Season 1, Episode 2

Turning your ISO certification into a sales secret weapon

In this episode of 2Techy, host Lauren Keeves is joined by Jason Maricchiolo to explore how MSPs can move beyond the checkbox mentality of ISO certifications and turn them into powerful tools for growth. From building trust in tenders to empowering sales teams with the right talk tracks, Jason shares practical ways MSPs can strategically leverage certifications like ISO 27001, 42001 (AI), and others to win new business and strengthen internal operations.

They dive into real-world examples, discuss the rise of AI governance, and highlight why training across all layers—from service desk to SLT—is essential for communicating value. Whether you're already certified or just starting the journey, this episode will challenge your thinking and help you unlock the full potential of ISO in your MSP.

transcript

Lauren Keeves
Now you're no stranger to podcasts. You've been seen across the industry in many, but in this one, we're going to take a slightly different direction. We're going to talk about how ISO certifications can be leveraged within a company's sales and marketing.
So beyond just getting a certificate, to dive straight in, how have you seen MSPs leverage their certification to drive tangible benefits internally and track new business?
Jason Maricchiolo
Yeah, so it's great to be able to talk about this part of ISO certification, Lauren, because generally, you know, it's always about the implementation side and the technical controls. And I've got a strong passion about what to actually do with this thing once you get certified.
So, yeah, I've definitely seen different MSPs using the certification to help with their sales process and also to build trust with their clients. And so I always, you know, I always instruct my, you know, my partners once we're done, you know, this isn't the end, this is the start. And now you need to really start to, to promote your certification and start building that trust with your clients, but also, you know, future prospects. So definitely seen many different versions of it across the board, mainly as well in tenders. So in the tendering process, I've seen a lot of MSPs leveraging that certification to be able to, you know, differentiate themselves in that tendering process.
Lauren Keeves
Yeah, amazing. So how have you seen it translate from operational improvements to actually having a clear linear connection to the key differentiators within their proposals or client presentations? What are they calling out?
Jason Maricchiolo
Yeah, so from an operational perspective, we train partners how to effectively run a risk register. So they're running their own risk registers now internally. And so they're, you know, they're assessing and treating risk internally. We're training staff on how to also assess and treat risk internally. But then that kind of has an outwards facing aspect as well. Because now once they learn that practice, they're starting to do risk registers or at least starting to how to assess and treat risk within client sites or even using that as a discussion point in monthly meetings or account management meetings or in their quarterlies or QBRs, whatever anyone's going to call it at any point in time. So there's definitely an operational benefit that comes out of an ISO project because they're learning along the way as well and they take those practices into their clients as well.
Lauren Keeves
Yeah. So then do you see them communicating that either to their existing clients or new businesses or do you find that it kind of just falls to the wayside? And again, something that once they've been through it internally and they're in that process, it's, you know, front of mind that, but do they actually go about communicating that?
Jason Maricchiolo
Well, yeah, well, I hope so. So they should definitely be communicating the risk that they're uncovering within their clients' sites because that effectively leads to projects, right. So I always say that, you know, by finding a gap or finding a risk within any organisation that should lead to some form of project in, in this case a technical project. So yeah, they definitely should be doing something with it if they're not. But it's again, it comes down to the training and, and how confident they are in using things like risk registers to be able to drive that conversation forward.
Lauren Keeves
Yeah, yeah. Well, from my side, when I've come across businesses that have gone, Yep, OK, we've got our ISO certification, whichever one it, you know, might be, it's been like, right, let's just pop the logo on the foot of our website or let's just, you know, check it on our email signature done and dusted. But obviously there are so many more opportunities.
What have you seen from your side and what's worked well, to really showcase their achievement actually like, and that actually means something beyond just chucking it up onto those platforms?
Jason Maricchiolo
Yeah. Look, the lowest hanging fruit is to update the website, put it on your email signature. That should just be the minimum that you'll get that you're doing after an ISO project. But for those that know how to leverage it, that's when the real value comes in. So, you know, we're talking about adding those logos to proposals and making sure that we're attaching certificates to either these proposals scopes of work, even tender responses. Clearly that's a big player if you are in the tender game. But the, the other aspect as well that we love to train partners on as well is to make sure that the sales team knows what it is we just did right.
