

The ISO Show
Blackmores UK
Blackmores is a pioneering consultancy firm with a distinctive approach to working with our clients to achieve and sustain high standards in Quality, Risk and Environmental Management. We'll be posting podcasts discussing ISO standards here very soon!
Episodes
Apr 1, 2026 • 24min
#247 How do ISO 27001 Information Security and ISO 42001 AI Management compare?
Information is increasingly becoming the number one priority for businesses. With so many of us reliant on technology to stay in operation, data breaches and incidents inevitably increase year on year. New AI-driven technology has added a further layer of complexity to the information security landscape, both in the new risks that using the technology brings and in the more sophisticated AI-led scams that staff can fall prey to. Thankfully ISO Standards are here to help, with ISO 27001 tackling general information security and ISO 42001 covering AI management. But how do these two compare, and is there merit in implementing both?

In this episode, Ian Battersby is joined by Bas Von Hertom, Cyber Security Specialist at TUV Nord, to discuss what ISO 27001 and ISO 42001 are, the main differences between the Standards and how they can complement each other when integrated.

You'll learn
· Who is Bas Von Hertom?
· Who are TUV Nord?
· What are ISO 27001 and ISO 42001?
· How does ISO 42001 support regulatory frameworks such as the EU AI Act?
· How do ISO 27001 and ISO 42001 differ in managing information security risks?
· Other key differences between ISO 27001 and ISO 42001
· How much more work is involved in implementing ISO 42001 if you already have ISO 27001 in place?
· Can ISO 27001 and ISO 42001 be integrated?
· Which organisations should be implementing both Standards?
· How are Certification Bodies quoting for ISO 27001 and ISO 42001?
· Bas's advice to leadership teams looking to build a case for full certification

Resources
· TUV Nord
· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – Ian is joined by Bas Von Hertom, Cyber Security Specialist at TUV Nord, to explore the differences between ISO 27001 and ISO 42001 and the benefits of integrating both Standards.

[02:30] Who is Bas Von Hertom? Bas is the Cyber Security Specialist at TUV Nord. He is a lead auditor for Standards including ISO 27001, ISO 42001, TISAX and standards specific to industrial automation. Around 5 years ago Bas had stated that he would never pursue a career in auditing, but once he came into contact with TUV Nord he decided to give it a go. Before joining TUV he was a very hands-on systems administrator, and many of those skills transferred well into auditing.

[04:45] Who are TUV Nord? TUV Nord are a UKAS-accredited Certification Body. They also offer testing and inspection services. TUV have worked with a large range of sectors, from manufacturing and energy to IT, healthcare and even space.

[06:25] What are ISO 27001 and ISO 42001? ISO 27001 is the Standard for Information Security Management; a compliant management system is called an ISMS. It provides a structure for identifying, assessing and managing information security risks, protecting the confidentiality, integrity and availability of information and the resilience of the systems that hold it. ISO 42001 (AI Management) is a much more recent Standard, published in December 2023. It focuses on ethical and effective AI management, with a system that applies to the relevant AI products and services as well as to the wider business.

[07:30] How does ISO 42001 support regulatory frameworks such as the EU AI Act? The EU AI Act sets out legal obligations that organisations offering AI products must comply with; however, it only defines the rules rather than providing implementation guidance. This is where ISO 42001 can fill the gap, by providing a management system framework that gives you a structured, auditable way to manage the obligations the Act imposes. Note that ISO 42001 certification does not in itself demonstrate EU AI Act compliance; it is the framework through which you evidence how those obligations are met.

[08:45] How do ISO 27001 and ISO 42001 differ in managing information security risks? Both Standards take a risk-based approach to their subject matter, but the nature of the risks each addresses is what differs. ISO 27001 focuses on risks to information assets, framed in terms of the confidentiality, integrity and availability of information. It also ensures that information security objectives are clearly defined and aligned with business strategy. ISO 42001, on the other hand, deals with a broader and more complex set of risks, because it also covers ethical considerations. This can include the monitoring and measurement of ethical risks such as AI bias and discrimination. It also looks at societal, legal and reputational risks, as one of ISO 42001's key aims is creating trust in the AI space.

[10:10] Other key differences between ISO 27001 and ISO 42001: Besides their subject matter, another key difference is the way objectives are framed and evaluated. In ISO 42001 these objectives have to be aligned with the Annexes within the Standard, which is not commonly done when implementing ISO 27001. ISO 42001 also requires an AI system impact assessment, which again ties back to the system's objectives: its results describe how bias, ethical and societal considerations affect the other requirements within ISO 42001.

[11:00] How much more work is involved in implementing ISO 42001 if you already have ISO 27001 in place? If you already have ISO 27001 in place, you have a strong foundation for ISO 42001. ISO 27001 puts the fundamental base in place: a governance structure, risk assessment processes, internal audits, corrective actions and methods for continual improvement. There is a lot of overlap where the high-level requirements are concerned. However, ISO 42001 also looks at AI products and services, which ISO 27001 does not. ISO 42001 may also require additional training for those involved with the management system and with the AI products and services.

[12:15] Can ISO 27001 and ISO 42001 be integrated? Yes, and in fact Bas highly encourages it. If you intend to implement both Standards, it is much more efficient to do so as an integrated management system. Both follow the Annex SL format, the high-level structure shared with most ISO management system Standards, so they are designed to be integrated. This also saves duplication of effort where documentation is concerned, and potentially saves cost if you require additional support with implementation.

[13:30] Which organisations should be implementing both Standards? Both ISO 27001 and ISO 42001 can apply to any business. Most businesses are now utilising AI in some form, and ISO 42001 applies to those using it just as much as to those developing their own AI tools or selling related services. However, sectors where ISO 42001 will likely become fundamental include the financial sector, where AI tools for fraud detection are becoming popular. There is also a growing need for it within the medical field, as AI is increasingly used for research and development.

[14:30] How are Certification Bodies quoting for ISO 27001 and ISO 42001? Certification Bodies use a number of variables to work out certification costs, including the size of the organisation and its business complexity. This can be tricky to calculate for ISO 42001, as you need to consider the number of AI systems in scope before a quote can be provided. The requirements for this are set out in ISO/IEC 42006, the Standard for bodies that audit and certify AI management systems. Most Certification Bodies will offer a discount for combined certification to both Standards. An integrated approach is certainly something Bas recommends, along with keeping the same auditor or audit team for both systems. By having one team for both, you can complete combined internal audits and save time and resources.

[16:20] Bas's advice to leadership teams looking to build a case for full certification: First of all, don't wait, just make a start. A lot of businesses make the mistake of waiting until it is a common requirement within their market, which can leave you lagging behind the curve. Instead, strive to be one of the early adopters, as that will give you a strategic advantage in the market. This is especially the case if you already have ISO 27001 in place: you already have the foundational knowledge to implement ISO 42001, so just make a start on looking at the risks relevant to ISO 42001. Many businesses opt to implement certain Standards because of client demand, and ISO 42001 is likely to be added to that list, so it is better to get a head start. Bas also recommends finding sources of guidance on ISO 42001 implementation. Whether that is sourcing training or an external party to advise, it is good to have other sources of knowledge if you are not familiar with the Standard or with ISO implementation as a whole.

[21:30] Bas's favourite quote: "We don't rise to the level of our expectation, but we fall to the level of the systems that we use."

If you'd like to find out more about TUV Nord, or are looking for ISO 27001 and ISO 42001 certification, check out their website.

We'd love to hear your views and comments about the ISO Show, here's how:
● Share the ISO Show on Twitter or Linkedin
● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.

Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube | iTunes | Soundcloud | Mailing List
Mar 19, 2026 • 24min
#246 Pedalling Towards Purpose – Forests Journey To B Corp Accreditation
Watch the video interview here

Europe is only partially on track to meet its 2030 environment and sustainability objectives, and while some objectives are being scaled back, we are seeing the introduction of more regional regulations that require tangible annual sustainability reporting. Businesses that have built sustainability into their way of working from the start are leading the charge and defining what it means to operate responsibly. Today's guest is one of them: Forest, an e-bike provider that is not only 100% powered by renewable energy but has also achieved the coveted B Corp Accreditation.

