Continuing the subject of sudden ISO assignments, we are disassembling the duties you didn’t apply for. So, where normally does it start? You didn’t even know the job existed until the meeting where someone said, “Since you’re organised, can you take environmental/quality/security on as well?” Suddenly you are the Head of Something Important. No badge, no budget, no training course booked. Just a calendar full of meetings and a new column in your job description.
Here’s the blunt truth: most SMEs don’t have a full‑time compliance person. The work lands on the office manager, the HR lead, the person who knows where the stationery is kept. We know the reality of small business life: people wear multiple hats and still keep the lights on. This article is written for you – the reluctant appointee – with practical, no‑nonsense advice you can use in under two hours a month.
Start Small. Measure the Obvious.
ISO standards aren’t moral crusades; they’re management systems. They reward consistency, not heroics. The fastest win is to measure something simple and meaningful. Bins are the classic example: measure what you throw away, how often, and who collects it. Energy is another obvious metric – meter readings once a month will tell you more than a thousand sustainability manifestos. These small, repeatable actions create a trail of evidence that ISO auditors like to see and managers can understand.
You don’t need fancy software to begin. A well‑named spreadsheet, a shared drive folder called “Environmental Evidence” and a recurring calendar reminder will do the job. The point is to create a habit: collect, record, review. That habit is the backbone of ISO 9001, 14001, 45001 and 27001 alike.
The Legal Register Isn’t a Monster
When someone says “legal register” it sounds like a beast. It isn’t. It’s a list of the laws and regulations that apply to your business and where the evidence lives. For most SMEs, the list is short. You don’t need to be a lawyer; you need to know where to look and who to call if something changes. Keep the register simple: law, relevance, owner, evidence. Review it quarterly. If nothing’s changed, tick the box and move on.
Internal ISO Audits: Short, Sharp, Useful
Internal audits are not witch hunts. They are short conversations with evidence. Pick a process – purchase orders, waste handling, access control – and follow it for an hour. Ask for records, check a sample, note one or two improvements. Feed those into your action tracker. Audits done well are coaching sessions that prevent surprises at external assessments.
Management Review in Under Two Hours
Management review sounds formal, but in an SME it’s a pragmatic catch‑up. Gather your metrics: non‑conformances, waste notes, energy readings, incident reports, customer complaints, and any regulatory changes. Present them in a single page or slide. Sit with the person who signs the cheques and have a focused conversation: what worked, what didn’t, what needs resource. Record decisions and owners. Done.
Evidence Trumps Rhetoric
Auditors want to see that you do what you say. Policies are useful, but evidence is king. If you claim to control access to sensitive data, show the access log. If you claim to segregate hazardous waste, show the transfer notes. If you claim to have trained staff, show the attendance list and the short test or checklist they completed. Evidence needn’t be perfect; it must be honest and retrievable.
Top 10 SME ISO Questions We Get Asked
Is ISO worth it for a 20‑person firm? – Yes, if you want to reduce rework, win tenders, or reassure customers. The standards scale. You’ll get more value if you focus on practical controls that reduce cost and risk rather than chasing certificates for their own sake.
What if we fail the audit? – You won’t be shut down. Non‑conformances are opportunities to fix things. Most audits result in minor findings. Fix them, record the corrective action, and you’re back on track. The scary stories are rare; the paperwork to close findings is the real work.
Can we use spreadsheets instead of fancy software? – Absolutely. Spreadsheets are fine if they’re controlled, backed up, and accessible. The danger is complexity: if your spreadsheet becomes a labyrinth, it’s time to simplify or move to a lightweight tool. The tool should serve the process, not the other way round.
Will ISO just create more paperwork? – Only if you let it. The right approach replaces ad‑hoc chaos with simple records that save time. Think of documentation as a memory bank for the business: short, searchable, and useful.
When should we go UKAS? – If you need to meet a tender requirement or a regulator insists on accredited certification, go UKAS. If you want to improve operations, reassure customers, or build a management system without the cost of accreditation, non‑accredited certification can be a pragmatic first step.
How do we prepare for an external audit? – Keep evidence tidy, run internal audits, and do a management review. Make sure the people who will be interviewed know the basics of the processes they own. Practice a short walk‑through of a process with a colleague. It’s less about theatre and more about being able to show the thread from policy to practice.
What if we don’t have an environmental manager? – Then you do what SMEs always do: distribute responsibility. Nominate process owners, keep a simple action tracker, and schedule short monthly check‑ins. The system survives on attention, not headcount.
How do we handle incidents? – Record them, contain the harm, investigate the root cause, and implement corrective actions. Small businesses often overcomplicate incident reporting. Keep it proportionate: what happened, why, who fixed it, and what will stop it happening again.
Is ISO 27001 only for tech firms? – No. Information is everywhere: customer lists, payroll, contracts. The standard helps you protect what matters. Start with an asset register and basic access controls. You don’t need a SOC overnight.
Can we self‑certify? – You can document your system and claim compliance, but certification by a third party – accredited or not – gives credibility. Non‑accredited certification is a legitimate, lower‑cost route for many SMEs, provided you’re transparent about its limits.
Final Word: Be Practical, Not Perfect
If you’re the part‑time quality manager, your superpower is pragmatism. ISO standards reward steady, sensible effort. You don’t need to be an expert; you need to be consistent, curious, and honest. Start with the bins, keep the evidence tidy, run short audits, and make management review a real conversation. If you want help, an unaccredited certification body can be a friendly, affordable partner to get you started. If a tender or sector rule demands UKAS, we’ll tell you straight. Either way, you’ll sleep better knowing the basics are under control – and that’s the whole point.
We are here if you need guidance to start you ISO journey:
