            26.2%       15.4%
ISO 14001 (n=75)        98.7%      100.0%      53.3%       13.3%           44.0%       22.7%
ISO 50001 (n=48)        93.8%      83.3%       100.0%      14.6%           43.8%       29.2%
ISO/IEC 27001 (n=20)    60.0%      50.0%       35.0%       100.0%          20.0%       20.0%
ISO 45001 (n=35)        97.1%      94.3%       60.0%       11.4%           100.0%      25.7%
IATF 16949 (n=21)       95.2%      81.0%       66.7%       19.0%           42.9%       100.0%
Big differences in timing of initial certification

Big differences between the various management systems arose at the time of initial certification. Over 80% of the companies certified according to ISO 9001 have had their certification for at least 10 years. Only every eighth company in our sample has been certified for the first time in the last 3 years. Many participating companies have also had quality management specifically for the automotive industry according to IATF 16949 (ISO/TS 16949) and environmental management according to ISO 14001 for more than 10 years (68% and 60% respectively). This tends to show that precisely those standards that have been available for some time show relatively more certifications. More recent standards – for which certification has only been possible for a few years – have a lower certification rate. For the standards that were only published after the turn of the millennium (ISO/IEC 20000, ISO 22000, ISO/IEC 27001), less than half of the companies using them are certified.

On average, these certifications are also younger: 47% of those certified for their ISMS according to ISO/IEC 27001, published in 2005, have been certified for a maximum of 3 years (after initial certification), 43% state that they have been certified for between 4 and 9 years. It remains to be seen whether there will be a similar development in the coming years as with the longer established standards. An exception among the more recent standards is ISO 50001 for energy management systems, which was only introduced in 2011, but achieved a comparatively high certification rate early on (72% of the interviewed applying companies are certified): every fifth certified company received its first certificate in the past 3 years, 75% said they were first certified 4-9 years ago. The following chapter on the motives for certification shows a clear reason for this trend.
Figure 11: Years since initial certification for various management system standards. Stacked bar chart of the share of certified companies (0% to 100%) with 1 - 3 years, 4 - 9 years and over 10 years since initial certification, together with the year of first publication of the international standard: ISO 9001 (n=127): 1987; ISO 14001 (n=72): 1996; ISO 45001 or OHSAS 18001 (n=31): 1999 (2018); ISO/IEC 27001 (n=19): 2005; ISO 13485 (n=14): 1996; ISO/TS 16949 (IATF 16949) (n=19): 1999 (2017); ISO 50001 (n=44): 2011.
MOTIVES FOR USING MANAGEMENT SYSTEMS

In addition to the primary goal of the respective standardized management system (e.g. increasing the quality of products and services or increasing occupational safety), companies use the management systems for various internal and external reasons. The importance of the motives differs depending on the management system. The participants were asked to rate the relevance of given motives on a scale from "does not apply at all" (1) to "fully applies" (5).

Different main motives for the implementation and certification of management systems

While customer requirements are the main driver for the introduction and certification of ISO 9001 and ISO 14001, with ISO 45001/BS OHSAS 18001 (health and safety) and ISO/IEC 27001 (information security) it is the increase in legal certainty. In the case of the quality management system ISO 13485 for the field of medical devices, the standard is seen as a door opener for market access, especially abroad. The most important driving force for certification according to ISO 50001 (energy management) is the goal of realizing the associated tax breaks. The desire for internal improvements through a standardized management system is comparatively greatest with ISO 9001 and ISO 45001 (BS OHSAS 18001).

Quality management: driven by customer demands and internal improvement

Customer requirements are the most important reason for the participants in the survey to implement ISO 9001 or to be certified against it. This is particularly true for companies with more than 1000 employees (mean value: 4.5). For small companies with up to 49 employees this is comparatively less important (mean: 3.3). For them, internal company improvements come first (AV: 3.8), which are the second most important motivation for the entire sample. The export orientation also plays a role: While customer requirements are a decisive motivator for companies that have an export share of more than 50% (AV: 4.6), their importance decreases for companies that are only active domestically (AV: 3.6). The very export-oriented companies also cite market access abroad and the fact that competitors are also certified as other important reasons (AV: 4.1 and 3.9). Overall, market access abroad is one of the main reasons for certification according to ISO 9001 and is therefore rated higher than domestic market access. However, this is also related to the overall high export orientation of the participants surveyed.

Significant differences in the motives for introducing ISO 9001 can be seen overall between the various sectors: While manufacturing and trade are motivated mainly by customer demands (AV: 4.5), domestic market access (AV: 4.1) and only then by internal improvements (AV: 3.9), the latter is by far the most important reason for service providers (AV: 4.2). With the implementation of ISO 9001, they also aim in particular to increase employee awareness of quality and to create legal certainty (AV: 3.6 each). Group requirements and the fulfillment of corporate management goals also play a further important role for service providers (AV: 3.5).

Since the survey not only covered companies that are certified according to ISO 9001, but also those that use the standard without certification, differences in motivation can also be seen here: While certified companies cite external customer requirements as the main motive (AV: 4.3), companies that do not seek certification primarily aim to implement ISO 9001 for internal improvements (AV: 4.0) and to increase employee awareness of quality (AV: 3.7). The data also show that a quality management system is not implemented as a reaction to specific incidents, but rather is a strategic decision based on the above motives.