In this episode, Mel Blackmore is joined by Laura Elms, VP of Sustainability & Corporate Affairs at Forest, to discuss how they embedded sustainability from the start and to explore their journey towards B Corp Accreditation.

You'll learn
· Who are Forest?
· Who is Laura?
· Why was B Corp important to Forest from the start?
· What other Standards do Forest currently hold?
· What does Forest's high B Corp score of 99 mean in reality?
· How did Forest embed sustainability into the business from day one rather than retrofitting it later?
· How has Forest balanced growth with genuine environmental accountability?
· What does tackling Scope 3 look like in urban mobility?
· Why did they also attain Verra Validation, and why does third-party validation matter?
· How do sustainability, communications and public policy intersect in Laura's role?
· Advice for those seeking B Corp Accreditation
· B Corp Version 7
· What role should sustainable transport play in helping cities meet their net zero targets?

Resources
· Forest
· B Corp Accreditation
· Carbonology

In this episode, we talk about:

[00:30] Episode Summary – Mel is joined by Laura Elms, VP of Sustainability & Corporate Affairs at Forest, to explore how they lead the way in sustainability, including insight into their journey towards B Corp Accreditation.

[01:10] Who are Forest? Forest is the only shared e-bike operator to power its entire fleet with 100% renewable energy. It is also one of the world's first micro-mobility companies to hold both B Corp Accreditation and Verra Validation.

[01:40] Who is Laura and how did she get involved with sustainability? Laura admits that her route into sustainability was rather non-linear. She started her career shortly after graduating, in financial communications and investor relations. At her first firm she worked closely with a woman called Caroline, who went on to found Forest along with two other co-founders. Caroline reached out to her 2 years after starting Forest, and Laura felt it was a no-brainer: she had a pre-existing interest in sustainability and had come to prefer the start-up space over a more corporate setting. As is typical of start-ups, Laura wore many hats from the outset, as it was a small team of four. Sustainability was what she was most passionate about, and it has been the area she has nurtured for Forest over her six years with them.

[03:40] Why was B Corp important to Forest from the start? Laura noticed that B Corp was gaining traction back when Forest started in 2020. She was curious about the intersection between B Corp and ESG, particularly from a start-up perspective. When starting at Forest, she knew it would be a significant benefit to use renewable energy, but she felt they needed to go above and beyond that. From there she researched B Corp and the costs involved, which were affordable as the fee is relative to your revenue, a great advantage for start-ups. She was pleased to find that Forest could cover the 5 pillars of B Corp's credentials: not only providing bikes for urban settings, but also providing good governance and additional benefits to their surrounding community, workers and environment. In short, B Corp helped set the foundations for a well-rounded company that could grow.

[05:15] What other Standards do Forest currently hold? Forest currently hold ISO 9001 certification and are looking to implement ISO 14001 in the near future. They currently operate within 18 London boroughs and are expanding from one central hub to several more warehouses, which is what the ISO 14001 scope will cover. With B Corp as their guiding North Star, they are confident they have the right foundations in place to grow as needed.

[06:10] What does Forest's high B Corp score of 99 mean in reality? Within B Corp there are 5 pillars:
· Community
· Environment
· Governance
· Customers
· Workers

Its core focus is sustainability, but its approach is much more holistic, similar to the way ISO Standards implement a system that encompasses how a business works rather than a siloed focus on one area. B Corp looks at a multitude of areas, such as:
· Reducing Scope 1, 2 & 3 emissions
· Looking at your supply chain
· Evaluating how your activities interact with your stakeholders

To earn a B Corp score, you need to reach certain marks and are then scored across the 5 pillars. Many businesses going for B Corp tend to do well in the sustainability area but struggle with other areas such as workers and customers. The framework is designed to be more holistic than a pure sustainability focus, so if you focus too much on that area it may come at a detriment to the other pillars.

[08:20] How did Forest embed sustainability into the business from day one rather than retrofitting it later? Sustainability was Forest's vision and mission right from the start. Their CEO and Founder had previously worked at a ride-hailing company called Cabify, where he led the Latin American operations. Cabify was the first mobility company to offset all its emissions; this was prior to 2020, so it was seen as a thought leader in the space. This inspired the now CEO of Forest with the concept of 'Human Forest', the idea that humans on bikes in a city can save CO2 by choosing bikes over carbon-emitting modes of transport. Having it as a core part of the business from the start meant they did not have to worry about budgeting road-blocks or additional approval. It was simply part of the brand. Laura can see why retrofitting the same level of sustainability commitment may be difficult for other businesses, as Forest had baked in the price of renewable energy from the beginning and did not have to manage that transition. Forest also differ from larger companies that show smooth trajectories towards net zero: they are already there. They face the unique challenge of staying there as they grow, as more bikes and more geographical locations mean more manufacturing and bigger Scope 3 emissions. So their net-zero trajectory will overall look a lot less linear.

[11:15] How has Forest balanced growth with genuine environmental accountability? Forest have managed to reduce their carbon footprint by 53% year on year, even with continued growth. Environmental accountability can be something that gets businesses stuck in a rut, especially with applicable regulations in play. As Laura puts it, perfection is often the enemy of good. Small incremental changes are better than trying to get it all right first time. In Forest's case, to achieve that 53% reduction they looked for a more creative solution. Rather than manufacturing brand new bikes when needed, they reached out to other e-bike operators that used the same manufacturer and asked if they had any spare bikes. By accessing a second-hand market, this massively reduced the emissions that would otherwise have been created making new bikes. This can't be done indefinitely, but it is a small action that created a large impact for that year. Forest have also worked with their manufacturers to switch to solar energy for the production process, which they are now monitoring to see how much it reduces emissions.

[13:50] What does tackling Scope 3 look like in urban mobility? Scope 3 is most businesses' biggest source of emissions, typically accounting for around 80-90% of a business's total emissions. For Forest this is closer to 100%. They have also noticed that, compared to 3 years ago, emissions for things such as production and shipping of bikes are slightly lower. Laura admits this may not be entirely due to those processes becoming more efficient, but partly a by-product of improving other areas, such as technology or the use of office space, to bring down the business's overall emissions. At this stage the focus is getting the methodology right for Scope 3, to ensure their data is as accurate as possible. This includes sending questionnaires to suppliers and making use of technology to improve data gathering and analysis.

[15:45] Why did they also attain Verra Validation, and why does third-party validation matter? Laura was looking to ensure the highest level of credibility possible, which started with B Corp, then ISO certification and then Verra Validation. Verra is a leader in this space and dominates the market in carbon offsetting. Forest did not want to go through the whole process of selling offsets with Verra, as it did not make sense for their business, but they did want the validation as another layer of credibility.

[17:45] How do sustainability, communications and public policy intersect in Laura's role? London, unlike most other major cities, does not have a single unified body; instead you have to negotiate borough by borough. Each one can pick different operators and set its own requirements, which adds an extra layer of difficulty on top of existing sustainability regulations. Forest offered a ready solution for the London boroughs seeking to reduce their overall carbon emissions.

[19:05] Laura's advice to organisations seeking B Corp Accreditation: Get in contact with B Corp itself. They have done a lot to improve their platform, and there is a lot you can do via the portal without their assistance. However, B Corp and their team at B Lab can give you more insight and context on the data they are looking for. She also recommends incorporating B Corp as early as you can, as it helps set a solid business foundation. Laura also recommends going beyond the B Corp portal after certification and reaching out to the wider B Lab community, as there are a lot of fantastic brands to connect with. B Corp will often host in-person networking meetings where certified businesses can catch up, review progress and share new ideas.

[20:40] B Corp Version 7: B Corp have recently released (as of podcast publication) a new version of their requirements, raising standards once again. One of the new requirements is verification of an organisation's emissions, including those of its products. Forest only just received their B Corp recertification in December 2025, and their next focus is obtaining ISO 14001 for their new warehouses. However, they intend to stay B Corp accredited, so will likely look at meeting the Version 7 requirements following that.

