Machine Translated by Google

The use and effect of standardized management systems
A study as part of the QI-FoKuS initiative, Vol. 1
Including a special section on ISO/IEC 27001 for information security

Authors: Mona Mirtsch, Dr. Claudia Koch, Dr. Gabriele Dudek (BAM); Prof. Dr. Knut Blind (Technical University of Berlin)
Editor: Federal Institute for Materials Research and Testing (BAM)

Imprint
Federal Institute for Materials Research and Testing (BAM)
Unter den Eichen 87
12205 Berlin
+49 30 8104-0
qi-fokus@bam.de
www.qi-fokus.de
www.bam.de
ISBN: 978-3-9818564-3-9

CONTENTS
QI-FoKuS  4
Summary and key findings  5
Introduction  7
Questionnaire and methodology  11
Use of management systems  14
Motives for using management systems  19
Effect of management systems  23
A comparison of certified and non-certified companies  27
Special part: ISO/IEC 27001  28
The role of certification, accreditation and customer audits  33
Conclusion  37
Glossary  38
Abbreviations  39
Thanks  39
Notes and references  40

Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE

QI-FOKUS

The national quality infrastructure (QI), as a system of regulatory frameworks, institutions, processes and instruments, serves quality assurance and thus ensures that safety, environmental, health and consumer protection policy goals are achieved. It uses various elements that take on different functions and are systematically intertwined.

Figure 1: The elements of a national quality infrastructure: standardization, metrology, accreditation, conformity assessment (testing, inspection, certification, calibration), market surveillance, and requirements for products, processes and services. Source: BAM / TU Berlin.

Conformity assessments play a central role in this system. For the economy and for consumers they are an important basis for trust and security. Tests, inspections and certifications can be used to confirm whether certain requirements for products, services, processes, systems or persons are met and whether contractual agreements and legal or normative requirements for safety, health or environmental protection are complied with. Accreditation, as confirmation that a conformity assessment body has the competence to carry out certain conformity assessment tasks, is also an important pillar of QI.

The development and economic importance of conformity assessments in Germany have so far not been researched to any large extent, not least due to insufficient empirical data. QI-FoKuS (Research for Conformity Assessment and Safety) strives to create a better data basis for research on the basis of a recurring survey of companies and conformity assessment bodies in Germany.

Creating a database, recognizing trends

QI-FoKuS is intended to make the interaction of the elements of QI easier to understand. QI-FoKuS is meant to:
— create a database for new scientific findings on influencing factors and effects in conformity assessment and accreditation,
— identify mechanisms of action,
— recognize at an early stage the need for change resulting from technical and economic developments, current trends in conformity assessment and accreditation, and the resulting need for regulation,
— inform political decision-makers, business and the public in a professional manner about conformity assessment and accreditation through data-based analysis.

The findings derived from the results of the surveys can not only serve as decision-making aids for those involved in politics, but are also an important support for companies, conformity assessment bodies and the German Accreditation Body in order to better assess current and future challenges and to be able to react to them.
The QI-FoKuS project was launched in autumn 2019 by the Federal Institute for Materials Research and Testing (BAM) and the Technical University of Berlin (TU Berlin), Department of Innovation Economics under Prof. Dr. Knut Blind. The project is financed from BAM funds. QI-FoKuS is supported by the Federal Ministry for Economic Affairs and Energy (BMWi) and a network of QI institutions and industry associations.

The survey of companies in Germany on the use of standardized management systems is the first survey within the framework of QI-FoKuS. In addition to the motives for applying various standards that set out requirements for management systems, and the effects of doing so, the survey addresses in particular certification against these standards and, linked to this, the role and function of accreditation, and thus several components of QI. One focus of the survey is the ISO/IEC 27001 standard, which specifies the requirements for information security management systems (ISMS). The dissemination of this standard is currently subject to a dynamic that is influenced by regulatory efforts with regard to information security. This justifies a special research interest.

SUMMARY AND KEY FINDINGS

The aim of the QI-FoKuS initiative is to create a database for new scientific findings on influencing factors and effects in conformity assessment and accreditation. At the end of 2019, companies of various sectors and sizes in Germany were asked in a first online survey about their use of management systems and the effects of that use. This included widely used standardized management systems such as ISO 9001 and ISO 14001 as well as systems that had not been studied until now, such as ISO 50001 or ISO/IEC 27001. 180 questionnaires were evaluated for the present study. The following key findings can be derived from them:

1. ISO 9001 is the most widely used management system standard in the sample, followed by ISO 14001 environmental management systems, ISO 45001 (BS OHSAS 18001) occupational health and safety management systems and ISO 50001 energy management systems. The survey also covered management systems that are not yet so widespread, such as information security management systems according to ISO/IEC 27001. All other management systems examined are used comparatively less.

2. The certification rates of the different management systems differ considerably: The quality management system according to ISO 9001 is not only the most widespread management system among those surveyed, the companies using it are also most frequently certified against it (87%). In contrast, users of the management system for information security according to ISO/IEC 27001 are comparatively rarely certified (37%).

3. The simultaneous use of different management systems is widespread: over two thirds of the certified companies have more than one management system certification. On average, the certified companies surveyed hold 2.6 certificates, with clear differences between small and large companies. The survey also included management systems that companies have merely implemented without obtaining a certificate. If these are also taken into account, the companies have implemented significantly more management systems at the same time, namely 3.3 on average. The scope of such joint use and integration of multiple management systems depends crucially on the characteristics of the respective company with regard to industry affiliation or size.

4. ISO 9001 mostly serves as a "basic standard": The analysis of the management systems implemented in parallel in the respective companies shows that almost all users of environmental, energy and occupational safety management systems also have a certified quality management system according to ISO 9001. The least common use alongside other standardized management systems is found with ISO/IEC 27001 for information security.

5. The main motives for using management systems differ: While for ISO 9001 and ISO 14001 customer requirements as external factors motivate the introduction, for occupational health and safety management systems according to ISO 45001/BS (British Standard) OHSAS 18001 and for ISMS according to ISO/IEC 27001 increased legal certainty is the main motive. The certification of an energy management system according to ISO 50001 is particularly motivated by the prospect of associated tax breaks. For those surveyed, improvements in the sense of the respective management system or of corresponding internal company processes are not the main driver for the implementation of any of the management systems.

6. Non-certified users of management systems have other motives: In particular among companies using ISO 9001, it is evident that those who do not have themselves certified are even more intrinsically motivated to use such a quality management system. For them, the corresponding demands from customers are not the top priority, but rather the goal of internal improvements.

7. The management system standards fulfill their purpose: In the case of the management systems according to ISO 9001, ISO 45001 (BS OHSAS 18001) and ISO/IEC 27001, the main effect among those surveyed is seen in improvements in terms of the purpose of the respective standard, i.e. quality, occupational health and safety, and information security. Energy and cost savings are cited as a key benefit of establishing ISO 50001 energy management systems. The main effect of the environmental management system according to ISO 14001 is raising employee awareness of environmental issues.

8. Overall satisfaction with the management systems varies: The perception of whether certification against the respective management system standard is a good investment in terms of costs and benefits varies significantly. The companies surveyed that were certified according to ISO 9001, regardless of their size or industry, are significantly more satisfied overall than the users of the ISO 14001 environmental management system in particular. The overall positive assessment of the management systems is also supported by the tendentially more positive assessments of the realized effects compared to the original expectations when introducing a management system.

9. Competence and its proof are the main criteria when choosing the certification body: The study results clearly confirm the great importance of accreditation, which is the most important criterion for the selection of the certification body for those surveyed. In addition, 99% state that at least one of their certificates has been issued by an accredited body. The great importance of professional competence when choosing the certifier is also reflected in the fact that professional dissatisfaction is given as the main reason for changing the certification body.

10. Every second respondent knows the trade-facilitating international recognition agreements for accreditation: Where they are known, great importance is attached to them.

11. Customer audits have a high relevance in practice: Every second company surveyed states that it is also audited by customers, especially with regard to its quality management system, but also in terms of environmental management and occupational health and safety, regardless of specific company characteristics such as industry or size. However, according to respondents, these audits cannot replace certifications. Overall, customer audits are perceived as stricter than audits as part of the certification process.

12. The study provides first cross-industry insights into the use of ISO/IEC 27001 for information security:
— Among the management system standards in this study, ISO/IEC 27001 has one of the lowest certification rates: only every third company that uses it is certified. The analysis of the main drivers for the introduction of the standard accordingly shows predominantly intrinsic motives. Internal effects, i.e. within the company, especially with regard to prevention and security, are also dominant.
— At the moment, the standard still lacks broader awareness (29% of non-applying companies do not know it). Among those familiar with ISO/IEC 27001, only one in five companies plans to implement it in the future. The low spread is mainly due to a lack of external pressure (legislators or customers). Concrete hurdles for introduction in one's own company are in particular the associated effort and a lack of expertise, also in view of the complexity of the standard's content.
— To support further dissemination of the information security management system, a number of measures are considered useful, e.g. guides for action for small and medium-sized enterprises (SMEs) or training and financial support. Companies certified according to ISO/IEC 27001 in particular also consider a requirement of proof on the part of customers or the legislator as promoting dissemination.

INTRODUCTION

Normed and standardized (hereinafter referred to as standardized) management systems are a global success: millions of companies around the world work according to international standards in a wide variety of management areas. This does not only concern the well-known standards for quality and environmental management, ISO 9001 and ISO 14001; the spread of other management systems for special areas such as energy or information security management is gradually increasing.

The general economic and social importance of norms and standards is scientifically proven. They not only enable economic benefits for companies, but also contribute overall to advantages for consumers, environmental protection and occupational safety, minimize risks and thus improve overall economic welfare.1 There are a large number of studies that have examined and documented the effects of management system standards worldwide, ISO 9001 and ISO 14001 in particular.2 However, other management system standards have so far remained largely unnoticed, e.g. the standards ISO/IEC 27001 for ISMS and ISO 50001 for energy management systems, which were only introduced in 2005 and 2011 respectively. In addition, only a few studies cover several management systems together; most are devoted to just one norm.