Figure 12: Average assessment of the motives for implementing the ISO 9001 standard. The basis is formed by responding companies that implement this standard with (N=92-103) or without certification (N=14-16), total (N=106-119). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Average values (overall):
Demand from the customer: 4.1
Improvement of internal company processes: 4.0
Promotion of domestic market access: 3.7
Increase employee awareness: 3.5
Competitors are certified: 3.4
Increased legal certainty: 3.4
Fulfillment of corporate management goals: 3.3
Promotion of market access abroad: 3.3
Marketing and image purposes: 3.3
To be the first in the industry to be certified: 1.9
Response to a specific incident: 1.3
The figure also shows the values for certified and non-certified companies separately.
Figure 13: Average assessment of the motives for implementing the ISO 14001 and ISO 50001 standards. The basis is formed by responding companies that implement those standards with or without certification (N=10 for ISO 14001 or N=22-26 for ISO 50001). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Motives shown: tax relief (ISO 50001 only: 4.2), demand from the customer, increase employee awareness, competitors are certified, improvement of internal company processes, increase in legal certainty, marketing and image purposes, promotion of domestic market access, fulfillment of corporate management goals, promotion of market access abroad, response to a specific incident, to be the first in the industry to be certified.
In the special case of the quality management system for the medical device industry according to ISO 13485, it is shown that market access both at home and abroad is the decisive criterion for the introduction and certification (AV: 4.9 and 4.8). However, the small sample size of only nine companies limits the meaningfulness here.

Environmental and energy management: mixed motives

Customer requirements are not only the main motivator for implementation and certification in quality management systems. The introduction of an environmental management system in accordance with ISO 14001 is also driven by customer requirements, albeit at a comparatively low level overall. The fact that competitors are certified also plays an important role here. However, the second main motive is intrinsic: companies want their employees to be more aware of environmental issues and to improve internal company processes overall with the help of the management system.

When implementing an energy management system according to ISO 50001, however, customer requirements play a subordinate role. Rather, the main drivers are the fulfillment of legal requirements and the increase in legal certainty, as well as the incentive to save taxes in particular. Certified companies in Germany can benefit from tax breaks, and some companies are even legally obliged to provide evidence of the use of an energy management system. This explains the great importance attached to these motives by the respondents. Only then do intrinsic motives follow, such as increasing employee awareness or improving internal processes. However, the latter is more important for companies that only implement the standard and do not have themselves certified (AV: 3.8). Customer requirements or market access do not play a significant role for any of the respondents. Although the standard is mainly implemented by large companies, primarily from the manufacturing sector, the motives are nevertheless similar across the entire sample.

Information security according to ISO/IEC 27001: prevention the most important motive

With the implementation of ISO/IEC 27001, the companies surveyed – regardless of industry or size – primarily want to increase legal certainty or meet legal requirements. There are no significant differences between companies that only apply the standard and those that are additionally certified against it. In line with the purpose of the standard, its introduction is intended to prevent information security incidents (e.g. hacker attacks), in particular in a preventive sense, to raise employee awareness of information security and to improve internal company processes. External demands from customers have different levels of importance depending on the size of the company. While in smaller companies (fewer than 50 employees) demands from customers do not play a major role (AV: 1.7), this is the most important motive in companies with 250 to 1000 employees (AV: 4.0). As expected, the importance of market access abroad increases with size and export orientation. In smaller companies, on the other hand, raising employee awareness of information security is in the foreground. It is striking that the less innovative companies are more motivated than innovative companies with regard to possible internal improvements (AV: 4.3 vs. 3.4).

Differentiation from competitors generally plays a subordinate role. When comparing the motives between certified and non-certified companies applying this standard, however, it becomes apparent that the former take competition into consideration in their decision: certified companies rate higher, on the one hand, the motive of being the first (or one of the first) in the industry to use this management system and, on the other hand, the fact that competitors are already using this standard.

A specific information security incident is not a decisive motivator for the participating companies for the introduction of a management system according to ISO/IEC 27001, which again points to an intrinsically motivated, preventive drive. The special part of this survey also sheds light on difficulties in introducing ISO/IEC 27001 as well as reasons for not using this management system and possible measures to increase its spread.

Figure 14: Average assessment of the motives for implementing the ISO/IEC 27001 standard. The basis is formed by responding companies that implement this standard with (N=22-25) or without certification (N=12-15), total (N=34-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Average values (overall):
Increase in legal certainty: 4.2
Prevention of information security incidents: 3.9
Increase employee awareness: 3.8
Improvement of internal company processes: 3.6
Fulfillment of corporate management goals: 3.0
Demand from the customer: 2.9
Marketing and image purposes: 2.7
Promotion of domestic market access: 2.5
Promotion of market access abroad: 2.1
To be the first in the industry to be certified: 2.0
Competitors are certified: 1.9
Response to a specific incident: 1.5
The figure also shows the values for certified and non-certified companies separately.

Figure 15 compares the motives for using the various management systems. The effects realized through the application of the standards are presented in the following section.

