Why your corporate communications agency needs ISO 9001 and ISO 27001 (especially in 2026)

Corporate communications agencies sit closer to sensitive information than most people realise.

Not just press releases and social copy — but:

  • strategy decks and board narratives

  • crisis playbooks and incident comms

  • M&A messaging, stakeholder mapping, internal comms

  • executive profiles, media training notes, and “what we can’t say yet”

That means your agency isn’t only a creative partner. It’s also an operational extension of your organisation — and a potential risk surface.

This is why ISO 9001 and ISO/IEC 27001 matter.

ISO 9001: your communications output should be repeatable under pressure

ISO 9001 is a quality management system standard focused on consistent processes, leadership accountability, measurement, and continual improvement. (iso.org)

For a communications agency, that translates into very practical benefits:

  • reliable workflows (brief → production → approvals → delivery)

  • fewer “version control” disasters and missed steps

  • clearer ownership: who signs off, who checks, who publishes

  • better handling of urgent, high-stakes moments (crisis, investor news, regulatory comms)

In short: you’re not buying “creativity”. You’re buying creativity that still works at 11 pm on a Friday in a crisis.

ISO 27001: your agency must manage information risk like a grown-up

ISO/IEC 27001 is a standard for building and maintaining an information security management system (ISMS): identifying risks, applying controls, assigning responsibilities, monitoring, and improving over time. (iso.org)

Why this matters for comms agencies:

  • Agencies handle data and documents across many clients (a compromise hits multiple brands)

  • Comms teams often exchange files fast (email, shared drives, collaboration tools)

  • PR workflows involve third parties (freelancers, media lists, production teams)

ISO 27001 pushes a culture and system around:

  • access control (“Who can see what?”)

  • asset management (where your client files live)

  • incident response (what happens when something goes wrong)

  • supplier risk (how third parties are handled)

The myth: “ISO = 100% secure / 100% efficient”

This is where many people overstate what ISO means.

  • ISO 27001 does not guarantee 100% security. It’s a risk management framework with continual improvement, not a magic shield. (ISMS.online)

  • ISO 9001 does not guarantee perfect efficiency. It demonstrates a managed, auditable approach to quality and improvement — not flawless output forever. (iso.org)

And that’s actually a strength: the standards are designed around reality — risks exist, pressure happens, and people make mistakes — so you build systems to reduce likelihood and impact.

Why it is vital for the “securitisation” of corporate strategy

If your corporate strategy is a competitive asset, then communications is part of the security perimeter.

A certified agency signals the following:

  • Governance (defined processes, accountability, documented controls) (iso.org)

  • Discipline under scrutiny (audits, corrective actions, continual improvement) (iso.org)

  • Lower operational risk when dealing with confidential narratives

In high-stakes environments, trust isn’t a feeling — it’s a system.

What to ask your agency (simple checklist)

If you’re selecting or reviewing a comms partner, ask:

1. Are you certified to ISO 9001 and ISO/IEC 27001 (not “aligned with”)?

2. What is the scope of certification (which offices/teams/services are covered)?

3. How do you handle access control, file sharing, and offboarding?

4. What’s your incident response process and reporting timeline?

5. How do you manage suppliers/freelancers who touch client materials?

Bottom line

ISO 9001 and ISO 27001 don’t promise perfection. They prove something more valuable: a verified operating system for quality and information security — exactly what you want from an agency trusted with your corporate narrative. (iso.org)

About the Author

Steve Gardiner (exec MBA) is a senior marketing and commercial leader at Lighthouse PR, bringing global experience from Accenture, Electronic Arts, Virgin Media, Telekom, and Etisalat. Latterly, as VP Business at Etisalat, he was responsible for $1.8B in revenue.

Today, Steve applies his strategic, marketing, and growth expertise to support Lighthouse PR clients as part of the agency’s service offering. 