Management systems and management system standards

A management system includes the activities by which an organization identifies its goals and determines the processes and resources required to achieve the desired outcomes.3 These goals can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, occupational health and safety, and many more.

Standards, e.g. from international standardization organizations such as ISO, define requirements to support organizations in designing and implementing their specifications and processes to achieve the respective goals. At ISO alone, there are now more than 80 management system standards in a wide variety of areas.4 These standards are designed to be applicable in different organizations, regardless of industry, size, type, organizational form, or geographic, cultural and social conditions.
However, this fails to recognize that the management systems are compatible with each other and that in practice management systems are often used in different areas at the same time. Another aspect is the often very limited view of existing studies, which look exclusively at certified companies, while in practice management systems are often implemented without a certificate being granted or sought. In addition, the certification itself goes unnoticed in most surveys. This affects both the role of the certification bodies and their competence, proven in the form of accreditation.

This report presents the results of a cross-industry online survey of companies in Germany on the use of various standardized management systems. The study not only offers insights into the motives for implementation and the assessment of the effects; it also focuses on conformity assessment as a central element of quality infrastructure (QI). For this purpose, management system standards usually prescribe so-called internal audits, which are carried out by the companies themselves. Certification by an independent third party is also widespread. The present study therefore makes an explicit distinction between companies that have themselves certified against the implemented standard and those that apply the standard without certification. Reasons for certification are also highlighted, such as the criteria for choosing a certification body or changing it. As there has so far been only little empirical data on the awareness of accreditation and the assessment of its benefits and effects, this study is also dedicated to this instrument in particular. Furthermore, audits can also be carried out by business partners, e.g. buyers along the supply chain (so-called customer or supplier audits). The present study also confirms the importance of this form of conformity assessment, which is widespread in practice, and draws comparisons with certification.
A special part of the study deals with the management system standard ISO/IEC 27001 for information security in detail. There has not yet been any cross-industry study for Germany on this standard. Standards in the field of information security, such as ISO/IEC 27001, and proof of effective application through certification are becoming increasingly important, particularly against the background of advancing digitization and regulatory initiatives such as the IT Security Act and the European Cybersecurity Act. The study contributes to a comprehensive picture of the use of management systems in Germany and helps in particular to understand the various facets of conformity assessments. This study enables companies that have so far dealt little or not at all actively with standardized management systems to gain an insight into the motives and mode of action other companies. Certification bodies can use the results to the selection criteria of the QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) Machine Translated by Google certification body and the reasons for changing a certifier. The created, for example for the environment, occupational results of the survey also offer the possibility of deriving safety, information security and energy. active strategies for increasing the spread of this standard in the Surveys of the International Organization for area of information security. Standardization (ISO) show that Germany is far ahead internationally in terms of the absolute number of certificates5 Overall, QI-FoKuS is intended to contribute to a better issued: only China has more ISO understanding of the economic and social value and benefits 9001 certificates, for ISO 50001 certificates as well as the modes of action of conformity assessments Germany even ranks first and fifth for ISO/IEC 27001 and sixth for ISO 14001 and accreditation as important elements of QI, and to enlist relevant stakeholders for this Rank 6 sensitize. 
Even if these figures only contain reported certificates from accredited certification bodies, they still clearly show the Growing popularity of normed and standardized management systems widespread use of standardized management systems. The actual application is likely to be much higher, considering the limitations of the ISO survey7 and the fact Management systems based on ISO and other standards are enjoying growing popularity both internationally and in that many companies have implemented management systems without being certified. Germany. Introduced in 1986, over a million companies are now certified according to the ISO 9001 quality management system standard. In the course of this success, standards Table 1: As part of the study, standardized management were gradually established for other areas of management as systems and the number of certificates issued in Germany in well 2018 according to the ISO survey. Norm/Standard title Number of certificates in Germany (locations)8 ISO 9001 Quality Management Systems - Requirements 47.482 (73.559) ISO 14001 Environmental management systems - requirements with 8.028 (14.525) Instructions for use ISO 50001 Energy management systems - requirements with 6.243 (14.736) Instructions for use ISO 13485 Medical devices - quality management - requirements 2.662 (3.249) for regulatory purposes ISO/IEC 27001 Information security - IT security procedures - 1.057 (2.003) Information Security Management Systems - Requirements ISO 22000 Food safety management systems 257 (479) – Requirements for organizations in the grocery chain Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 9 Machine Translated by Google title Norm/Standard Number of certificates in Germany (locations)8 ISO 45001 (previously Occupational health and safety management systems BS OHSAS 18001) – Requirements with guidance on application ISO 20000-1 147 (483) 48 (148) IT Service Management - Part 1: Specification for Service 
Management IATF 16949 Quality management systems - Special requirements when using ISO Not available in the current (before 9001 for series and ISO survey ISO/TS 16949) Production of spare parts in the automotive industry Number of certificates issued in Germany 14.000 70.000 12.000 60.000 10.000 50.000 8.000 40.000 6.000 30.000 4.000 20.000 2.000 10.000 0 2003 2005 2001 1999 1997 1995 1993 2017 2015 2013 2011 2009 2007 2005 2003 2001 1999 1997 1995 ISO/IEC 20000 1993 ISO 9001 Figure 2: Number of certificates issued for selected management system standards in Germany. Source: ISO Survey (2018). 10 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) 2007 ISO 13485 2009 ISO 22000 2011 ISO 50001 2013 ISO/IEC 27001 2015 ISO 14001 2017 0 Machine Translated by Google QUESTIONNAIRE AND METHODOLOGY The questionnaire The survey focused on the use and effect of internationally The questionnaire contained mostly closed and some open- standardized management systems. The questionnaire was ended questions. In the former, the respondents were developed based on interviews with industry representatives and certification bodies as well as using a five-point rating scale being used for the extensive literature research on previous studies on assessments. Most of the questions, apart from those management systems and tested in advance with regard on the number of employees and industry, are not mandatory. given a selection of possible answers, with scale questions to the comprehensibility of the questions and the duration of the survey. While many studies only record certified companies, a special feature of this survey is that it also includes those companies that have The survey was distributed as an online questionnaire as part implemented standardized management systems of the newly created QI-FoKuS initiative with the help of without being certified for them. The questionnaire recorded multipliers. 
The German Society for Quality (DQG), the and differentiated between the two options accordingly. A Federation of German Industries (BDI), industry associations particular focus of the survey was on the criteria for (e.g. the Association of the Chemical Industry (VCI) and the selecting the certification body and any reasons for a Association of the Automotive Industry (VDA)) as well as change. certification bodies, chambers of industry and commerce and others Furthermore, the importance of accreditation as an important Interest groups drew the attention of their members to the pillar of QI and of international accreditation agreements survey in newsletters and on their websites. Participation was recorded. Finally, a form of conformity assessment that in the survey was possible from the end of September to the is widespread in practice but often neglected scientifically end of December 2019. and empirically, auditing by business partners, was also A total of 248 questionnaires were completed, 134 of addressed in the survey. them completely. This publication includes the evaluation of the answers of all 180 participants who filled out the entire main part of the questionnaire (on the use of According to the topics mentioned, the questionnaire with management systems). The statistical evaluation was a total of 137 questions is divided into the following carried out by the Federal Institute for Materials Research sub-areas subdivided: and Testing together with the Technical University of Berlin. 
— Details of the participating company — Use and importance of management systems — Motives and effects of management systems — Special section on information security management according to ISO/IEC 27001 Participants and sample — Selection criteria of certification bodies — Accreditation and importance of international recognition agreement In most cases (n=99), the questionnaire was filled out by the responsible quality managers, followed by the — Dissemination and importance of supplier and customer audits management group (n=30) and the administration (n=26). Further Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 11 Machine Translated by Google The industry The industry 21% Chemical, pharmaceutical, rubber, plastic 9% other services 7% Certification, inspection and testing 7% mechanical engineering Electrical engineering 7% metal industry 6% 6% Miscellaneous information and communication 4% health and social care 4% 4% Vehicle construction (incl. aerospace, ship and boat construction) medical technology 3% 3% Professional and academic services 3% research Institute 3% Transport and storage 3% Public administration, defence, social security Agriculture 2% 2% plant construction 1% Universities, clubs, associations 1% Manufacture of glass, glassware, ceramics, earth and stone processing 1% Energy and water supply, oil 1% optics 1% Trading; Maintenance and repair of motor vehicles 1% Mining 1% construction industry 0% 5% 10% 15% 20% 25% Figure 3: Industry affiliation of the participating companies (N=180). many of those questioned indicated that they work in the But also German mechanical engineering and electronics field of standardization or in education and training. The technology sector (7.2% each) and the metal industry (6.1%) Employees from the areas of design, production and manufacturing, are strongly represented. 
The second strongest industry as well as from the export business and marketing, are not group are other service providers (8.9%). Companies in the ICT well represented. sector make up 4.4% of the sample. There were only a few participants from the construction industry and trade (only 0.6% each). 93% of the participating companies have their headquarters in Germany, with one third belonging to an international and The classification of companies by size follows the definition of the one fifth to a national group of companies. 44% are sole European Commission (2003/361/EG) for SMEs, which distinguishes between — small companies with up to 50 proprietorships. employees or maximum turnover of 10 million euros The assignment of the branch affiliation was carried out — medium-sized companies with 50 to 250 employees working and 10 to 50 million euros turnover according to the statistical classification of economic branches in the European Community (NACE). Various sectors were grouped together to show differences, specifically — large companies with more than 250 employees and over 50 million euros turnover. manufacturing/manufacturing and “all others”. More than half of the participants in the survey come from the , Employ Since very large companies also took part in the survey, very manufacturing sector. The chemical and pharmaceutical large companies with 500-999 or more than 1000 employees are industry in particular is overrepresented (20.6%). This is also referred to as a separate group in the results. due to the very successful support provided by a relevant industry association. 
45% of the participating companies employ up 12 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) Machine Translated by Google Company size (sales in million euros) Company size (sales in million euros) Company size (employees) Company size (employees) 11% 14% 1 - 9 employees 10% 10 - 49 employees 38% up to 2 12% 50 - 249 employees 2 to 10 53% 250 - 499 employees 10 to 50 500 - 999 employees 23% over 50 21% 1000 and more employees 6% 12% Figure 4: Company size by number of employees (N=180). Figure 5: Company size by turnover in million euros (N=160). 10%, in larger companies it is at least 29% on average (companies with 500-999 employees are leading with an average of 36%). 250 employees and thus belong to the classic medium-sized companies, 12% have between 250 and 500 employees. 38% of those surveyed are companies with more than 1000 employees. Just over half of the companies (53%) generated sales of at least EUR 50 million in 2018, 14% a maximum of EUR 2 million. second company (56%)). The innovative activity of the participating companies was also recorded in the questionnaire: It was ascertained whether the respective company brought innovations in relation to products or services onto the market in 2018 or introduced noticeably improved processes. If this is the case, the company is described as innovative in the following. Of the 180 companies in the sample, 130 are companies in at least one area The average export share for small companies with up to 50 employees is below (product, process, service) innovative. Specifically, 46% state that they introduced product innovations in the previous year (especially large companies with more than 1000 employees and over 50 million While a third of the companies sell their products and services exclusively domestically, another third of the participants state that they generate at least half of their sales from exports. 
This applies above all to companies from the manufacturing sector (every Average export shares by number of employees Average export shares by number of employees 1000 AND MORE 34% 500 - 999 36% 250 - 499 33% 50 - 249 29% 10 - 49 9% 1-9 2% 0% 5% 10% 15% 20% 25% 30% 35% 40% Figure 6: Export shares by company size (measured by the number of employees (N=137)). Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 13 Machine Translated by Google euros in sales are relatively more active here than Having introduced process or service innovations. The groups of export-intensive companies only 28% state that they have brought product with export quotas between are relatively frequently innovations to the market). 45 or 42% of those surveyed also state thatinvolved in product innovations small companies with up to 49 employees, of which Research Activities Research Activities Innovation activity Innovation activity Product innovation Internal Research process innovation External cooperation service innovation 0% 20% 40% 60% 80% 100% 0% Yes No 20% 40% 60% 80% 100% Yes No Figures 7 and 8: Innovation activities (N=134-137) and research activities (N=86). 10% and 50%, and higher than 50%. In these two groups, 65% and 62% of respondents say they have introduced process innovations, compared to just 25% of non-export companies. 82% of companies practice this In the present report, the industry affiliation, company size, export activity and research and innovation activities are used as distinguishing criteria in order to structure the results and to work out individual special features. Research and innovation activities are carried out internally, and 67% state that they also cooperate with external research institutions. USE OF MANAGEMENT SYSTEMS Companies can implement management systems and also have themselves certified with regard to the requirements of the relevant standard. 
Certification is confirmation from a third party (i.e. an independent party) that the requirements defined in the applicable standard are met. Certificates are therefore an important piece of evidence that creates transparency for customers or other interested parties and can contribute to a uniform level of quality and security.¹⁰