So if, if a BDM or you know, a sales leader or anyone doesn't know how to talk the ISO language and start to actually understand and communicate what we just did as a team, if they can't communicate it, then there's a big opportunity there that's lost. OK, because sales, you know, sales guys and girls that are out there, they should absolutely be able to talk that ISO benefit to their clients to be able to show that they're a trusted MSP. They've been through an external auditing process. You know, these are the controls that are in place. They don't need to become ISO experts. They just need to know how to talk to it because it is a significant achievement and a significant investment at the end of the day. So it's worthwhile getting the sales team knowing how to actually talk to it.
Lauren Keeves
Yes. So have you seen scenarios where it's actually been the deciding factor for the end client when choosing a partner?
Jason Maricchiolo
Yeah, yeah, partner plenty of times. Generally what happens is either when it comes down to the short listing, the, the quickest way to knock anybody out that, that even if they do have a great response is to go, well, let's start at the, at the very top.
Are they ISO certified? Because if they've got 3 or 4 partners in there out of six that are certified, then it immediately helps to make that decision a bit easier for the buyers. So, you know, we now use it.
We've now gone to the scenario where there was 6, two of them might not have been certified. And then it comes down to, you know, now we've got 4. That's a bit more of an easier decision to make and then you dive into to those four and it could come down to how well have they communicated their ISO status in their tender response and also the scope of their ISO certification as well.
We have seen where scopes have been extremely limited and that's something that we're really passionate about that we want to make sure that the scope of an ISO certification covers the entire business and it only just, it just relies on you just reading what that scope statement is to see what it doesn't include.
So yeah, I've definitely seen the ISO be the differentiator between definitely bringing down the pool of prospects and then ultimately being the one that could win out.
Lauren Keeves
Yeah, yeah, and because from my side, I've seen a shift. Most MSPs that haven't got a strategy in place will say their target market is any industry and have around 20 to 200 seats. Now that's a whole other conversation. But I've seen now that shift, or at least with the ones that I'm working with, they're going after the 50+ at a minimum. And those more mature businesses are looking for these types of certifications. So, yeah, if you aren't really forward with it or getting in front of people, you can easily miss out on opportunities to tender.
So now obviously you talk about the importance of the sales team being able to articulate that message. Is that something that you help with in terms of that talk track so it lands and actually makes an impact?
Jason Maricchiolo
Oh, of course, yeah. I mean, for all our partners, the offer's always there as well to sit with the sales team and actually train them on how to speak that ISO language and to use it as a sales tool. Because at the end of the day, you know, you've just gone through a massive audit, you've just gone and invested in what you have from a monetary perspective. And so, yeah, it's definitely something that we help with and we teach, we teach those leaders on how to speak to that ISO certification. And in some cases, you know, we're only really using ISO as a general term here. But if you start to actually look into which ISOs you are certified to, there's different ones, right? So there's ISO 27001 which is clearly the infosec one, the one that everybody in our space is I suppose latching onto and you know, and is at some point needing to become certified to.
But then you've got some other forward thinking and progressive partners that have gone and got the quality certification, which is more about making sure that the service desk and that the customer satisfaction side of the business is also being looked at.
And, you know, having that quality certification is also a massive tick box when it comes to trying to win work. Because, you know, we're not, we're now not talking specifically about the cyber side and how secure you are, but it's also about the fact that we take negative feedback and we take neutral feedback and we do something with it. You know, we're not just going to let it slide. If we get a negative feedback, we're going to follow it up and we're going to raise corrective actions over that.
So, you know, there's many different avenues that, especially from a sales perspective that you could be using these certs to really strengthen your offering to any particular prospect.
You know, you've got environmental as well.
OH&S depending on what industries that you're selling into.
I know a couple of MSPs that have gone down the environmental path because they have clients in that vertical, OK. And so that's just an added benefit for those clients and an added bit of assurance for them that their MSP is also environmentally sustainable and actually cares about the environment.
So there's many different ways to be able to use your ISO certs and message that to win work.
Lauren Keeves
So is there a standout campaign without naming names, is there something that you can share with the viewers that you would recommend that they do to really emphasise through their marketing?
Jason Maricchiolo
Great question. So I don't have a specific named example, but you know, in a hypothetical example, I would, you know, if I was certified to, you know, Infosec and environmental and quality, that would absolutely be something that I would draw up a capability statement that is specific around that that environmental industry, if that's what I was going for. And I would use all three standards to kind of paint that picture of why we are the best in, you know, that particular vertical.
So you could use the same thing for the financial system or even from a professional services vertical. Depending on where you're playing, there's different ISO standards that can help you out.
