The ISO war on ethics continues, as ISO Secretary General Sergio Mujica has managed to pull the pin on a grenade that has been sitting on the field for a while now. Beginning with a pilot project for the sale of (ironically) the anti-bribery standard ISO 37001, ISO is testing a draconian new pricing and licensing model that requires third-party CB auditors to act as de facto “copyright police” on its behalf. Worse, pricing for standards will now be set differently depending on which role you hold in the certification scheme.
Fortunately, there are a few workarounds to what may well be a patently illegal cash grab attempt by ISO here.
TLDR version:
- ISO can’t mandate CB auditors to do anything, since they don’t technically work for ISO.
- ISO can’t mandate that certification clients buy standards at all, since users can implement a system without owning the supporting standard.
- ISO has no legal staff to enforce any of this, and has abandoned copyright enforcement for over 10 years. Rolling that back now will face serious challenges in court. Selective copyright enforcement is not enforceable under law; it’s all or nothing.
- ISO cannot impose rules in standards that are aimed solely to improve its “monetization” goals.
- ISO cannot threaten de-certification for companies that don’t buy its standards; that’s extortion.
Differentiated Licensing Model
In what I suspect is a desperate attempt to fend off declining sales, ISO is rolling out what it calls the “Differentiated Licensing Model” (DLM) for its standards. Now, ISO standards will have different pricing depending on whether you are a user organization, a consultant, or a certification body. It’s not clear which of those groups will pay more than the others. Mind you, the content of the standard stays the same — the same words are on the pages — they are just charging some folks more than others for the identical content. This doesn’t even seem to be based on a traditional “bulk discount” model; it’s just price discrimination for one group over another.
I am betting the end-user organizations get the shaft and have to pay the most. ISO isn’t about to upset the CBs, since they will rely on them for this next part.
And this is where it gets really ugly.
CB Auditors Now Copyright Cops
Under the DLM, ISO is demanding that all CB auditors verify their clients have active licenses for standards at every single audit — initial, surveillance, and recertification — in a dramatic cash grab that cannot be legal. This is, no doubt, to prevent people from downloading the increasingly expensive and complex standards from sites like Scribd.com, Library Genesis, or Anna’s Archive.
CBs will also be tasked with ensuring clients have licensed copies of standards prior to any audits, as a condition of determining “audit readiness.” This does not appear anywhere in ISO 17021-1, where the rules for audit planning and audit programming appear, so it will be interesting to see if ISO forces ISO/CASCO to add it. If so, ISO will be altering the content of standards based on its own financial goals, further circumventing the principles of independence and consensus.
I want you to take a moment to think about this. For years, ISO has claimed it has no role in CB audits, and as a result, has taken no responsibility for violations of the standards it produces related to CB conduct, such as ISO 17021-1 or ISO 19011. Instead, ISO has insisted that it merely publishes the standards, but cannot enforce them. Enforcement has, instead, fallen entirely on the IAF, which has abandoned all pretense of doing that one job. Now, CBs can violate both ISO and IAF rules at will, as well as laws, without any consequence.
(ISO and the IAF are two entirely separate private companies, wholly unrelated.)
But, suddenly, when it comes to stopping the leak of revenue for ISO, Secretary General Mujica finds his mojo and decides ISO does have the authority to enforce things during third-party audits. But only related to the sale of its standards.
ISO intends to enforce this through its own CASCO committee, which will likely update ISO 17021-1 and ISO 17011 to include these rules. More on that in a moment.
This makes every certification body auditor an unpaid, conscripted “copyright cop” working for ISO, whether they agree with this position or not. Again: CB auditors are not paid to do this. This is forced conscription and, mind you, something that isn’t even supported by any law or regulation. ISO is a private publishing company, not a government that can conscript citizens to work on its behalf.
Consider the implications here. Imagine if your plumber were forced to check if you owned the license for the music playing over your home’s sound system while he was fixing the shower head. Or if a crossing guard was conscripted to check your child’s clothing to make sure you paid for them before letting them cross the street.
This move creates a paranoid, dystopian world where any private company can forcibly demand employees of entirely unrelated organizations to act as loss prevention guards for its product. And there’s nothing anyone can do about it.
Now consider that CB auditors receive zero training on copyright and trademark law, but are being asked to enforce them. This is an invitation for a lot of headaches.
Mujica Personally Intercedes
According to official documents obtained by Oxebridge, Mujica and ISO’s VP of Policy, Christoph Winterhalter, presented information on the DLM to the ISO/CASCO General Meeting in April of this year. CASCO (Committee on Conformity Assessment) is the committee within ISO responsible for standards related to certification and accreditation bodies, and it produces ISO 17021, among others.
