Can ISO standards be referenced in international business contracts?

Sheerin Kalia · Sep 24, 2023

Yes, they can, and it is a good idea to reference them whenever they apply. The International Organization for Standardization (ISO) publishes the international standards known as "ISO standards". ISO standards are not law: they are internationally agreed best practices and requirements, written by expert committees for the benefit of manufacturers, sellers, buyers, customers, users, trade associations and regulators. They cover everything from manufacturing processes to service delivery. The most widely used include standards for management systems, information security and privacy, quality management and net zero guidance.

For example, when purchasing goods from an international supplier, the contract can stipulate that the supplier's quality management system must comply with ISO 9001:2015 (Quality management systems – Requirements). Such a warranty gives the purchaser a contractual basis for expecting consistent product quality and compliance with applicable regulatory and statutory requirements, and it can be helpful when defending product liability claims. ISO 9001 is the best known of the certifiable ISO management system standards (others, such as ISO/IEC 27001 for information security management, can also be certified against); to date, over one million organizations worldwide have been certified against it.

In service agreements, the supplier often needs access to the purchaser's data to fulfill its obligations under the contract. It is common to grant a license to use that data for the term of the contract and to reference ISO standards for information security management. A contract clause referencing those standards could state:

"The supplier's information security management system will comply with and apply the controls in ISO/IEC 27002:2022 (Information security, cybersecurity and privacy protection — Information security controls)."

IEC is the International Electrotechnical Commission, which publishes the ISO/IEC 27000 series jointly with ISO. Note that ISO/IEC 27002 is a catalogue of information security controls with implementation guidance; the requirements for an information security management system, and the standard an organization is actually audited and certified against, are in ISO/IEC 27001. If the purchaser wants an auditable commitment rather than a general promise of good practice, the clause should require the supplier to hold and maintain ISO/IEC 27001 certification whose scope covers the contracted services (and to provide the certificate and statement of applicability on request), with ISO/IEC 27002 as the reference for how the controls are implemented. Maintaining the confidentiality of the data would be dealt with in the confidentiality provisions of the contract, which usually stipulate that the confidentiality obligations continue to apply after the contract term ends.

Of course, these are just examples, and the wording of the provision above may not be enough to achieve the desired outcome. You may also want to reference the supplier's own risk management policies and protocols in addition to the ISO standards, and to name the edition of each standard (ISO/IEC 27002:2022 replaced the 2013 edition, so a clause that gives no year leaves it ambiguous which set of controls applies). When drafting the contract, also consider related ISO standards that may apply to your specific situation, such as ISO/IEC 27701 for privacy information management.

