News and Articles

December 2nd, 2009

Mistakes to Avoid with ISO 27001

With any project as complex as the implementation of ISO 27001 there are some things to avoid.   Here are two quick things you shouldn’t do.

1. Don’t focus on information security.  Although it sounds counter-intuitive, only the “content” of ISO 27001 is about information security.  What’s more, if you can manage that and focus instead on the ISO 27001 process, the process will ensure that information security is taken care of properly in your organization.

ISO 27001 is a management system standard.  It describes requirements for a system for managing information security.  It does not include information security itself, merely the processes through which you will manage information security.  If you put those processes in place effectively, they (and you, through them) will effectively manage your information security.

The management system processes fall into two categories.  The “primary” processes in the standard are those that let you understand your current information security position, quantify the risk to your organization, and plan actions either to accept the risk or to reduce it to an acceptable level.  It is implicit that senior management will be involved: either accepting a poor security position or paying to lower the risk.  There is no requirement in the standard that the risk has to be addressed or lowered, merely that management acknowledge it and accept it.  Other primary processes include a process to react to security incidents (or near incidents), contingency planning covering information security, and a process for maintaining access to information security contacts and to information security legal requirements.

In addition to the primary processes, “support” processes include document control, records management, training, internal auditing, management, and corrective and preventive action.

All of these processes must be formally defined in written procedures that describe a coherent and comprehensive system of processes that help understand and control information security.

It has to be said that although ISO 27001 is not “about” information security, it does make specific reference to information security technologies.  In an appendix it lists a number of general categories including physical access, human resources, communications, operations, etc.  These categories are expanded in some detail in ISO 27002, and ISO 27001 requires that these controls are considered when reviewing risks in the organization and that the non-applicability of any of them is formally justified in a “statement of applicability”.  Thus the pair of standards do require and cover information security, but as mentioned earlier none of the controls is mandatory in itself.  Further, certification is about having a formal management system that ensures information security is consistently and continually addressed, so that it is and remains effective.  If you focus only on the security issues you are not contributing towards ISO 27001 certification, and you are not assuring the consistency and continuity of information security management.  Don’t ignore the security issues, but deliberately address the management system issues.  That is the long term solution.

2. Don’t overcomplicate your risk assessment method.  Risk is a calculation derived from probability and consequence.  To make it objective it needs to be quantified as a numeric value so that it can be compared to what management says it will accept.  This can be quite complex.  Ultimately, risk usually includes subjective assessments of what the probability is and what the consequence might be.  There is a tendency to attempt to formalize each step, and even to break steps into multiple stages, so that the subjectivity can be limited.  However, the truth is that when you add all the stages together the subjectivity still exists.  Keep the risk assessment methodology simple.  What is the maximum value of the information asset that may be compromised?  How serious is the threat?  How serious is the vulnerability?  (Avoid breaking it down further than this.)  And when assigning numbers, try a 1–5 scale rather than 1–10.

The key factor in a good risk assessment is to identify the risks.  Most people in your organization will understand what that means when the risk and its consequence are described, and they will know how serious they are.  So long as you do a good job of identifying risk, the numbers assigned and the range they fall within are less important.

If this is your first attempt at a risk assessment then keep it simple.  You can always make it more complex next time around.
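To show what the simple method above looks like when written down, here is an added example (not from the article or from Cavendish Scott): a small risk register that scores asset value, threat and vulnerability on the recommended 1–5 scale, multiplies them into one risk figure, and compares each figure with the level management has said it will accept.  The register entries and the acceptance threshold are constructed for illustration.

```python
# Added example: minimal ISO 27001-style risk register using the article's
# three-factor method (asset value x threat x vulnerability, each scored 1-5).
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # the article recommends 1-5 rather than 1-10


@dataclass
class Risk:
    asset: str
    value: int          # maximum value of the asset that may be compromised
    threat: int         # how serious the threat is
    vulnerability: int  # how serious the vulnerability is

    def score(self) -> int:
        """Single risk figure; rejects scores outside the agreed scale so that
        a stray 1-10 rating cannot silently distort the register."""
        for name, v in (("value", self.value), ("threat", self.threat),
                        ("vulnerability", self.vulnerability)):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.asset}: {name}={v} is outside "
                                 f"{SCALE_MIN}-{SCALE_MAX}")
        return self.value * self.threat * self.vulnerability


def assess(register, acceptable_risk):
    """Return (asset, score, decision) per risk, highest score first.

    A score above management's stated acceptable level must either be reduced
    (treated) or be explicitly accepted by management; anything at or below
    the level is accepted by default, which is what the standard asks for."""
    rows = []
    for risk in register:
        score = risk.score()
        decision = ("treat or management sign-off" if score > acceptable_risk
                    else "accept")
        rows.append((risk.asset, score, decision))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register (hypothetical assets and scores).
SAMPLE_REGISTER = [
    Risk("customer database", value=5, threat=4, vulnerability=3),
    Risk("marketing brochures", value=1, threat=2, vulnerability=2),
    Risk("laptop fleet", value=4, threat=3, vulnerability=4),
]
ACCEPTABLE_RISK = 30  # constructed: the level management has agreed to accept

if __name__ == "__main__":
    for asset, score, decision in assess(SAMPLE_REGISTER, ACCEPTABLE_RISK):
        print(f"{asset:<20} {score:>3}  {decision}")
```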

Cavendish Scott, Inc. is experienced at implementing ISO 27001 management systems.  We guarantee successful ISO certification and design and implement practical and easy to maintain systems.  We also provide ISO 27001 training and conduct ISO 27001 audits including gap assessments.

November 19th, 2009

What the Quality Professional Needs to Know about AS9100C – Presentation (Nov 2009)

Diana Lough and Emily Myers

What the Quality Professional Needs to Know about AS9100.

This presentation covers the application of AS9100 in a general sense, talks about the differences between AS9100B and AS9100C and discusses the timelines for implementation of the new AS9100C.

October 30th, 2009

How to Fix Your Quality System to ISO 9001:2008 (Presentation)

Colin Gray gave the attached presentation to the Northern Colorado ASQ in September of 2009.

Northern Colorado ASQ Presentation Fix your QMS to ISO 9001:2008

The content included:

  • A review of the changes to the standard (no real changes)
  • A review of the corrigendum fixing errors with the new standard (no real errors – only in appendices)
  • The implementation timescale – no ISO 9001:2000 certificates to be issued after November 15, 2009.  No ISO 9001:2000 certificates in existence after November 15, 2010.
  • Example of a poor nonconformance issued against the changes (withdrawn by the auditor after a complaint – but beware)
  • Key implementation activities

October 30th, 2009

Regulatory and Statutory Compliance: It’s Everybody’s Business (Presentation)

Diana Lough gave this presentation to Pikes Peak ASQ in September 2009.

Pikes Peak ASQ Presentation. Regulatory and Statutory Compliance: It’s Everybody’s Business

09 Sep 2009 ASQ Presentation by Diana Lough

TITLE: Regulatory and Statutory Compliance: It’s Everybody’s Business

Regulatory and statutory compliance has long played a part in business. Traditionally the emphasis has focused on the safety and efficacy for raw materials, components, sub-assemblies and finished products sold. It often included third-party testing resulting in a listing or mark on the product and for finished products and/or it may have required a registration or license with a government agency. Where there are regulatory and statutory requirements, compliance is mandatory and enforceable. Failure to comply can result in product confiscation, lost future sales, fines, and in severe cases, plant closures and legal prosecution. No matter the scale, failure to comply requires time and resources (and therefore money) to resolve the issue along with interruption to the business and failure to meet customer needs.

In today’s global marketplace, more governments are increasing “protection” for their citizens. More countries are following in the footsteps of Europe, Japan and Australia by requiring product registrations and in-country representation. Medical device exports have more stringent requirements. In some countries, medical and consumer product labeling and/or instructions for use must be translated into their official language.

And with the changing emphasis on the environment, the impact has broadened and more statutory requirements are coming into play. Local laws and ordinances may govern your organization’s waste stream, nuisance control and other negative impacts on the environment. Depending on the destination market for your product (national or international), there may be statutory laws regarding the product’s packaging (content and disposal) and the end of product life disposal. Legislation for banned chemicals is more commonplace, particularly in Europe and Canada. And transportation of goods even has country-specific restrictions.

So what business processes are impacted? New product development and design changes are still a primary focus. But regulatory and statutory requirements also impact marketing, sales, manufacturing, shipping and transportation, disposition of nonconforming material, facilities management, complaint handling, documentation, record keeping, and management. A brief overview of process controls for each of these will be covered.

The sky isn’t falling by any means. By ensuring your business processes are defined and implemented with adequate controls, your organization will maintain compliance and keep up with our changing world.

October 30th, 2009

Avoid Famous Mistakes with ISO 9001

People have been making mistakes for tens of thousands of years. Since the industrial revolution, the impact of certain mistakes has grown immensely. Before the industrial revolution, a dull tool used in machining a part would likely only impact one part—since parts were made one at a time. With the advent of mass production, a dull tool used in machining could impact hundreds of parts.

ISO 9000 is written by quality professionals all over the world, professionals who have had a lot of experience with industrial mistakes and problems caused by poor control over processing. So, ISO 9000 can be viewed as a collection of situations that need to be controlled in order to avoid well-known sources of quality problems. In fact, each and every requirement of ISO 9001 is intended to promote adequate control over organizations’ operations and improvement of organizations’ processes.

Taking the requirements of ISO 9001 in order and treating them very generally, let’s incorporate each of the requirements into the phrase: “If you don’t x, you can expect quality problems.” (For comedic relief, you might imagine the following list as being akin to Jeff Foxworthy’s, “If you x, you might be a redneck.”)

  • If you don’t have a system to manage quality, you can expect quality problems. In other words, if you have no systems in place to ensure quality in processing, processes will become idiosyncratic and dysfunctional. This will cause quality problems.
  • If you don’t have any documented methods of operations, you can expect quality problems. Word of mouth might work for a while but as time passes, so do memories of what was agreed to be the right way to do it; as product requirements become more plentiful and complicated, processes used to realize such products need to be clearly defined and process documentation (e.g., drawings) is necessary—or else you will have quality problems. Can you imagine a (legal) organization that uses no documentation whatsoever?
  • If you don’t control your process documentation and records, you can expect quality problems. If you have no controls over your documentation—which is almost hard to imagine—people will make mistakes. Imagine no dates or revision levels on drawings or specifications; imagine random part numbers or order numbers; imagine people finding their work instructions blowing around in the parking lot. No control over records would mean that you could not retrieve any evidence of contractual agreements, no evidence of work completed, no evidence of inspection or test results, etc. Without adequate control over documents and records, you are going to have quality problems.
  • If you don’t have top management’s interest in quality, you can expect quality problems. If top management doesn’t drive it, don’t expect autopilot to take over. If management does not provide some mechanism for communicating the importance of quality, the importance of quality will not be communicated; if management does not plan quality assurance, management is effectively planning for quality problems; if management does not periodically review performance and establish goals for improvement, performance will not improve. Without management commitment, you are going to have quality problems.
  • If you don’t determine and provide resources necessary to assure quality, you can expect quality problems. If incompetent human resources are involved, you will have problems. If the provided work spaces and equipment are inadequate or unreliable, you will have problems. If the work environment is such that it hinders processing or degrades product somehow, you will have problems.
  • If you don’t plan product realization, you can expect quality problems. Without some idea of what to make, how to make it, how to check it, and how much to produce, you can expect problems.
  • If you don’t understand what your customers want, you can expect quality problems. Failure to understand customer requirements will not fix itself internally during subsequent order processing. If you make promises to customers that you do not have the ability to fulfill, you will have problems—not just quality problems, but business problems.
  • If you don’t control the process for designing products, you can expect quality problems. If inputs to the process are ill-defined and criteria for success are equally ill-defined, you will have design problems. If the outputs of design are not reviewed to determine their acceptability, i.e., they are not verified or validated to meet customer needs, you can expect quality problems. If you have no controls over design changes, you will have problems.
  • If you don’t exert some control over suppliers or supplied product, you can expect quality problems. If you use unreliable suppliers and/or you don’t properly qualify and quantify product to be purchased and/or you do nothing to verify supplied product, you will have quality problems.
  • If you don’t plan how each order will be processed, you can expect quality problems. If you don’t provide information describing the product or instructions to make the product, you will have problems. If suitable equipment is not provided to process work, you will have problems. If you don’t have inspection devices and you need them to determine conformity, you are going to have problems.
  • If you don’t control processes resulting in product that cannot be verified to conform to requirements, you can expect quality problems. If you are building bombs or packing parachutes for a living, and you let just anyone off the street process work using whatever equipment they might be carrying, you are going to have problems. If you have no specified method for processing, you are going to have problems.
  • If you don’t or can’t identify product you are working with, you can expect quality problems. If traceability is required and you cannot maintain it, you are going to have problems.
  • If you don’t notify the customer that you smashed, lost, or otherwise ruined product they supplied to you, you can expect quality problems—at the very least dissatisfied customers.
  • If you don’t make efforts to preserve product during processing, storage, and transport, you can expect quality problems. If you ruin product while working with it, allow it to spoil during storage, or fail to package it properly for shipment, you are going to have problems.
  • If you don’t establish a par for processing performance, you can expect quality problems. Without measures revealing how well you are performing, you will not know how well you are performing. If you don’t know how satisfied your customers are, you don’t know how well you are performing; if you don’t know the degree to which working practice complies with established methods, you don’t know how well you are performing; if you don’t establish a par for processing and analyze actual performance against par, you don’t know how well you are performing; if you don’t measure or monitor your product to determine if it meets requirements, you don’t know how well you are performing. In this latter case, you don’t know if your product conforms to requirements, which will cause quality problems every time.
  • If you don’t control nonconforming product, you can expect quality problems. If you continue to add value to product that doesn’t conform to requirement in the first place, or if you ship nonconforming product to customers, you can expect big problems.
  • If you don’t analyze the measurement data you are collecting, you can expect quality problems. Unanalyzed data is not worth collecting.
  • If you don’t improve upon what you do, you can expect quality problems. As tolerances become tighter and competition grows stiffer, improvement must be a permanent objective of any process—or else you will have problems.
  • If you don’t take actions to eliminate the root causes of your problems, you can expect quality problems. If you simply correct errors and go on, you can expect the same errors to repeat themselves—resulting in the same old problems.
  • If you don’t take actions to address potential problems, you can expect quality problems. If you don’t avoid them, you will experience them.