I’ve spoken a lot about how ISO makes money (you can see my YouTube video on the topic here.) The short version is that they dupe industry subject matter experts to surrender their intellectual property, and ISO publishes the results, keeping 100% of the profits for themselves. Worse, they charge a fee to the nations that send their experts to sign up for this lopsided arrangement. ISO may be a non-profit, but that just means the profits go to the salaries of its executives, and don’t have to be divvied out to shareholders or anyone else.

But the world is not enough. ISO is a hungry beast that must be fed, constantly.

The other way they generate revenue is by taking the intellectual property (IP) of third-party standards developers, repackaging it as “international consensus standards,” and — again — pushing all the profits to their execs.

Social Accountability 

Ironically, this began in earnest in the late 1990s. Years before, a group called the Council on Economic Priorities released an independent (meaning, not ISO) standard called SA8000. The focus was “social accountability” and it aimed to create a baseline for how companies should operate ethically and in compliance with world positions on human trafficking, labor rights, child labor, etc.

Because SA8000 wasn’t an ISO standard, it struggled. It languished virtually unknown for about ten years, until it began getting some attention in the fringes of the certification world. ISO noticed.

Fast forward to 2010, and ISO suddenly produced ISO 26000 on “Social Responsibility.” It repackaged many of the SA8000 concepts into ISO-speak, while watering it down significantly. (ISO has a troubled history with the International Labor Organization, so had to dilute ISO 26000 to keep the ILO off its back.)

Instantly, ISO 26000 leap-frogged SA8000 in recognition, based on the ISO brand name.

IT Service Management Systems

The work on snatching up SA8000’s intellectual property was informative for ISO, and so they began running this play as part of the normal playbook.

Now meet the Information Technology Infrastructure Library, or “ITIL.” This was a standard aimed at IT service management companies and industry consultants, based loosely on Deming’s theories but tailored for an industry that worked in digits vs. widgets. It was created in the 1980s by the UK Central Computer and Telecommunications Agency, and by 2001 had morphed into what we would now recognize as a typical management system standard.

Because it arose in the UK, BSI was paying attention. Prior to the 1980s, BSI was the world’s largest standards developer. Even though ISO existed for decades prior to that, BSI did all the international standards work. In the 1980s, BSI yielded this role to ISO under a cloudy power-sharing agreement that remains to this day. This is why BSI has control over so many of the biggest ISO Technical Committees, including that of ISO 9001.

In the 2000s, BSI took ITIL and repackaged it for its own use, publishing it as BS 15000. By 2005, it had transitioned over to a full ISO standard, known as ISO 20000.

Now, I work with ISO 20000 and do implementations for it, but I can tell you: it’s a mess. Because this was the product of a forced marriage between someone else’s IP and ISO’s approach to standards, the text doesn’t play nice with other management systems. Whereas ISO 9001 and other major management system standards utilize the “process approach,” ISO 20000 treats everything you do, both for customers and internally between departments, as a “service.” If your IT department issues a new mouse to someone in accounting, that’s a service. Worse, ISO 20000 requires you to measure all those services, via service level agreements (SLAs) or targets. This results in over-inspection, and an approach that was already obsolete by the 1960s.

Because ITIL got it wrong, ISO 20000 gets it wrong. Neither understands how the post-1950s “process approach” works: that if you measure and manage processes, you will reduce variation and deficiencies in your services. ISO 20000 just demands you inspect the shit out of everything. It’s exactly what Deming railed against.

And, unfortunately, most companies need to implement ISO 9001 alongside ISO 20000, inviting a clash. While ISO 9001 demands you measure your processes to reduce inspection, ISO 20000 argues that you need to increase inspection and ignore processes entirely.

But, again, this is because ISO took the IP of an entirely different standard — ITIL — and tried to repackage it for sale on its own web store, to drive profits to ISO executives.

Aggressively Targeting IP

As a result of these successes, ISO has grown more aggressive in targeting the IP of any standards developer that it thinks may be onto something. Now we see ISO pushing hard into searching for existing IP on cannabis, artificial intelligence, sustainability, and more. They intend to take that IP, repackage it just enough to avoid copyright infringement charges, and sell it as official ISO standards.

With, yes, the profits going to the ISO Executives.

In recent months, I have been approached by a number of would-be standards developers or companies wanting to form their own accreditation schemes. Each time, we have to have “the talk.” I warn them that if they want to become an accreditation body, they have to protect their scheme from the prying eyes of bodies like UKAS and ANAB, who love to fast-track someone else’s idea and beat them to market. And, second, they have to protect the IP around their standards, because ISO is on the hunt for fresh meat.

Worse still, many standards developers utilize third-party consultants to assist in drafting their standards. Then, these same consultants are lured to ISO’s technical committees in order to gain bragging rights (“I was on the ISO TC!”) to promote their consultancies. They carry the IP over to ISO, often without the original developer even knowing. Without proper nondisclosures, non-competes, and contracts in place to limit how consultants can re-package your intellectual property, you are left unprotected.

The reality is that ISO is a commercial publishing company, not an NGO, and certainly not some humanitarian global organization like the UN or Red Cross. It publishes books, and dupes people into contributing to its scheme. It will, by its very nature, be driven to seek out new IP to use for its own ends, because that is the model upon which it exists. Without other people’s IP, ISO would cease to exist.

So if you are developing standards — and Oxebridge can help with that, and yes we sign non-competes — proceed with caution. You have to work quietly and largely in secret until the time you publish, and then have copyrights and trademarks locked down tight to reduce the likelihood of outright theft. If approached by ISO to help develop a standard for them, demand you get paid for it. If ISO infringes on your IP, sue them.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