Certification rate fluctuates significantly: users of ISO 9001 are most frequently certified, users of ISO/IEC 27001 rarely

According to the ISO Survey, ISO 9001 for quality management is the most widespread management system standard worldwide and in Germany. This is also reflected in the results of this survey: 83% of the 180 participants state that they apply this standard. 130 participants are ISO 9001 certified, 20 others apply the standard without certification. Also widespread in our sample are the environmental management system standard ISO 14001 (51% in total), ISO 45001 (BS OHSAS 18001) for management systems in the areas of occupational health and safety (41%) and the energy management system standard ISO 50001 (37%).

Significant differences in the certification rate are noticeable: the survey results for ISO 9001 not only show a generally wide spread, but also that its users are more often certified than users of other management systems. While general quality management systems according to ISO 9001 have a certification rate of 87%, only two thirds of the companies that implement industry-specific quality management system standards (ISO 13485 for medical devices and IATF 16949 for the automotive industry) are also certified for them. The next chapter examines the respective motives in more detail.

The size of the company also plays a role: the group of small companies (up to 49 employees) has significantly lower certification rates than the companies in all comparison groups (63% vs. 90%). Manufacturing companies in particular are comparatively often certified. Only one interviewed company using ISO 9001 in this sector is not certified.

Other standards are often implemented without obtaining a certificate. While environmental management systems according to ISO 14001 also have a high certification rate (81% of users have a certificate), only about every third user of a management system according to ISO/IEC 27001 for information security is certified (37%). And even with management systems for occupational health and safety according to ISO 45001 (BS OHSAS 18001), more than every second user does without certification; 5% even indicate here that they have relinquished a previous certification.

Figure 9: Use of selected management systems and proportion of companies that have certification (certification rate). Users of each standard (n), of which certified, and the resulting certification rate; the remaining users have implemented the standard without certification or have relinquished a certification:
ISO 9001 (n=150):                     130 certified   87%
ISO 14001 (n=93):                      75 certified   81%
ISO 45001 or BS OHSAS 18001 (n=73):    35 certified   48%
ISO 50001 (n=67):                      48 certified   72%
ISO/IEC 27001 (n=54):                  20 certified   37%
IATF 16949 or ISO/TS 16949 (n=31):     21 certified   68%
ISO 13485 (n=21):                      14 certified   67%
ISO 22000 (n=10):                       4 certified   40%
ISO/IEC 20000 (n=9):                    3 certified   33%
Other (n=47):                          36 certified   77%

Simultaneous use of different management systems widespread: 70% of certified companies have more than one management system certification

Of the 180 participants in the survey, 169 use at least one standardized management system. Of these, 151 have at least one corresponding certificate. Companies that implement and certify not just one, but several different management systems (either simultaneously or successively) can generally benefit from various advantages of combined use or integration. Possible synergies result, for example, from the similar documentation requirements or standard structures and processes (e.g. the Plan-Do-Check-Act cycle, which many of the standards considered have in common). Familiarity with the requirements, working principles, necessary resources and actions involved in implementing a management system can make it easier for companies to implement another standardized management system.

Table 2: Average number of certificates per company, divided according to the number of employees in the company, turnover (in million euros), type of company and export orientation (with the respective main export market). The basis is formed by companies that hold at least one certificate (N=151).

Number of employees            Certificates per company   n
1000 and more                  3.4                        59
500 - 999                      2.6                         9
250 - 499                      2.4                        17
50 - 249                       2.1                        38
10 - 49                        1.5                        17
1 - 9                          1.5                        11
Total                                                    151

Sales volume (million euros)   Certificates per company   n
over 50                        3.1                        76
10 to 50                       2.2                        31
2 to 10                        1.7                        18
up to 2                        1.5                        13
not specified                  1.5                         2
I do not know                  2.4                        11
Total                                                    151

Company form                   Certificates per company   n
international group            3.3                        55
national group                 2.7                        32
individual company             1.8                        59
miscellaneous                  1.8                         4
not specified                  1.0                         1
Total                                                    151

Main export market             Certificates per company   n
no export                      2.1                        31
EU (outside Germany)           2.6                        64
USA                            2.8                         8
America (excl. USA)            2.5                         2
Asia                           3.0                         9
Africa                         1.0                         1
not specified                  2.9                        36
Total                                                    151

The study can provide a rare detailed empirical insight into this integrated certification. Even if the degree of integration in the individual companies cannot be derived from the present survey, the survey results nevertheless show that the simultaneous use of several management systems is widespread. 70% of the certified companies have been successfully certified against more than one management system standard. If the implementations without a certificate are also considered, 80% use more than one standardized management system.

The average across all certified participants is 2.6 certificates per company. There are sometimes significant differences: the number of certificates per company increases with the number of employees and turnover. Small companies with up to a maximum of 50 employees or up to a maximum of 2 million euros in sales have an average of 1.5 certificates, while those with more than 1,000 employees have 3.4. There are also differences between the different types of company: as expected, individual companies have the fewest certificates, while national and international groups of companies have significantly more certifications. On average, exporting companies hold more certificates than non-exporting companies. This is especially true for companies with main export markets in Asia, followed by the US. If all implementations without a certificate are also taken into account, each participating company uses an average of 3.3 standardized management systems (certified and/or only implemented).

Figure 10: Number of certifications and implementations of management systems per company (0 to max. 10 simultaneously). Basis: certified companies (N=151), certified and/or implementing companies (N=169).

Every fourth certified participating company has exactly two certified management systems, 17% have three, 14% four.
Every eighth certified company in our sample is even certified against at least five different management systems. Only companies in the manufacturing sector and in the transport and warehousing sectors are affected. In addition, this is primarily the case with very large companies: all of those certified at least five times have a turnover of more than 10 million euros (84% even more than 50 million euros), and with just one exception they all belong to national or international groups of companies. Conversely, it is predominantly (59%) individual companies with mostly fewer than 250 employees that are only certified against a single management system. The distribution of sectors is also much more mixed here: two-thirds do not belong to the manufacturing industry.

