FAQs

February 22nd, 2010

AS9100C Upgrade Timing

The IAQG recently released the latest on timing for upgrading to AS9100C.

Their original schedule still remains intact.  Key milestones for this schedule are:

  • Release of sanctioned (mandatory) auditor training – End of April 2010
  • Once re-accredited for AS9100C, with auditors trained for AS9100C, Certification Bodies are free to start updating clients to AS9100C.
  • Until July 1, 2011 Certification Bodies can audit to either AS9100B or C.
  • After July 1, 2011 all audits must be to the AS9100C version of the standard.

As mentioned, this schedule, published in 2009, is still approximately accurate.  The additional information provided gives specific deadlines to accreditation agencies, auditor oversight bodies and training organization oversight bodies.  For example, it requires the auditor oversight bodies to come up with a transition path for their auditor members to upgrade.

The auditor training material will be available at the end of April and it might take the training organizations say a month to train their trainers, incorporate the material and get themselves organized to be able to present the courses.  These training organizations must then be formally reviewed by the training oversight organizations.  Perhaps allow another month for this to take place.  Now auditors can formally access the training courses, pass the exam and submit their information to be included on the OASIS database (recognizing them as fully qualified AS auditors).  This might take another month.  Thus it may take until the end of July until auditors are trained and available.

Certification Bodies also need to be accredited to perform AS9100C audits.  This will involve them updating their management system and using trained auditors.  They can then be subject to an accreditation audit as the final step.  If they had been planning the upgrade well, their management system will already be modified and they will be attempting to book their accreditation as soon as they have qualified auditors.  Let's allow just another month to do this.  In this scenario it might be the end of August 2010 before AS9100C upgrade audits can take place.

Obviously there are possible scenarios that might allow upgrades to take place sooner: if the auditor training can be managed in May (and some may be) and the Certification Body accreditation audit can take place in June, for instance.  However, there is a limited number of both training oversight auditors and accreditation auditors, and whether it is booking a training class or an oversight/accreditation audit, flights are preferred with 2-3 weeks notice and these things just take time.

It is almost certain that Certification Bodies won't be able to upgrade ALL of their auditors for some time – perhaps until after the end of the year.  This will have an impact on your choice of when you upgrade.

If your audit (surveillance or reassessment) is after August 2011 (or even by the end of the year) you are unlikely to be allowed to upgrade until 2011 (and then you won't have a choice not to upgrade, it being after July 2011).

Your best choice is to contact your Certification Body and attempt to firm up your upgrade audit date.  They are unlikely to know until more experience of the training is gained, but your persistence is important.  Similarly, you MUST plan your system upgrade.  It is essential you account for the changes that AS9101D will bring (in particular the PEAR effectiveness review process) and, unless you are certain of your upgrade timing, you might consider adding the AS9100C changes without removing AS9100B aspects – yet!  This will mean you are ready for any date that your Certification Body might give you and you will be certain of passing.

Cavendish Scott is providing upgrade consulting including document modification, new procedures, widespread integration of new elements (e.g., risk), PEAR, training and addressing AS9100B and C.  We are also providing AS9100C internal audits so that a successful upgrade can be guaranteed.

February 19th, 2010

AS 9100C Upgrade Resources Tight – Make sure you have your audit booked

AS auditors are currently in great demand.  It's about to get much more so.

IAQG has stipulated that the upgrade of an existing AS9100B management system to AS9100C can be conducted during a normal surveillance or reassessment audit.  Upgrades during surveillance will require an audit at reassessment levels (twice as long as a surveillance audit) and upgrades during reassessment will require an audit at initial assessment levels (33% more).

Further, while the audit duration tables for AS9100C remain basically the same as they are currently, the rules have been changed to state that the table only covers ON-SITE time.  In other words each audit is likely to grow by a day or so as certification bodies used to include off-site time in this calculation.

What this means is that as soon as AS9100C starts to be audited, AS auditors are going to have twice their normal workload.  It is extremely unlikely that certification bodies will have the capacity to take on any new AS audits as their customers push to upgrade as soon as they can so they can distinguish themselves to their customers.

If you are trying to obtain AS certification during 2010 you need to go for the B version and book your audit for no later than June/July.  If you can convince a Certification Body you will be ready for the C version then book your audit later in the year (more auditors will be qualified and it will be more likely) and get a very firm commitment from the Certification Body.  Good luck with that.

If you are currently AS9100B then make sure you contact your Certification Body and confirm your surveillance/reassessment audit.  Make sure you confirm this very strongly with your certification body.  Perhaps contact your auditor directly and confirm it.  Get their personal buy-in (making it more difficult for them to change it).  Maybe pay in advance.

Customers rarely inform you about their plans and Certification customers are no different.  If you were a Certification Body and a large, important customer phoned requesting an upgrade with a month or two notice you are unlikely to turn them down.  Auditors will be pulled off of other jobs to be able to get that job done.  Smaller organizations might be made to suffer – it is even possible that the Certification Body might simply drop smaller customers if they don’t have resources.

All of this will start about the July/August/September time frame as auditors and Certification Bodies become qualified to conduct audits to AS9100C, and it's going to last a couple of years.  Auditors might be tempted to switch Certification Bodies with promises of bigger fees.  Audit costs to clients will rise.

Of course there is really no way of telling how this will play out in the end.   The Certification Bodies don’t really know because nobody knows when everyone will want to upgrade and who else will want AS9100C audits.  The IAQG has allowed a couple of years to upgrade but that only reduces the increased workload to one and a half times as busy rather than twice as busy.

We can all hope that there are no scheduling problems but there is no downside to taking charge of this situation, informing your Certification Body of your upgrade plans, your expected upgrade audit date and firming up your audit for this year.

Cavendish Scott, Inc. is providing a standard upgrade consulting package including all modifications to all documents, integration of new requirements, new procedures and importantly a thorough pre-assessment/internal audit to make sure you will pass.  Guaranteed Success for a fixed price!  And your audits for 2010 are taken care of!

December 13th, 2009

What is Accelerated Learning?

Accelerated learning is a theory/practice of learning that acknowledges that we all learn differently.  It also builds on that fact and provides the premise that we all learn better if we see, hear and practice things.  The theory incorporates the concepts of left-brain vs right-brain.

We adopt the basic principles of this in our training.  We ensure that training is substantially exercise based so that you have to learn for yourself, so that you don't get bored and tired and so that you learn more.  Our training is fun and effective and better than the traditional style of training.  For instance, in our 5-day lead auditor training we have about 30 PowerPoint slides!

We use these same principles when we customize our training and bring it in house to your organization.


December 4th, 2009

Do I have to do my Internal Audits every year?

Simple answer. Yes.

Although it does not say in the standard, this is a common sense requirement that has been established as a rule imposed on certification bodies by the accreditation agencies.

Technically once you have audited thoroughly for a “few” years you might have collected evidence that will allow you to reduce the amount of auditing.  In practice this rarely happens.

Cavendish Scott, Inc. performs internal auditing for many clients.  We are professional, quick and effective, and it allows you to concentrate on your normal work.

December 4th, 2009

Aerospace Auditing Standard AS9101D “Published”.

As of December 4, 2009 the new AS auditing standard is “out” as a draft.  A confirmation vote (expected to be routine) and a committee review are necessary before formal publication.  It is expected that this standard will be published before the end of the year, or certainly in January 2010.

There are still hurdles before organizations can be registered to the new AS9100C standard – mainly the design and distribution of mandatory “sanctioned” training.   It is still expected that the earliest that the training could be provided will be April 2010.  Then the certification bodies will have to be witnessed.

The new standard, however, gives us great insight into how it is expected that the AS9100C standard will be audited.  This standard is new; there is no point in comparing it with the AS9101C version.

From a general perspective this standard provides an excellent set of rules and guidance directing an audit.  It changes the emphasis from auditing to the clauses of the standard to a process based approach.  Yes, it was always intended that AS9100B would be audited in a process manner since ISO 9001:2000 pushed that approach.  However, third party auditors never had the time or expertise to audit in this fashion.  This standard “explains” some suggested auditing methods/approaches that certification bodies are encouraged to follow.  A checklist still exists but becomes optional to ensure conformance.  It adds evidence record forms (which should force auditors to find evidence to support their nonconformances rather than relying on their “gut feeling”) and a process effectiveness assessment record, which requires the auditor to identify a process, determine (from the organization) the measures that would indicate effectiveness, and then “score” the process.

The changes in auditing approach are substantial.  It is likely certification bodies will need more time before the audit to prepare in the way they are being encouraged.  They have already been given more time on-site (through the guidance documents that kept the duration the same but changed it to “on-site time only”) and the reporting is going to be challenging.

Perhaps the most concerning thing about this standard is whether the existing auditor base, even with sanctioned training, is going to be capable of doing a good job of the new approach.

The IAQG committee has done a great job (which the IAF and accreditation agencies overseeing ISO 9001 would benefit from following) but the implementation will be key to success.

A more thorough review will be presented shortly.

November 25th, 2009

Mistakes to Avoid with ISO 27001

With any project as complex as the implementation of ISO 27001 there are some things to avoid.   Here are two quick things you shouldn’t do.

1. Don’t focus on information security.  Although it sounds counter-intuitive, it is only the “content” of ISO 27001 that is about information security.  What’s more, if you achieve this and focus on the ISO 27001 process, it will ensure that information security is taken care of properly in your organization.

ISO 27001 is a management system standard.  It is a standard that describes requirements for a system for managing information security.  It does not include information security itself – merely the processes through which you will manage information security.  If you set the processes in place effectively they will (you will) effectively manage your information security. 

The management system processes fall into two categories.  The “primary” processes in the standard are about the processes to understand your current information security perspective, quantify the risk to your organization and plan actions to accept or reduce the risk to make it acceptable.  It is implicit that senior management will be involved in accepting poor security, or paying to lower the risk.  There is no requirement in the standard that the risk has to be addressed or lowered, merely that management acknowledge it and accept it.  Other primary processes include a process to react to security incidents (or near incidents), contingency planning covering information security and a process to have access to information security contacts and information security legal requirements.

In addition to the primary processes, “support” processes include document control, records management, training, internal auditing, management review and corrective and preventive action.

All of these processes must be formally defined in written procedures that describe a coherent and comprehensive system of processes that help understand and control information security.

It has to be said that although ISO 27001 is not “about” information security, it does make specific reference to information security technologies.  In an appendix it lists a number of general categories including physical access, human resources, communications, operations, etc.  These categories are expanded in some detail in ISO 27002, and ISO 27001 requires that these controls are considered when reviewing risks in the organization and that their non-applicability is formally justified in a “statement of applicability”.  Thus the pair of standards do actually require and cover information security, but as mentioned earlier none of the requirements are mandatory.  Further, certification is about having a formal management system to ensure information security is consistently and continually addressed so that it is and remains effective.  If you focus on the security issues you are not contributing towards ISO 27001 certification and you are not assuring the consistency and continuity of information security management.  Don't ignore the security issues, but deliberately address the management system issues.  That is the long term solution.

2. Don't overcomplicate your risk assessment method.  Risk is a calculation derived from probability and consequence.  To make it objective it needs to be quantified as a numeric value so that it can be compared to what management says it will accept.  This can be quite complex.  Ultimately risk usually includes subjective assessments of what the probability is and what value might be affected by the consequence.  There is a tendency to attempt to formalize each step and even break steps into multiple stages so the subjectivity can be limited.  However, the truth is that when you add all the stages together the subjectivity still exists.  Keep the risk assessment methodology simple.  What is the maximum value of the information asset that may be compromised?  How serious is the threat?  How serious is the vulnerability?  (Avoid breaking it down too far.)  And when assigning numbers try 1-5 rather than 1-10.

The key factor in a good risk assessment is to identify the risks.  Most people in your organization will understand what that means when the risk and consequence are described, and they will know how serious they are.  So long as you do a good job of identifying risk, the numbers assigned and the range they exist within are less important.

If this is your first attempt at a risk assessment then keep it simple.  You can always make it more complex next time around.

Cavendish Scott, Inc. is experienced at implementing ISO 27001 management systems.  We guarantee successful ISO certification and design and implement practical and easy to maintain systems.  We also provide ISO 27001 training and conduct ISO 27001 audits including gap assessments.

November 23rd, 2009

How do we Become ISO 27001 Certified?

Currently, most organizations decide to become ISO 27001 certified because of customer or market pressure or because they deal with “important” customers and want to prove they are capable of handling information.  Increasingly there are requirements in RFQs, when dealing with government contracts and when meeting legislation, e.g. HIPAA.  These types of requirements are not going to go away and are likely to become more and more important.  ISO 27001 certification answers these questions without any effort.

ISO 27001 is a management system standard for controlling information security that requires defined and documented procedures and processes that “assure” the management of information.

When working on ISO 27001, many organizations overlook the management system part and focus on strengthening information security.  This is a mistake.  The truth is that ISO 27001 does not require any particular security technique or performance of information security.  Theoretically you could have very poor information security and still be ISO 27001 certified.

Management should be keen to do ISO 27001 because it gives them an objective understanding of the information security perspective without committing to spending indeterminate amounts of money on security.

Information Security Personnel should be keen to do ISO 27001 because it spreads the awareness of the importance of information security and clearly assigns ultimate responsibility to organization management.

You become certified following a successful audit by an accredited certification body.  In order to satisfy the audit you must write procedures and define processes that describe your approach to conducting an information security risk assessment.  There are other standards that provide information on how to do a risk assessment, but unless you are going to invest in a computer based risk assessment tool, Excel provides an excellent mechanism.  Microsoft also has a free risk assessment tool that could be used, but the emphasis here is on “keep it simple”.

The risk assessment process needs to be comprehensive and includes criteria for risk calculation and a re-assessment cycle once any corrective actions have been taken.
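The “keep it simple” method from the Mistakes to Avoid post above (asset value, threat and vulnerability each scored 1-5) and the calculation criteria and re-assessment cycle described here, worked through in Python as an added example; this is not Cavendish Scott's own method or tool. The multiplicative formula, the acceptance level of 27, and the three sample assets are assumptions made for the example.

```python
"""Minimal ISO 27001-style risk register: score risks on 1-5 scales, compare
them against a management acceptance level, and re-assess after treatment.
Added example; formula, acceptance level and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import List

SCALE = range(1, 6)       # 1..5, as the text recommends (not 1..10)
ACCEPTANCE_LEVEL = 27     # ASSUMED management criterion: score <= 27 is acceptable


def _check(name: str, value: int) -> int:
    """Reject scores outside the agreed 1-5 scale so records stay comparable."""
    if value not in SCALE:
        raise ValueError(f"{name} must be 1-5, got {value}")
    return value


def risk_score(asset_value: int, threat: int, vulnerability: int) -> int:
    """Risk = consequence x probability, giving a value in 1..125.
    Assumed mapping: asset value stands in for consequence, and
    threat x vulnerability stands in for probability."""
    return (_check("asset_value", asset_value)
            * _check("threat", threat)
            * _check("vulnerability", vulnerability))


@dataclass
class RiskEntry:
    asset: str
    scenario: str
    asset_value: int
    threat: int
    vulnerability: int
    status: str = "open"                                # open | treated | accepted
    history: List[str] = field(default_factory=list)    # traceable decision record

    @property
    def score(self) -> int:
        return risk_score(self.asset_value, self.threat, self.vulnerability)

    def is_acceptable(self, level: int = ACCEPTANCE_LEVEL) -> bool:
        return self.score <= level


def treat(entry: RiskEntry, control: str, threat: int, vulnerability: int,
          level: int = ACCEPTANCE_LEVEL) -> RiskEntry:
    """Apply a control and re-assess. A control changes only the likelihood
    factors; the asset's value is unchanged. The entry stays open if the
    residual risk still exceeds the acceptance level."""
    before = entry.score
    entry.threat = _check("threat", threat)
    entry.vulnerability = _check("vulnerability", vulnerability)
    entry.history.append(f"control '{control}': {before} -> {entry.score}")
    entry.status = "treated" if entry.is_acceptable(level) else "open"
    return entry


def accept(entry: RiskEntry, approver: str, justification: str) -> RiskEntry:
    """Record explicit management acceptance of a risk above the level,
    the route the standard allows for risk that is not reduced."""
    entry.history.append(f"accepted by {approver} at score {entry.score}: {justification}")
    entry.status = "accepted"
    return entry


def outstanding(register: List[RiskEntry], level: int = ACCEPTANCE_LEVEL) -> List[RiskEntry]:
    """Entries that still need a management decision, highest risk first."""
    return sorted((e for e in register if e.status == "open" and not e.is_acceptable(level)),
                  key=lambda e: e.score, reverse=True)


def build_register() -> List[RiskEntry]:
    # Constructed sample data, not taken from any real assessment.
    return [
        RiskEntry("customer database", "disclosure via stolen admin credentials", 5, 4, 4),
        RiskEntry("public brochure site", "defacement", 1, 3, 3),
        RiskEntry("field laptops", "loss of an unencrypted device", 3, 3, 4),
    ]


def run_cycle() -> List[RiskEntry]:
    """One assessment cycle: initial scores 80, 9 and 36; two exceed the level."""
    register = build_register()
    db, _site, laptops = register
    treat(db, "MFA on all administrative access", threat=4, vulnerability=2)  # 40, still open
    treat(db, "quarterly access review", threat=4, vulnerability=1)           # 20, now treated
    accept(laptops, "CIO", "full-disk encryption budgeted for next year")     # 36, accepted as is
    return register


if __name__ == "__main__":
    for entry in run_cycle():
        print(f"{entry.asset:22} score={entry.score:3} status={entry.status:8} {entry.history}")
    print("outstanding:", [e.asset for e in outstanding(build_register())])
```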

A few other processes need to be in place too, including a formal process for dealing with security incidents that occur (or nearly occur), a process to review and generate a statement of applicability (defining which security controls are applicable and explaining them), contingency planning and a process for having information security contacts and knowledge of relevant legislation.

Additionally you need all of the supporting processes and procedures in place to make sure the management system remains effective including document control, record control, management review, objective setting, training, internal audit and corrective and preventive action.

All of these processes and procedures operate in a comprehensive and congruent management system that ensures awareness, responsibility and control over information security.

Although focusing on the security controls is a mistake (both from a certification and management perspective), it cannot be ignored.  There are about 173 information security control requirements identified in ISO 27001 (and expanded in ISO 27002) from managing the physical access controls to HR issues (e.g. employment contracts) to software development controls to technical network and operating controls to legal and contingency planning.  These requirements must be reviewed and conscious decisions made about how they are to be applied (or not).  All of these reviews and decisions need to be recorded and traceable.

No individual control (or group of controls) is mandatory so long as management accept the responsibility for the residual risks that exist.  In practice the system of information security controls needs to be “appropriate” or it is likely that a certification body auditor will be uncomfortable recommending certification.  Once everything is working, a certification assessment needs to be completed.

Cavendish Scott provides consulting, training and auditing for ISO 27001.  We guarantee that our consulting clients will pass their ISO assessment and get certified.  Getting certified to ISO 27001 is fairly easy to achieve and our unique approach takes nearly all of the effort while providing a meaningful and easy to maintain system.

November 23rd, 2009

How do we Become 14001 Certified?

To be 14001 certified you must have a documented system (procedures) in place and you must adopt environmental activities that promote improvement in environmental issues.  You are NOT required to change the way your business operates nor adopt any activity that will be detrimental to the organization.  Typically organizations focus on simple and easy activities that actually provide financial benefit to the organization.

The main procedures and activities cover (usually new) processes in your organization to formally identify and record what environmental aspects exist within the organization and what impacts they have.  Procedures then require identification of the most important ones and the establishing of programs and objectives to improve “some” environmental issues.  As mentioned, these are expected to have a positive financial impact on the organization, like the reduction of energy usage or the reduction of waste.

The organization must also formalize the control over those impacts that it has identified (e.g. if you have equipment that expels dust or affects the air, then you have to have equipment or procedures that describe how you control that equipment to make sure it performs as expected).

The processes for identifying environmental aspects and impacts and setting programs and objectives need to be repeated at least annually.  A few other processes are also necessary – emergency response plans, knowledge of environmental legal requirements and control over communication regarding environmental issues.

Finally you must control (with procedures) the supporting activities which will ensure that the environmental system described so far, continues to exist.  This includes document control, record control, training, calibration, internal auditing, management review, nonconformance management and corrective and preventive action control.

All of these processes and procedures operate in a coherent management system that is internally audited to ensure everything continues to work effectively, provides demonstrable improvements in environmental impacts (not necessarily anything “big”) and assures protection where impacts actually occur.

Finally ISO 14001 certificates are issued by accredited certification bodies in the established way.  You must subject yourself to audit to prove your system meets the requirements of the standard.

To do this successfully you will need some expertise in ISO 14001, resources to define processes, write procedures and implement activities, and the commitment of management to support the program.

Cavendish Scott consults, trains and audits in ISO 14001.  ISO 14001 is actually quite straightforward and can be designed and implemented very quickly without much internal effort.  Cavendish Scott will also help maintain your system so you don't have to worry about it.

November 19th, 2009

Is There a Right Way and Wrong Way to do ISO (or AS)?

Yes – but obviously this is controversial.

The most common issue or mistake with ISO systems is the structure of the documentation.  One approach is to structure documentation around the ISO standard.  One document is written for each requirement of the standard until all of the requirements are “explained” in a document.  This approach is very effective at meeting the requirements of the standard and is easy to “boilerplate” – which is why some consultants are comfortable with this approach.  The resulting documents don't provide much additional value as they really only describe the standard and thus aren't much use for improvement or even straightforward management.  Because the documentation and the processes it describes don't have much meaning to the organization, the documents are often ignored, and thus as things change in the organization the documentation doesn't get updated and problems occur with certification.  This approach usually requires constant and deliberate management to keep ISO registered.

An alternative approach is the “process approach”, which is advocated by ISO itself.  In this approach, documented procedures are written that describe the activities in the organization.  These documents are actually quite useful as they clarify the right way of doing things and can be used for review and improvement.  The documents become a tool through which the business is organized and operated.  Maintenance is not a chore but a natural part of what is done.

These two extremes are easy to understand, and one is described above as clearly better than the other.  However, it is very difficult to achieve a process based system.  What should I include in the procedure?  What level of detail?  How and where do I get the requirements?  Should the requirements from one section be in one procedure?  What if requirements seem not applicable?  It is also true that in smaller organizations the benefits to be obtained from any ISO system are less substantial than they are in a larger organization.  Consequently the ease of implementation and simple acknowledgment of the expected maintenance effort are easy to accept as a price for certification.

If you are using a consultant you should demand a process based system.  Before contracting, get them to describe and commit to that approach.  If you are attempting ISO alone and you are a small organization (very small, 1-5 people, and no real expectation of growth) then you have more options.

November 19th, 2009

What is the Current State of AS 9100? – November 2009

AS9100C (the latest version) was issued in January of 2009.  However it is not currently possible to be registered/certified to it.  The IAQG (International Aerospace Quality Group) has published a timeline that explains how and when organizations can become certified but this is currently awaiting two activities to be completed.

First, a companion standard, AS9101, must be re-published to the D revision.  This standard contains instructions on how AS9100 should be audited and in the C version included a full standard checklist (which is now to be optional).  The substantial changes mean that AS9100C cannot be audited until this standard is published.  Currently this standard is being issued as a draft.  The draft will then need to be reviewed and voted upon.  That process will take many months, which means it will not be available for final issue until about the end of the first quarter of 2010.

Secondly, mandatory training is currently being designed.  This training has been identified by the IAQG as necessary to ensure better and more consistent auditing of AS9100.  A single source designer is about to be identified and, when training materials are completed and approved by the IAQG, they will be made available to other training providers to deliver.  At this point, the single training designer has not been identified, and materials have not yet been approved or made available for presentation.  It is currently expected that training will be “available” during the first quarter of 2010.

If both of these tasks are completed on time then certifications to AS9100C should be possible shortly after.  It is recommended that you don't plan on it until mid to late summer 2010.  Cavendish Scott intends to provide general training for AS9100C, the mandated AS9100C training and other AS training once these events are more defined.  We also intend to provide AS9100C upgrade materials and tools.
