FAQs

June 3rd, 2010

Should I do Lean and Six Sigma before I do ISO?

The simple answer is no!

The philosophies behind these disciplines are fundamentally different.  ISO is about establishing a defined way of running the whole business so that it is effective and successful.  Lean is about eliminating (seven types of) waste from processes and is usually applied as a project based philosophy to production type processes.  Six Sigma is also a project based philosophy with the reduction of variation being its main goal.

Although Lean and Six Sigma purists will claim that these techniques apply to the whole organization (and truthfully they can be), they are normally applied to a single process (at a time) where a variety of techniques are applied to reduce waste, reduce variability and increase efficiency.  Such tools as Kanban, one-piece flow, standard work, takt time, 5S, statistical techniques, etc. are applied to and around the process in order to achieve improvement.  While these techniques can be applied to combined processes and even the management system of the organization as a whole, nowhere in the origins of these philosophies is there discussion of an organizational model or a breakdown of key processes such as is found in ISO.

“Doing” ISO first will establish basic definitions for all processes in the organization including fundamental controls for such things as record keeping and document control.  Once the basic discipline exists within an organization, Lean and Six Sigma can be successfully applied to improve individual areas.

There are no big problems with doing Lean and Six Sigma before ISO.  It is possible that during ISO you will reorganize the way that your processes operate (as you define what they are and what they are trying to achieve) and this could cause effort in a Lean or Six Sigma project to be wasted – although the same could be said about an ISO project.  However,  ISO establishes processes for document control, records management, corrective action, competency definition, and management responsibilities that would be extremely beneficial during any project – including Lean and Six Sigma projects.  It is not unusual for a Lean or Six Sigma project to become “lost” when it does not use established document control, competency control and records management processes.

ISO is intended to provide a fundamental base for organizing a business: operating by design and not by accident.  While it does then actually require organizations to improve, it does not restrict how that is achieved.  Too many people rush off to the promise of a Lean or Six Sigma project without strong basics in place.

Cavendish Scott, Inc. has been implementing ISO management systems for over 25 years.  We have been exposed to thousands of organizations some of which have adopted Lean and Six Sigma philosophies.  We have relationships with Lean and Six Sigma training organizations and can help you implement a strong management system in an organized and successful way.  Contact us for more information including supporting activities which are often overlooked.  With this discipline and organization established ISO pushes for and Lean and Six Sigma can deliver project based imprv

Lean Manufacturing (From Wikipedia)

http://en.wikipedia.org/wiki/Lean_manufacturing

Lean manufacturing or lean production, often simply, “Lean,” is a production practice that considers the expenditure of resources for any goal other than the creation of value for the end customer to be wasteful, and thus a target for elimination. Working from the perspective of the customer who consumes a product or service, “value” is defined as any action or process that a customer would be willing to pay for. Basically, lean is centered on preserving value with less work. Lean manufacturing is a generic process management philosophy derived mostly from the Toyota Production System (TPS) (hence the term Toyotism is also prevalent) and identified as “Lean” only in the 1990s.[1] [2] It is renowned for its focus on reduction of the original Toyota seven wastes to improve overall customer value, but there are varying perspectives on how this is best achieved.

Six Sigma (From Wikipedia)

http://en.wikipedia.org/wiki/Six_Sigma

Six Sigma is a business management strategy originally developed by Motorola, USA in 1981.[1] As of 2010, it enjoys widespread application in many sectors of industry, although its application is not without controversy.

Six Sigma seeks to improve the quality of process outputs by identifying and removing the causes of defects (errors) and minimizing variability in manufacturing and business processes.[2] It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization (“Black Belts”, “Green Belts”, etc.) who are experts in these methods.[2] Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified targets. These targets can be financial (cost reduction or profit increase) or whatever is critical to the customer of that process (cycle time, safety, delivery, etc.).[2]

The term six sigma originated from terminology associated with manufacturing, specifically terms associated with statistical modeling of manufacturing processes. The maturity of a manufacturing process can be described by a sigma rating indicating its yield, or the percentage of defect-free products it creates. A six-sigma process is one in which 99.99966% of the products manufactured are free of defects, compared to a one-sigma process in which only 31% are free of defects. Motorola set a goal of “six sigmas” for all of its manufacturing operations and this goal became a byword for the management and engineering practices used to achieve it.

January 12th, 2010

Do I have to do my Internal Audits every year?

Simple answer. Yes.

Although it does not say in the standard, this is a common sense requirement that has been established as a rule imposed on certification bodies by the accreditation agencies.

Technically once you have audited thoroughly for a “few” years you might have collected evidence that will allow you to reduce the amount of auditing.  In practice this rarely happens.

Cavendish Scott, Inc.  performs internal auditing for many clients.  We are professional, quick and effective.  And it allows you to concentrate on your normal work.  Click here for more information

December 13th, 2009

What is Accelerated Learning?

Accelerated learning is a theory/practice of learning that acknowledges that we all learn differently.  It also builds on that fact and provides the premise that we all learn better if we see, hear and practice things.   The theory incorporates the concepts of left-brain vs. right-brain learning.

We adopt the basic principles of this in our training.  We ensure that training is substantially exercise based so that you have to learn for yourself, so that you don't get bored and tired and so that you learn more.  Our training is fun and effective and better than the traditional style of training.  For instance, in our 5-day lead auditor training we have about 30 PowerPoint slides!

We use these same principles when we customize our training and bring it in house to your organization.

For information about our training - click here

December 8th, 2009

Can I internally audit as a one-time event? Is that robust?

The ISO standards do not dictate how you conduct your audits.  They merely require that they are effective.  It has been argued by some ISO proponents that a one-time event cannot be effective.

Cavendish Scott performs internal audits for many organizations.  We are ISO and auditing experts and take all of the problems and worry out of your ISO system.  Outsource your internal audits and relax.

Schedule an ISO Audit

November 23rd, 2009

How do we Become ISO 27001 Certified?

Currently, most organizations decide to become ISO 27001 certified because of customer or market pressure or because they deal with “important” customers and want to prove they are capable of handling information. Increasingly there are requirements in RFQs, in government contracts and in legislation, e.g. HIPAA. These types of requirements are not going to go away and are likely to become more and more important. ISO 27001 certification answers these questions without any further effort.

ISO 27001 is a management system standard for controlling information security that requires defined and documented procedures and processes that “assure” the management of information.

When working on ISO 27001, many organizations overlook the management system part and focus on strengthening information security. This is a mistake. The truth is that ISO 27001 does not require any particular security technique or performance of information security. Theoretically you could have very poor information security and still be ISO 27001 certified.

Management should be keen to do ISO 27001 because it gives them an objective understanding of the information security perspective without committing to spending indeterminate amounts of money on security.

Information Security Personnel should be keen to do ISO 27001 because it spreads the awareness of the importance of information security and clearly assigns ultimate responsibility to organization management.

You become certified following a successful audit by an accredited certification body. In order to satisfy the audit you must write procedures and define processes that describe your approach to conducting an information security risk assessment. There are other standards that provide information on how to do a risk assessment, but unless you are going to invest in a computer-based risk assessment tool, Excel provides an excellent mechanism. Microsoft also has a free risk assessment tool that could be used, but the emphasis here is on “keep it simple”.

The risk assessment process needs to be comprehensive and includes criteria for risk calculation and a re-assessment cycle once any corrective actions have been taken.

A few other processes need to be in place too, including a formal process for dealing with security incidents that occur (or nearly occur), a process to review and generate a statement of applicability (defining which security controls are applicable and explaining them), contingency planning and a process for having information security contacts and knowledge of relevant legislation.

Additionally you need all of the supporting processes and procedures in place to make sure the management system remains effective including document control, record control, management review, objective setting, training, internal audit and corrective and preventive action.

All of these processes and procedures operate in a comprehensive and congruent management system that ensures awareness, responsibility and control over information security.

Although focusing on the security controls is a mistake (both from a certification and management perspective), it cannot be ignored. There are about 173 information security control requirements identified in ISO 27001 (and expanded in ISO 27002) from managing the physical access controls to HR issues (e.g. employment contracts) to software development controls to technical network and operating controls to legal and contingency planning. These requirements must be reviewed and conscious decisions made about how they are to be applied (or not). All of these reviews and decisions need to be recorded and traceable.

No individual control (or group of controls) is mandatory so long as management accepts responsibility for the residual risks that exist. In practice the system of information security controls needs to be “appropriate” or it is likely that a certification body auditor will be uncomfortable recommending certification. Once everything is working, a certification assessment needs to be completed.
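The risk assessment, re-assessment cycle and statement of applicability described above are easy to picture as a small spreadsheet; the following Python script is an added example (not Cavendish Scott's material and not text from ISO 27001) that does the same job in code. Everything about the scoring is an assumption that an organization would have to define for itself: a 1–5 likelihood times 1–5 impact score, a treatment threshold of 10, a 90-day re-assessment after a corrective action, and a three-entry control catalogue with placeholder ids (CTRL-01 to CTRL-03) standing in for the real control set. The statement of applicability it produces records a decision for every control, applicable or not, with the justification traceable to the risks that drove it.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed criteria (the standard requires you to define criteria; it does not
# prescribe these): 1-5 likelihood x 1-5 impact, treat anything scoring above
# 10, and re-assess 90 days after a corrective action has been applied.
SCALE = range(1, 6)
TREATMENT_THRESHOLD = 10
REASSESSMENT_CYCLE = timedelta(days=90)

# Constructed stand-in for a control catalogue. The ids and titles are
# placeholders, not the real ISO 27002 controls.
CONTROL_CATALOGUE = {
    "CTRL-01": "Review of user access rights",
    "CTRL-02": "Backup and restore testing",
    "CTRL-03": "Secure development practices",
}


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)   # controls applied as treatment
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    treated_on: Optional[date] = None


def score(likelihood: int, impact: int) -> int:
    """The risk calculation criterion: likelihood x impact on the 1-5 scales."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> int:
    """Score after treatment; equals the inherent score until a treatment is recorded."""
    if r.residual_likelihood is None or r.residual_impact is None:
        return inherent_score(r)
    return score(r.residual_likelihood, r.residual_impact)


def needs_treatment(r: Risk) -> bool:
    return residual_score(r) > TREATMENT_THRESHOLD


def apply_treatment(r: Risk, controls, new_likelihood, new_impact, on: date) -> int:
    """Record a corrective action: the controls applied, the re-scored residual
    risk and the date, which starts the re-assessment cycle."""
    for c in controls:
        if c not in CONTROL_CATALOGUE:
            raise KeyError(f"unknown control {c}")
    r.controls = list(controls)
    r.residual_likelihood = new_likelihood
    r.residual_impact = new_impact
    r.treated_on = on
    return residual_score(r)


def next_reassessment(r: Risk) -> Optional[date]:
    """Date the treated risk must be re-assessed; None if it has not been treated."""
    return None if r.treated_on is None else r.treated_on + REASSESSMENT_CYCLE


def statement_of_applicability(risks) -> dict:
    """One recorded, traceable decision per catalogue control: applicable (with
    the risks that justify it) or not applicable (residual risk accepted)."""
    justifying = {}
    for r in risks:
        for c in r.controls:
            justifying.setdefault(c, []).append(r.rid)
    soa = {}
    for cid, title in CONTROL_CATALOGUE.items():
        if cid in justifying:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "treats " + ", ".join(sorted(justifying[cid]))}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no registered risk requires it; "
                                         "residual risk accepted by management"}
    return soa


def build_register():
    """Constructed sample register: one treated risk, one still open."""
    r1 = Risk("R1", "customer database", "access by a departed employee", 4, 5)
    r2 = Risk("R2", "file server", "hardware failure without tested backup", 3, 4)
    apply_treatment(r1, ["CTRL-01"], 2, 3, date(2010, 1, 15))
    return [r1, r2]


if __name__ == "__main__":
    register = build_register()
    for r in register:
        print(r.rid, inherent_score(r), residual_score(r),
              "treat" if needs_treatment(r) else "accept", next_reassessment(r))
    for cid, row in statement_of_applicability(register).items():
        print(cid, row["applicable"], row["justification"])
```

Running it shows R1 dropping from an inherent score of 20 to a residual 6 with a re-assessment due on 2010-04-15, R2 still above the threshold and awaiting treatment, and a statement of applicability in which only CTRL-01 is applicable, with CTRL-02 and CTRL-03 recorded as consciously not applied.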

Cavendish Scott provides consulting, training and auditing for ISO 27001. We guarantee that our consulting clients will pass their ISO assessment and get certified. Getting certified to ISO 27001 is fairly easy to achieve and our unique approach takes nearly all of the effort while providing a meaningful and easy to maintain system.

Submit a Question

Whatever your question we promise you personally a comprehensive, quick and correct response. We can't always publish every question, but will if it has wider appeal.