The survey also provides insight into which management systems are used jointly. This shows that ISO 9001 serves as the "basic standard" for the quality management system. Almost all users of environmental, energy and occupational safety management systems are also certified against this ISO standard. The environmental and energy management systems are also very often used jointly. This is consistent with previous studies showing that ISO 50001 is very rarely implemented and certified when no other management system is already in place, particularly ISO 14001 and ISO 9001.¹¹ The lowest level of commonality with other standardized management systems is found with ISO/IEC 27001 for information security; a low certification rate among its users had already become apparent here. On the other hand, joint use with other certified management systems (co-occurrence) can be seen for occupational health and safety according to ISO 45001 (BS OHSAS 18001). The scope of such joint use and integration of multiple systems depends crucially on the characteristics of the respective company, e.g. with regard to industry affiliation or company size.
This is consistent with previous studies in other countries where similar trends were found. Overall, this development is also supported by the fact that the ISO management system standards are compatible due to the common high-level structure introduced in 2012 (uniform basic structure, requirements and terms).

Table 3: Integration of various management system standards: percentage of companies certified according to two management system standards. Each row gives, for the companies certified according to the standard named in that row, the percentage that are also certified according to the standard named in the column. The basis is formed by companies that are certified against the respective standard(s). A total of 151 companies have at least one certificate (N=151).

Certified according to ...   ISO 9001   ISO 14001   ISO 50001   ISO/IEC 27001   ISO 45001   IATF 16949
ISO 9001 (n=130)             100.0%     56.9%       34.6%       9.2%            26.2%       15.4%
ISO 14001 (n=75)             98.7%      100.0%      53.3%       13.3%           44.0%       22.7%
ISO 50001 (n=48)             93.8%      83.3%       100.0%      14.6%           43.8%       29.2%
ISO/IEC 27001 (n=20)         60.0%      50.0%       35.0%       100.0%          20.0%       20.0%
ISO 45001 (n=35)             97.1%      94.3%       60.0%       11.4%           100.0%      25.7%
IATF 16949 (n=21)            95.2%      81.0%       66.7%       19.0%           42.9%       100.0%

Big differences in the timing of initial certification

Big differences between the various management systems arose at the time of initial certification. Over 80% of the companies certified according to ISO 9001 have had their certification for at least 10 years. Only every eighth company in our sample has been certified for the first time in the last 3 years. Many participating companies have also had quality management specifically for the automotive industry according to IATF 16949 (ISO/TS 16949) and environmental management according to ISO 14001 for more than 10 years (68% and 60% respectively).

This tends to show that precisely those standards for which certification has been available for some time show relatively more certifications. More recent standards – for which certification has only been possible for a few years – have a lower certification rate. For the standards that were only published after the turn of the millennium (ISO/IEC 20000, ISO 22000, ISO/IEC 27001), less than half of the companies using them are certified. On average, these certifications are also younger: of those certified for their ISMS according to ISO/IEC 27001, published in 2005, 47% have been certified for a maximum of 3 years (after initial certification), and 43% state that they have been certified for between 4 and 9 years. It remains to be seen whether there will be a similar development in the coming years as with the longer established standards. An exception among the more recent standards is ISO 50001 for energy management systems, which was only introduced in 2011 but achieved a comparatively high certification rate early on (72% of the interviewed applying companies are certified): every fifth certified company received its first certificate in the past 3 years, 75% said they were first certified 4-9 years ago. The following chapter on the motives for certification shows a clear reason for this trend.

Figure 11: Years since initial certification (1-3 years, 4-9 years, over 10 years) for various management system standards (ISO 9001, n=127; ISO 14001, n=72; ISO 45001 or OHSAS 18001, n=31; ISO/IEC 27001, n=19; ISO 13485, n=14; ISO/TS 16949 (IATF 16949), n=19; ISO 50001, n=44), together with the year of first publication of the respective international standard.

MOTIVES TO USE MANAGEMENT SYSTEMS

In addition to the primary goal of the respective standardized management system (e.g. increasing the quality of products and services or increasing occupational safety), companies use the management systems for various internal and external reasons. The importance of the motives differs depending on the management system. The participants were asked to rate the relevance of given motives on a scale from "does not apply at all" (1) to "fully applies" (5).

Different main motives for the implementation and certification of management systems

While customer requirements are the main driver for the introduction and certification of ISO 9001 and ISO 14001, with ISO 45001/BS OHSAS 18001 (health and safety) and ISO/IEC 27001 (information security) it is the increase in legal certainty. In the case of ISO 13485 for the field of medical devices, the standard is seen as a door opener for market access, especially abroad. The most important driving force for certification according to ISO 50001 (energy management) is the goal of realizing the associated tax breaks. The desire for internal improvements through a standardized management system is comparatively greatest with ISO 9001 and ISO 45001 (BS OHSAS 18001).

Quality management: driven by customer demands and internal improvement

Customer requirements are the most important reason for the participants in the survey to implement ISO 9001 or to be certified against it. This is particularly true for companies with more than 1000 employees (mean value: 4.5). For small companies with up to 49 employees this is comparatively less important (mean: 3.3). For them, internal company improvements come first (AV: 3.8); for the entire sample, these are the second most important motivation. With the implementation of ISO 9001, they also aim in particular to increase employee awareness of quality and to create legal certainty (AV: 3.6 each).

Figure 12: Average assessment of the motives for implementing the ISO 9001 standard. The basis is formed by responding companies that implement this standard with (N=92-103) or without certification (N=14-16), total (N=106-119). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Overall averages:
Demand from the customer                          4.1
Improvement of internal company processes         4.0
Promotion of domestic market access               3.7
Increase employee awareness                       3.5
Competitors are certified                         3.4
Increased legal certainty                         3.4
Fulfillment of corporate management goals         3.3
Promotion of market access abroad                 3.3
Marketing and image purposes                      3.3
To be the first in the industry to be certified   1.9
Response to a specific incident                   1.3

The export orientation also plays a role: while customer requirements are a decisive motivator for companies that have an export share of more than 50% (AV: 4.6), their importance decreases for companies that are only active domestically (AV: 3.6). The very export-oriented companies also cite market access abroad and the fact that competitors are also certified as other important reasons (AV: 4.1 and 3.9). Overall, market access abroad is one of the main reasons for certification according to ISO 9001 and is therefore rated higher than domestic market access. However, this is also related to the overall high export orientation of the participants surveyed.

Significant differences in the motives for introducing ISO 9001 can be seen overall between the various sectors: while the manufacturing industry is motivated mainly by customer demands (AV: 4.5), domestic market access (AV: 4.1) and only then internal improvements (AV: 3.9), the latter is by far the most important reason for service providers (AV: 4.2). Group requirements and the fulfillment of corporate management goals also play a further important role for service providers (AV: 3.5).

The data also shows that a quality management system is not implemented as a reaction to specific incidents, but rather is a strategic decision based on the above motives. Since the survey not only covered companies that are certified according to ISO 9001 but also those that use the standard without certification, differences in motivation can also be seen here: while certified companies cite external customer requirements as the main motive (AV: 4.3), companies that do not seek certification primarily implement ISO 9001 for internal improvements (AV: 4.0) and to increase employee awareness of quality (AV: 3.7).

Figure 13: Average assessment of the motives for implementing the ISO 14001 and ISO 50001 standards (the motives of Figure 12 plus tax relief, ISO 50001 only). The basis is formed by responding companies that implement these standards with or without certification (N=10 for ISO 14001 or N=22-26 for ISO 50001). Evaluation scale: 1 (does not apply at all) to 5 (fully applies).

In the special case of the quality management system for the medical device industry according to ISO 13485, it is even shown that market access both at home and abroad is the decisive criterion for the introduction and certification (AV: 4.9 and 4.8). Only then do intrinsic motives follow, such as increasing employee awareness or improving internal processes. However, the latter is more important for companies that only implement the standard and do not have themselves certified (AV: 3.8). Although the standard is mainly implemented by large companies, primarily from the manufacturing sector, the motives are nevertheless similar across the entire sample. However, the small sample size of only nine companies limits the meaningfulness here.

Environmental and energy management: mixed motives

Customer requirements are not only the main motivator for implementation and certification in quality management systems. The introduction of an environmental management system in accordance with ISO 14001 is also being driven by customer requirements, albeit at a comparatively low level overall. The fact that competitors are certified also plays an important role here. However, the second main motive is intrinsic: companies want their employees to be more aware of environmental issues and to improve internal company processes overall with the help of the management system.

When implementing an energy management system according to ISO 50001, however, customer requirements play a subordinate role. Rather, the main drivers are the fulfillment of legal requirements and the increase in legal certainty, as well as the incentive to save taxes in particular. Certified companies in Germany can benefit from tax breaks, and some companies are even legally obliged to provide evidence of the use of an energy management system. This explains the great importance attached to these motives by the respondents. Customer requirements or market access do not play a significant role for any of the respondents.

Information security according to ISO/IEC 27001: prevention the most important motive

With the implementation of ISO/IEC 27001, the companies surveyed – regardless of industry or size – primarily want to increase legal certainty or meet legal requirements. There are no significant differences between companies that apply the standard and those that are additionally certified against it. In terms of the standard, its introduction is intended to prevent information security incidents (e.g. hacker attacks), in particular in a preventative sense, to raise employee awareness of information security and to improve internal company processes. External demands from customers have different levels of importance depending on the size of the company. While in smaller companies (fewer than 50 employees) demands from customers do not play a major role (AV: 1.7), this is the most important motive in companies with 250 to 1000 employees (AV: 4.0). As expected, the importance of market access abroad increases with size and export orientation. In smaller companies, on the other hand, the increase in employee awareness in relation to information security is in the foreground. It is striking that the less innovative companies are more motivated than innovative companies with regard to possible internal improvements (AV: 4.3 vs. 3.4).

