There are many factors that affect the answer to this question.  But generally the answer is “very quickly”.

Although philosophically ISO is about discipline, control, organization and improvement, this is achieved in part through the documentation of processes.  Thus larger and more complex organizations (more and more involved processes) will require more time to complete an ISO project.    Smaller and simpler organizations are relatively easier and can be completed more quickly.

Another important factor is the experience and expertise of the people implementing the ISO program.  If the project is being undertaken completely in-house with limited experience then the project is likely to be slower.  In-house people usually have other important tasks to do and not unsurprisingly ISO is a somewhat involved project.  It is not uncommon for in-house projects to take years to complete (just this week I spoke with two different organizations where the person I was talking with had taken over the ISO project about a year ago from somebody who had been working on ISO for 10-15 years).

The expertise factor has a substantial impact on an ISO project.  Not only does it affect timescales but it impacts  other important factors such as how conforming the project is and how easy the ISO system is to maintain.

Cavendish Scott can complete a full consulting project (where we do all of the work) in about 3 months for a company of up to about 50 people without too much strain.  Obviously the quicker a project is completed, the more compressed the effort.  Much quicker is possible.  We have completed a project for an organization of about 200 people in 30 days.  It required 4 of us to devote ourselves fairly constantly during that time – but it is possible.

So most projects could take between 3-6 months and very rarely do we allow projects to take 6-9 months.  Where they do drag on there is a concern that the project will lose momentum.

In house projects will typically take 3-4 times longer than what we would achieve.

Projects can be completed too quickly.  It is ideal to allow enough time for reflection on the way processes work in the organization.  Frequently we find that organizations have complex processes or that the best way to interpret a requirement requires a little thought.  Where processes are defined immediately within an extremely short timescale you don’t get this luxury.

Cavendish Scott is capable of short timescale projects but is aware of and manages any dangers that are created in this situation.

No.  Not yet!

Although AS9100C was issued in January, the Aerospace Organizations that control registration to AS have stated that no certificates can be issued to the C version of the standard until they declare.  The problem is that they also want to change the way the standard is audited.  That is controlled by AS9101 currently revision C – AS9101C.  The D version is in a draft (as of Sept 2009) but until it too is released it will not be possible to conduct audits to AS9100C.  There are also substantial changes to AS9101 expected in the D version.  It is expected that the detailed and time consuming checklist is to be removed and that a process “effectiveness” assessment  is going to be introduced.  All of the changes necessitates that even after AS9101D is formally issued, training will be necessary to bring auditors up to speed with the new standard and the auditing approach.  That too will take time.  In an attempt to increase consistency and reliability of the auditing process, sanctioned training is to be introduced.  One organization has been commissioned to generate training material which will then be presented more widely to all AS auditors.  Although this sanctioned training process has already been started, this too will delay the ability of registrars to be able to audit to the new standard.  Best guesses are the moment are “about the end of the first quarter of 2010″.

You can of course update your QMS to the requirements of the new standard at any time.  You must make sure you don”t take out any AS9100B requirements unless you are certain your next audit can be to the C version.  And you should beware of the problems of mixing the requirements of both standards and ending up with a mess.  Careful and precise cross referencing should resolve this issue.   Finally, there is no real advantage in doing this now.

Technically yes!  However, this is likely to be a struggle and should help you distinguish between a good registrar and a bad one.

There are no accreditation rules about this and thus what an accreditation agency might expect is that a registrar has a documented policy and procedure for doing this.  A good registrar would have this in place and thus simply explain the process – not moan about the difficulties.

If you want to extend your audit temporarily then you probably can without too much difficulty just by arrangement with the scheduler.  It is unlikely you will be able to extend it more than 3 months and you will need a good reason to do so (act of God is usually a good one!).  And a peculiarity of 17021 (the standard that registrars follow) is that the first surveillance audit cannot be more than 365 days from the initial audit – and that is firm.