Figure 15: Comparison of the average assessment of the motives for the implementation of various management system standards. ISO 9001 (N=106-119), ISO 13485 (N=8-9), ISO 50001 (N=22-26), ISO 14001 (N=10), ISO/IEC 27001 (N=35-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Radar chart (scale 1.0 to 5.0) over the motives: demand from the customer side, internal improvement, incident response, to be the first to get certified, market access abroad, increase employee awareness, image purposes, competitors are certified, domestic market access, fulfillment of corporate governance goals, increase legal security.
EFFECT OF MANAGEMENT SYSTEMS
The individual management systems have very different
effects on the companies concerned. The participants
Use of the management systems according to ISO/IEC
27001 and ISO 9001.
were asked to rate the impacts that they believe have been
realized through the implementation of the respective management
system standards. Also here were before
ISO 9001 achieves the desired effect with
quality improvement
given effects on a scale from 1 (“does not apply at all”) to 5
(“completely applies”).
An improvement in the sense of ISO 9001, i.e. ensuring or
improving the quality of the manufactured products or
services (e.g. lower reject rates or customer complaints),
Management system standards serve their purpose
is confirmed as the strongest effect by the participants.12 In
this sense it is also the stronger Employee awareness of
With the management systems according to ISO
quality issues is a second main effect of the management
9001, ISO 45001 (BS OHSAS 18001) and ISO/IEC 27001,
system according to ISO 9001.
the main benefit is seen in improvements in terms of the
purpose of the respective standard, i.e. quality, occupational
health and safety and information security. Respondents
did not report any notable impact on sales from the management
Also in terms of financial effects, respondents generally
system standards, with the exception of the companies applying
perceive cost savings as one of the most important benefits.
ISO 13485 (quality management for medical devices). Tax
However, ISO 9001 hardly had any impact on insurance
breaks as well as energy and cost savings are in turn the main
premiums in the participating companies.
advantages of the energy management system according to
ISO 50001. Greater awareness among employees is the most
Image improvements are among the main effects, while
important effect in the case of ISO 14001 and also a significant
increases in sales are considered comparatively small. In
effect of the
particular, companies that only sell domestically realized
lower sales effects through ISO 9001 compared to
Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE
23
Machine Translated by Google
Effect of ISO 9001
Effect of ISO 9001
Figure 16: Average
assessment of the
3,9
quality improvement
impact of using the
3,7
Higher employee awareness
management system
according to ISO 9001. Form the basis
3,6
image improvement
responding companies
3,5
Reduction of internal company costs
implementing this
3,3
Greater legal certainty
standard with (N=76-104)
3,1
Increase in sales through reference to certificate
or without certification
2,0
Lower insurance premiums
2
1
(N=14-16), total
3
4
5
(N=90-120). Evaluation
scale: 1 (does not apply at all) to 5 (ful
In total
certified
Non-certified
exporting companies (AV 2.1 compared to 3.2).
For users of an energy management system according
to ISO 50001, however, the financial advantages are
the most important: In addition to the reduction in the
Company characteristics hardly play a role in the
company's internal energy costs, the tax relief that is
perception of the effects of ISO 9001, which are rated
granted with the certification plays a decisive role by far.
similarly by all respondents — regardless of industry,
number of employees, turnover or export orientation.
However, there are differences between the companies
But even non-certified companies benefit: For them, the
increased legal certainty through the
that are certified according to ISO 9001 and those
Application of ISO 50001 the most important main
that have only implemented the standard: for both
effect (AV: 4.8). This is also based on the binding EU
groups, the company-internal improvements through
Directive 2012/27/EU on energy efficiency, according
the quality management system are the most
to which non-SMEs have to carry out an energy audit.
ISO 50001 can support companies in meeting the
important effects. However, those who are not
certified perceive them more strongly than those who are
certified (mean: 4.3 versus 3.9). The increased
requirements of the guideline. In this sense, the
survey results also show that large companies in
particular, as those affected by the EU directive, use the
employee awareness is also rated second with 3.9,
higher than that of the certified. It is also noticeable
ISO 50001 management system. If one takes into
that those who are not certified name increased legal
account their tendentially higher energy consumption,
certainty as the third most important effect (AV: 3.8),
they are also the ones who can benefit above average
while this only ranks 5th for those who are certified
(AV: 3.2). The effects on costs and insurance premiums
from better energy management. Accordingly, the
are estimated to be comparatively lower for both groups.
random sample almost exclusively identified energyintensive processing sectors such as the chemical
industry as the main users of the standard.
Environmental management systems increase
employee awareness – financial advantages as
Main effect of energy management systems
Increased awareness of environmental issues and
ISO/IEC 27001 is often implemented without
certification – increasing security is imminent
foreground
actual improvements in terms of the management system
are the greatest perceived effects among the surveyed
With 20 certified companies and another 33 that have
users of the environmental management
implemented an information security management
system according to ISO 14001. Image improvements
system according to ISO/IEC 27001 without certification,
and cost savings are also important effects.
this standard is one of those with the smallest
certification rates. During the analysis of
Effects of ISO 14001 and ISO 50001

Figure 17: Average assessment of the impact of using the management system according to ISO 14001 and ISO 50001. The basis is formed by companies that implement this standard with or without certification (N=8-10 for ISO 14001 or N=18-26 for ISO 50001). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Effects rated for both standards: tax relief (only ISO 50001), higher employee awareness, improvement in terms of the management system, image improvement, reduction of internal company costs, greater legal certainty, increase in sales through reference to certificate, lower insurance premiums.
While the main drivers for the introduction of the standard were primarily intrinsic motives, there is also a focus on internal effects, particularly with regard to prevention.

All companies, regardless of size and industry, consider the increase in information security in companies to be the most important effect. The risk of information security incidents could also be reduced.

Increasing employee awareness with regard to information security was a main motivation for introducing a management system according to ISO/IEC 27001 and actually occurs as another significant effect. An increase in legal certainty – although the main motive for the introduction (AV: 4.2) – is only in fourth place among the realized effects (AV: 3.7).

Direct financial benefits in the form of cost savings (due to fewer information security incidents) or increases in sales only occur to a small extent as an effect, regardless of company size, industry or innovation activity. However, there are differences with regard to a reduction in insurance premiums: larger companies and the manufacturing industry (AV: 3.1 compared to 1.3 for service providers) register a comparatively high impact through the use of ISO/IEC 27001.

In principle, certificates have a signaling function towards interested parties. Certificate holders can show them that they meet the requirements of the standard. Compared to the companies that implement the standard but do not hold a certificate, the certified respondents can also record a higher image gain (average: 2.5 compared to 3.4). Overall, however, this effect
Effect of ISO/IEC 27001

Figure 18: Average assessment of the impact of using the management system according to ISO/IEC 27001. The basis is formed by companies that implement this standard with (N=11-15) or without certification (N=17-25), total (N=28-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Total values (the chart also plots the certified and non-certified groups separately):
Increasing the company's information security: 4.1
Reduction of risk of information security incidents: 4.0
Higher employee awareness: 3.9
Greater legal certainty: 3.7
Image improvement: 2.8
Increase in sales through reference to certificate: 2.8
Reduction of internal company costs: 2.7
Lower insurance premiums: 2.1
Comparison of effects of management systems

Figure 19: Comparison of the average assessment of the effects of implementing various management system standards: ISO 9001 (N=90-120), ISO 13485 (N=5-9), ISO 50001 (N=18-26), ISO 14001 (N=8-10), ISO/IEC 27001 (N=28-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Effects compared: improvement in terms of the management system, higher employee awareness, lower insurance premiums, image improvement, increase in sales, reduction of internal costs, greater legal certainty.
is comparatively lower than with the ISO 9001 or ISO 14001 standards. The various effects of the management systems are shown in Figure 19 for comparison. The following section examines how the participating companies assess the overall cost-benefit ratio of the certification.