Figure 14: Average assessment of the motives for implementing the ISO/IEC 27001 standard. The basis is formed by responding companies that implement this standard with (N=22-25) or without certification (N=12-15), total (N=34-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Overall averages:
Increase in legal certainty                       4.2
Prevention of information security incidents      3.9
Increase employee awareness                       3.8
Improvement of internal company processes         3.6
Fulfillment of corporate management goals         3.0
Demand from the customer                          2.9
Marketing and image purposes                      2.7
Promotion of domestic market access               2.5
Promotion of market access abroad                 2.1
To be the first in the industry to be certified   2.0
Competitors are certified                         1.9
Response to a specific incident                   1.5

Differentiation from competitors generally plays a subordinate role. When comparing the motives between certified and non-certified companies applying this standard, however, it becomes apparent that the former take the competition into consideration in their decision: on the one hand, certified companies rate the motive of being the first (or one of the first) in the industry to use this management system higher, and on the other hand the fact that competitors are already using this standard. A specific information security incident is not a decisive motivator for the participating companies to introduce a management system according to ISO/IEC 27001, which again points to an intrinsically motivated, preventive drive. The special part of this survey also sheds light on difficulties in introducing ISO/IEC 27001 as well as on reasons for not using this management system and possible measures to increase its spread.

Figure 15 compares the motives for using the various management systems. The effects realized through the application of the standards are presented in the following section.

Figure 15: Comparison of the average assessment of the motives for the implementation of various management system standards (radar chart over the motives: customer demand, internal improvement, incident response, to be the first to get certified, market access abroad, image purposes, employee awareness, competitors are certified, domestic market access, fulfillment of corporate governance goals, increase legal security). ISO 9001 (N=106-119), ISO 13485 (N=8-9), ISO 50001 (N=22-26), ISO 14001 (N=10), ISO/IEC 27001 (N=35-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies).

EFFECT OF MANAGEMENT SYSTEMS

The individual management systems have very different effects on the companies concerned. The participants were asked to rate the impacts that they believe have been realized through the implementation of the respective management system standards. Here, too, given effects were rated on a scale from 1 ("does not apply at all") to 5 ("completely applies").

Management system standards serve their purpose

With the management systems according to ISO 9001, ISO 45001 (BS OHSAS 18001) and ISO/IEC 27001, the main benefit is seen in improvements in terms of the purpose of the respective standard, i.e. quality, occupational health and safety and information security. Also in terms of financial effects, respondents generally perceive cost savings as one of the most important benefits. Tax breaks as well as energy and cost savings are in turn the main advantages of the energy management system according to ISO 50001. Greater awareness among employees is the most important effect in the case of ISO 14001 and also a significant effect of the use of the management systems according to ISO/IEC 27001 and ISO 9001. Respondents did not report any notable impact on sales from the management system standards, with the exception of the companies applying ISO 13485 (quality management for medical devices).

ISO 9001 achieves the desired effect with quality improvement

An improvement in the sense of ISO 9001, i.e. ensuring or improving the quality of the manufactured products or services (e.g. lower reject rates or fewer customer complaints), is confirmed as the strongest effect by the participants.¹² In this sense, the stronger employee awareness of quality issues is also a second main effect of the management system according to ISO 9001. Image improvements are among the main effects, while increases in sales are considered comparatively small. In particular, companies that only sell domestically realized lower sales effects through ISO 9001 compared to exporting companies (AV: 2.1 compared to 3.2). However, ISO 9001 hardly had any impact on insurance premiums in the participating companies.

Figure 16: Average assessment of the impact of using the management system according to ISO 9001. The basis is formed by responding companies implementing this standard with (N=76-104) or without certification (N=14-16), total (N=90-120). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Averages in total:
Quality improvement                               3.9
Higher employee awareness                         3.7
Image improvement                                 3.6
Reduction of internal company costs               3.5
Greater legal certainty                           3.3
Increase in sales through reference to certificate 3.1
Lower insurance premiums                          2.0

Company characteristics hardly play a role in the perception of the effects of ISO 9001, which are rated similarly by all respondents, regardless of industry, number of employees, turnover or export orientation. However, there are differences between the companies that are certified according to ISO 9001 and those that have only implemented the standard: for both groups, the company-internal improvements through the quality management system are the most important effects. However, those who are not certified perceive them more strongly than those who are certified (mean: 4.3 versus 3.9). The increased employee awareness is also rated second by the non-certified with 3.9, higher than by the certified. It is also noticeable that those who are not certified name increased legal certainty as the third most important effect (AV: 3.8), while this only ranks 5th for those who are certified (AV: 3.2). The effects on costs and insurance premiums are estimated to be comparatively lower by both groups.

Environmental management systems increase employee awareness – financial advantages as the main effect of energy management systems

Increased awareness of environmental issues and actual improvements in terms of the management system are the greatest perceived effects among the surveyed users of the environmental management system according to ISO 14001. Image improvements and cost savings are also important effects.

For users of an energy management system according to ISO 50001, however, the financial advantages are the most important: in addition to the reduction in the company's internal energy costs, the tax relief that is granted with the certification plays by far the most decisive role. But even non-certified companies benefit: for them, the increased legal certainty through the application of ISO 50001 is the most important main effect (AV: 4.8). This is also based on the binding EU Directive 2012/27/EU on energy efficiency, according to which non-SMEs have to carry out an energy audit. ISO 50001 can support companies in meeting the requirements of the directive. In this sense, the survey results also show that large companies in particular, as those affected by the EU directive, use the ISO 50001 management system. If one takes into account their tendentially higher energy consumption, they are also the ones who can benefit above average from better energy management. Accordingly, the random sample almost exclusively identified energy-intensive processing sectors such as the chemical industry as the main users of the standard.

Figure 17: Average assessment of the impact of using the management systems according to ISO 14001 and ISO 50001 (effects: tax relief (ISO 50001 only), higher employee awareness, improvement in terms of the management system, image improvement, reduction of internal company costs, greater legal certainty, increase in sales through reference to certificate, lower insurance premiums). The basis is formed by companies that implement these standards with or without certification (N=8-10 for ISO 14001 or N=18-26 for ISO 50001). Evaluation scale: 1 (does not apply at all) to 5 (fully applies).

ISO/IEC 27001 is often implemented without certification – increasing security is in the foreground

With 20 certified companies and another 33 that have implemented an information security management system according to ISO/IEC 27001 without certification, this standard is one of those with the smallest certification rates. As the analysis of the motives already showed, the main drivers for the introduction of the standard were primarily intrinsic motives; the focus is likewise on internal effects, particularly with regard to prevention. All companies, regardless of size and industry, consider the increase in information security in the company to be the most important effect. The risk of information security incidents could also be reduced. Increasing employee awareness with regard to information security was a main motivation for introducing a management system according to ISO/IEC 27001 and actually occurs as another significant effect. An increase in legal certainty – although the main motive for the introduction (AV: 4.2) – is only in fourth place among the realized effects (AV: 3.7).

Direct financial benefits in the form of cost savings (due to fewer information security incidents) or increases in sales only occur to a small extent as an effect, regardless of company size, industry or innovation activity. However, there are differences with regard to a reduction in insurance premiums: larger companies and the manufacturing industry (AV: 3.1 compared to 1.3 for service providers) register a comparatively high impact through the use of ISO/IEC 27001.

In principle, certificates have a signaling function towards interested parties. Certificate holders can show them that they meet the requirements of the standard. Compared to the companies that implement the standard but do not hold a certificate, the certified respondents can also record a higher image gain (average: 2.5 compared to 3.4). Overall, however, this effect is comparatively lower than with the ISO 9001 or ISO 14001 standards. The various effects of the management systems are shown in Figure 19 for comparison.

Figure 18: Average assessment of the impact of using the management system according to ISO/IEC 27001. The basis is formed by companies that implement this standard with (N=11-15) or without certification (N=17-25), total (N=28-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). Averages in total:
Increasing the company's information security     4.1
Reduction of risk of information security incidents 4.0
Higher employee awareness                         3.9
Greater legal certainty                           3.7
Image improvement                                 2.8
Increase in sales through reference to certificate 2.8
Reduction of internal company costs               2.7
Lower insurance premiums                          2.1

Figure 19: Comparison of the average assessment of the effects of implementing various management system standards (radar chart over the effects: improvement in the meaning of the management system, higher employee awareness, less insurance premiums, image improvement, increase in sales, reduction of internal costs, greater legal security). ISO 9001 (N=90-120), ISO 13485 (N=5-9), ISO 50001 (N=18-26), ISO 14001 (N=8-10), ISO/IEC 27001 (N=28-40). Evaluation scale: 1 (does not apply at all) to 5 (fully applies).

The following section examines how the participating companies assess the overall cost-benefit ratio of the certification.

Cost-benefit ratio highest in the quality management systems

Finally, the participants were asked whether the certification is, all in all, a good investment in terms of costs and benefits (on a 5-point scale from "does not apply at all" to "completely applies"). In the case of ISO 13485 (medical products - quality management systems), the respondents are particularly satisfied with regard to the cost-benefit ratio (however, the small number of companies of n=9 must be taken into account). Satisfaction with ISO 9001 overall is also quite high, regardless of company size or industry (AV: 3.9). The ISO 14001 certification has the lowest level of satisfaction (AV: 3.4). Overall, there are no significant differences in satisfaction with regard to industry, company size, research and innovation activities, or use with or without a certificate.