[21:45] What role should sustainable transport play in helping cities meet their net zero targets? Transport makes up a third of UK emissions. Getting people onto bikes and being more active will result in a significant reduction in emissions for our cities. When Forest asked their users what they would otherwise have done for transport if they had not used one of the bikes, 11% said they would have gone by car or taxi. That is an 11% modal shift, which is pretty significant, and it does not account for private bike owners either. For cities, there is a big push to get HGVs off the road and to retrofit spaces to accommodate more cycle traffic. It is a lot to consider and will require a lot of work, but with transport making up a third of total UK emissions, it is worth the effort for the benefits it will bring.

If you'd like to find out more about Forest and follow along with their journey, check out their Linkedin page.
Mar 4, 2026 • 24min
#245 What's The Difference Between TISAX and ISO 27001?
For those in the automotive industry, namely suppliers working with European OEMs, you are likely familiar with TISAX but not necessarily with the Standard that many of its requirements originate from. ISO 27001 is the leading Information Security Management Standard, and its Annex A forms the basis of TISAX; however, there are many differences between the two. For automotive suppliers looking to create a more holistic Information Security Management System, it can be beneficial to implement elements of both even if you do not intend to certify to both.

In this episode, Ian Battersby is joined by Emma Coxhill, isologist at Blackmores, to explore the differences between TISAX and ISO 27001, how an existing ISO 27001 compliant management system can be leveraged for TISAX compliance, and the benefits of implementing both Standards for automotive suppliers.

You'll learn
· How does TISAX differ from ISO 27001?
· How do the recertification / annual surveillance cycles for TISAX and ISO 27001 differ?
· Can a company have TISAX without ISO 27001 and vice versa?
· How can an existing ISO 27001 certification be leveraged for TISAX?
· What are the additional benefits of implementing both TISAX & ISO 27001?
· What is a reasonable timeframe for implementing TISAX?
· The key role of Internal Audits
· How can Blackmores support companies in implementing TISAX?

Resources
· Register for our TISAX webinar here
· ENX
· Isologyhub

In this episode, we talk about:

[02:05] Episode Summary – Emma Coxhill joins Ian to dive into the key differences between ISO 27001 Information Security and TISAX, including the benefits of implementing both and how each can be leveraged to assist in the implementation of the other.

[03:10] What is TISAX? TISAX was developed for the automotive industry by the German Association of the Automotive Industry (VDA) and is managed by the ENX Association. It is based on the ISO 27001 Annex A controls, and was created because the industry wanted a standardised framework for assessing and sharing information security assessment results between manufacturers and their suppliers.

[04:20] How does TISAX differ from ISO 27001? ISO 27001 is a general Information Security Management Standard that can be applied to any business, whereas TISAX is only applicable to the automotive industry. ISO 27001 includes a framework of requirements that everyone must implement, whereas TISAX has a more customisable element: with TISAX you select an applicable assessment level and the relevant subject areas (assessment objectives) for your operations. The last main difference is that ISO 27001 certification ends in a certificate that can be shared and displayed wherever you want. TISAX in comparison issues Labels, which are only available through the ENX portal, where you control who can access them.

[05:15] How do the recertification / annual surveillance cycles for TISAX and ISO 27001 differ? The good news is that TISAX is a bit more forgiving than ISO when it comes to the recertification cycle. TISAX does not require an annual surveillance audit like ISO 27001; instead, once you have earned a Label it remains valid for 3 years. ISO 27001 in comparison requires a surveillance audit each year until the third, when you have your recertification audit. If you have a significant change of scope part way through your 3 years of TISAX, you will need to talk to your auditor to see whether extra work is required. This will depend on your level, with higher levels likely to require some additional work and for you to adjust your scope within the ENX portal. Overall, a TISAX Label is less of an ongoing burden than traditional management system Standards like ISO 27001. However, TISAX is a lot stricter and requires more upfront preparation ahead of earning your Label.

[07:30] Are Internal Audits required for TISAX? They are, but the number and frequency are a lot more flexible than for ISO 27001. You can do as many as you like, but at a bare minimum we recommend you conduct internal audits 6 months ahead of your TISAX Label expiring, to ensure you are ready for reassessment. You can of course carry on with annual internal audits to make sure you are on track. This can be handy if specific clients ask for further evidence that you follow processes in accordance with the TISAX requirements.

[08:35] Can a company have TISAX without ISO 27001 and vice versa? You can. Both are independent Standards; however, they do complement each other. Organisations that hold both have a competitive advantage, as ISO 27001 applies to all industries and is more widely recognised. However, if you only operate in the automotive space, TISAX may be sufficient. If you supply to multiple sectors, it is worth considering implementing both TISAX and ISO 27001.

[09:25] How can an existing ISO 27001 certification be leveraged for TISAX? If you already hold ISO 27001 certification, you are already about 80% of the way to TISAX compliance. As TISAX is based on ISO 27001's Annex A controls, a lot of the requirements cross over, so you will already have most of the foundations in place. It will be the more automotive-specific requirements that need additional work. These include considerations for:
· Data protection
· Prototype protection
· Assets
· Third-party suppliers

The amount of additional work will also depend on the TISAX level you are aiming for, with Level 3 being the most demanding for these specific requirements.

[10:55] What are the additional benefits of implementing both TISAX & ISO 27001? Benefits include:
Robust Information Security – Having both TISAX and ISO 27001 forms a strong and versatile information security framework that covers all of your operations.
Easy Integration – The two Standards complement each other and can easily be integrated. If you already have ISO 27001 in place, you have already completed the majority of the framework and will be familiar with what is required to earn and keep both your ISO certificate and your TISAX Label.
Customer Trust and Long-Term Resilience – TISAX is desired, if not an outright requirement, for European-based OEMs to work with suppliers. They require it because TISAX is a trusted Standard: a Label demonstrates your commitment to information security within the automotive industry. It also puts you in a better position both to safeguard data and to respond in the event of a data or security incident.
Wider market access – If you supply to more than just the automotive industry, having ISO 27001 in place will grant you access to the wider market, which will recognise that Standard over TISAX.

[12:05] What is a reasonable timeframe for implementing TISAX? This will depend on a number of factors, including the type of organisation, the number of sites, the resources available and so on. The key thing to note is that this is not a 2-week project; it will take a number of months to get everything in place for your external assessment. A good measure of readiness is scoring at least 2.7 on your self-assessment and having completed a few internal audits to double-check. If you already have ISO 27001 in place, you are looking at between 3 and 6 months. If you do not have ISO 27001 in place, you are looking at 6 months minimum. For Level 2, you will need proof that you have everything in place, that it has all been communicated and that the relevant individuals have been trained. Level 3 requires everything to be in place and operating for a certain amount of time; typically around 3 months is ideal to build a library of evidence ahead of your external assessment.

Emma's top tip: Be honest in your self-assessment. It is there to be a benchmark, and you need to reflect on the reality of your position if you are to accurately assess what level you are ready to be assessed against.

[14:20] Core elements for success: As with any Standard, ISO or otherwise, TISAX requires leadership commitment in order to be successful. The requirements of TISAX need to come from the top down, just as with ISO 27001. Leadership ultimately drive TISAX's success by ensuring the relevant resources are in place and that the individuals involved have the time needed to implement and maintain the Label. For those within the automotive sector, TISAX is becoming an absolute requirement. It is being pushed as a tender requirement, so you may lose out on business if you opt not to earn a Label.

[16:35] The key role of Internal Audits: As mentioned earlier, internal audits are a key part of the process for both TISAX and ISO 27001. They act as a business health check to ensure you are on the right path, and can identify areas that may be non-conforming or simply highlight opportunities for improvement. For TISAX there is no outright requirement for third-party audits ahead of your assessment; however, we would recommend them, as a fresh pair of eyes can reveal things you may have overlooked. An external auditor will also be more unbiased and can provide an honest review and feedback on which TISAX level you are ready for.

