December 2005
Visit and bookmark our web site today: http://www.WhittingtonAssociates.com
Newsletter Articles - December 2005
Public Classes: Quality, Environment, Information Security, Medical, Automotive, Aerospace
Articles in this issue:
1. Information Security and ISO 27001
2. How to Select and Use a Consultant
3. Suspension of RABQSA Certification Transition
4. Z10 - Occupational Health and Safety Standard
5. ANAB: QMS and EMS Outputs Matter!
6. Classes: December 2005 - February 2006
1. Information Security and ISO 27001

Information security failures can result in escalating financial losses and disrupt business operations. The newly published ISO 27001:2005 standard for information security management systems gives organizations a structured way to close existing gaps and to manage future threats as they emerge.

"The publication of ISO 27001:2005 is a big event in the world of information security and the standard has been eagerly awaited," said Ted Humphreys, Convenor of the working group responsible for managing the development of the standard. "It is a standard that all security-conscious organizations should look to implement."

ISO 27001:2005 can be used by a broad range of organizations – small, medium, and large – in most commercial and industrial sectors: finance and insurance, telecommunications, utilities, retail, manufacturing, the various service industries, transportation, government, and many others.

Implementing ISO 27001:2005 reassures customers and suppliers that information security is taken seriously by the organizations they deal with, because those organizations have in place defined, auditable processes for dealing with information security threats and issues.

Information is an asset which, like other important business assets, adds value to an organization and consequently needs to be protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage, and maximize return on investments and business opportunities.

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and IT systems.

ISO 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented ISMS. It adopts the process-based approach of ISO's other management system standards – ISO 9001:2000 and ISO 14001:2004 – including the Plan-Do-Check-Act (PDCA) cycle and the requirement for continual improvement. In PDCA terms, the organization plans the ISMS by defining its scope, assessing its information security risks, and selecting controls to treat them; does by implementing and operating those controls; checks by monitoring, measuring, and auditing them; and acts on the results to maintain and improve the ISMS.

The new standard forms a complementary pair with the recently published ISO 17799:2005 code of practice for information security management. ISO 27001 states the auditable requirements for the management system, while ISO 17799 gives implementation guidance on the controls; the control objectives and controls listed in Annex A of ISO 27001:2005 are drawn from ISO 17799:2005.

Organizations that so wish can have their ISMS independently certified as conforming to the requirements of ISO 27001:2005, although certification is not a requirement of the standard. Until now, organizations that wished to have their ISMS certified have done so against the British Standard BS 7799 Part 2. Certification is now possible against ISO 27001:2005, an International Standard. Note that certification attests that the management system conforms to the standard and is operating as documented; it does not by itself demonstrate that any particular system or control is free of weaknesses.

We offer the following courses on ISO 27001 and ISO 17799:

ISO 17799 / ISO 27001 Understanding an Information Security Management System
- Atlanta, GA - February 7-8, 2006

ISO 17799 / ISO 27001 Information Security Management System Implementation
- Reston, VA - February 7-9, 2006
- Atlanta, GA - April 4-6, 2006

ISO 27001 Information Security Management System Lead Auditor
- Atlanta, GA - February 13-17, 2006
- Seattle, WA - March 6-10, 2006
2. How to Select and Use a Consultant

Choosing a qualified consultant is no easy task. The importance of taking the time to make a thoughtful selection cannot be overstated. Your choice could end up affecting the efficiency and effectiveness of your business operations.

1. Understand the reasons for using a consultant
Why do organizations use consultants? An organization may realize it lacks the expertise, time, experience, or objectivity to perform the work without outside assistance.

2. Identify the services you need from consultants
Competent consultants should not only be able to plan the activities, document your processes, and recommend system improvements, but also suggest good practices, teach on-site classes, and conduct internal audits.

3. Decide on the selection criteria
Agree on the criteria for selecting the right consultant for your organization. Factors to consider include experience, credentials, skills, availability, accessibility, cost, and references.

4. Find prospective consultants
Now it's time to locate possible candidates. There isn't a single directory of consultants, so consider a variety of sources: prior use, referrals, associations, consulting guides, advertisements, trainers, registrars, and the Internet.

5. Request a proposal
Ask the candidates to submit proposals for your evaluation. To help them propose the appropriate services, include the following information in your request: scope, timing, methods, fees, and expenses.

6. Choose the consultant
Evaluate the proposals using the agreed selection criteria. Know in advance who will participate in the evaluation and make the recommendation. You want the decision fully supported so the consultant can work effectively with your organization.

7. Negotiate the terms
Confirm the consulting fees and estimated expenses. You will make your initial decision on the available facts, with the terms of the agreement still to be negotiated. Remember that consultants may reduce their quoted rates to win your business.

8. Prepare the agreement
It is very important to get a written agreement. Make sure everyone has the same understanding and expectations. The agreement could be a legal contract or simply a letter of understanding; the bigger the job, the more formal the agreement should be.

9. Manage the consultant
Even an expert consultant needs to be managed well. Ensure that the primary contact at your organization fully accepts this coordination role. Any issues or misunderstandings must be promptly resolved.