Figure 20: An assessment of whether, all in all, the management systems mentioned represent a good investment in terms of costs and benefits for the company. Rating scale: 1 (does not apply at all) to 5 (applies fully). Mean (MW) and number of responses (n):
ISO 13485       4.6   n=9
ISO 45001       (mean not legible in the extracted figure)   n=44
ISO 9001        3.9   n=116
ISO/IEC 27001   3.8   n=36
ISO 50001       3.7   n=26
ISO 14001       3.4   n=10

Differences between the motivation to introduce management systems and the effects actually achieved

The overall positive results in terms of overall satisfaction are further supported if one compares the effects that actually occurred with the initial motives: some effects are rated higher than the corresponding motivation. For ISO 9001, ISO 13485 and ISO 14001 this is the case with image enhancement. The situation is different, however, when it comes to increasing legal certainty through the use of
standardized management systems: although this is rated In particular, with ISO/IEC 27001 and ISO 13485 (quality as an important main effect in many systems, there is management for medical devices), the company- still a negative deviation compared to the original internal improvements become clear in their actual effect motivation. Here the actual effect falls short of the apparently high expectation. Deviations between motives for introduction and actually perceived effects (based on Deviations between motives for introduction and actually perceived effects the respective average (related to the respective average values) values) 0,8 0,6 0,5 0,6 0,4 0,3 0,3 0,4 0,2 0,2 0,2 0,1 0,1 0,1 0,0 -0,2 0,0 0,0 -0,1 -0,1 -0,4 -0,4 -0,6 -0,5 ISO 9001 ISO 14001 ISO 50001 ISO/ IEC 27001 Corporate Improvement Increase employee awareness Increase in legal certainty image purposes Figure 21: Deviations in the assessment of the effects actually perceived from the original assessment of the motives (based on the respective mean values). ISO 9001: N=90-120, ISO 14001: N=8-10, ISO 50001: N=18-26, ISO/ IEC 27001: N=28-40. CERTIFIED AND NON-CERTIFIED COMPANY COMPARISON The analysis of the certification rates has already are exclusively or mainly active in Germany. shown clear differences between the individual management systems. The data also indicate that for both standards, manufacturing companies tend to A closer look shows that especially large and very comparatively often do without certification. 
are certified than those in the service sector, which export-oriented companies Not only implement management systems according to ISO 9001 and ISO 14001, but are also more likely to If one looks at the motives and realized effects, there are sometimes clear differences between certified and only be certified accordingly than small companies and those that implementing companies Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 27 Machine Translated by Google perceive the quality management system as the most evident. Non-certified companies tend to be even more intrinsically motivated important effect; However, they rate non-certified higher than as certified. For example, in the case of ISO 9001 or ISO certified. Similar patterns can also be seen in employee 50001, they are primarily motivated by internal improvements and an increase in employee awareness, while awareness. Legal certainty that has been gained is also used by non-certified persons external customer requirements are the main drivers for those tends to be rated higher than by those who have been certified who are certified, in addition to internal improvements. And even – for both ISO 9001 and ISO 50001. with ISO/IEC 27001, competitors play a greater role as an As expected, image gains are much more pronounced among external factor than with non-certified companies. those who have been certified than among those who implement a management system without obtaining a certificate (observed in particular with ISO/IEC 27001). Especially with ISO 9001 it also shows that both Group corporate improvements SPECIAL PART: ISO/IEC 27001 background High increase in ISO/IEC 27001 certificates worldwide – use mainly in the ICT sector In the course of digitization, information security is playing an increasingly important role in companies. 
Since 2005, ISO/IEC 27001 has made it possible to implement a According to the latest ISO survey, there were 31,910 worldwide as of December 31, 2018, after a steady increase since 2006 corresponding internationally standardized management valid ISO/IEC 27001 certificates.13 With 1,057 system. Certification according to international standards certificates at 2,003 locations (sites), Germany is in fifth place worldwide. For about 40% of the Standards such as ISO/IEC 27001 are also gaining in importance Certificates in Germany were sectoral data in in light of the latest European and German regulatory initiatives, collected as part of the ISO survey. According to this, in 2018 e.g. within the framework of the IT security catalog and every second ISO/IEC 27001 certificate was in the IT sector, within the framework of the Cyber security Act (EU 2019/881 followed by the service sector with 23% and mechanical and on the certification of cyber security of information and plant engineering with 5%. communication technology ). Despite the high growth rates for the certs As a result of the clarifications, this standard has not been So far, however, there have only been very few scientific as widespread in Germany and worldwide as might be surveys of use in companies worldwide. expected given the ongoing digitization and the associated No cross-industry data is available for Germany yet. This importance of the information security of digitally stored data. survey thus provides the first insight into the implementation For this reason, the survey not only asked about the motives and certification according to ISO/IEC 27001. 
and the effect, but also about hurdles in the introduction and potential measures to promote the use of the 28 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) Machine Translated by Google Definition of information security ISO/IEC 27001 As information security, reference is made to the Standard DIN EN ISO/IEC 27000:2017 the upright The international standard ISO/IEC 27001 is part of the maintaining the confidentiality, integrity and availability of information. With the help of International Electrotechnical Commission (IEC) at the end of 2005, and specifies the requirements for the Confidentiality of information is to ensure that information is establishment, implementation, maintenance and not made available to unauthorized persons. Integrity ensures that continuous improvement of information security ISO/IEC 27000 family, published by ISO jointly with the the information is correct and complete and is not changed without management system (ISMS). After implementing an authorization. Availability, on the other hand, describes the ISMS based on ISO/IEC 27001, organizations can also be property that information can be accessed and used by the certified if they wish. authorized person. Management system according to ISO/IEC 27001 in Germany. not use this management system. Of these 114 companies, more than one in four stated that they did not know the standard at all (29%). Lack of external pressure Main reason not to implement Of the companies that are familiar with the standard, one in five ISO/IEC 27001 plans to use it in the future. Most of those who do not plan to do so say that customers or the legislator do not require an ISMS. The motives for implementing ISO/IEC 27001 and the effects Few respondents justify non-application of the ISO/IEC achieved have already been highlighted in the main part of 27001 standard with the fact that ISO 9001 already covers the report. 
However, the survey also targeted those information security. Good companies that Why is ISO/IEC 27001 not used? Why is ISO/IEC 27001 not used 42% My customers don't ask for it 30% The legislature does not require it 28% The top management sees no need or has rejected it 25% Haven't really thought about it yet No staff to introduce one Information security management system available 23% 22% IT is outsourced to a service provider 19% Costs outweigh benefits 11% ISO 9001 covers information security sufficiently 11% My company is not a potential victim of an attack 0 5 10 15 20 25 30 Figure 22: Reasons for not implementing the ISO/ IEC 27001 standard. The basis is formed by companies that know this standard but do not apply it, N=64 (multiple answers possible). Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 29 Machine Translated by Google ISO/IEC 27001 Reasons for non-certification ISO/IEC 27001 Reasons for non-certification Customers don't ask for it Figure 23: Reasons for waiving 4,0 certification according to ISO/ IEC 27001. The basis is formed by companies, 3,8 Costs outweigh benefits who apply this standard, however 3,6 Legislators don't require it are not certified to do so (N=16-17). Evaluation scale: 1 3,4 Deviation from the norm possible due to waiver (does not apply at all) to 5 (fully No competitive advantages applies). 3,4 High bureaucracy 3,2 2,0 Disturbance of normal operation due to audit 1 2 3 4 5 one in ten respondents, on the other hand, gives the reason The time required is seen as the greatest difficulty, followed by that their own company is not a potential victim of an attack. the high costs. 
This is followed by the necessary external However, large and innovative companies in particular do advice, which can also be seen in connection with the other see the danger here: innovative companies never justify difficulties - the complexity of the standard content and the lack of non-application with a lack of risk - on the contrary, 60% of them name a lack of pressure from customers as the reason. internal expertise on the part of the IT staff. Almost every fourth respondent gives as a reason for not The high costs and the lack of internal expertise (in the form of using ISO/IEC 27001 that the top management does not see the need to implement the management system. qualified personnel) are Manufacturing considered higher hurdles than The lack of qualified personnel is also in the other industries. In most cases, the hurdles are rated higher mentioned by many companies as an obstacle to the by companies using this standard without being certified for it. introduction. A quarter of the companies have not yet This applies in particular to the low motivation of the employees thought about implementing the ISO/IEC 27001 standard and the lack of commitment from the top management level. and 22% state that they have outsourced their own IT to external service providers. Companies that use the standard but do not get certified for it Various measures can help with the dissemination cite that the main reasons are that customers do not require certification, the cost of certification is too high and that the If dissemination of the ISO/IEC 27001 standard is actively legislator does not require certification. sought, various measures can contribute to this. The participants were able to assess the suitability of possible measures that could promote the use of the ISO/IEC 27001 standard in Germany. 
All of the proposed measures (with Effort and expertise major difficulties in implementing ISO/IEC 27001 mean values between 3.6 and 4.1) are rated as sensible by the companies applying the standard. The provision of guidelines for action, especially for SMEs, is considered to be Companies that have implemented an ISMS according particularly helpful. see SMEs to ISO/IEC 27001 or are certified in this regard were asked about the obstacles to implementation. 30 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) Machine Translated by Google Difficulties with ISO/IEC 27001 Difficulties with ISO/IEC 27001 3,5 High expenditure of time 3,0 High costs 2,9 Required external advice for implementation 2,8 Complexity of the standard content 2,7 In-house expertise not sufficient 2,4 uncertainty about benefit 2,3 Few advisory services available 2,3 Difficult determination of scope 2,3 Low motivation of employees 2,0 Lack of commitment from top management 2 1 In total certified 3 4 5 Non-certified Figure 24: Average assessment of the difficulties in implementing and certifying an ISMS according to ISO/ IEC 27001. The basis is formed by companies that use this standard without certification (N=19-23) and with certification (N=12-14). Evaluation scale: 1 (does not apply at all) to 5 (fully applies). a high financial hurdle when introducing an ISMS according to ISO/IEC 27001. As expected, they consider financial support especially for this target group to be very useful. This applies both to financial support for consulting services (AV 4.3 versus 3.4 for large companies) and for certification and its maintenance. guidelines for action are particularly high, followed by training courses and financial support. On the other hand, they rate demands from customers or the legislator as less conducive to dissemination than those companies that already use the ISO/IEC 27001 standard. 
With mean values of 3.6 or even 3.9, the demand for proof from the legislator or the customer is also considered a sensible measure by everyone companies to varying degrees surveyed using ISO/IEC 27001 companies, with no major differences in terms of company size or industry. All participating companies were asked whether there had ever been an incident that affected the confidentiality, availability or integrity of important information. A quarter of respondents answered yes, although there are differences by company size. While only However, companies certified according to ISO/IEC 27001 consider this to be a more sensible measure overall than companies that apply this standard without certification (AV 4.2 vs. 3.3 when required by legislators and AV 4.5 vs. 3.5 when required by Customers). Companies that are familiar with ISO/IEC 27001 but do not use it evaluate the benefits of a affected by information security incidents one in ten small companies answered yes to this question, this is the case for more than one in two large companies.14 Comparing the groups of users and Non-user of a management system according to ISO/ Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 31 Machine Translated by Google Measures to disseminate ISO/IEC 27001 Measures to disseminate ISO/IEC 27001 Figure 25: Evaluation of 4,1 Guidelines for action, especially for SMEs 4,5 measures to promote the spread of 3,9 Practice-oriented training materials the ISO/ IEC 27001 standard in Germany. base form sub 4,3 3,9 Financial SME support for advice assume that apply this standard 4,2 (N=35-40) and companies 3,9 Customer requests proof 3,0 who know this standard, but not apply (N=10-12). Evaluation scale: 3,9 4,0 Increasing awareness of the standard 1 (not useful at all) to 5 (very 3,8 Financial SME support for certification useful). 