Most recently, we know that the AI standard, which we might talk about a little bit later, came out, which is ISO 42001.
And so that's another example of another area where you could, you know, definitely leverage what you're doing in AI and actually, you know, put a certification around it to show your partners that, you know, you know what you're talking about and that you can really help them.
Lauren Keeves
Yeah, yeah. I think making that connection, they'll kind of put that into one box and then they'll put the services into another box rather than actually draw the lines between them. And that's a very similar conversation that I'm having either from a target market or ICP standpoint, rather than just trying to reuse the same script or push the same pitch onto different clients. They've got different interests, they've got different challenges that they're having. And so from a services perspective, they should be tailoring it to actually talk to the client's language and what it means to them. And the same applies for the ISO certifications, right? How can you tailor it like a capability statement per vertical as to the actual play to the ISO strengths, their strengths, and you're really blend it together.
Jason Maricchiolo
Yeah, yeah, it's such a great point. It really is. And it's something that I think that once we learn how to leverage the discussion around the ISO and how to actually talk to it, I feel like it then becomes second nature. So, you know, for those that aren't certified or haven't gone through a process themselves, it's kind of a different language. But then once you are in it and you've been through a bit of an implementation, you know, and you start to learn, you know, how it all works and how this can then relate back to clients and verticals, that's when I feel like I see a bit of a transformation happen within an MSP.
Lauren Keeves
Yeah, for sure. You already started sharing around the AI certification and I know that's quite a hot topic. What do you see becoming of that and how fast do you think it's going to get picked up?
Jason Maricchiolo
Yeah, it look, it came out at the end of 2023 and it took a good solid year for it to kind of embed and for anyone to, you know, get the standard, understand it and then be able to build out systems. So we just became one of the first in Australia to become certified to the ISO 42001.
Lauren Keeves
Congratulations!
Jason Maricchiolo
Thank you very much.
But there's a reason why we wanted to do that, because we wanted to help our partners lead the way from an AI governance perspective. And we thought the only way to do that responsibly was to actually go through it ourselves. And so we wanted to, we wanted to do it and we did it. And we got certified, you know, a couple of weeks ago.
And so now we've seen probably, you know, it's, it's now about 10% of our MSPs that are actually already adopting ISO 42001 and they are bolting that on to their existing ISO 27001.
And so that is a really good way to be able to leverage both standards. And they just have missions to become the thought leaders and lead the way from an AI governance perspective. So they're walking the walk as well. So I definitely see that it's a small adoption at this point.
It's not something that everyone's diving into unless you're, you've either got some help like us or, or you know, you're on that bleeding edge yourself. But I do feel like it's something that 2026 will bring because we have been talking about 27001 for years now.
You know, going back about 8 or 9 years, you could have said that this was more just an enterprise kind of, you know, certification 27001. But what we've seen is that it's definitely trickled down to literally everybody now because it does scale really well with any size business.
It doesn't matter if you're one business or if you're 500, it scales extremely well because everything is a risk based approach and the standard is a management system on how to manage your risk. So we've found that now it doesn't matter what size you are. Your supply chain and things like insurance companies are looking to reduce their risk profiles of, you know, the companies that they're insuring. And one way to do that is to be able to, you know, produce an ISO certificate.
Lauren Keeves
Yeah. And of that 10% out of interest, are they already kind of in the market or are they proactive with selling Copilot licences and building, you know, business processes or AI bots, you know - are they actively doing that or are these ones, you know, wanting to get the certification before they start pursuing that path?
Jason Maricchiolo
Yeah, really, really good. Good question.
So now the 10% that are doing it with us now they're all doing something in AI. So it's not something that they are using the certification and then they're going to start. They are all doing different things.
So we could be talking about some building internal tools to be able to help answer questions so that others don't have to, you know, humans don't have to answer those questions if they're, you know, well documented and things like that.
We've got others that are using AI to, to categorise tickets within ticketing systems.
And so there's tools out there that do all of those kind of things.
We have those that are leveraging AI to be able to communicate to clients on their behalf so that, you know, what we call, you know, external facing AI and that has its own challenges as well because you need to govern, you know, those just as much as you do on the internal side.
So it's been such a great experience to be able to do these workshops across our client base because, you know, everyone is doing something different and it's really exciting to see what they're actually working on.
Lauren Keeves
I can't wait to see what comes of that. With the opportunity for businesses to explore 42001, do you think moving forward it would be something that they do before going external, but they're having to do it internal or do they need to understand what they want to take to market before they go through with the process?