10. Evaluate the results
When the project is complete, evaluate the results. Were the deliverables acceptable? Were they produced on schedule? Did the outcome satisfy the objectives? Assess the consultant's performance. Did the consultant do a good job of planning? Was the plan followed without significant deviation? Were you kept informed throughout the project? Did the consultant work well with others and foster teamwork?

Summary and Guidance
If thoughtfully selected and wisely used, a consultant can be a valuable partner in setting up or improving your quality management system. Remember, however, that the system is owned by your organization, not by the consultant.

Larry Whittington wrote a white paper on this subject, 10 Tips for the Selection and Use of a Quality Management System Consultant, for BSI Management Systems. ISO 10019:2005, Guidelines for the Selection of Quality Management System Consultants and Use of their Services, is available at http://qualitypress.asq.org.
3. Suspension of RABQSA Certification Transition

RABQSA has announced the suspension of its Certification Transition Plan, which required auditors to transition to the competency-based certification schemes for QMS, EMS, Food Safety, and OH&S. The 31 December 2006 transition deadline has been suspended to allow auditors more time to choose their certification scheme.

"The message we have received from our customers throughout 2005 is that more time is required to allow auditors to decide on the value of transitioning from the current qualification-based certification schemes to the internationally recognized competency-based schemes," said Michael Carmody, CEO of RABQSA.

RABQSA will continue to offer both its traditional qualification-based and its new competency-based certification products, including the associated Training Course Certification and TPECS certification products, until its customers have had sufficient time to make an informed choice of the scheme that best serves their needs.

RABQSA will engage industry and its currently certified professionals to promote the value of being internationally recognized to deliver a professional service and product directly to industry, and of providing a career pathway for people seeking competency-based professional certification.

"The future value of personnel certification to industry will be based on the demonstration of your ability, not simply showing your qualifications," said Carmody. "It's about confidently showing your customer you are the right person with the knowledge and skill for the job, no matter where you choose to work."

For more information, go to the RABQSA web site at http://www.rabqsa.com/news.shtml.
4. Z10 - Occupational Health and Safety Standard

ANSI/AIHA Standard Z10, Occupational Health and Safety Management Systems, has been published. The standard, developed through a consensus process by a committee of experts and stakeholders from industry, labor, business, professional organizations, and government, is a fully recognized American National Standard. The American Industrial Hygiene Association (AIHA) serves as secretariat for the Z10 Committee.

The new standard enables organizations to integrate occupational health and safety (OHS) management into their overall business management systems. It focuses on principles that are broadly applicable to organizations of all sizes and types rather than on detailed specifications. It is compatible with relevant OHS, environmental, and quality management standards, as well as with approaches to OHS management in common use in the United States.

Founded in 1939, AIHA is the premier association of occupational and environmental health and safety professionals. Its 12,000 members play a crucial role on the front line of worker health and safety every day, and represent a cross-section of industry, private business, labor, government, and academia. The Z10 standard can be ordered from AIHA for $65.

ANAB Accreditation Program for Z10
The ANSI-ASQ National Accreditation Board (ANAB) has developed an accreditation program to support ANSI/AIHA Standard Z10. Because the new standard is compatible with environmental and quality management standards such as ISO 14001 and ISO 9001, it allows organizations to integrate occupational health and safety management into their overall business management systems.

"The Z10 standard of management systems and principles is designed to help organizations of all types and sizes improve their occupational health and safety performance," says Robert H. King Jr., ANAB president. "Our accreditation program is intended to meet the needs of the U.S. market for an accredited certification program for occupational health and safety management systems."
5. ANAB: QMS and EMS Outputs Matter!

The ANSI-ASQ National Accreditation Board (ANAB) recently issued a notice titled "Outputs Matter!" Since ANAB is the U.S. accreditation body for ISO 9001 and ISO 14001 registrars (certification bodies), we need to pay attention to its advice.

The ANAB notice said that for clients with a certified Quality Management System (QMS), the expected outputs should be trends of improving:
- customer satisfaction,
- product and/or service conformance, and
- continual improvement.

For clients with a certified Environmental Management System (EMS), the expected outputs should be trends of improving:
- environmental performance,
- legal compliance,
- pollution prevention, and
- continual improvement.

The purpose of the notice was to encourage certification bodies (CBs) to focus more closely during audits on the outputs (results) of certified clients. Early in every audit of a client, the audit team should review information on the trends of the expected outputs. When the information indicates no improvement or, even worse, a negative trend, the audit team should determine what the client is doing to identify why its management system is failing.

Customers of certified organizations are saying with increasing emphasis that these firms are not delivering the expected outputs, and they are even beginning to question the value of accredited certification. As a result, ANAB accreditation auditors (during their office and witness audits of CBs) will increase their focus on what is being done to ensure that CB auditors maintain a consistent and appropriate focus on outputs during their audits of certified clients.

The ANAB notice included the EMS and QMS white papers below, which elaborate on the parts of the ISO standards, ISO guides, and IAF guidance that support this focus on system outputs.

