What is ISO 9001:2015 / ISO 27001 and why should you care?

We’re ISO certified. But what is it? And why should you care? ISO has multiple families of certifications; we’re certified in information security management (ISO/IEC 27001) and quality management (ISO 9000).

You may have also noticed that Paragon is unique in this certification. If other agencies aren’t certified, why should we go to the bother of taking four weeks out of the year to undertake an exhaustive certification process? The answer is twofold.

First, we are strongly committed to ensuring the safety and security of any and all data we touch and store on behalf of our clients, as GDPR, CCPA and other emerging regulations demand.

Second, ISO 9001:2015 lays out principles for ensuring the quality of services offered by vendors like Paragon Digital, and quality has always been a paramount goal of ours.

What is ISO 9001:2015 exactly?

It’s a set of principles and requirements, laid out by the International Organizations for Standardization, that organizations must follow when developing a quality management system. The principles are designed for an organization that: (to quote the ISO in full):

• “needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
• aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements.”

ISO / IEC 27001 data security compliance

Let’s start with the first bullet: the need to demonstrate that products and services meet all compliance regulations worldwide.

When most people think of GDPR and CCPA, they think about the need to request and store consent from consumers in order to use cookies. But both regulations also address data security in fundamental ways. If any entity collects consumer data of any kind, that entity must ensure that the consumer won’t be harmed as a result of a data breach or some other issue.

Moreover, both GDPR and CCPA put the onus of ensuring compliance on the actual brand (aka the “controller”). Specifically,  GDPR Article 24 states that “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” Recital 74 further explains that the controller is responsible and liable for processing done on its behalf by a third party.

CCPA is built on California’s “agency law,” which says that any action taken by an agent acting on your behalf is your responsibility.

The bottom line: if you engage a third party to execute a campaign or some other marketing or customer care initiative, you are responsible for the actions of that third party. As Richy Glassberg, one of the co-founders of the IAB warned recently, vendor compliance is a gaping hole privacy compliance as most brand managers are unaware of their responsibility under both GDPR and CCPA.

This is why our certification is so important. Our ISO 9001:2015 certification provides our clients with the assurance they need that Paragon’s processes for handling consumer data complies with state-of-the-art practices and current regulations, and that they’ve been certified by an outside auditor.

Quality management

The quality management certification ensures we have the processes in place to “enhance customer satisfaction” and to “demonstrate conformity to specified quality management system requirements.”

In other words, when Paragon takes on work on behalf of clients, quality is front and center. Our high level of quality stems from the vast experience and expertise of our teams, of course. But it’s also enhanced by our strict adherence to the best practices laid out in the ISO principles.

The difficult task of meeting ISO certification requirements

It isn’t easy to achieve ISO certification as the requirements are quite stringent, encompassing people, processes, technology and even how physical workspaces are organized (for instance, our teams are physically separated per ISO requirements, and sensitive areas require biometric access).

Central to certification are annual audits by a third-party auditor. It typically takes the auditor four weeks to verify that every box is checked, and omitting even a single, seemingly minor requirement jeopardizes a successful certification.

After four years of audits and certification, Paragon has built a robust discipline, infrastructure and internal compliance and training team around the ISO principles, and it has become a way of life for our organization. All of our workflows – from the simplest task for a client to fulfilling a role they’ve handed off to us – are executed with these quality principles in mind.

When combined with our deep industry expertise, our clients are assured that the services they receive from Paragon are of the highest possible quality.

Peace of mind for clients in competitive industries

One final reason why ISO / IEC 27001 certification is important to us: clients in highly competitive industries want assurance that their data will never end up in the hands of their competitor, or will benefit a competitor in any way. Certification guarantees cross-company data sharing won’t ever occur – a process that is backed up by audited and accountable infrastructure.

At some point, your compliance team will ask if all of the third parties you work with are compliant with GDPR and CCPA. Answering for Paragon Digital Services will be easy for you, thanks to our ISO 9001: 2015 certification.

To find out more about how bespoke ad ops outsourcing can boost your business, get in touch.