[18:25] How can Blackmores support you with TISAX implementation? We can provide as little or as much support as needed. This can include a fully guided implementation where we assist you through each step, and it can apply to both TISAX and ISO 27001 if you wish to certify to both Standards. Other options include:
· Assisting with your TISAX self-assessment (aka a Gap Analysis)
· Conducting a Maturity Assessment
· Conducting internal audits
· On-site support during your TISAX assessment audit

We are happy to provide whatever level of support you need. Blackmores do not provide a tick-box exercise; we pride ourselves on ensuring an implemented system works for you.

[21:10] Upcoming TISAX Webinar – Join us on 18th March 2026 at 2pm for a webinar where we'll dive into TISAX further and provide practical guidance on how to complete the VDA self-assessment. Attendees will also get access to some freebies. So don't delay, register your place here today.
Feb 25, 2026 • 30min
#244 What is TISAX?
Emma Coxhill, information security specialist at Blackmores with TISAX and ISO 27001 expertise. She explains what TISAX is and who it applies to. She covers why it matters for protecting IP and winning tenders. She walks through assessment levels, subject areas, ENX registration, self-assessments, audits and practical first steps to earn a TISAX label.
Feb 18, 2026 • 48min
#243 How Can You Leverage AI for ESG and Sustainability Reporting
Watch the full video interview here Annual sustainability and ESG reporting is now becoming a necessity for many businesses, whether driven by region-specific regulations and legislation, industry expectations or client demand. However, doing so is definitely easier said than done. It requires a complex network of data being gathered from multiple sources which then needs to be collated, analysed and summarised in a cohesive report for leadership and possible public publication. Thankfully, there have been developments in new AI-driven technology that can help ease this annual burden, allowing you to focus on utilising the results to make meaningful sustainability impacts. In this episode Mel Blackmore is joined by Darayush Mistry, Head of Product at Pulsora, to discuss how AI can make a difference in ESG and sustainability reporting, including its benefits, pitfalls and the balance of utilising AI while considering its environmental impact. You'll learn · Who is Darayush? · Who are Pulsora? · When did Darayush realise how AI could be utilised for ESG and sustainability reporting? · What are the positives of AI in this space? · Why is AI for ESG and sustainability reporting becoming more necessary? · What are the risks involved in using AI for ESG and sustainability reporting? · Where is AI making a real difference in reporting? · What parts of ESG and sustainability reporting need human judgement? · How does AI help collate data from multiple sources? · How might regulators react to AI being utilised in reporting? · How can businesses utilise AI while still considering its environmental impact? 
· Darayush's advice to sustainability leaders looking to explore AI solutions Resources · Pulsora · Darayush Mistry · Carbonology In this episode, we talk about: [00:25] Episode Summary – Mel is joined by Darayush Mistry, Head of Product at Pulsora, to discuss the use of AI tools in ESG and Sustainability reporting, how you can leverage this technology and what risks you need to be aware of before doing so. [02:40] Who is Darayush Mistry? Darayush has been working with enterprise software for the past two decades. This technology is used by companies to help operationalise their business. He began his career at a company called Siebel Systems, which operated in the CRM space, spending 10 years there before moving on to the world of sustainability. Darayush recalls how everyone was so used to working from a set of spreadsheets just 20 years ago, whereas now most will use a central CRM for business operations. This is an area where sustainability reporting seems to have lagged behind, with many still trying to collate their data from multiple spreadsheets and other external sources rather than having a dedicated central system. This is why he was eager to work with Pulsora, to bring businesses the kind of solution he had once brought with CRMs. [05:25] Who are Pulsora? Pulsora are an AI-forward SaaS (software as a service) platform. The Pulsora platform helps businesses to operationalise their sustainability initiatives, which includes data collation, calculation and reporting features. This is set up for scope 1, 2 and 3 level reporting, with considerations for climate-related goals, waste water monitoring, biodiversity and policy-oriented information. Darayush's role as Head of Product means he sits at the intersection between customers and Pulsora's engineering and design teams. His job is to ensure that whatever Pulsora creates ultimately provides value to their customers in the form of successful sustainability outputs. 
[07:50] When did Darayush realise how AI could be utilised for ESG and sustainability reporting? Darayush can pinpoint a time four years prior when he first stepped into a more sustainability-focused role. Speaking to the co-founders of Pulsora back in 2021, they were sharing experiences of using the then early versions of AI tools such as ChatGPT and Gemini. It clicked for them then that they could do something similar for sustainability reporting, making it as easy as possible while still being accurate. It wasn't until two years later that they had a product to launch, with Pulsora AI in late 2024. This initial product allowed users to write long-form narrative responses for carbon disclosures. Regulations like CSRD require a comprehensive disclosure, but not everyone is an expert in parsing the data to write that, so Pulsora AI helped get past that writer's block, giving people the building blocks for a professional disclosure. [11:55] What are the positives of AI in this space? The biggest benefits include: · Giving professionals and sustainability teams more time back to achieve their desired outcomes · Cutting down on time spent in spreadsheets and on calculations on an annual basis · Reduction of repetitive tasks · Ease of data collection from multiple sources and locations · Ease of data calculation · Allowing for pre-audit of data using AI tools · Highlighting data gaps when rationalising the data [17:20] Why is AI for ESG and sustainability reporting becoming more necessary? People are starting to move on from the mindset of 'Let's try AI' to 'Let's use AI'. Time is one of the most precious resources we have, and any tool that can help accelerate more mundane tasks so that people can focus on making results happen should be a priority. Sustainability teams are under increasing pressure to produce tangible results, something that can be made easier with the help of AI tools. 
[20:06] What are the risks of using AI in ESG and Sustainability reporting? Don't treat AI as a magic wand; it's a tool you can leverage. At the moment, it's good at certain tasks, but it cannot act on its own. In order to progress, sustainability teams need to push on the initiatives to produce results. People know their business best, and though AI can infer certain information and produce a result, it may not always be the best solution for you. You still need that human input into areas such as strategy and action planning. Darayush reminds us of Amara's Law: "We as humans severely overestimate technology outcomes in the short-term, and severely underestimate that in the long-term" Don't fall into the trap of thinking AI can do everything. [22:30] Where is AI making a real difference in reporting? Data collection, ad-hoc sustainability reporting and providing insights into the data provided. It can also help with providing a starting point for carbon disclosures or options for various strategies that you could explore. Currently, the biggest one is data collection, as it can help do this efficiently and consistently, allowing for improved accuracy in your overall sustainability data. [25:20] What parts of ESG and sustainability reporting need human judgement? Darayush states that these are complementary to each other; it should never be all of one and none of the other. There will be elements that need more of a human in the loop and areas where it's required less. It's applicable in degrees. One example of where the human input will be higher is in completing a materiality assessment and figuring out how to execute your decarbonisation strategy, which will require your knowledge and experience of how the business operates, its core values and what your ultimate goals are. AI can do the heavy lifting in areas such as sustainability reporting, as it can collate all the data and create initial reports very fast. 
But, at the end of the day, humans still need to understand these outputs and provide their own judgement. 'AI' today isn't true AI; they're LLMs with a great capacity to collect data, analyse it and provide outputs that can be starting points. It cannot replace human judgement, as we provide the nuance in context and experience needed to apply those results effectively. AI responses operate in a perfect world where everything is an easy step-by-step process, which we all know does not reflect reality. [29:40] How does AI help collate data from multiple sources? Older technologies like OCR (Optical Character Recognition) were the go-to years ago when scanning various different documents like spreadsheets, PDFs, receipts etc. This required specific code to be written to read these documents accurately, which would then feed into pipelines to bring the data together. This code was quite rigid, so any change to a document layout would cause things to break. AI in comparison is much more adaptable; it's capable of reading much more natural language and extracting what's required for its designated task. It also provides a much friendlier UI (user interface), meaning you don't need an IT specialist to utilise the technology. [33:15] How might regulators react to AI being utilised in reporting? Based on Darayush's previous experience in the finance sector when people were using dedicated platforms for financial reporting, the regulators didn't care where the data came from or how it was collated; they just cared whether it was accurate. Regulators want transparency and accuracy, and a big part of this is providing an audit trail so they can see where the data came from. They simply want businesses to follow their guidelines; how you get from A to B is of little importance so long as the result is accurate. 
If anything, the existence of these tools will raise the bar of expectations from regulators, as businesses should be able to provide the required information with these tools readily available. [36:30] How can businesses utilise AI while still considering its environmental impact? – AI can certainly aid the sustainability industry in certain areas, such as reporting, but it's a resource-intensive tool. It consumes a lot of energy and water. As with most emerging technology, the sustainability impact usually isn't addressed until much later. Much like with mobile phones, which create tonnes of e-waste every year, not to mention the mined material required to make them. It's factors like this which eventually get regulators involved to help reduce the overall harm caused. AI is yet to go through this evolution, but both regulator and consumer pressure is building to reduce the impact of AI. This will inevitably lead to innovation as companies seek to find more sustainable ways to cool data centres and reduce the resource burden. On the flip side, AI can help save energy in other ways, such as the time taken for a human to complete the tasks, which includes travelling to an office and the amount of time they use a device for the task. This also has its own carbon footprint, which can comparatively be reduced by using AI to complete the tasks in minutes as opposed to hours or days. The bottom line as of the start of 2026 is that we know there is a resource issue when it comes to AI, and companies are looking at better ways to address it as the technology develops. [42:20] Darayush's advice to sustainability leaders looking to explore AI solutions – Identify a problem space where you can apply AI in a measured way and start using it. The only way you can find out how it impacts you is to use the technology. 
Currently, AI shines in areas such as collating data from multiple sources and locations, so if that's an issue you're tackling where sustainability reporting is concerned, that's a good place to start with utilising AI. If you'd like to learn more about Pulsora, check out their website.
Feb 11, 2026 • 26min
#242 Surface Print – The Commercial Advantage of ISO 14001 for SMEs
A Standard like ISO 14001 may seem more appropriate for large enterprises looking to address their environmental footprint; however, it can apply to any business, no matter the size. All businesses produce waste, and we can all do more to save energy, resources and money in the process. For some SMEs, tackling resource wastage through effective environmental management can make a huge difference. Such is the case for today's guest, Surface Print, a family-owned wallpaper manufacturer managed by its 4th generation. In this episode, Ian Battersby is joined by James Watson, Managing Director of Surface Print, to discuss why they implemented ISO 14001, the related resource challenges for SMEs seeking ISO Standards and the benefits gained from certification. You'll learn · Who is James? · Who is Surface Print? · Are there any other Standards Surface Print have to adhere to as a wallpaper manufacturer? · Did those other Standards help with understanding the process for ISO implementation? · What was the driver behind ISO 14001 implementation? · How long did it take them to achieve ISO 14001? · Have they considered any other ISO Standards? · What were the challenges for an SME seeking ISO certification? · What were the benefits of implementing ISO 14001? · How have Surface Print leveraged ISO 14001 in marketing and communications? · James' top tip Resources · Surface Print · James Watson · Isologyhub · What is the Isologyhub? In this episode, we talk about: [02:05] Episode Summary – The Managing Director of Surface Print joins Ian to discuss their journey towards ISO 14001 certification, the challenges involved with ISO implementation for SMEs and the benefits felt after certification. [03:25] Who is James Watson? James Watson is the Managing Director of Surface Print, a family-owned wallpaper factory based in Lancashire. Both he and his sister are the current directors, and his 88-year-old father is still involved within the business. 
They are the 4th generation of their family to be involved with wallpaper, starting with their great-grandfather, Walter Watson, who started the business all the way back in the 1880s! [04:35] Who are Surface Print? Surface Print operate in both analogue and digital printing, with 10 large analogue printing presses and 6 state-of-the-art HP digital presses. There are two elements to the company: Surface Print handles 3rd party printing and white labelling for interior design brands, and 1838 Wall Coverings is the original design branch that sells their designs worldwide. Surface Print are not a volume printer; they focus on high-quality manufacturing with a key focus on attention to detail. All the manufacturing occurs at the UK factory. Their typical clientele include the likes of John Lewis, Harrods and other high-end interior stores. Their 1838 Wall Coverings branch has collaborated for the past 3 years with the Victoria and Albert Museum in London, where they were allowed access to its archive for inspiration on designs. [07:35] Are there any other Standards Surface Print have to adhere to as a wallpaper manufacturer? Mainly it's the Construction Products Regulation and EN 15102, which is specifically for decorative wall coverings used in buildings. They also needed to get FSC certified as they were dealing with paper and wood pulp. [08:20] Did those other Standards help with understanding the process for ISO implementation? James quite honestly admits that no, none of the previous mandatory regulations helped with understanding the ISO process. As they understood that it was going to be quite the task, they outsourced help from Blackmores to assist with implementation. Alison Henshaw from our team worked alongside Surface Print's ISO committee to break down the Standard and offer valuable consultancy on aspects such as legislation. [09:05] What was the driver for ISO 14001 Implementation? 
Wallpaper manufacturing is very waste-heavy. Analogue machines can have up to 10% - 20% waste per production order. With that much waste, the entire process can quickly become very inefficient. There was also the spend on energy and gas to consider, as all of those prices are increasing year-on-year. ISO 14001 could address both of these issues while saving them a significant amount of money. [10:15] How long did it take Surface Print to achieve ISO 14001? In total, around 12 months. It would have been quicker, but there were some administration issues with the Certification Body that delayed the final Assessment. [11:55] Have Surface Print considered any other ISO Standards? As they're only just into their first year of ISO 14001 certification, they've opted to stay focused on maturing that system before going for any other Standards. [08:20] What were the challenges for an SME seeking ISO certification? Surface Print initially struggled with the administration side of ISO 14001, things like keeping on top of document and process updates, updating the legal register etc. This is where Blackmores Consultant Alison came in to bridge the gap and ensure they kept all the necessary paperwork up-to-date. They also needed more technical expertise in the area of environmental management. Their ISO committee weren't ISO experts, so there was a knowledge gap between understanding the ISO Standard and how to apply it to the business, which is where Alison helped once again to guide them on their journey. [13:35] What were the benefits of implementing ISO 14001? Their ISO 14001 certification affects every decision made. It's not just about environmental management; it's about managing your business as a whole. The Standards actively require leadership commitment, so it starts from the top down. It's led to a more cohesive structure for making business decisions and thinking from a more environmental perspective. There have also been cost savings. 
Manufacturing in the UK is generally very expensive, so the more environmentally focused you can be, the greater the savings on energy and resources. For example, Surface Print use a lot of electricity for both the machines and the drying process involved in wallpaper manufacturing. They now measure their monthly energy usage against the rolls of wallpaper produced. They also installed solar panels, which saved them a significant amount of electricity usage over the last year. They're also investing in newer equipment to help with efficiency and making plans on how to reduce gas usage. It's also helped with their general business administration, as documentation needs to be kept up-to-date. The whole process is now a lot more thorough, and has greatly improved their general monitoring and measurement processes. They also have confidence in their regulatory and legal compliance, as ISO Standards have this as a basic requirement. Many opt to use a Legal Register to help keep all this information in one location. Surface Print also found that they can answer client questions quicker due to the amount of documented information at their fingertips; this now includes more environment-based questions, which are cropping up more often. [18:35] How have Surface Print leveraged ISO 14001 in marketing and communications? Surface Print often get asked by potential brand clients 'What's the benefit of working with you?', to which they can answer with a sustainability statement which lists all of the benefits. The first point of which is ISO 14001 certification, a globally recognised mark of effective environmental management. They ensure that their environmentally conscious stance is first and foremost in marketing and external communications. This is not done out of a forced obligation; Surface Print have chosen to do the right thing, which is becoming the norm. To not think about the environment, especially in high-waste industries, is generally frowned upon. 