Cost-benefit ratio highest in the quality management systems

Finally, the participants were asked whether the certification overall is a good investment in terms of costs and benefits (on a 5-point scale from “does not apply at all” to “completely applies”). In the case of ISO 13485 (quality management systems for medical products), the respondents are particularly satisfied with regard to the cost-benefit ratio (however, the small number of companies of n=9 must be taken into account). Satisfaction with ISO 9001 overall is also quite high, regardless of company size or industry (AV: 3.9). The ISO 14001 certification has the lowest level of satisfaction (AV: 3.4). Overall, there are no significant differences in satisfaction with regard to industry, company size, research and innovation activities, or use with or without a certificate.
Are management systems a good investment?

Figure 20: An assessment of whether, all in all, the management systems mentioned represent a good investment in terms of costs and benefits for the company. Rating scale: 1 (does not apply at all) to 5 (applies fully). Mean value (MW) and number of respondents (n) per standard:
ISO 13485: 4.6 (n=9)
ISO 45001: value not cleanly recoverable from the extraction (shown as "44")
ISO 9001: 3.9 (n=116)
ISO/IEC 27001: 3.8 (n=36)
ISO 50001: 3.7 (n=26)
ISO 14001: 3.4 (n=10)
Differences between the motivation to introduce management systems and the effects actually achieved

The overall positive results in terms of overall satisfaction are further supported if one compares the effects that actually occurred with the initial motives. In particular, with ISO/IEC 27001 and ISO 13485 (quality management for medical devices), the company-internal improvements are rated higher in their actual effect than as a motivation. For ISO 9001, ISO 13485 and ISO 14001 this is the case with image enhancement.

The situation is different, however, when it comes to increasing legal certainty through the use of standardized management systems: although this is rated as an important main effect in many systems, there is still a negative deviation compared to the original motivation. Here the actual effect falls short of the apparently high expectation.
Deviations between motives for introduction and actually perceived effects (based on the respective average values)

Figure 21: Deviations in the assessment of the effects actually perceived from the original assessment of the motives (based on the respective mean values). ISO 9001: N=90-120, ISO 14001: N=8-10, ISO 50001: N=18-26, ISO/IEC 27001: N=28-40. Categories compared per standard: corporate improvement, increase in employee awareness, increase in legal certainty, image purposes. The deviation values in the chart range from -0.6 to +0.8.
CERTIFIED AND NON-CERTIFIED COMPANY COMPARISON

The analysis of the certification rates has already shown clear differences between the individual management systems. A closer look shows that especially large and very export-oriented companies not only implement management systems according to ISO 9001 and ISO 14001, but are also more likely to be certified accordingly than small companies and those that are exclusively or mainly active in Germany. The data also indicate that for both standards, manufacturing companies tend to be certified more often than those in the service sector, which comparatively often do without certification.

If one looks at the motives and realized effects, there are sometimes clear differences between certified and only implementing companies. Non-certified companies tend to be even more intrinsically motivated than certified ones. For example, in the case of ISO 9001 or ISO 50001, they are primarily motivated by internal improvements and an increase in employee awareness, while external customer requirements are the main drivers for those who are certified, in addition to internal improvements. And even with ISO/IEC 27001, competitors play a greater role as an external factor for certified than for non-certified companies.

Especially with ISO 9001 it also shows that both groups perceive the corporate improvements brought about by the quality management system as the most important effect; however, non-certified companies rate this higher than certified ones. Similar patterns can also be seen in employee awareness. Legal certainty gained also tends to be rated higher by non-certified companies than by those who have been certified – for both ISO 9001 and ISO 50001. As expected, image gains are much more pronounced among those who have been certified than among those who implement a management system without obtaining a certificate (observed in particular with ISO/IEC 27001).
SPECIAL PART: ISO/IEC 27001

Background

High increase in ISO/IEC 27001 certificates worldwide – use mainly in the ICT sector

In the course of digitization, information security is playing an increasingly important role in companies. Since 2005, ISO/IEC 27001 has made it possible to implement a corresponding internationally standardized management system. Certification according to international standards such as ISO/IEC 27001 is also gaining in importance in light of the latest European and German regulatory initiatives, e.g. within the framework of the IT security catalog and within the framework of the Cybersecurity Act (EU 2019/881 on the certification of the cybersecurity of information and communication technology).

According to the latest ISO survey, there were 31,910 valid ISO/IEC 27001 certificates worldwide as of December 31, 2018, after a steady increase since 2006.13 With 1,057 certificates at 2,003 locations (sites), Germany is in fifth place worldwide. For about 40% of the certificates in Germany, sectoral data were collected as part of the ISO survey. According to this, in 2018 every second ISO/IEC 27001 certificate was in the IT sector, followed by the service sector with 23% and mechanical and plant engineering with 5%.

So far, however, there have only been very few scientific surveys of use in companies worldwide. No cross-industry data is available for Germany yet. This survey thus provides the first insight into the implementation and certification according to ISO/IEC 27001.

Despite the high growth rates for certificates, this standard has not been as widespread in Germany and worldwide as might be expected given the ongoing digitization and the associated importance of the information security of digitally stored data. For this reason, the survey not only asked about the motives and the effect, but also about hurdles in the introduction and potential measures to promote the use of the
Definition of information security

According to the standard DIN EN ISO/IEC 27000:2017, information security refers to maintaining the confidentiality, integrity and availability of information. With the help of
Confidentiality of information is to ensure that information is not made available to unauthorized persons. Integrity ensures that the information is correct and complete and is not changed without authorization. Availability, on the other hand, describes the property that information can be accessed and used by the authorized person.