Jason Maricchiolo
I would put it this way, anyone that is looking to get to that 42001 level, I would say that they at least need to be ISO 27001 certified. It's a very good addition to a 27001 ISO because as we know 27001 is based on information security. And so the information that's going into these AI systems, it needs to be protected and secure as well, right? So there's no point kind of trying to go out and doing 42001 in isolation. You absolutely can do it.
But I feel like in our space, in our MSP industry, I believe that it's a better addition to 27001 because let's face it, the 27001 is going to be the ticket to play in most cases. So we need to get that done and dusted and out of the way.
And then it just becomes about, OK, now how can I leverage this commercially and adding on an AI system might be the answer to that question for that particular company.
So no, I think it can be something that as long as we can leverage it and we understand how to use it and talk to it and show clients trust because what we are now building for them, we've got proper AI ethics and code of conducts and transparency principles and all of those things front of mind when we're actually building these things out for our clients.
So it doesn't have to be something that they have to wait until they're ready to go and do it.
I feel like they can start the process at any time, whether or not they're doing a lot with AI or not, and then using that to help build their capability.
Lauren Keeves
Yeah, right. Well, let's now talk in a general sense again, across the board. We've already touched on how the sales team need to start leveraging it and having that talk track around that. But what benefits do you see with training any layer of the service desk up to, you know, sales and SLT, how much time and what would you recommend for getting them to also have some sort of talk track, you know, they're the ones interacting with the clients day to day? What are your thoughts there?
Jason Maricchiolo
Absolutely. So training is definitely a part of an implementation from a technical standpoint and an operational standpoint. So the way it generally works is even if you take a new hire, they go through their typical onboarding, you've got all of your, you know, your normal, you know, HR related onboarding items, but then the ISMS becomes a part of their onboarding. So they read the policies, they sign off on them, they make sure that they understand their roles and responsibilities. They understand that, you know, there's consequences if we breach policies, just like there would be with any other company policy like a drug and alcohol or, you know, a motor vehicle, one that you know, that we have as well.
So there's that aspect there where staff really do need to be onboarded to, to any management system, understand that it exists and then understand their roles and responsibilities because we all have them in every single system.
And then from a technical standpoint, it's always good for, you know, whoever can know the technical side of the standard to, to know what our rules are.
Things like acceptable use policies and things like that will always help to explain to, you know, either younger staff or staff that necessarily aren't on that, you know, that senior engineer level.
It will still help them understand how this supposed to use and govern their information. You take someone in a finance team that may not be technical at all, but they've got some really confidential documents that they are responsible for. We even train those in those areas. Don't go sending Excel spreadsheets with everyone's payroll information around to each other because that is a surefire way to make a mistake. You could send it to the wrong person or something else could happen to that data.
So training across the board is absolutely imperative in my book.
Lauren Keeves
OK, so thinking about the audience or the end client here, do you find that you have to go to, you know, those great lengths to describe, you know, the ISO certifications, how it's relevant to them because there's gaps in their knowledge from the receiving end?
Jason Maricchiolo
Usually what I find is that being armed with the information upfront can help with some trickier sales meetings. So generally it's not just decision makers in there, but you have key influencers. You might have someone technical, an IT manager or someone that isn't a stranger to the ISO. And so they might turn around and ask the salesperson, you know, can you talk to me about your scope of your certification? And if, if that salesperson doesn't know what the scope of the certification is, that's almost a telltale sign that it was a tick box exercise. You know, no one really actually trained this person on what a scope is. And they can't answer the fact that it is the entire organisation, including any outsource providers in any other countries or whether or not it's just the local branch or the local office and everyone else offshore is actually out of scope. So I find that being able to talk to the standard can also help on those trickier, you know, conversations that might be a little bit further down the garden path, not just the first meeting that you're having with the prospect.
Lauren Keeves
Yeah. And I know I, I agree. I think there are many creative ways that you can integrate, you know, trying to articulate it both to you and have the different audiences. Like he said, you've got the ones that will call you out on the spot, making sure you understand the scope, but then you've got others that they don't understand what it truly means. So producing even content that can help them in their own education of it, because we know the buyer's journey most of the time they're doing all of their own research and background you before you've even walked in the door. So if you don't have enough on that side, yeah, and you're not armed to have those conversations, you know, they'll grill you and they'll try and find the right provider.