[20:25] James' top tip for those thinking about implementing an ISO Standard – ISO implementation can cost a fair amount up-front, but the cost-saving benefits within a year can exceed that investment. You will see a lot of big improvements at the start; once your system matures you can expect the rate of improvement to slow while still driving continual improvement at a steady pace. With the addition of effective monitoring and measurement, those improvements are quantifiable, so you can really see the results of your investment. [23:25] James' book recommendation – Guinness Book of World Records [23:55] James' favourite quote – "You can take a horse to water, but you can't make it drink" If you'd like to learn more about Surface Print, check out their website.
Jan 28, 2026 • 17min
#241 Raise your Game With The Leadership Powerup Gameplan
An ISO Management System can't survive without Leadership engagement. It was seen as such an essential aspect that 'Leadership commitment' became a key requirement of many ISO Standards back in 2015, when the revised Standards adopted the Annex SL structure. It's easy to see why. An effective Management System will provide vital information for top management to make decisions on processes, policies and strategic direction. So, how do you get leadership involved with your ISO management system? In this episode, Steph Churchman is joined by Sarah Ball, the Service Improvement Manager at Blackmores, to discuss why leadership involvement is so crucial to effective ISO management, and to explain how you can get their buy-in whether you've got a mature system or are newly implementing ISO Standards. You'll learn · What is the isologyhub? · What issue is the Leadership Powerup tackling? · Who is the Leadership Powerup aimed at? · What are the six steps in the Leadership Powerup Gameplan? Resources · Isologyhub · What is the Isologyhub? · The Integral Role of Leadership within ISO · Aligning Objectives with Strategic Direction In this episode, we talk about: [02:05] Episode Summary – Blackmores Service Improvement Manager joins Steph on this episode to talk about the crucial role leadership plays in ISO management, and how you can get the most out of their involvement. [00:45] What is the isologyhub? The isologyhub is our online learning platform for all things ISO. Its main feature is the ISO Roadmap, a 7-step guided approach to implementing your own bespoke ISO 14001 compliant Environmental Management System. Since its creation, it's grown to hold a library of over 200 ISO-related resources. The content available varies from quick, accessible content such as ISO templates, ISO handbooks and short-form video training we call Coffee Break Training, which explains key elements of ISO Standards. 
This goes on to more in-depth content such as our ISO Pathways, which take you through 3 levels of learning to help you progress from Learner to Leader in your chosen subject area. There's other exclusive content on there which you can dip into, including ISO templates, training videos and previous workshops covering topics such as ESG and AI management. We also have a number of Gameplans, which are essentially guides where people can work through a particular set of information about a topic and get practical guidance that can be applied within their own organisation. [02:05] What issue is the Leadership Powerup tackling? In the past, it was quite easy for leadership to lose interest in the Management System once it had been implemented. This was in part due to how Standards used to be written, and would result in the system being delegated to specific individuals. In 2015 this, along with a number of other issues, was addressed and a new clause structure was introduced. This means that Leadership Commitment now isn't optional, as it's a direct requirement of every Annex SL-based ISO management system Standard (Clause 5). The Leadership Powerup Gameplan aims to help leadership understand their role in making the Management System effective for the wider business. It helps to assess their current level of commitment and guides you through a path of improvement to get them to be a positive ambassador for the Management System. Where leadership is concerned, it's important to remember that you're leading by example. If you don't care about the Management System, why should anyone else? For those that want more of a deep dive on Leadership's role within ISO, check out a previous podcast. [06:05] Who is the Leadership Powerup aimed at?: As a minimum it should be the individual or team that have day-to-day responsibilities relating to the management system. Ideally you would also want a member of leadership, as you'll need their input to gauge the current level of commitment. 
[06:50] What are the six steps in The Leadership Powerup?: Step 1: Evaluate Leadership – For this step it's important that you're 100% honest in your reflection of how leadership are currently promoting and engaging with the management system. It includes a workbook to help you self-score, though we recommend getting a team involved who can help build a full picture of their engagement in practice. The included workbook also contains examples of key causes for a lack of leadership engagement. It walks you through the reasons behind these causes, as it's only by understanding why something is happening that you can seek to resolve it. Step 2: Boosting Knowledge - This section works through what good looks like in terms of effective leadership commitment. You need to be able to understand the ideal end point before you can plan how to get there. Included in this section are key definitions and videos that break down what good looks like for leadership commitment. Step 3: Planning Your Process – During this step you will plan how to reach your end goal. By this point you will have assessed your current level of leadership commitment and you will have a good idea of what good looks like. Included in this step is another workbook that will guide your planning process to answer the following questions: · What do you want to achieve by the end of the Gameplan? · What does good leadership engagement look like for us specifically in this business? There's also a helpful section on understanding how processes interact, which is a fundamental part of ISO management. It's about how your business operates as one big system and not as siloed departments and processes. Leadership need to understand that big picture so they can communicate that an impact on one team affects the whole business. Step 4: Deliver Data – This section is all about information. Leaders love data, as it helps them to make informed business decisions. 
This step guides you through what sort of data you should be gathering and how it can be presented to leadership. This is crucial as it links back to one of the fundamentals of quality management, that being data-driven decision making. This could be in the form of customer feedback or employee feedback, or other metrics such as health & safety incidents etc. It's all about making the most of this data. Step 5: Strengthening Strategy – It's very important that your ISO management system aligns with your business's strategic direction. This is a key way that you can get leadership involved in the management system, as the business direction will already be a key focus for them. Ensuring the management system not only aligns with but helps to facilitate that direction will ensure that it stays at the forefront of their minds. This step provides you with guidance on how to go about aligning leadership priorities and management system priorities. Step 6: Consolidating Compliance – This step is about ensuring that you are doing what you say you're doing. A key part of leadership involvement is leading by example, such as reviewing policies and updating them if they are no longer working for the business. It's about continuous review, implementation of key feedback and communication of changes happening within the management system from top management down. This Gameplan can be useful for businesses where the Management System has been in place for a while and leadership may feel it no longer requires their direct attention once certification has been achieved. In order to drive effective continual improvement, it's key that they still keep that management system at the core of their activities. It can also be helpful when there is a change in leadership, and new individuals may not know what their level of involvement should be. 
If you'd like to become a member of the isologyhub, we have an exclusive 20% discount available for listeners, simply Contact Us and quote: Isologyhub20 to claim that discount.
Jan 21, 2026 • 17min
#240 Revitalise your Audits with the Audit Accelerator Gameplan
Sarah Ball, Service Improvement Manager at Blackmores who builds practical tools like the Audit Accelerator Gameplan. She explains why internal audits stagnate and how to refresh them. Short, actionable five-step guidance is discussed. Practical planning tweaks, challenging assumptions, boosting collaboration and rechecking progress are all covered.
Dec 17, 2025 • 17min
#239 2025 ISO Standard Wrap Up and Looking Ahead