ISO/IEC 27001

The international standard ISO/IEC 27001 is part of the ISO/IEC 27000 family, published by ISO jointly with the International Electrotechnical Commission (IEC) at the end of 2005, and specifies the requirements for the establishment, implementation, maintenance and continuous improvement of an information security management system (ISMS). After implementing an ISMS based on ISO/IEC 27001, organizations can also be certified if they wish.
management system according to ISO/IEC 27001 in Germany.

The motives for implementing ISO/IEC 27001 and the effects achieved have already been highlighted in the main part of the report. However, the survey also targeted those companies that do not use this management system. Of these 114 companies, more than one in four stated that they did not know the standard at all (29%).

Lack of external pressure main reason not to implement ISO/IEC 27001

Of the companies that are familiar with the standard, one in five plans to use it in the future. Most of those who do not plan to do so say that customers or the legislator do not require an ISMS. Few respondents justify non-application of the ISO/IEC 27001 standard with the fact that ISO 9001 already covers information security. A good
Why is ISO/IEC 27001 not used?

Figure 22: Reasons for not implementing the ISO/IEC 27001 standard. The basis is formed by companies that know this standard but do not apply it, N=64 (multiple answers possible).
My customers don't ask for it: 42%
The legislature does not require it: 30%
The top management sees no need or has rejected it: 28%
Haven't really thought about it yet: 25%
No staff available to introduce an information security management system: 23%
IT is outsourced to a service provider: 22%
Costs outweigh benefits: 19%
ISO 9001 covers information security sufficiently: 11%
My company is not a potential victim of an attack: 11%
ISO/IEC 27001: reasons for non-certification

Figure 23: Reasons for waiving certification according to ISO/IEC 27001. The basis is formed by companies that apply this standard but are not certified to it (N=16-17). Evaluation scale: 1 (does not apply at all) to 5 (fully applies).
Customers don't ask for it: 4.0
Costs outweigh benefits: 3.8
Legislators don't require it: 3.6
Deviation from the norm possible due to waiver: 3.4
No competitive advantages: 3.4
High bureaucracy: 3.2
Disturbance of normal operation due to audit: 2.0
one in ten respondents, on the other hand, gives the reason that their own company is not a potential victim of an attack. However, large and innovative companies in particular do see the danger here: innovative companies never justify non-application with a lack of risk; on the contrary, 60% of them name a lack of pressure from customers as the reason.

Almost every fourth respondent gives as a reason for not using ISO/IEC 27001 that the top management does not see the need to implement the management system. The lack of qualified personnel is also mentioned by many companies as an obstacle to the introduction. A quarter of the companies have not yet thought about implementing the ISO/IEC 27001 standard, and 22% state that they have outsourced their own IT to external service providers.

Companies that use the standard but do not get certified for it cite as the main reasons that customers do not require certification, that the cost of certification is too high and that the legislator does not require certification.

Effort and expertise major difficulties in implementing ISO/IEC 27001

Companies that have implemented an ISMS according to ISO/IEC 27001 or are certified in this regard were asked about the obstacles to implementation. The time required is seen as the greatest difficulty, followed by the high costs. This is followed by the necessary external advice, which can also be seen in connection with the other difficulties: the complexity of the standard content and the lack of internal expertise on the part of the IT staff.

The high costs and the lack of internal expertise (in the form of qualified personnel) are considered higher hurdles in manufacturing than in the other industries. In most cases, the hurdles are rated higher by companies using this standard without being certified for it. This applies in particular to the low motivation of the employees and the lack of commitment from the top management level.

Various measures can help with the dissemination

If dissemination of the ISO/IEC 27001 standard is actively sought, various measures can contribute to this. The participants were able to assess the suitability of possible measures that could promote the use of the ISO/IEC 27001 standard in Germany. All of the proposed measures (with mean values between 3.6 and 4.1) are rated as sensible by the companies applying the standard. The provision of guidelines for action, especially for SMEs, is considered to be particularly helpful. SMEs see
Difficulties with ISO/IEC 27001

Figure 24: Average assessment of the difficulties in implementing and certifying an ISMS according to ISO/IEC 27001. The basis is formed by companies that use this standard without certification (N=19-23) and with certification (N=12-14). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Values as labelled in the chart (the certified and non-certified groups are plotted separately):
High expenditure of time: 3.5
High costs: 3.0
Required external advice for implementation: 2.9
Complexity of the standard content: 2.8
In-house expertise not sufficient: 2.7
Uncertainty about benefit: 2.4
Few advisory services available: 2.3
Difficult determination of scope: 2.3
Low motivation of employees: 2.3
Lack of commitment from top management: 2.0
a high financial hurdle when introducing an ISMS according to ISO/IEC 27001. As expected, they consider financial support especially for this target group to be very useful. This applies both to financial support for consulting services (AV 4.3 versus 3.4 for large companies) and for certification and its maintenance.

With mean values of 3.6 or even 3.9, the demand for proof from the legislator or the customer is also considered a sensible measure, to varying degrees, by all surveyed companies using ISO/IEC 27001, with no major differences in terms of company size or industry. However, companies certified according to ISO/IEC 27001 consider this to be a more sensible measure overall than companies that apply this standard without certification (AV 4.2 vs. 3.3 when required by legislators and AV 4.5 vs. 3.5 when required by customers).

Companies that are familiar with ISO/IEC 27001 but do not use it evaluate the benefits of guidelines for action as particularly high, followed by training courses and financial support. On the other hand, they rate demands from customers or the legislator as less conducive to dissemination than those companies that already use the ISO/IEC 27001 standard.