The fact that Mujica and Winterhalter personally appeared at the CASCO meeting is unusual, and it reinforces just how desperate Mujica is to get certification bodies to toe the line. Clearly, Mujica is pushing to have CASCO standards incorporate language to support his new DLM copyright cop deputization project. According to minutes of the meeting, Mujica is facing pressure to come up with new ways to make money:
ISO is under various pressures (regulations, emerging technologies such as AI, social changes, etc.), and ISO itself needs to change. ISO members are diverse and not uniform, and new value creation and monetization are required.
Mujica is absolutely toxic, as always. ISO is a non-profit organization, and shouldn’t be concerned with “monetization” at all. Hell, he claims to be an NGO (although ISO does not meet the legal definition of NGO under Swiss law, so that’s up for debate). They are supposed to be a de facto charity, offering good works in exchange for not having to pay taxes. Mujica has run ISO as a commercial publishing house for his entire leadership run. This tracks, considering he had been criminally investigated back in his home country of Chile when he was running that country’s customs agency.
It also appears that Oxebridge’s draft Bill of Rights for Standards Users, which calls on ISO standards to be published for free, has reached Mujica. Per the minutes:
In response to growing pressure to make standards freely available, the ISO Chair and Secretary General of CASCO gave a presentation. We have clarified our views on copyright.
If CASCO yields to Mujica’s pressure, it will be compelled to incorporate content into official standards, such as ISO 17021-1, solely to enforce ISO’s “new value creation and monetization” objectives. This is a significant departure from what standards are allowed to contain per the World Trade Organization’s TBT regulations. If this passes, ISO can put whatever language it wants in any standard, simply to drive additional revenue its way. No more consensus.
To date, the WTO has refused to enforce the TBT rules on ISO, despite the fact that they were specifically created to constrain ISO from doing such things. WTO may be forced to finally step in, although it is unlikely.
Licensing Nightmare
Under DLM, if you want to put a copy of an ISO standard on a server, you will have to buy a different license… at, no doubt, a highly inflated cover price. CB auditors will then have to conduct in situ information security audits, just to ensure that you have the right license for the type of usage you have employed. Again… without any training or compensation for doing so.
And in an example of trying to catch the horse after it’s already fled the barn, ISO is saying its standards cannot be used for AI training. Too late, dummies, the AI companies have already absorbed your entire libraries and there’s no getting that horse back.
ISO is then requesting that national standards bodies, like ANSI and BSI, follow their misguided plan. This essentially concedes that ISO can’t enforce this thing in countries where the national standards body disagrees with the policies. Countries can still legally make ISO standards available for free if they so choose.
Given the participation by Winterhalter, who is simultaneously the head of Germany’s national standards body, DIN, we can assume that they have already signed onto this.
The Solution
The only good news is that ISO no longer has any in-house legal counsel, having dumped their former advisor, Holger Gehring, years ago. So they have neither the cash nor the lawyers to enforce any of this. That won’t stop overcaffeinated CB auditors from writing nonconformities if they find unlicensed copies of standards or if they perceive any other “copyright violation” their untrained brains might imagine.
Both national standards bodies and CBs must push back against this. They cannot allow themselves to be conscripted into providing — for free — support services to a third-party company that has no authority over them. There is no legally enforceable regulation or statute here, so NSBs and CBs can refuse and face no penalty. Let the IAF try to enforce this, given its long-standing inability to enforce its own MLA and IAF mandatory documents. Will never happen.
Next, there is an obvious magic bullet here. ISO cannot force you to buy anything. That’s illegal. So user organizations can simply declare, during an audit, that they do not have a copy of any ISO standards, so there’s nothing to pay a license for. For example, if I started a new company tomorrow, I wouldn’t need to buy the standard at all, since I have it in my head. ISO cannot force me to buy one under threat of decertification by a third party, or that’s extortion.
Write this next part down: companies are required to show conformity to the standard, not ownership of it.
For ISO 9001, at least, we will continue to offer the alternative, open-source Oxebridge Q001 standard, which companies can use to implement ISO 9001.
Meanwhile, China continues to push to develop its own alternate standards, free of ISO’s copyright and licensing, and appears ready to make them available for free. There is no way that ISO’s 1920s mindset will compete with what is coming from Beijing.
The full language of ISO’s insane cash grab appears in the Foreword for the new edition of ISO 37001, which you can (legally) read here.
If you’d like a refresher on the insane way ISO makes money by taking other people’s intellectual property and then keeping it for itself, see my video here.
Hat tip to Management Systems World for the reporting on this (paywalled) and this post on LinkedIn by Joanna Nowak-Milewski (in Polish).
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 35 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world