It's been a busy year for ISO Standards, and that is set to ramp up in 2026 thanks to upcoming Standard transitions. Before we dive into a new year, we'd like to take a step back and highlight some of the key ISO milestones from 2025. In this episode, Steph Churchman, Communications Manager at Blackmores, looks back at the major Standard updates from 2025, including changes to existing Standards, new ISO Standards published and key upcoming changes you need to be aware of for 2026. You'll learn · What ISO Standards have been updated in 2025? · What new ISO Standards were published in 2025? · What Standards are due to be published in 2026? · What ISO transitions do you need to be aware of in 2026? Resources · Isologyhub In this episode, we talk about: [02:05] Episode Summary – Steph reviews major ISO Standard updates from 2025, including changes to existing ISO Standards, new Standards published and what you need to know going into 2026. [02:34] What ISO Standards have been updated in 2025?: ISO 27701:2025: This is the Standard for Privacy Information Management and it received an update in October 2025. Key updates to this Standard include: · It is now a stand-alone Standard and can be implemented without an existing ISO 27001 ISMS in place. · The addition of further guidance for data processors and controllers. · Greater clarity on managing personal data within AI and digital ecosystems. · More focus on organisational leadership involvement. · The update now aligns ISO 27701 more closely with global regulations such as GDPR, CCPA and LGPD. ISO 37001:2025, the Standard for Anti-bribery. This one was well overdue an update, with its last version being 2016! 
Its update arrived on 2nd Feb 2025, and included: · Text harmonisation with the other Standards in the ISO 37000 family, such as ISO 37301 (compliance management systems), ISO 37000 (governance of organisations) and ISO 37008 (internal investigations of organisations), to ensure consistency and easier integration. · The latest version now formally introduces the concept of anti-bribery culture and emphasises its importance for the effectiveness of the management system. · A greater emphasis on the role of top management and their involvement in overseeing the management system. · A new requirement has been added for awareness and training as a fundamental asset for management system results. · It also receives the climate change amendment, which many ISO Standards already embedded back in 2024 – learn more about that here. · And lastly, there are more comprehensive definitions of conflict of interest, as well as procedures to raise awareness on reporting potential and actual conflicts. ISO 50002, the Standard for energy audits. This isn't a certifiable Standard, but rather a guidance document to support the energy management Standard ISO 50001. The recent update has now split this Standard into 3 parts: · ISO 50002 part 1: General requirements with guidance for use · ISO 50002 part 2: Guidance for conducting an energy audit in buildings · ISO 50002 part 3: Guidance for conducting an energy audit in processes Most of the revisions focused on strengthening and adding further clarification to energy auditing principles such as competency, confidentiality, objectivity, access to equipment, resources and information, an evidence-based approach and a risk-based approach. Lastly, this update also clearly specifies the requirements for energy auditor competence. [07:10] What new ISO Standards were published in 2025? ISO 42006 - Requirements for bodies providing audit and certification of artificial intelligence management systems. 
This is a guidance Standard that actually relates to certification bodies rather than businesses choosing to implement ISO 42001. It builds on ISO 17021-1 and ensures that certification bodies operate with the competence and rigour necessary to assess organisations developing, deploying or offering AI systems. While one that you as a business may not have to worry about, it's a positive addition to the growing ISO 42000 family of Standards, which are currently the only global frameworks for best practice for AI Management. ISO 17298 Biodiversity - Considering biodiversity in the strategy and operations of organizations. ISO 17298 ultimately aims to help organizations of all types and sizes understand how they depend on and impact nature – and take concrete action to address it. It includes guidance to help you: · Understand your biodiversity impacts, dependencies and risks · Identify opportunities for green growth and nature-positive finance · And develop and implement a credible biodiversity action plan [09:45] What new ISO Standards are due to be published in 2026? ISO 53001 management system requirements for the United Nations Sustainable Development Goals. Many businesses have already done the hard work behind aligning their ESG activities with the UN SDG's, and will soon be able to benefit from certification to an internationally recognised Standard to help manage and improve their performance against those SDG goals. The Standard provides a framework for an SDG management system that will: · Enhance the organization's SDG performance. · Fulfil compliance obligations. · Achieve selected SDG objectives. · Create trust and confidence to relevant existing and future stakeholders If you wanted to get a head-start, the guidance document ISO 53002: Guidelines for contributing to the United Nations Sustainable Development Goals is available to download for free right now. ISO 14060: Net Zero Aligned Organisations. 
This Standard details requirements for how any type of organization can demonstrate that their net zero strategy is achievable, and that they are making credible and verifiable progress towards contributing to global net zero in line with the Paris Agreement. There are a lot of country specific legislation and regulations now in effect, or soon to be in effect, but there is a lack of clarity around what it actually means to be Net Zero. This is where ISO 14060 comes in, to create a globally accepted definition of what it means for an organisation to be net zero. In addition, this Standard will also: · Define what constitutes a credible net zero strategy at an organisational level · Establish how targets should be set, measured and delivered · Require organisations to align with the goals of the Paris Agreement · Build on existing ISO standards such as ISO 14064 for GHG verification and ISO 14068-1 for Carbon Neutrality · Have a focus on organisational claims, not product or event-level claims · And lastly it will be globally applicable and adaptable across sectors. [12:50] What ISO Standard updates do you need to be aware of for 2026?: The anticipated update to the leading environmental management system Standard, ISO 14001, is expected to be published in Q1 of 2026. It doesn't appear to have many major changes, but rather just further guidance and clarification in a few areas, including: · Modernised terminology and harmonised structure that aligns with other ISO Standards · Stronger focus on environmental conditions · Clearer EMS scope with life-cycle perspective · Again, we see a greater focus on leadership accountability · Refined risk-based planning · Introduction of a new change-management clause · Extended operational control to suppliers · Restructured management review · And an expanded Annex A for explanatory notes ISO 9001 is also due a revision. 
It was expected out around a similar time as ISO 14001, but following its public comment round, it's gone back under revision to make more changes after that feedback. As a result, this has pushed the expected publication date to either Q3 or possibly even Q4 of 2026. Now despite it going back into revision following feedback, the changes are still expected to be minor. Some of the expected changes include: · Impact of digital transformation – such as AI · Improved supply chain resilience · Proactive risk management and risk-based thinking · Quality culture and awareness of ethical behaviors · And increased attention to customer satisfaction Looking even further forward, ISO 45001 will also be up for revision soon, though that isn't expected to be published until 2027. We'll give you more details as soon as a draft version has been made available. All of these transitions will include a 3-year grace period, so there's no need to panic. Over the next year, we'll cover these changes in more detail, and will provide a variety of ISO Support options to help you manage and complete your ISO transitions. That's it from us for 2025! We look forward to brining you more ISO knowledge in 2026 😊 We'd love to hear your views and comments about the ISO Show, here's how: ● Share the ISO Show on Twitter or Linkedin ● Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one. Subscribe to keep up-to-date with our latest episodes: Stitcher | Spotify | YouTube |iTunes | Soundcloud | Mailing List
Dec 12, 2025 • 43min
#238 Umony's ISO 42001 Journey - Setting the Standard for effective AI Management
AI has become inescapable over the past few years, with the technology being integrated into tools that most people use every day. This has raised some important questions about the associated risks and benefits related to AI. Those developing software and services that include AI are also coming under increasing scrutiny, from both consumers and legislators, regarding the transparency of their tools. This ranges from how safe they are to use to where the training data for their systems originates from. This is especially true of already heavily regulated industries, such as the financial sector. Today's guest saw the writing on the wall while developing their unique AI software, which helps the financial sector detect fraud, and got a jump start on becoming accredited to the world's first best practice Standard for AI, ISO 42001 AI Management. In this episode, Mel Blackmore is joined by Rachel Churchman, the Global Head of GRC at Umony, to discuss their journey towards ISO 42001 certification, including the key drivers, lessons learned, and benefits gained from implementation.