Affected by information security incidents

All participating companies were asked whether there had ever been an incident that affected the confidentiality, availability or integrity of important information. A quarter of respondents answered yes, although there are differences by company size. While only one in ten small companies answered yes to this question, this is the case for more than one in two large companies.14

Comparing the groups of users and non-users of a management system according to ISO/
Measures to disseminate ISO/IEC 27001

Figure 25: Evaluation of measures to promote the spread of the ISO/IEC 27001 standard in Germany. The basis is formed by companies that apply this standard (N=35-40) and companies that know this standard but do not apply it (N=10-12). Evaluation scale: 1 (not useful at all) to 5 (very useful). Values: users of ISO/IEC 27001 / non-users of ISO/IEC 27001.
Guidelines for action, especially for SMEs: 4.1 / 4.5
Practice-oriented training materials: 3.9 / 4.3
Financial SME support for advice: 3.9 / 4.2
Customer requests proof: 3.9 / 3.0
Increasing awareness of the standard: 3.9 / 4.0
Financial SME support for certification: 3.8 / 4.2
Best practice exchange between companies: 3.7 / 3.6
Legislators require proof: 3.6 / 3.0
IEC 27001 shows that users report being affected by information security incidents more frequently than those who do not use this ISMS standard. While only one in four non-users reported an incident in the company in the past, 38% of the group of companies using ISO/IEC 27001 do so. In this context, however, the motives behind the implementation of the management system according to ISO/IEC 27001 have shown that specific incidents are not a significant driver for the respondents, but rather that strategic motives are present.

Conclusion and Outlook

In view of the growing importance of information security and the increasing risk of potential attacks that could endanger information security,15 ISMS in accordance with ISO/IEC 27001 are implemented very cautiously in Germany. The survey was able to provide initial insights into motives, effects and hurdles. The results indicate that although the standard is known to many, there is often no need to implement it, as this is not (yet) actively demanded by interested parties.
Occurrence of information security incidents

Figure 26: Occurrence of incidents that compromised the confidentiality, availability or integrity of important information (cyber attack, intrusion, insiders, data protection). Basis: all survey participants, N=161 (users of an information security management system according to ISO/IEC 27001 (N=42) and non-users (N=119)). Answers yes / no / don't know:
In total: 27% / 56% / 17%
Users: 38% / 43% / 19%
Non-users: 24% / 61% / 16%
The effort involved in introducing it is also viewed as a hindrance. However, an analysis of the impact of ISO/IEC 27001 shows that the ISMS can help to increase information security in the company and to reduce the risk of information security incidents, including by increasing employee awareness of information security. Overall, the general satisfaction with the cost-benefit ratio of ISO/IEC 27001 is high among the certified companies surveyed. Ways to support further dissemination are seen both in financial and informational measures as well as in demands for proof from customers or the legislator.

Special study on ISO/IEC 27001

Based on the first findings of this survey, 125 companies certified according to ISO/IEC 27001 were surveyed separately at the beginning of 2020. The results of this study will be published in a separate QI-FoKuS Report (Vol. 2).
THE ROLE OF CERTIFICATION, ACCREDITATION AND CUSTOMER AUDITS

Certificates can help companies to signal the fulfillment of requirements for products or working methods and processes in the form of management systems and thus reduce information asymmetries between market participants. Companies usually have the choice of which certification body they want to be certified by. So far, however, there have only been a few studies on the criteria that companies use. The present study has addressed such criteria for the most widespread management system standard ISO 9001 as well as for ISO/IEC 27001 for information security. The participating companies were asked to rate the given criteria on a scale from “not at all important” (1) to “very important” (5) according to the importance they attach to them. The following section examines the results in detail.

Competence and its proof main criteria when choosing the certification body

By far the most important criterion for the participants in this survey when selecting the certification body is its accreditation. Through accreditation, certification bodies can have their competence confirmed by an independent accreditation body. This great importance is also reflected in the actual certification practice: 99% of the respondents state that at least one of their certificates has been issued by an accredited certification body. Following on from this, the second most important criterion when selecting the certification body is the professional competence of the auditors, followed in the case of ISO 9001 by the reputation of the certification body. Specialist knowledge of the respective customer's industry also plays a comparatively large role.
Criteria for choosing the certification body

Figure 27: Average evaluation of the criteria when choosing certification bodies for the ISO 9001 (N=76-87) and ISO/IEC 27001 (N=12-13) standards. Rating scale: 1 (not important at all) to 5 (very important). Values: ISO 9001 / ISO/IEC 27001.
Certification body is accredited: 4.6 / 3.9
Competence of the auditors: 4.2 / 3.7
Reputation (image) of the certification body: 4.0 / 3.2
Specific knowledge of the industry: 3.9 / 3.3
Easy and quick implementation: 3.7 / 3.0
Possibility of an integrated audit: 3.5 / 3.7
International orientation of the certification body: 3.5 / 3.0
Low certification body fees: 3.1 / 3.2
Low travel and ancillary costs (auditor): 3.0 / 2.8
Third party recommendation: 2.2 / 1.4
Specification by the top management level: 2.2 / 1.5
Specification/request from the customer: 1.6 / 1.4
While it is also important to the participants that the certification is carried out quickly and easily, the costs of the certification (fees of the certification body and ancillary and travel costs) are less important. Especially strongly export-oriented companies with more than half of their sales abroad, which are certified according to ISO 9001, rate the international orientation of the certification body as particularly important (AV: 4.2 compared to AV of 2.5-3.4 for comparison groups). The participants attach the least importance to the recommendation or specification of third parties when choosing the certification body.

Companies often use different ISO management systems in parallel. In particular, companies using ISO/IEC 27001 name the possibility of an integrated audit as an important criterion when choosing their certification body. 60% are already certified according to ISO 9001, every second according to ISO 14001. With integrated audits by a certification body, companies can benefit from uniform structures, pool resources and use synergies.

Professional dissatisfaction main reason for change of certification body

There can be different reasons for changing a certification body. 45% of the 104 participants who provided information on this had already changed certification bodies in the past. The reason given most frequently by the participants was dissatisfaction with the professional performance of the certifier. Close behind is the desire to bundle the certifications in the company with one provider. Although cost is not one of the most important reasons for choosing a certification body as described above, it can still be a reason for switching: 40% of respondents name this. For 17%, different interpretations of the requirements of the relevant management system standard by the auditors offered a reason to change the certification body.