So yeah, the salesperson who's actually going into the room needs to be across the scope, but also content needs to be there on the website. And they actually know what they're doing. And like you say, it's not just a tick box exercise that they put the logo there and they're actually using it and leveraging it to its fullest.
Jason Maricchiolo
Absolutely. And we're really good at being able to talk to technical stacks. You know, a lot of the sales process becomes, you know, we use this tool and we partner with this, you know, cyber company or whatever it's going to be. We're really good at talking about tools and partnerships, but then what actually ties all of those tools and partnerships together is actually your ISO certificate.
And so, yeah, we just, we just need to make sure that we can actually communicate that and it'll just mean, you know, you have a much smoother sales process just to try to get through those first couple of, you know, entry points.
Lauren Keeves
Well, I guess as a key takeaway, what are the key things that you want the viewers to walk away from this conversation with, you know, either things that they need to do or things that they need to think about?
Jason Maricchiolo
Yeah. And I look, I've been at this for 2 1/2 years now, which has been crazy that it's gone this fast. And my message has always been the same.
There are many MSPs out there, although a lot have started and although we have done, you know, our fair share by our own admission to be able to uplift a lot of MSPs that are partnering with us. There's a lot more out there that just either haven't made the decision yet to be able to go down this route or are potentially just a little bit hesitant or don't know what the next step might be or how much things cost.
So my key takeaway is always just start asking those questions. Message me on LinkedIn. I'm not hard to, to find these days. And I'm always happy to talk to anybody that wants to have just a friendly conversation, even if it's not around ISO. But yeah, just start the conversation, figure out what it looks like within your business. Find out who is likely in your client base to be the ones that will first ask you at some point, you know, hey, I'd like you to start getting your ISO because our insurance providers are now looking upstream and we need assurances from you. Figure out who those key partners are, but then also think about what areas or what arenas you want to play in from a growth perspective and figure out, OK, how long is it going to take me to get certified? What do I need to do to be able to play into these areas and then build your strategy from there?
So yeah, my takeaway is just start with a phone call and figure out what that looks like because you'd be surprised often how this can fit in with your business. And you know, it's not as daunting as many make it out to be.
Lauren Keeves
Great. Well, from my side, I just want people to slow it down a little bit once they've been certified. Yes, you want to just go, go, go. You've worked so hard to get to this point, but you want to make sure that you communicate it right, you communicate it fully and that the team are armed. You know, whether it's sales, finance or even the services team, like everyone needs to be on the same page and have their talk track, you know, ironed out so they can actually convey how important it is. And you know, what they've gone through is huge, and you know what it actually means to their clients. There's no point in just chucking it onto the website and your email signature. That's just a given.
They need to actually be strategic with it and have actual impact. So don't rush straight out the gate. Once you've been certified, if you put a plan in place to communicate it right, you'll be so much better off.
Jason Maricchiolo
Yeah, it's a great point. I completely agree. The amount of times I've seen, you know, in our industry, you know, that response we just got certified, you know, it's our commitment to, you know, XY and Z, it's fantastic. But then I would love to see the follow up. And some MSPs do it really well and others they just probably don't have that manpower behind them yet to be able to take that marketing and leverage it the way that they can.
So yeah, it's a very good takeaway.
Lauren Keeves
Well, thank you so much for joining me today. It's been great catching up and I myself have even learned a few things. So I hope the viewers have got something from this and can take it back to their business. And yeah, like you say, just start asking questions.
Jason Maricchiolo
That's it. Awesome. Thanks, Lauren. It's been great. Thanks for having me.

Jason Maricchiolo

Managing Director

ISO365

With more than 15 years of experience supporting Managed Service Providers (MSPs), Jason has built his career on helping businesses streamline governance and achieve ISO certifications without unnecessary complexity. As the founder of ISO365, he focuses on making compliance practical, effective, and aligned with everyday business operations. Jason guides MSPs through the entire certification journey for standards such as ISO 27001 (Information Security), ISO 9001 (Quality Management), ISO 14001 (Environmental Management), ISO 45001 (Occupational Health and Safety), and ISO 42001 (Artificial Intelligence Management). By integrating compliance directly into workflows and leveraging platforms like Microsoft SharePoint alongside familiar tools including ConnectWise, AutoTask, and Zendesk, he ensures smooth implementation with minimal disruption. Acting as a Virtual Compliance Officer (vCO), Jason works closely with teams to simplify compliance, instill confidence for external audits, and maintain certifications long-term. Always approachable and ready to share insights, he encourages MSPs to reach out for a conversation about their compliance journey.