4,2 3,7 3,6 Best practice exchange between companies 3,6 Legislators require proof 3,0 2 1 Users ISO/IEC 27001 5 4 3 Non ISO/IEC 27001 users IEC 27001 shows that users report being affected by Conclusion and Outlook information security incidents more frequently than those who do not use this ISMS standard. While only one in four nonusers reported an incident in the In view of the growing importance of information security and the increasing risk of potential attacks that could endanger information security,15 ISMS in Companies in the past reported that 38% of the group of accordance with ISO/IEC 27001 are implemented very companies using ISO/IEC 27001 do so. In this context, cautiously in Germany. The survey was able to provide initial however, the motives behind the implementation of the insights into motives, effects and hurdles. The results indicate management system according to ISO/IEC 27001 have that although the standard is known to many, there is often no shown that specific incidents are not a significant driver for the need to implement it, as this is not (yet) actively demanded by interested parties. Also the one with the respondents are, but rather strategic motives are present. Occurrence of information security incidents Occurrence of information security incidents Figure 26: Occurrence of incidents In total 27% 56% that compromised the confidentiality, 17% availability or integrity of important information (cyber attack, intrusion, insiders, data protection). Basis: user 38% 43% 19% all survey participants, N= 161 (users of an information security management system according to non-user 24% 16% 61% ISO/ IEC 27001 (N=42) and non-users (N=119)). 0% 20% 40% 60% 80% 100% Yes No Don't know 32 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) Machine Translated by Google The effort involved in introducing it is viewed as Dissemination is seen both in financial and informational a hindrance. 
measures as well as through demands for proof from customers or the legislator. However, an analysis of the impact of ISO/IEC 27001 shows that the ISMS can help Increase information security in the company and to reduce the risk of information security incidents, including Special study on ISO/IEC 27001 by increasing employee awareness of information security. Based on the first findings of this survey, 125 companies Overall, the general satisfaction with the cost-benefit ratio of ISO/IEC 27001 is high among the certified companies surveyed. certified according to ISO/IEC 27001 were surveyed separately at the beginning of 2020. The results of this study will be published in a separate QIFoKuS Report (Vol. 2). ways to support others THE ROLE OF CERTIFICATION, ACCREDITATION AND CUSTOMER AUDITS Certificates can help companies to signal the fulfillment of requirements for products or working methods and Competence and its proof Main criteria when choosing the certification body processes in the form of management systems and thus reduce information asymmetries between market participants. By far the most important criterion for the participants in this survey when selecting the certification body is its accreditation. Through accreditation, certification bodies can have their competence confirmed by an independent Companies usually have the choice of which certification accreditation body. This great importance is also reflected in body they want to be certified by. the actual certification practice: 99% of the respondents state So far, however, there have only been a few studies on the that at least one of their certificates is from an accredited Zerti criteria that companies use. The present study has addressed such criteria for the most widespread management system standard ISO 9001 as well as for ISO/IEC 27001 for certification body has been issued. information security. 
The participating companies were asked to rate the given criteria on a scale from “not at all important” (1) to Following on from this, the second most important criterion “very important” (5) according to the importance they attach when selecting the certification body is the to them. The following section examines the results in detail. professional competence of the auditors, followed in the case of ISO 9001 by the reputation of the certification body. Specialist knowledge of the respective customer's industry also plays a comparatively large role. Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 33 Machine Translated by Google Criteria for choosing the certification body Criteria for choosing the certification body 4,6 Certification body is accredited 3,9 4,2 Competence of the auditors 3,7 4,0 Reputation (image) of the certification authority 3,2 3,9 Specific knowledge of the industry 3,3 3,7 Easy and quick implementation 3,0 3,5 Possibility of an integrated audit 3,7 3,5 International orientation of the certification body 3,0 3,1 Low certification authority fees 3,2 3,0 Low travel and ancillary costs (auditor) 2,8 2,2 Third Party Recommendation 1,4 2,2 Specification by the top management level 1,5 1,6 Specification/request from the customer 1,4 1 2 3 4 ISO 9001 ISO/IEC 27001 Figure 27: Average evaluation of the criteria when choosing certification bodies for the ISO 9001 (N=76-87) and ISO/ IEC 27001 (N=12-13) standards. Rating scale: 1 (not important at all) to 5 (very important). While it is also important to the participants that the certification give different reasons. 45% of the 104 participants is carried out quickly and easily, the costs of the certification who provided information on this had already changed (fees of the certification body and ancillary and travel certification bodies in the past. The reason given most costs) are less important. 
Especially strongly export-oriented frequently by the participants was dissatisfaction with the companies with more than half of their sales abroad, which professional performance of the certifier. Close behind is are certified according to ISO 9001, rate the international the desire to bundle the certifications in the company to orientation of the certification body as particularly important (AV: one provider. Although cost is not one of the most important reasons for choosing a certification authority as described 4.2 compared to AV of 2.5-3.4 for comparison groups). above, it can still be a reason for switching: 40% of The participants attach the least importance to the recommendation or specification of third parties when choosing the certification body. Respondents name this. For 17%, different interpretations of the requirements from the relevant management system standard by the auditors offered a reason to change the Companies often use different ISO management systems in certification body. parallel. In particular, companies using ISO/IEC 27001 name the possibility of an integrated audit as an important criterion when choosing their certification body. 60% are already certified according to ISO 9001, every second according to Great importance of accreditation and international recognition agreements ISO 14001. Especially in the international movement of goods With integrated audits by a certification body, companies can benefit from uniform structures, pool resources and use mutual recognition of certificates an important trade synergies. facilitation. Recognition agreements for accreditations therefore play an important role. However, only every second respondent knows this tool (56% of n=138). However, only Professional dissatisfaction main reason for Change of certification authority 64% can confirm whether there is a recognition agreement for their certificates, with around 18% denying this or saying they don't know. 
The For changing a certification authority, it can 34 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) 5 Machine Translated by Google Certification authority in Certification authority in past changed past changed Reasons for changing certification authority Reasons for changing certification authority Dissatisfaction with the professional performance of the 23 certifier 22 Bundling to one provider for certification 45% 55% 19 cost reasons Different interpretation of the requirements by different providers 8 3 Lack of accreditation of the certification body Lack of recognition of the certificate (due to 1 reputation of the certification body) Yes No 0 10 5 20 15 25 Figures 28 and 29: Percentage of participants who have already changed certification bodies in the past (left, N=104) and number of reasons given for changing certification bodies (right), N=47 (multiple answers possible). Every second survey states that it is also audited by customers. Respondents, however, confirm the effect of such agreements: 78% of 40 respondents agree that they contribute This is particularly the case with the quality management to better recognition of certificates abroad. standards: In addition to ISO 9001 (51 participants), this also applies to the industry-specific management systems in the medical device sector and the automotive industry (12 and 15). Environmental management systems according to ISO Customer audits with high relevance in practice 14001 and occupational health and safety management In addition to conducting internal audits (first side) and also audited by customers of the companies surveyed (20 auditing by independent external parties (third side/certification), and 15 cases). systems according to ISO 45001 (BS OHSAS 18001) are companies are often also audited by their customers (second In most cases, customer audits replace this side). 
From 134 participating companies our no certificates, but 27% of the Accreditation and International Recognition Agreements Accreditation and International Recognition Agreements Has one of your certificates been issued by an accredited certification body? 108 1 Have you ever heard of international recognition agreements for the 56 71 accreditation of certification bodies? Does your certification have an international recognition agreement in terms of 42 12 11 12 accreditation? 0 20 40 60 80 100 120 140 160 Yes No Don't know Figure 30: Number of participants who state whether their company holds a certificate issued by an accredited certification body (N=109), whether they are aware of international recognition agreements for accreditation (N=138) and whether their companies have a certification international recognition agreement exists (N=66). Research for Conformity Assessment and Safety (QI-FoKuS) | QUALITY INFRASTRUCTURE 35 Machine Translated by Google The international recognition agreement contributes to to be recognized Theabroad international recognition agreement makes it easier for certificates Certificates are more easily recognized abroad % 5% 5% 0% 13% 10% 23% 20% 30% 55% 40% 50% Doesn't apply at all1 2 60% 70% 80% 100% 90% 3 4 Fully agree5 Figure 31: Assessment of whether recognition agreements help to ensure that certificates are more easily recognized abroad (N=40). Participants that certificates at least partially replace customer audits. For 69% of the respondents, an existing certification tend to be described as more stringent than certification: 63% simplifies the customer audit process. The requirements of the audits go beyond the requirements of the certifier. 
of those surveyed state that the requirements of customer customer audits Customer audits and certificates Customer audits and certificates mean values Customer audits replace certificates Certificates replace customer audits 22 The requirements in the customer audits go beyond the requirements of the certifier. 10 8 5 Certificates simplify the customer audit process 8 51 6 16 20 11 9 5 24 9 3 9 21 1,4 2,6 20 3,7 21 3,8 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Doesn't apply at all1 2 3 4 Fully agree5 Figure 32: Relationship between customer audits and certification (N=64-66). Evaluation scale: 1 (does not apply at all) and 5 (fully applies). 36 QUALITY INFRASTRUCTURE | Research for conformity assessment and safety (QI-FoKuS) Machine Translated by Google CONCLUSION The study examines the use and effects of management systems in Germany with a focus on conformity assessment. The participating companies were asked about the most widespread standardized management systems. The survey thus provides insights not only into the established standards such as ISO 9001 or ISO 14001, but also to more recent ones such as ISO 50001 for energy management systems and, for the first time across all sectors, ISO/IEC 27001 for information security management systems. The data shows that the use of two or more management systems is widespread and companies appear to be of synergies can be used. Not only does a differentiated picture emerge of the various main motives and effects, but the data also allow a systematic differentiation between the assessments of certified and non-certified companies. For the still little used management system The companies using the ISO/IEC 27001 standard for information security are satisfied with it increase business and the risk of reduce information security incidents. However, hurdles are seen in particular in the effort associated with implementation. 
If further dissemination of this management system standard is desired, the measures that the participants consider useful can be taken; these are aimed in particular at providing more information and financial support for implementation and certification, especially for SMEs. One focus of the study is the consideration of the various parties who can carry out the conformity assessment. The results underscore the great importance of competent certification bodies and the important role of accreditation in this area, even though many of the participants in the survey turn out not to be familiar with the underlying mechanisms, such as the international recognition agreements for accreditation. Furthermore, the important position of supplier and customer audits in business practice is confirmed.

