It is not without reason that "organizational knowledge" has been included as a separate requirement in both ISO 9001:2015 and ISO 27001. This is because documented knowledge makes a major contribution to information security and is an essential part of the much-cited "IT security", which is unfortunately often reduced to traditional IT security in public discussions. You have to protect yourself against viruses and crypto Trojans and - in the age of IT-supported production - also against serious system failures. Most people are now very aware of this, whereas companies often underestimate the dangers that exist when knowledge is lost.

In large laboratories, it goes without saying that the development process is permanently documented. There is a defined standard process for this. In smaller medium-sized companies, the focus is on the enthusiasm with which an idea is driven forward and the existing expertise is incorporated into product development. It is precisely this often unconventional, even agile approach that is ultimately one of the great strengths of German SMEs. Those who want to get their products ready for the market quickly have no time to document the development steps because they are so busy making and doing.

For years, even decades, it can be completely unproblematic that the basic knowledge about your own products is not kept in the necessary depth of detail. However, as soon as a fault occurs or an existing product is to be modified or further developed, this basis, i.e. documented knowledge, is required. If the interrelationships in product development can no longer be reconstructed cleanly and in detail, this can have serious consequences.

The energy and time spent on troubleshooting are often the least of the problems. Even if I "only" no longer know who supplies the right raw material, this means that the supplier selection process has to be started all over again. A company may also have to start the development process all over again - with unpredictable costs. Ultimately, a product may have to be completely withdrawn from the market because functionality or freedom from defects can no longer be guaranteed. At this point, however, you may already have a major product liability case on your hands.

It is therefore not enough for the boss and a long-standing employee to know the company inside out. It is important to take care of knowledge transfer and to take this into account in future developments. In concrete terms, this means continuously documenting the product development process. To a certain extent, it is therefore a matter of taking precautions in order to have a long-term chance on the market. And this is not possible without secure, documented knowledge and know-how transfer. It is therefore necessary on the one hand to record the expectations of employees and also to create an awareness of the importance of knowledge for business success. Setting up a corresponding system is quite a challenge for SMEs and requires a well thought-out concept.

ISO 27001 addresses all of these points as part of information security: A company's knowledge and, above all, the secure and reliable handling of this knowledge are what sets it apart in the long term. Many organizations are therefore currently asking themselves whether they now need official ISO 27001 certification or whether it is not sufficient to simply align themselves with the content of the certification steps. There is a clear answer here: aligning with the structure and requirements of ISO 27001 makes sense in any case. More and more clients are defining ISO 27001 as a customer-specific requirement - in which case certification is a must either way.

But even if their own customers are not yet actively demanding this, companies can secure a head start over the competition in advance. Because when the requirement comes, other suppliers first have to deal with it, which gives them a head start of at least one year. Of course, ISO 27001 certification can and should also be actively used for public relations and as a competitive advantage over competitors. The advantage of forcing yourself to adhere to the requirements and ensure sustainability should not be underestimated.

The annual surveillance audits inevitably mean that you actively take care of the state of the art, stay up-to-date and up to date. The ISO 27001 certificate also answers many questions about documented standards and sustainability in relation to the state of the art in supplier audits. This saves audit time and rework.

Peter Miller/as