You'll learn
· Who is Rachel?
· Who are Umony?
· Why did Umony want to implement ISO 42001?
· What were the key drivers behind gaining ISO 42001 certification?
· How long did it take to implement ISO 42001?
· What was the biggest gap identified during the Gap Analysis?
· What did Umony learn from implementing ISO 42001?
· What difference did bridging this gap make?
· What are the main benefits of ISO 42001?
· The importance of accredited certification
· Rachel's top tip for ISO 42001 Implementation

Resources
· Umony
· Isologyhub

In this episode, we talk about:
[02:05] Episode Summary – Mel is joined by Rachel Churchman, the Global Head of GRC at Umony, to explore their journey towards ISO 42001 certification.
[02:15] Who is Rachel?: Rachel Churchman is currently the Global Head of GRC (Governance, Risk and Compliance) at Umony; however, keen listeners to the show may recognise her, as she was once a part of the Blackmores team. She originally created the ISO 42001 toolkit for us while starting the Umony project under Blackmores, but made the switch from consultant to client during the project.
[04:15] Who are Umony? Umony operate in the financial services industry. For context, in that industry every form of communication matters, and there are regulatory requirements for firms to capture, archive and supervise all business communications. That covers quite a lot! From phone calls to video calls, instant messaging and so on, and failures to capture that information can lead to fines. Umony are a compliance technology company operating within the financial services space, and provide a platform that can capture all that communications data and store it securely.
[05:55] Why did Umony embark on their ISO 42001 journey? Umony have recently developed an AI platform called CODA, which uses advanced AI to review all communications to detect financial risks such as market abuse, fraud or other misconduct. It flags those potentially high-risk communications to a human to continue the process. The benefit of this is that, rather than financial institutions only being able to monitor a very small set of communications because it is such a labour-intensive task, this AI system allows for monitoring of 100% of communications with much more ease. Ultimately, it's taking communications capture from reactive compliance to proactive oversight.
[08:15] Led by industry professionals: Umony have quite the impressive advisory board, made up of both regulatory compliance personnel as well as AI technology experts. This includes the likes of Dr. Thomas Wolfe, Co-Founder of Hugging Face, a former Chief Compliance Officer at JP Morgan and the CEO of the FCA.
[09:00] What were the key drivers behind obtaining ISO 42001 certification? Originally, Rachel had been working for Blackmores to assist Umony with their ISO 27001:2022 transition back in early 2024. At the time, they had just started to develop their AI platform CODA. Rachel learned about what they were developing and mentioned that a new Standard had recently been published to address AI specifically. After some discussion, Umony felt that ISO 42001 would be greatly beneficial, as it took a proactive approach to effective AI management. While they were still in the early stages of creating CODA, they wanted to utilise best practice Standards to ensure the responsible and ethical development of this new AI system. When compared to ISO 27001, ISO 42001 provided more of a secure development lifecycle and was a better fit for CODA, as it explores AI risks in particular. These risks include considerations for things like transparency of data, risk of bias and other ethical risks related to AI. At the time, no one was asking for companies to be certified to ISO 42001, so it wasn't a case of industry pressure for Umony; they simply knew that this was the right thing to do. Rachel was keen to sink her teeth into the project because the Standard was so new that Umony would be early adopters. It was so new that certification bodies weren't even accredited to the Standard when Umony were implementing it.
[12:20] How long did it take to get ISO 42001 certified? Rachel started working with Anna Pitt-Stanley, COO of Umony, around April 2024. However, the actual project work didn't start until October 2024. Umony already had a fantastic head start with ISO 27001 in place, and so project completion wrapped up around July 2025. They had their pre-assessment with BSI in July, which Rachel considered a real value add for ISO 42001, as it gave them more information from the assessor's point of view on what they were looking for in the Management System. This then led on to Stage 1 in August 2025 and Stage 2 in early September 2025. That is an unusually short period of time between a Stage 1 and Stage 2, but they were in remarkably good shape at the end of Stage 1 and could confidently tackle Stage 2 in quick succession. The BSI technical audit finished at the end of September, so in total, from start to finish, the implementation of ISO 42001 took just under 12 months.
[15:50] What was the biggest gap identified during the Gap Analysis? A lot of the AI-specific requirements were completely new to this Standard, so processes and documentation relating to things like the 'AI Impact Assessment' had to be put in place. ISO 42001 includes an Annex A which details a lot of the AI-related technical controls; these are unique to this Standard, so their current ISO 27001 certification didn't cover these elements. These weren't unexpected gaps; the biggest surprise to Rachel was the concept of an AI life cycle. This concept and its related objectives underpin the whole management system and its aims. It covers the utilisation or development of AI all the way through to the retirement of an AI system. It's not a standalone process and differs from ISO 27001's secure development life cycle, which is a contained subset of controls. ISO 42001's AI life cycle, in comparison, is integrated throughout the entire process and is a main driver for the management system.
[19:30] What difference did bridging this gap make? After Umony understood the AI life cycle approach and how it applied to everything, it made implementing the Standard a lot easier. It became the golden thread that ran through the entire management system. They were building into an existing ISMS, and as a result it created a much more holistic management system. It also helped with the internal auditing, as you can't take a process approach to auditing in ISO 42001 because controls can't be audited in isolation.
[21:30] What did Umony learn from implementing ISO 42001? Rachel in particular learned a lot, not just about ISO 42001 but about AI itself. AI is new to a lot of people, herself included, and it can be difficult to distinguish what is considered a risk or an opportunity regarding AI. In reality, it's very much a mix of the two. There's a lot of risk around data transparency, bias and data poisoning, as well as new risks popping up all the time due to the developing technology. There's also a creeping issue of shadow IT, which is where employees may use hardware or software that hasn't been verified or validated by the company. For example, many people have their own ChatGPT accounts, but do you have oversight of what employees may be putting into that AI tool to help with their own tasks? On a more positive note, there are so many opportunities that AI can provide, whether that's productivity, helping people focus more on the strategic elements of their role or the reduction of tedious tasks. Umony is a great example of where an AI has been developed to serve a very specific purpose: preventing or highlighting potential fraud in a highly regulated industry. They're not the only one, with many others developing equally crucial AI systems to tackle some of our most labour-intensive tasks. In terms of experience with implementing ISO 42001, Rachel feels it cemented her opinion that an ISO Standard provides a best practice framework that is the right way to go about managing AI in an organisation. Whether you're developing it, using it or selling it, ISO 42001 puts in place the right guardrails to make sure that AI is used responsibly and ethically, and that people understand the risks and opportunities associated with AI.
[26:30] What benefits were gained from implementing ISO 42001? The biggest benefit is having those AI-related processes in place, regardless of whether you go for certification. Umony in particular were keen to ensure that their certification was accredited, as this is a recognised certification. With Umony being part of such a regulated industry, it made sense that this was a high priority. As a result, they went with BSI as their Certification Body, who were one of the first CBs in the UK to get IAF accredited, quickly followed by UKAS accreditation.
[27:55] The importance of accredited certification: Sadly, a new Standard creates a lot of tempting offers from cowboy certification bodies that operate without a recognised accreditation. They will offer a very quick and cheap route to certification, usually provided through a generic management system which isn't reflective of how you work. Their certificate will also not hold up to scrutiny, as it's not accredited by any recognisable body. For the UK this is UKAS, which is the only body in the UK under the IAF able to accredit certification bodies to provide a valid accredited certificate. There are easily available tools to help identify whether a certificate is accredited or not, so it's best to go through the proper channels in the first place! Other warning signs of cowboy companies to look out for include:
· An off-the-shelf Management System provided for a fee
· Offering both consultancy and certification services – no accredited CB can provide both to a client, as this is a conflict of interest.
· A 5 – 10 year contract
It's vital that you use an accredited Certification Body, as they will leave no stone unturned when evaluating your Management System. They are there to help you, not judge you, and will ensure that you have the utmost confidence in your management system once you've passed assessment. Umony were pleased to have received only 1 minor non-conformity through the entire assessment process. A frankly astounding result for such a new and complex Standard!
[32:15] Rachel's top tip: Firstly, get a copy of the Standard. Unlike a lot of other Standards, where you have to buy another Standard to understand the first one, ISO 42001 provides all that additional guidance in its annexes. Annex B in particular is a gold mine of knowledge for understanding how to implement the technical controls required for ISO 42001. It also points towards other helpful supporting Standards that cover aspects like AI risks and the AI life cycle in more detail. Rachel's second tip is: you need to scope out your Management System before you start diving into the creation of the documentation. This scoping process is much more in-depth for ISO 42001 than with other ISO Standards, as it gets you to understand your role from an AI perspective. It helps determine whether you're an AI user, producer or provider, and it also gets you to understand what the management system is going to cover. This creates your baseline for the AI life cycle and AI risk profile. These you need to get right from the start, as they guide the entire management system. If you've already got an ISO Standard in place, you cannot simply re-use the existing scope, as it will be different for ISO 42001. If you're struggling, CBs like BSI can help you with this.
[35:20] Rachel's podcast recommendation: Diary of a CEO with Stephen Bartlett.
[32:15] Rachel's favourite quote: "What's the worst that can happen?" – An extract from a Dale Carnegie course, where the full quote is: "First ask yourself what is the worst that can happen? Then, you prepare to accept it and then proceed to improve on the worst."
If you'd like to learn more about Umony and their services, check out their website.