Great importance of accreditation and international recognition agreements

Especially in the international movement of goods, mutual recognition of certificates is an important trade facilitation. Recognition agreements for accreditations therefore play an important role. However, only every second respondent knows this tool (56% of n=138). Furthermore, only 64% can confirm whether there is a recognition agreement for their certificates, with around 18% denying this or saying they don't know. The
Certification body changed in the past / Reasons for changing certification body

Figures 28 and 29: Percentage of participants who have already changed certification bodies in the past (left, N=104) and number of reasons given for changing certification bodies (right), N=47 (multiple answers possible).
Changed certification body in the past: yes 45%, no 55%
Dissatisfaction with the professional performance of the certifier: 23
Bundling to one provider for certification: 22
Cost reasons: 19
Different interpretation of the requirements by different providers: 8
Lack of accreditation of the certification body: 3
Lack of recognition of the certificate (due to reputation of the certification body): 1
respondents, however, confirm the effect of such agreements: 78% of 40 respondents agree that they contribute to better recognition of certificates abroad.

Customer audits with high relevance in practice

In addition to conducting internal audits (first party) and auditing by independent external parties (third party/certification), companies are often also audited by their customers (second party). Of 134 participating companies, every second one states that it is also audited by customers. This is particularly the case with the quality management standards: in addition to ISO 9001 (51 participants), this also applies to the industry-specific management systems in the medical device sector and the automotive industry (12 and 15). Environmental management systems according to ISO 14001 and occupational health and safety management systems according to ISO 45001 (BS OHSAS 18001) are also audited by customers of the companies surveyed (20 and 15 cases).

In most cases, customer audits do not replace certificates, but 27% of the
Accreditation and international recognition agreements

Figure 30: Number of participants who state whether their company holds a certificate issued by an accredited certification body (N=109), whether they are aware of international recognition agreements for accreditation (N=138) and whether an international recognition agreement exists for their certification (N=66). Answers yes / no / don't know:
Has one of your certificates been issued by an accredited certification body? 108 / 1 / –
Have you ever heard of international recognition agreements for the accreditation of certification bodies? values extracted as 56, 71 and 11 (assignment to yes/no not recoverable)
Does your certification have an international recognition agreement in terms of accreditation? 42 / 12 / 12
The international recognition agreement makes it easier for certificates to be recognized abroad

Figure 31: Assessment of whether recognition agreements help to ensure that certificates are more easily recognized abroad (N=40). Scale: 1 (does not apply at all) to 5 (fully agree).
1 (does not apply at all): 5%
2: 5%
3: 13%
4: 23%
5 (fully agree): 55%
participants state that certificates at least partially replace customer audits. For 69% of the respondents, an existing certification simplifies the customer audit process. The requirements of the customer audits tend to be described as more stringent than certification: 63% of those surveyed state that the requirements of customer audits go beyond the requirements of the certifier.
Customer audits and certificates

