Data centers are mission-critical facilities, and organizations spend a great deal of time, money and staff effort to keep them running reliably. Colocation providers, hosting sites and cloud services carry service-level agreement obligations, as do many private enterprises, so following well-documented procedures should be mandatory.
For organizations that lack full documentation, don't rigidly follow their own policies, or may have undiscovered shortcomings or vulnerabilities, there is an accepted way to identify and address these gaps.
International Organization for Standardization (ISO) 9001 is a globally recognized standard and serves to help businesses implement quality management procedures and practices. ISO 9001 has, so far, been revised four times. The latest update in 2015 expanded and generalized the standard to cover a wider range of businesses, including the service industry.
ISO 9001 certification is widely expected of suppliers doing business in Europe, but it is recognized and applicable internationally. There is no data center-specific version of the standard, but both Iron Mountain's and Amazon Web Services' infrastructure are ISO 9001:2015-compliant. With quality management procedures in place, organizations can ensure customers receive consistent and reliable services and products.
What ISO 9001:2015 covers
ISO 9001:2015 places greater emphasis on top management involvement, adds leadership requirements for quality management and introduces the concept of risk-based thinking. Even IT teams that never pursue ISO 9001 certification can use the initial gap analysis to uncover operational weaknesses that should be addressed.
Most of the ISO 9001 requirements will read as common sense to admins, but the documentation requirements are rigid, which precludes glossing over steps that may seem superfluous.
ISO 9001 certification is a six-step process that requires organizations to do the following:
- Understand ISO, through self-study or using one of the many online or professional consultant training courses.
- Run an internal gap analysis to identify areas in which operations fall short of ISO requirements and where improvements must be made before proceeding to formal certification steps.
- Begin documentation, which is the detailed on-paper formalization of processes, procedures and on-going plans for improvement, particularly where gaps have been identified.
- Start implementation, where the entire organization, along with top management, is trained in the standards and procedures and learns to fully implement them.
- Conduct an internal audit, a self-examination that prepares the IT team for the external audit. It can be performed by staff, by an existing or prospective client or customer, or by a consultant, to verify that the organization meets the requirements.
- Receive a formal audit and certification, in two stages, from a registrar. Stage one determines whether an organization is ready for stage two and can be done remotely to save travel costs. Admins must remedy deficiencies before stage two, which is done on site. During this stage, the auditor reviews organizational methods, procedures and internal documentation. The auditor also interviews staff to ensure that the quality measures have been consistent for at least six months and verifies maintenance of records and evidence. If nonconformities are found, organizations must correct them and have the auditor perform another -- usually much shorter -- on-site audit.
How much can admins do in-house?
Admins can complete everything except the certification audit themselves if they study the ISO 9001 standard, but it is wise to get assistance. ISO 9001 is one of several related documents in the ISO 9000 family, and a good understanding of the requirements at the outset could save headaches at the end and ensure a streamlined certification process.
Review several professional assistance offerings online to get an idea of what's involved and perhaps select a suitable introductory course. The gap analysis is a major task and is the foundation for preparing the necessary documentation for certification.
Even if an organization does not proceed toward ISO 9001 certification, admins will still uncover and fix a number of weaknesses and gaps in their operation, which alone is worth the cost of the introductory course and the time invested in preparing documentation.
What does certification cost?
An introductory course can be free or relatively inexpensive, or it might include firsthand consulting expertise to train staff on site and walk them through the process. How much to invest in outside assistance is up to the organization, but a good consultant saves time and the potential cost of poor preparation or unaddressed issues.
The actual ISO 9001 certification cost is another matter. It depends on the thoroughness of preparation, the auditor's travel distance and how long they must spend on site to complete the audit. A remote stage one audit saves travel costs, but the auditor's time is still billed.
The certification is valid for three years, on the assumption that the organization keeps the policies and procedures in practice. Annual surveillance audits are conducted to confirm continued compliance, and maintaining certification is not automatic; the two-stage certification audit must be repeated every three years to renew it.