It is a surprisingly common request to permanently move an audit date.  Registration was frequently achieved by a target such as the end of the year but there is often a more convenient time to have an audit.  If you are audited in November but it would be more convenient in March then you effectively want to move your certificate date by four months.  So for that year of moving you need to extend your audit year by 4 months or shorten it by 8.  That will mean that you should have a more intensive audit for that period and you should expect to pay for it.

Note that for small companies, you may have a one day audit each year but it may be the “required” auditing is actually less than one day.  The guidance table used to calculate duration applies to the initial audit and provides for surveillance audits at 1/3 of that duration.  if your initial audit was calculated to 2 days then your surveillance might be one day but only 2/3 of a day is “mandatory” according to the table.  In this instance your normal days surveillance audit should be sufficient to extend your audit year in order to move your certificate date – and thus the regular date of your surveillance.

Because there is a new certificate to be issued and there are other administrative records to be maintained (justifying all of this) expect an administrative fee also.  If you attempt to move your certificate date during a re-assessment year then it is possible the administrative fees are less or not applicable because a new certificate is issued anyway.  But you need to be careful during a reassessment year.  You do not want a certificate that shows an expiration in December and a new certificate that starts in April.  That gap might cause problems.  Thus an extended certificate or an additional certificate will be necessary.

While all this seems to make sense, and there doesn’t seem to be rules against it, it is strongly recommended that you contact the most senior management in the registrar possible.  And even then you might need a lot of good luck.

Finally, if your registrar is not helpful in this matter, you should consider transferring to another registrar.  It is likely that they would be willing to assign their certificate with a mutually beneficial date and audit schedule in order to gain your business.  And transferring is basically a free exercise.

No.

You have options.  The standard requires that you know your customers “perception” of your performance.  And perception is reality.  The truth is not as important as what your customers think about you.  You may be perfect but if they don”t think so then they wont repeat orders.  So this information is important and this process worthwhile doing.

A survey is one way of doing this.  Alternatively, you could telephone your customer and “obtain feedback” or even capture information informally during sales meetings or over lunch.

To be meaningful and actionable the information you collect about what your customer thinks of you should be quantifiable in some way.  Technically ISO does not restrict information to quantifiable information and you could purely subjectively make conclusions and take actions – but that is obviously flawed.  Quantifiable information could be obtained by asking for a score out of 5 or noting a response such as “good” and “OK” as positive versus a response such as “problematic” or “poor” as negative.  You could structure your conversation with the customer to capture a response about predefined subjects (you have the survey and complete it for them).

In particular the 2008 version of the standard has given more examples such as warranty information and repeat business.  These do NOT represent perception but they can be an indicator.  Other market research, second hand sales and competitive analysis can all count towards your customer satisfaction information.

Bottom line is that you need some quantifiable conclusion.  An auditor should be looking for evidence (notes, surveys, emails, etc.) of the raw data and then conclusions …..and actions.  If this information is meaningful then you should be doing something about it – to correct potential problems and to reinforce good performance.  If the information is not meaningful – then change it.  If the customer has a perception that your on time delivery is 80% then take actions to improve it to 85% (even if it really is on 75%).

Evidence to show the auditor should include the raw data, analysis, trends and conclusions and actions.  A folder, electronic records or evidence in established systems such as management review minutes (for the analysis) and the corrective/preventive/improvement action system (for action) is needed.

Yes and No.  There are no secret requirements in ISO.  The standard itself is well written and very clear.  Obviously there is the question of different people’s interpretation/perception but technically its the perception of your own management that is important.  Of course, perception is less important if a requirement has been misinterpreted – but these instances are far and few between these days.

There are “secret” requirements that registrars impose.  For instance, you are expected to have completed a full round of internal audits each year.  Technically this should be defined in the registrars contract but they don’t always do a good job of communicating these things.

Worse still is that some registrars have checklists and other auditing tools that they don’t tell you about in advance but expect you to comply with.  In the extreme this will lead to nonconformances.

Be sure to ask your registrar to point out additional requirements (and give the annual audit requirement as an example) and to provide you with copies of all tools, checklists, etc. that their auditor will use.  This provides some protection if their auditor shows up with other requirements.