e-Newsletter

 
July, 2005

Visit and bookmark our web site today: http://www.WhittingtonAssociates.com

This e-Newsletter is in HTML format and may not be displayed properly by some email programs. Please click on our web site address above to see the e-Newsletter with its proper formatting.
 
July Articles
Atlanta Classes

BOOKS: See recommended ISO 9001, Auditing, and Six Sigma books at: http://www.whittingtonassociates.com/v2/books.shtml


ARTICLES: Click on a title to jump to the article:

1. ISO 17799 and ISO 27001 - Information Security

2. Disposal of Electronic Records

3. What Does ISO 9001 Mean in the Supply Chain?

4. Sarbanes-Oxley and Outsourcing

5. Requirements and Guidance on Internal Audits

6. CQAs Recognized as RABQSA Provisional Auditors

7. Classes: July, 2005 - September, 2005

Call us at 1-800-404-7585 for these 1-day onsite classes:

  • AS9100B: Requirements Beyond ISO 9001:2000
  • ISO 9001:2000 Auditor Update - The Process Approach
  • Understanding ISO/TS 16949:2002 Requirements

To see previous articles, go to Newsletter Archives.

To avoid this newsletter being rejected, or placed in a junk folder, please add <Larry@WhittingtonAssociates.com> to your address book or accepted list.

Students attending a class in Atlanta receive a 20% discount on future Atlanta classes.

ISO 9001:2000 Lead Auditor
August 15-19, 2005
October 17-21, 2005

ISO 14001:2004 Lead Auditor
July 11-15, 2005

ISO 9001:2000 Internal Auditor
July 12-14, 2005
September 27-29, 2005

ISO/TS 16949:2002 Internal Auditor
July 19-21, 2005

ISO 9001:2000 Requirements
August 22, 2005
November 14, 2005

Quality System Documentation
August 23-24, 2005
November 15-16, 2005

Implementing ISO 9001:2000
August 25-26, 2005
November 17-18, 2005

Green Belt Certification
July 18-20, 2005
August 8-10, 2005

Black Belt Certification
Group 17 (3 weeks): August 15-19 + September 19-23 + October 17-21

See Training Classes in Other Cities

1. ISO 17799 and ISO 27001 - Information Security

ISO 17799:2005 - Information Technology - Security Techniques - Code of Practice for Information Security Management

This new version of ISO 17799 addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining, and managing information security in any organization, producing and using information in any form.

Any organization has assets, essential to its continuity. Arguably, information in its various forms is the most important asset, be it printed, stored electronically, posted or e-mailed, shown on film or spoken. For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance, and commercial image. But, many businesses and most non-business organizations may hold information as their only asset. An absence of information security may threaten their integrity and, therefore, their very existence.

ISO 17799:2005 recognizes that the level of security that can be achieved purely through technical means is limited. The required level of security (established through assessing the levels of risk and associated costs through breaches of security, against the costs of implementing security) should always be driven by appropriate management controls and procedures. Information security management requires, at a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties, and customers.

ISO 17799:2005 identifies the controls that form the starting point for information security. It covers:

  • Security policy
  • Organization of information security
  • Asset management
  • Human resources security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • Information systems acquisition, development, and maintenance
  • Incident management
  • Business continuity management
  • Compliance

The interconnected e-commerce environment, with information now exposed to a growing number and a wider variety of threats and vulnerabilities, is the main beneficiary of this standard. It is destined to become an essential tool for organizations of every type and size, whether public or private.

Ted Humphreys, Convenor of the ISO working group that developed ISO 17799:2005, said: "The revised version of this standard provides organizations with many state-of-the-art additions and improvements in information security best practice."

"For example, better management of security arrangements with external businesses, outsourcing and service providers, enhanced incident handling capability, dealing with problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet, improvements in best practice managing human resources, and several other new features."

"In summary, this revised ISO 17799 is the most important standard for managing information security that has been developed. It establishes a truly international common language for information security for all organizations around the world to engage with each other to do business."

ISO 17799:2005 can be ordered at: <http://webstore.ansi.org>.

ISO 27001:2005 - Information Technology - Security Techniques - Information Security Management Systems - Requirements


This new standard is planned for publication in November of this year. ISO 27001:2005 will complement ISO 17799:2005 and provide a specification for Information Security Management Systems and the foundation for third party audits.

 
2. Disposal of Electronic Records

Quality management systems are supported by large amounts of electronic information. And, many of these records must be kept for long times. Of course, when the retention periods are over, you want to dispose of the records in a way that protects the confidentiality of your business and personal data.

Does your records management process address the data residing on old computers that are ready for sale, recycling, or destruction? Does your organization understand that erased data on an old computer drive may still be retrievable?

There are a number of options for cleansing the drives of unwanted computers, from special wiping software to destruction services to manufacturers' recycling programs. But what many computer owners don't realize is that these methods, used alone, are often not enough.

There are signs that people are not aware of the risk from discarded drives. Last year, German encryption technology specialist Pointsec tested hard drives bought on eBay to see if they still carried data and discovered that seven out of every 10 devices it tested still retained readable information.

"What we've seen with a lot of clients is that they think that reformatting a drive gets rid of the data, and that's just not true," says Kathy Ferguson, a business unit manager with IBM's Asset Recovery Solutions Group. "In a typical scenario, that only overwrites partitions, or sectors of data. At the end of the day, you can recover that data readily if you have the right tools."

Wiping software is the obvious next choice for eliminating the data. Most of these tools work by overwriting the information on the device with a random series of numbers. By using multiple overwrites featuring different character sets, you can approach the level of protection required by the U.S. Department of Defense, which requires at least four passes with wiping tools (in cases where the DoD does not mandate that the drive be destroyed).

Experts say the best approach in trying to completely erase information is to use a combination of data removal software and material destruction. All of the major computer makers and most hard-drive makers offer recycling programs where they will professionally destroy the data devices.
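The reformat-versus-wipe distinction above, as an added example that is not from the CNET report or this newsletter: a toy in-memory disk (constructed sector layout and a constructed four-pattern wipe schedule, not a real file system or the DoD specification) in which a quick format clears only the allocation table, so the file still turns up in a raw scan, while a multi-pass overwrite followed by a read-back verification removes it.

```python
import os

SECTOR_SIZE = 64        # constructed toy geometry
SECTOR_COUNT = 32       # sector 0 holds the allocation table (1 byte per sector)
# Constructed wipe schedule: three fixed patterns plus one random pass,
# illustrating "multiple overwrites with different character sets".
WIPE_PATTERNS = (b"\x00", b"\xff", b"\x55", None)   # None = random data


class ToyDisk:
    """In-memory model of a drive: sector 0 is a one-byte-per-sector
    allocation table (1 = in use), sectors 1.. hold file contents."""

    def __init__(self):
        assert SECTOR_COUNT <= SECTOR_SIZE, "table must fit in sector 0"
        self.media = bytearray(SECTOR_SIZE * SECTOR_COUNT)

    def write_file(self, data: bytes) -> list:
        """Store data in free sectors and mark them used; return the sectors."""
        sectors = []
        for off in range(0, len(data), SECTOR_SIZE):
            chunk = data[off:off + SECTOR_SIZE]
            free = [s for s in range(1, SECTOR_COUNT) if self.media[s] == 0]
            if not free:
                raise OSError("toy disk full")
            s = free[0]
            start = s * SECTOR_SIZE
            self.media[start:start + len(chunk)] = chunk
            self.media[s] = 1                 # allocation table entry
            sectors.append(s)
        return sectors

    def read_file(self, sectors: list) -> bytes:
        """Read through the allocation table, the way a file system does."""
        if any(self.media[s] == 0 for s in sectors):
            raise FileNotFoundError("sectors are marked free")
        return b"".join(bytes(self.media[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE])
                        for s in sectors)

    def quick_format(self) -> None:
        """Clear only the allocation table; data sectors are left as they are."""
        self.media[0:SECTOR_COUNT] = bytes(SECTOR_COUNT)

    def raw_scan(self, marker: bytes) -> bool:
        """Search the raw media, ignoring the table (a sanitization check)."""
        return marker in self.media

    def wipe(self, patterns=WIPE_PATTERNS) -> dict:
        """Overwrite every sector once per pattern, then verify the final pass."""
        size = len(self.media)
        fill = b""
        for pat in patterns:
            fill = os.urandom(size) if pat is None else pat * size
            self.media[:] = fill
        verified = bytes(self.media) == fill     # read-back check of the last pass
        return {"passes": len(patterns), "verified": verified}


def demonstrate(secret: bytes = b"PAYROLL-2005-CONFIDENTIAL") -> dict:
    """Run the article's scenario on the toy disk and report what is recoverable."""
    disk = ToyDisk()
    sectors = disk.write_file(b"customer ledger " * 10 + secret)   # constructed data
    readable_before = disk.read_file(sectors).startswith(b"customer ledger")
    disk.quick_format()
    try:                                       # the file system says the file is gone...
        disk.read_file(sectors)
        listed_after_format = True
    except FileNotFoundError:
        listed_after_format = False
    found_after_format = disk.raw_scan(secret)   # ...but the bytes are still on the media
    report = disk.wipe()
    found_after_wipe = disk.raw_scan(secret)
    return {
        "readable_before": readable_before,
        "listed_after_format": listed_after_format,
        "recoverable_after_format": found_after_format,
        "recoverable_after_wipe": found_after_wipe,
        "wipe_passes": report["passes"],
        "wipe_verified": report["verified"],
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```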

This article was based on a report written by Matt Hines for CNET News.com. Click on Skeletons on Your Hard Drive to read the full article.

3. What Does ISO 9001 Mean in the Supply Chain?

ISO has published a short information brochure, ISO 9001:2000 - What does it mean in the supply chain? This document is aimed at managers who are involved in selecting suppliers and making purchasing decisions, who may well encounter suppliers that claim to have an ISO 9001:2000-based quality management system. The brochure addresses the following main topics:
  • What is ISO 9001:2000?
  • What does "conformity to ISO 9001:2000" mean?
  • How does ISO 9001:2000 help managers to select a supplier?
  • How can managers have confidence that a supplier meets ISO 9001:2000?
  • Can suppliers claim that their goods or services meet ISO 9001:2000?
  • What to do if things go wrong.
ISO Secretary-General Alan Bryden commented: "Within the context of the growth of international trade and global supply chains, ISO 9001:2000 is being used by suppliers and customers located in different countries to establish initial confidence, or even to select partners in the supply chain. This new brochure will help them avoid unpleasant surprises and use ISO 9001:2000 to its full potential."

The brochure is the work of the ISO 9000 Advisory Group (IAG). Co-Chair of the IAG, Nigel Croft, explained: "The IAG developed its informative brochure for the intended audience of purchasers in a business-to-business environment, who are not necessarily certified to or even familiar with ISO 9001:2000. It provides answers to questions they may have such as:
  • Does a claim of conformity to ISO 9001:2000 mean there is a 'guarantee' that all the goods and services provided will always meet the customers' requirements?
  • How can a purchaser be sure that its supplier really does have a quality management system that meets ISO 9001:2000 requirements and that is relevant to the products it is providing?
  • Where does product certification fit in?
  • What should customers do if they are not happy with the performance of their suppliers?"

Nigel Croft added: "One of the primary objectives of ISO 9001:2000, as described in Clause 1.1 of the standard is 'to specify requirements for a quality management system where an organization ... needs to demonstrate its ability to consistently provide product that meets customer and applicable regulatory requirements ...'.

"A reasonable expectation of customers of organizations that claim to have an ISO 9001:2000-based quality management system should therefore be that the products or services they receive are in fact realized in conformity to those requirements on a consistent basis. It was with these issues in mind that the ISO 9000 Advisory Group developed the new brochure."

The brochure is available free of charge in the ISO 9000 section of the ISO web site: http://www.iso.org/iso/en/iso9000-14000/explore/9001supchain.html

4. Sarbanes-Oxley and Outsourcing
  
The Sarbanes-Oxley Act of 2002 (SOX) impacts on both user and service organizations. In this article, Luc Klein of LogicaCMG describes the options firms have for compliance, the specific issues they must be aware of, and why time is running out for non-U.S. companies that are listed in the United States.
 
As companies choose to devote key resources to core business activities, it is increasingly common for supporting functions to be outsourced. These often include IT-intensive activities such as information processing, claims management, and payroll. Drivers for outsourcing include more efficient and effective cost and risk management, as well as improved service delivery and greater speed to market.

Under SOX (Section 404), organizations are responsible for ensuring that the service providers of any outsourced functions have documented their financial processes, carried out a risk assessment, and have in place adequate controls over financial reporting, which have been thoroughly tested for their effectiveness. This responsibility can never be delegated to the service provider by the user organization.

In addressing SOX requirements, companies (particularly user organizations) must ask:
  1. What outsourced processes may affect our financial statements?
  2. How do we know our service providers have conducted proper risk assessments focusing on processes, systems, and people?
  3. How do we know our service providers have effective controls in place to mitigate, eliminate, or avoid risks?
  4. How do we know that changes to outsourced processes or systems will not have a material effect on our financial information?
There are two approaches to answering these questions:
  1. The user may have its internal or external auditor conduct an audit of its service provider.
  2. The service provider may have its own external auditor provide audit reports to the user.
Auditing Your Service Provider
If a user organization has a large degree of control over its outsourced activities, then it may need to be involved in performing risk and control assessments of the service provider, as well as testing that the controls are effective. The user organization may ultimately use internal or external audits to evaluate its service provider's control environment as an extension of normal audit procedures. It is important to determine contractual provisions for financial control auditing and to agree on the audit process between the user and service provider.

In some cases, it may not be practical to audit service providers, particularly from the service provider's standpoint. This may be especially true when multiple clients seek audits, each looking for a range of assurances about internal controls, which may place burdens on the service provider's resources.

Reliance on Service Provider Audits
Service providers may opt for a Statement on Auditing Standards (SAS) No. 70, Service Organizations. This is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).

SAS 70 is accepted under SOX in relation to section 404. A SAS 70 audit involves an external, independent evaluation of service provider controls, their execution, and effectiveness. The audit, which is typically conducted by the service provider’s external auditor, addresses critical benchmarks, including completeness, accuracy, and timeliness of the control activities and processes.

There are two types of SAS 70 audit reports. Type I describes the service provider’s internal controls at a specific point in time, for example, at fiscal year-end. Type II not only includes the service provider’s description of internal controls, but also detailed testing of them over a minimum six-month period. With a SAS 70 report, user firms will not have to conduct their own audit of the service provider’s controls. Service providers may use a SAS 70 report for commercial purposes as well. SOX compliance and provision of a SAS 70 report as a standard can offer competitive advantage.

Conclusion
Under SOX, companies are not only responsible for having their internal processes in order, but they also remain responsible for controls of any outsourced activities. User and service providers have various options open to them. Users can ensure service provider compliance by conducting an audit themselves (by either their own internal or external auditor). Or, they can rely on audits provided by their service provider by means of a SAS 70 (or similar) statement by the service provider’s auditor. There are also specific issues organizations must know, such as timing of a SAS 70 statement; or the possibility of using an alternative standard. As non-U.S. companies must comply with SOX requirements from July 15, 2006, time is running out, especially for those at the early stages of planning, or worse, have yet to start. They may have to employ additional capability and resources in order to meet the SOX deadline.

About the Author
Luc Klein, MBA, is a senior business consultant in LogicaCMG’s finance business consulting unit. Contact at risk.solutions@logicacmg.com. Reprinted with permission.

5. Requirements and Guidance on Internal Audits

You're probably familiar with the ISO 9001:2000 requirements for an internal audit program. But have you thought about improving your internal audits by considering the extra requirements and guidance from the different industry sector schemes? Well, read on, because after a brief review of the ISO 9001:2000 audit requirements, you'll hear about additional requirements (AS9100, TL 9000, ISO/TS 16949, ISO 13485, and ISO 14001) and guidance (ISO 9004, ISO 14004, ISO 90003, and ISO 19011) to consider for your internal audit program.

Audit Definition
According to ISO 9000:2000 (and ISO 19011:2002), an audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

Audit Requirements

Clause 8.2.2 of ISO 9001:2000 states that the organization must conduct internal audits at planned intervals to determine whether the quality management system:

a) conforms to the planned arrangements, to the requirements of this International Standard, and to the quality management system requirements established by the organization, and
b) is effectively implemented and maintained.

An audit program must be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined. Selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process. Auditors must not audit their own work.

The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records must be defined in a documented procedure.

The management responsible for the area being audited must ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities must include the verification of the actions taken and the reporting of verification results.

Audit Guidance - ISO 9004
Clause 8.2.1.3 of ISO 9004:2000 states that top management should ensure the establishment of an effective and efficient internal audit process to assess the strengths and weaknesses of the quality management system. The internal audit process acts as a management tool for independent assessment of any designated process or activity. The internal audit process provides an independent tool for use in obtaining objective evidence that the existing requirements have been met, since the internal audit evaluates the effectiveness and efficiency of the organization.

It is important that management ensure improvement actions are taken in response to internal audit results. Planning for internal audits should be flexible in order to permit changes in emphasis based on findings and objective evidence obtained during the audit. Relevant input from the area to be audited, as well as from other interested parties, should be considered in the development of internal audit plans.

Examples of subjects for consideration by internal auditing include:

  • Effective and efficient implementation of processes,
  • Opportunities for continual improvement,
  • Capability of processes,
  • Effective and efficient use of statistical techniques,
  • Use of information technology,
  • Analysis of quality cost data,
  • Effective and efficient use of resources,
  • Process and product performance results and expectations,
  • Adequacy and accuracy of performance measurement,
  • Improvement activities, and
  • Relationships with interested parties.
Internal audit reporting sometimes includes evidence of excellent performance in order to provide opportunities for recognition by management and motivation of people.

Aerospace - AS9100
In addition to the basic ISO 9001:2000 requirements, AS9100B:2004 states that detailed tools and techniques must be developed, such as checksheets, process flowcharts, or similar methods, to support audit of the quality management system requirements. The acceptability of the selected tools will be measured against the effectiveness of the internal audit process and overall organization performance. Internal audits must also meet contract and/or regulatory requirements.

Telecommunications - TL 9000
TL 9000, Release 3.0, doesn't add any requirements to those expressed in clause 8.2.2 of ISO 9001:2000.

Automotive - ISO/TS 16949
In addition to the basic ISO 9001:2000 requirements, ISO/TS 16949:2002 adds five sub-clauses:

8.2.2.1 Quality Management System Audit
The organization must audit its quality management system to verify compliance with ISO/TS 16949 and any additional quality management system requirements.

8.2.2.2 Manufacturing Process Audit
The organization must audit each manufacturing process to determine its effectiveness.

8.2.2.3 Product Audit
The organization must audit products at appropriate stages of production and delivery, at a defined frequency, to verify conformance to all specified requirements, such as product dimensions, functionality, packaging, and labeling.

8.2.2.4 Internal Audit Plans
Internal audits must cover all quality management related processes, activities, and shifts, and must be scheduled according to an annual plan. When internal or external nonconformities or customer complaints occur, the audit frequency must be appropriately increased. Note: Specific checklists should be used for each audit.

8.2.2.5 Internal Auditor Qualification
The organization must have internal auditors who are qualified to audit the requirements of ISO/TS 16949.

Environment - ISO 14001
ISO 14001:2004, clause 4.5.5, is similar to ISO 9001:2000, clause 8.2.2, except:

ISO 9001 says the organization must conduct internal audits, while ISO 14001 states the organization must ensure they are conducted. ISO 9001 says to determine if the system has been effectively implemented, while ISO 14001 says to determine if the system has been properly implemented.

ISO 14001 leaves out the requirement that the management for the area being audited must ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes (since this is addressed adequately by clause 4.5.3 of ISO 14001 on Nonconformity, Corrective Action, and Preventive Action). ISO 14001 also leaves out coverage of follow-up activities for the verification of actions taken and the reporting of verification results.

ISO 14001:2004, A.5.5, states that internal audits of an environmental management system can be performed by personnel from within the organization or by external persons selected by the organization, working on its behalf. In either case, the persons conducting the audit should be competent and in a position to do so impartially and objectively. In smaller organizations, auditor independence can be demonstrated by an auditor being free from responsibility for the activity being audited.

Note: If an organization wishes to combine audits of its EMS with environmental compliance audits, the intent and scope of each should be clearly defined. Environmental compliance audits are not covered by ISO 14001.

Environment - ISO 14004

Clause 4.5.5 of ISO 14004:2004, EMS - General Guidelines on Principles, Systems, and Supporting Techniques, states that internal audits of an organization's environmental management system should be conducted at planned intervals to determine and provide information to management on whether the system conforms to planned arrangements and has been properly implemented and maintained. They can also be performed to identify opportunities for improvement in an organization's environmental management system.

An organization should establish an audit program to direct the planning and conduct of audits and identify the audits needed to meet the program's objectives. The program should be based on the nature of an organization's operations, in terms of its environmental aspects and potential impacts, the results of past audits, and other relevant factors.

Each internal audit need not cover the entire system, so long as the audit program ensures that all organizational units and functions, system elements, and the full scope of the environmental management system are audited periodically.

The audits should be planned and conducted by objective and impartial auditors, aided by technical experts, where appropriate, selected from within the organization or from external sources. Their collective competence should be sufficient to meet the objectives and scope of the particular audit and provide confidence as to the degree of reliability that can be placed on the results.

The results of an internal environmental management system audit can be provided in the form of a report and used to correct or prevent specific nonconformities, fulfill one or more objectives of the audit program, and provide input to the conduct of the management review.

Medical Devices - ISO 13485
ISO 13485:2003, Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes, doesn't expand on the basic audit requirements of ISO 9001:2000.

Software - ISO 90003
ISO 90003:2004, Guidelines for the Application of ISO 9001:2000 to Computer Software, states that when software organizations separate their work into projects, audit planning should define a selection of projects and assess both the compliance of their project quality planning to the organization’s quality management system and the compliance of the project to the project quality planning. This selection should ensure coverage of all stages and all processes. This may necessitate auditing various projects at different stages of their product development life cycle, or auditing a single project as it progresses through various stages. Where the intended project changes its timescale, the internal audit schedule may be reviewed, either to change the timing of the audit, or to consider a different project.

Other Sources - ISO 19011 and QE19011S
ISO 19011:2002 provides guidelines for quality and/or environmental management system auditing. It gives suggestions for conducting internal and external audits, as well as on the competence and evaluation of auditors. Although supplementary guidance and examples are provided in ISO 19011:2002, the US decided additional guidance was necessary. Therefore, QE19011S:2004 was published with the ISO 19011:2002 text, plus extra guidance for first-party (internal) audits, second-party (external) audits, and small organizations.

6. CQAs Recognized as RABQSA Provisional Auditors


RABQSA International (RABQSA) and the American Society of Quality (ASQ) have announced that RABQSA will recognize the ASQ Certified Quality Auditor (CQA) for immediate certification as an RABQSA certified QMS Provisional Auditor in the Accredited (ISO 17024:2003) QMS Personnel Certification Scheme.

"Having determined that the CQA examination and related criteria meet the knowledge-based competency requirements of RABQSA's accredited QMS Auditor certification, we are extremely proud to offer accredited certification to ASQ's QAD CQAs," said Michael Carmody, CEO of RABQSA. "The increased international recognition and ASQ CQA entry into the ISO-based personnel certification community will provide a firm base on which to further develop the relationship between the American Society for Quality and RABQSA to the benefit of our certified personnel," said Carmody.

"We are excited at the added value the relationship with RABQSA will create within ASQ and the Quality Audit Division (QAD)," said Mark Kempf, Chairman of ASQ QAD. "For a number of years, ASQ has strived to establish international recognition within the ISO conformity assessment framework. With RABQSA now firmly supporting the ASQ CQA program, our potential to achieve enhanced recognition and international acceptance has been realized," said Kempf.

All ASQ CQAs will be contacted over the next month with information outlining the application process for RABQSA certification. Data exchange between both organizations has enabled RABQSA to streamline its application and evaluation process.

ASQ CQAs certified by RABQSA will be listed on the RABQSA international register of certified auditors and will receive a Certificate and ID Card marked with the logos of RABQSA, the American Society for Quality, and the Accreditation Body.

For further information regarding RABQSA Personnel and Training Certification, and further detail on the ASQ CQA strategic initiative, please contact Ms. Shanya Salamaca at ssalamaca@rabqsa.com or 1-888-722-2440.

7. Class Schedule: July, 2005 - September, 2005

To enroll in these public classes, you can click on the course title, go to Class Schedule at our web site, or call us at 800-404-7585.

Classes taught by Larry Whittington are shown in yellow.

ISO 9001:2000 Lead Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by Larry Whittington 
  • July: 11-15 San Jose, CA; 18-22 Reston, VA; 25-29 St. Louis, MO
  • August: 01-05 Anaheim, CA; 08-12 New York, NY; 15-19 Atlanta, GA; 15-19 Dallas, TX; 22-26 Reston, VA; 29-02 Las Vegas, NV
  • September: 12-16 Chicago, IL; 19-23 Pittsburgh, PA; 26-30 Phoenix, AZ

 
ISO 9001:2000 Internal Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by an Associate at Whittington & Associates
  • July: 06-08 Chicago, IL; 12-14 Atlanta, GA
  • August: 09-11 Reston, VA; 30-01 San Jose, CA
  • September: 27-29 Atlanta, GA; 27-29 Memphis, TN

Implementing ISO 9001:2000
Course developed by Larry Whittington

  • July: 07-08 Anaheim, CA
  • August: 25-26 Atlanta, GA
  • September: 20-21 Reston, VA

Understanding ISO 9001:2000
  • July: 06 Anaheim, CA
  • September: 19 Reston, VA

Understanding ISO 9001:2000 Requirements (Atlanta Only - $295)
Course developed by Larry Whittington

  • August: 22 Atlanta, GA
  • November: 14 Atlanta, GA


Quality System Documentation (ISO 9001:2000)
Course developed by Larry Whittington
  • August: 23-24 Atlanta, GA
  • September: 22-23 Reston, VA

The above public courses can be offered on-site at your facility. In addition, we offer these on-site courses:

  • ISO 9001:2000 Auditor Update - The Process Approach (1 Day) - Course developed by Larry Whittington
  • Understanding ISO/TS 16949:2002 Requirements (1 Day) - Course developed by Larry Whittington
  • Internal Quality Auditing (2 Days) - Course developed by Larry Whittington (based on ISO 19011)
  • AS9100B: Requirements Beyond ISO 9001:2000  (1 Day) - Course developed by Larry Whittington
To arrange an economical on-site class, please call us at 800-404-7585.  


© 2000-2005 Whittington & Associates, LLC. All rights reserved.
You may copy this e-Newsletter provided you copy it completely, do not change it, and include this copyright notice.