Figure 32: Relationship between customer audits and certification (N=64-66). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Mean values:
Customer audits replace certificates: 1.4
Certificates replace customer audits: 2.6
The requirements in the customer audits go beyond the requirements of the certifier: 3.7
Certificates simplify the customer audit process: 3.8
CONCLUSION
The study examines the use and effects of management systems in Germany with a focus on conformity assessment. The participating companies were asked about the most widespread standardized management systems. The survey thus provides insights not only into established standards such as ISO 9001 or ISO 14001, but also into more recent ones such as ISO 50001 for energy management systems and, for the first time across all sectors, ISO/IEC 27001 for information security management systems. The data shows that the use of two or more management systems is widespread and that companies appear to be able to exploit synergies between them. Not only does a differentiated picture emerge of the various main motives and effects, but the data also allow a systematic differentiation between the assessments of certified and non-certified companies.
The companies using the still little-used ISO/IEC 27001 standard for information security are satisfied with it: they report that it helps them increase business and reduce the risk of information security incidents. However, hurdles are seen in particular in the effort associated with implementation. If further dissemination of this management system standard is desired, the measures that the participants consider useful can be taken; these are aimed in particular at providing more information and financial support for implementation and certification, especially for SMEs.
One focus of the study is the consideration of the various parties who can carry out the conformity assessment. The results underscore the great importance of competent certification bodies and the important role of accreditation in this area, even if it turns out that many of the participants in the survey are not familiar with the underlying mechanisms, such as the international recognition agreements for accreditation. Furthermore, the important position of supplier and customer audits in business practice is confirmed.
lich of their contribution, the information security in the
GLOSSARY
— Accreditation: In the accreditation procedure, conformity assessment bodies prove to an independent accreditation body that they carry out their activities in a technically competent manner, in compliance with legal and normative requirements and at an internationally comparable level. The accreditation body appraises and monitors the management system and the competence of the staff employed by the conformity assessment body.16
— Recognition agreement: The mutual recognition of the services and results of accredited bodies worldwide contributes to reducing technical barriers to trade and to the international acceptance of accredited assessment services without costly multiple accreditations. This procedure follows the principle "Once checked, accepted everywhere". To this end, national accreditation bodies can enter into multilateral agreements with the European and international accreditation organizations (EA MLA, IAF MLA and ILAC MRA).17
— Audit: Systematic, independent, documented process for obtaining records, statements of fact or other relevant information and evaluating them objectively to determine the extent to which specified requirements are met (ISO/IEC 17000).
— Conformity assessment: Demonstration that specified requirements relating to a product, process, system, person or body are met (ISO/IEC 17000). Conformity assessments can be performed by many parties, including the provider of a product or service, its purchaser and other parties that may have an interest, such as insurance companies and regulators:
— Internal audit (first party): carried out by the person or organization offering the subject of the conformity assessment.
— Supplier (or customer) audit (second party): carried out by a person or organization that has an interest in the subject of the conformity assessment as a user (e.g. the buyer or user of a product).
— External audit (third party): carried out by a person or body that is independent both of the person or organization responsible for the subject of the conformity assessment and of user interests in this object (e.g. certification).
— Management system: A management system includes the activities by which an organization identifies its goals and determines the processes and resources required to achieve the desired outcomes.18 These goals can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, occupational health and safety, and many others. Standards, e.g. from the International Organization for Standardization (ISO), specify requirements or guidelines to support organizations in designing and implementing their policies and processes to achieve these goals.
— Quality infrastructure: The system that comprises the organizations (public and private) together with the set of rules, the relevant legal and regulatory framework and the actions needed to support and improve the quality, safety and environmental performance of goods, services and processes. It is based on standardization, conformity assessment, accreditation, metrology and market surveillance.19
— Certification: Confirmation by an independent third party that specified requirements for a product, process, system or person are met (ISO/IEC 17000). When standardized management systems are certified, an independent, external auditor confirms whether the documented procedures of the respective organization are appropriate and followed in practice, so that the organization meets the requirements specified in the management system standard.20
ABBREVIATIONS
DAkkS: German accreditation body (Deutsche Akkreditierungsstelle)
IEC: International Electrotechnical Commission
ICT: Information and communication technology
ISMS: Information Security Management System
ISO: International Organization for Standardization
SMEs: small and medium-sized enterprises
MV: mean value
QI: quality infrastructure
THANKS
The authors would like to thank the many people who supported this study. In particular, Philipp Hess (TU Berlin) for helpful tips on questionnaire design and evaluation, Jonas Haas for statistical support, Petra Keitzl and Susanne Stobbe for project management and correction, and Olaf Mätzner for technical support. We would also like to thank the German Society for Quality (DGQ) and the associations VCI, VDA and the umbrella organization BDI as well as various certification bodies for announcing the survey among their members and customers. Thanks are also due to the interviewees who prepared the survey. We thank the BMWi and Dr. Michael Nitsche (BAM) for the general support of the project.
NOTES AND REFERENCES
1 Blind, K. (2015). From standards to quality infrastructure: A review of impact studies and an outlook. In: P. Delimatsis (Ed.), The law, economics and politics of international standardization. Cambridge University Press.
2 Cf. Castka, P., & Corbett, C. J. (2015). Management Systems Standards: Diffusion, Impact and Governance of ISO 9000, ISO 14000, and Other Management Standards. Foundations and Trends in Technology, Information and Operations Management, 7, 161-379, as well as Power, D., & Terziovski, M. (2007). Quality audit roles and skills: Perceptions of non-financial auditors and their clients. Journal of Operations Management, 25(1), 126-147.
3 ISO 9000:2015
4 www.iso.org/management-system-standards
5 The survey relates to the number of valid certificates of selected ISO management standards issued by certification bodies accredited by members of the International Accreditation Forum (IAF).
6 As far as the relative number of the respective certifications is concerned (i.e. the certifications related to the number of companies in the country), Germany is well behind countries such as Italy or Spain (see Heras-Saizarbitoria, I., & Boiral, O. (2013). ISO 9001 and ISO 14001: towards a research agenda on management system standards. International Journal of Management Reviews, 15(1), 47-65). For quality management specifically for the automotive industry according to IATF 16949 (previously ISO/TS 16949), no data from the ISO Survey 2018 are available, as it has been an IATF (International Automotive Task Force) standard since 2016. In the area of occupational health and safety management, the figures only refer to the ISO 45001 standard, which has replaced the BS (British Standard) OHSAS 18001 standard since 2018, but with a transitional period for certified companies until 2021.
7 The ISO Survey only records certifications that are reported by the accredited bodies. Possible reporting errors can also lead to distortions, as can the fact that certificates from non-accredited bodies are not taken into account. See ISO (2019), The ISO Survey, available at: https://www.iso.org/the-iso-survey.html
8 See ISO Survey (2019). The decrease in the number of valid certificates recorded in 2018 compared to the previous year can be explained by a change in the collection method as part of the annual ISO Survey.
9 Hereinafter referred to as "manufacturing industry".
10 See Blind, K., & Mangelsdorf, A. (2016). Certification in German companies: between competitive advantage and cost factor. In: R. Friedel & E. A. Spindler (Eds.), Certification as a success factor: Sustainable management with trust and transparency (pp. 23-32). Springer.
11 Cf. Karcher, P., & Jochem, R. (2015). Success factors and organizational approaches for the implementation of energy management systems according to ISO 50001. The TQM Journal, 27(4), 361-381. doi:10.1108/TQM-01-2015-0016, as well as Wulandari, M., Laskurain, I., Casadesús, M., & Heras-Saizarbitoria, I. (2015). Early Adoption of ISO 50001 Standard: An Empirical Study. In A. Chiarini (Ed.), Sustainable Operations Management: Advances in Strategy and Methodology (pp. 183-202). Cham: Springer International Publishing.
12 This effect is experienced even more strongly by users of the quality management system for medical devices according to ISO 13485 (4.1). These generally tend to report stronger effects than users of general quality management according to ISO 9001. This applies especially to the positive effects on sales (both the strongest effect, with 4.7 for ISO 13485, and the largest difference to ISO 9001, with only 3.0); (n=5-9).
13 Due to a change in the survey method, from 2018 the valid ISO certificates can no longer be compared with previous years (ISO, 2019).
14 Similarly, as part of the 2018 cyber security survey by the Alliance for Cyber Security, 43% of large and 26% of medium-sized companies stated that they had been affected by cyber security incidents in 2018. See Federal Office for Information Security (BSI). (2018). Cyber security survey 2018: Cyber risks & protective measures in companies. Retrieved from: https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/ACS/cyber-Sicherheits-umfrage_2018.pdf?__blob=publicationFile&v=9
15 ibid.
16 https://www.dakks.de/content/was-ist-akkreditierung
17 https://www.dakks.de/content/internationales-netzwerk
18 ISO 9000:2015
19 UNIDO. (2018). Quality Infrastructure: UNIDO's unique approach. Retrieved from: https://www.unido.org/sites/default/files/files/2018-08/UNIDO_QI_CASE_FINAL_ONLINE_2.pdf
20 See Castka, P., & Corbett, C. J. (2015).
202000661-BAM Media Team
Federal Institute for Materials Research and Testing (BAM)
Unter den Eichen 87
12205 Berlin, Germany
Info@bam.de
www.bam.de