lich of their contribution, the information security in the

GLOSSARY

— Accreditation: In the accreditation procedure, conformity assessment bodies prove to an independent accreditation body that they carry out their activities in a technically competent manner, in compliance with legal and normative requirements and at an internationally comparable level. The accreditation body appraises and monitors the management system and the competence of the staff employed by the conformity assessment body. (16)

— Recognition agreement: The mutual recognition of the services and results of accredited bodies worldwide contributes to reducing technical barriers to trade and to the international acceptance of accredited assessment services without costly multiple accreditations. This procedure follows the principle "tested once, accepted everywhere". To this end, national accreditation bodies can enter into multilateral agreements with the European and international accreditation organizations (EA MLA, IAF MLA and ILAC MRA). (17)

— Audit: Systematic, independent, documented process for obtaining records, statements of fact or other relevant information and evaluating them objectively to determine the extent to which specified requirements are met (ISO/IEC 17000).

— Conformity assessment: Demonstration that specified requirements relating to a product, process, system, person or body are met (ISO/IEC 17000). Conformity assessments can be performed by many parties, including the provider of a product or service, its purchaser and other parties that may have an interest, such as insurance companies and regulators:
  — Internal audit (first party): carried out by the person or organization that offers the object of conformity assessment.
  — Supplier (or customer) audit (second party): carried out by a person or organization that has an interest in the object of the conformity assessment as a user (e.g. the buyer or user of a product).
  — External audit (third party): carried out by a person or body that is independent both of the person or organization responsible for the object of the conformity assessment and of any interest in that object as a user (e.g. certification).

— Management system: A management system includes the activities by which an organization identifies its goals and determines the processes and resources required to achieve the desired outcomes. (18) These goals can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, occupational health and safety, and many others. Standards, e.g. from the International Organization for Standardization (ISO), specify requirements or guidelines to support organizations in the design and implementation of their policies and processes to achieve these goals.

— Quality infrastructure: The system that comprises the organizations (public and private) together with the set of rules, the relevant legal and regulatory framework and the actions needed to support and improve the quality, safety and environmental performance of goods, services and processes. It is based on standardization, conformity assessment, accreditation, metrology and market surveillance. (19)

— Certification: Confirmation by an independent third party that specific requirements for a product, process, system or person are met (ISO/IEC 17000). When certifying standardized management systems, an independent external auditor confirms whether the documented procedures of the respective organization are appropriate and followed in practice, so that the organization meets the requirements specified in the management system standard. (20)

ABBREVIATIONS

DAkkS: German accreditation body (Deutsche Akkreditierungsstelle)
ICT: Information and communication technology
IEC: International Electrotechnical Commission
ISMS: Information security management system
ISO: International Organization for Standardization
MV: Mean value
QI: Quality infrastructure
SMEs: Small and medium-sized enterprises

THANKS

The authors would like to thank the many people who supported this study: in particular Philipp Hess (TU Berlin) for helpful tips on questionnaire design and evaluation, Jonas Haas for statistical support, Petra Keitzl and Susanne Stobbe for project management and proofreading, and Olaf Mätzner for technical support. We would also like to thank the German Society for Quality (DGQ), the associations VCI and VDA and the umbrella organization BDI, as well as various certification bodies, for announcing the survey among their members and customers. Thanks are also due to the interviewees who helped prepare the survey.
We thank the BMWi and Dr. Michael Nitsche (BAM) for the general support of the project.

NOTES AND REFERENCES

1 Blind, K. (2015). From standards to quality infrastructure: A review of impact studies and an outlook. In: P. Delimatsis (Ed.), The law, economics and politics of international standardization. Cambridge University Press.

2 Cf. Castka, P., & Corbett, C. J. (2015). Management Systems Standards: Diffusion, Impact and Governance of ISO 9000, ISO 14000, and Other Management Standards. Foundations and Trends in Technology, Information and Operations Management, 7, 161-379; and Power, D., & Terziovski, M. (2007). Quality audit roles and skills: Perceptions of non-financial auditors and their clients. Journal of Operations Management, 25(1), 126-147.

3 ISO 9000:2015.

4 www.iso.org/management-system-standards

5 See Blind, K., & Mangelsdorf, A. (2016). Certification in German companies: between competitive advantage and cost factor. In: R. Friedel & E. A. Spindler (Eds.), Certification as a success factor: Sustainable management with trust and transparency (pp. 23-32). Springer.

6 As far as the relative number of the respective certifications is concerned (i.e. the certifications related to the number of companies in the country), Germany is well behind countries such as Italy or Spain (see Heras-Saizarbitoria, I., & Boiral, O. (2013). ISO 9001 and ISO 14001: towards a research agenda on management system standards. International Journal of Management Reviews, 15(1), 47-65). For quality management specifically for the automotive industry according to IATF 16949 (previously ISO/TS 16949), no data from the ISO Survey 2018 are available, as it has been an IATF (International Automotive Task Force) standard since 2016. In the area of occupational health and safety management, the figures only refer to the ISO 45001 standard, which has replaced the BS (British Standard) OHSAS 18001 standard since 2018, with a transitional period until 2021 for certified companies.

7 The ISO Survey only records certifications that are reported by the accredited bodies. Possible reporting errors can also lead to distortions, as can the fact that certificates from non-accredited bodies are not taken into account. See ISO (2019), The ISO Survey, available at: https://www.iso.org/the-iso-survey.html

8 See ISO Survey (2019). The decrease in the number of valid certificates recorded in 2018 compared to the previous year can be explained by a change in the collection method as part of the annual ISO Survey.

9 Hereinafter referred to as "manufacturing industry".

10 The survey relates to the number of valid certificates of selected ISO management standards issued by certification bodies accredited by members of the International Accreditation Forum (IAF).

11 Cf. Karcher, P., & Jochem, R. (2015). Success factors and organizational approaches for the implementation of energy management systems according to ISO 50001. The TQM Journal, 27(4), 361-381. doi:10.1108/TQM-01-2015-0016; and Wulandari, M., Laskurain, I., Casadesús, M., & Heras-Saizarbitoria, I. (2015). Early Adoption of ISO 50001 Standard: An Empirical Study. In A. Chiarini (Ed.), Sustainable Operations Management: Advances in Strategy and Methodology (pp. 183-202). Cham: Springer International Publishing.

12 This effect is experienced even more strongly by users of the quality management system for medical devices according to ISO 13485 (4.1). These generally tend to report stronger effects than users of general quality management according to ISO 9001. This applies especially to the positive effects on sales (both the strongest effect, 4.7 for ISO 13485, and the largest difference to ISO 9001, which scores only 3.0); (n=5-9).

13 Due to a change in the survey method, from 2018 the valid ISO certificates can no longer be compared with previous years (ISO, 2019).

14 Similarly, in the 2018 cyber security survey by the Alliance for Cyber Security, 43% of large and 26% of medium-sized companies stated that they had been affected by cyber security incidents in 2018. See Federal Office for Information Security (BSI). (2018). Cyber security survey 2018: Cyber risks & protective measures in companies. Retrieved from: https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/ACS/cyber-Sicherheits-umfrage_2018.pdf?__blob=publicationFile&v=9

15 Ibid.

16 https://www.dakks.de/content/was-ist-akkreditierung

17 https://www.dakks.de/content/internationales-netzwerk

18 ISO 9000:2015.

19 UNIDO. (2018). Quality Infrastructure: UNIDO's unique approach. Retrieved from: https://www.unido.org/sites/default/files/files/2018-08/UNIDO_QI_CASE_FINAL_ONLINE_2.pdf

20 See Castka, P., & Corbett, C. J. (2015).

202000661 - BAM Media Team
Federal Institute for Materials Research and Testing (BAM)
Unter den Eichen 87
12205 Berlin, Germany
Info@bam.de
www.bam.de