Outputs Matter in EMS Audits

History
When ISO 14001 was introduced in 1996, a key concern of non-governmental organizations and regulators was the lack of performance requirements in the standard. Compliance with the law was (and is) not required for registration. Specific performance requirements for air, water, and waste management were also not prescribed.

With the introduction of ISO 9001:2000, the focus shifted from simple conformity to the effectiveness of the management system. The EMS focus also shifted. There is now an expectation that the output of the EMS includes an improved level of compliance with legal requirements and improvement in the level of environmental performance.

Requirements
The expectations of an effectively implemented EMS are stated in the introduction to ISO 14001:2004: "[An EMS] enables an organization to ... take action as needed to improve its performance ..."

The standard requires top management to commit to continual improvement, prevention of pollution, and compliance with legal and other requirements (subclause 4.2). It also requires an organization to evaluate and prioritize its environmental aspects and impacts, establish objectives and targets, and define and implement the means for their achievement (subclauses 4.3.1 and 4.3.3). The organization must evaluate its compliance with legal and other requirements (subclause 4.5.2) and take corrective and preventive actions (subclause 4.5.3). As part of management reviews (subclause 4.6), the organization must review the results of evaluations of compliance with legal and other requirements, its environmental performance, its progress in meeting objectives and targets, the status of corrective and preventive actions, and opportunities for improvement.

While the EMS conformity assessment requirements do not discuss specific EMS performance expectations, the importance of an organization's demonstrated commitment to compliance and the need to consider the organization's environmental performance and compliance are underscored in ISO Guide 66 and the associated IAF guidance.

ISO Guide 66 and the IAF guidance provide several performance-focused criteria for the selection and qualification of audit teams (ISO Guide 66 subclauses 4.2.3.2 a, c, and d; IAF guidance G.4.2.11 and G.4.2.15). The IAF guidance discusses expectations regarding the information gathered during audits and surveillance that provides a basis for initial and continued certification, including information relating to environmental performance, compliance with legal and other requirements, continual improvement, and overall effectiveness of the organization's EMS (IAF guidance G5.3.21, G5.3.22, and G5.6.5 a, d, and e).

ISO Guide 66 and the IAF guidance have been careful to avoid the EMS conformity assessment process developing into "compliance" auditing. However, the importance of considering compliance information as a basis for initial and continuing certification is recognized in ISO Guide 66 subclause 4.1.1.5 and IAF guidance G.4.1.6 and G5.6.5 d, which emphasize the need for the CB to verify that a system is in place to assure compliance.

Expectations of CB Audit Teams
CB audit teams are in a position to drive a focus on outputs by a certified organization. The CB audit team should focus on environmental performance measures and compliance at the earliest opportunity during the audit.

The audit team should review the environmental performance measures to determine whether the organization shows improvement in all of them, based on the objectives and targets of the EMS. Where the organization does not show improvement on a performance measure, the audit team should investigate to determine what element of the EMS might be allowing this to occur.

The audit team should use the initial tour of the facility and subsequent tours to look for compliance issues. If any are discovered, the audit team should ensure management is alerted to the non-compliance. As in the previous situation, the audit team should then investigate to determine where a failure in the EMS might be allowing the non-compliance to occur. The EMS elements to be investigated could include 4.3.2 Legal and Other Requirements; 4.3.3 Objectives, Targets and Programs; 4.4.1 Resources, Roles, Responsibility and Authority; 4.4.2 Competence, Training and Awareness; 4.4.6 Operational Control; 4.5.1 Monitoring and Measurement; 4.5.2 Evaluation of Compliance; 4.5.3 Nonconformity, Corrective Action and Preventive Action; and 4.6 Management Review. The nonconformance should be written against the appropriate requirement of the standard.

Summary
Criteria and guidance for the certification process emphasize the need for the CB to consider an organization's compliance with legal and other requirements and its environmental performance as factors essential to demonstrating that an EMS is effectively implemented.

Outputs Matter in QMS Audits

History
The ISO 9001:2000 revision brought a major shift in emphasis toward management commitment to, and participation in, an organization's QMS. The revised standard contains specific requirements for establishing objectives and criteria for QMS processes for management activities, provision of resources, product realization, and monitoring and measurement of products, processes, and the QMS itself, with the aim of achieving customer satisfaction and continual improvement.

If supply chain customers and other interested parties are to rely upon and receive value from the third-party certification system, it is imperative that these QMS processes provide outputs that meet customer, regulatory, and the organization's own requirements. In plain words, outputs matter! To achieve these outputs, the inputs to processes must be complete and appropriate, and the processes must be robust. Feedback to ANAB, through witness audits, complaints, and its involvement at ISO and IAF, indicates that the objectives of this shift in emphasis in ISO 9001:2000 have not been consistently achieved.

Requirements
Clauses 4 through 8 of ISO 9001:2000 require top management to commit to its QMS by communicating to the organization the importance of meeting established requirements, establishing a quality policy and measurable quality objectives, conducting management reviews, allocating sufficient resources, and ensuring that customer requirements are determined and met, with the aim of enhancing customer satisfaction. Responsibilities and authorities are to be defined and communicated within the organization. Resources are to be provided, including competent personnel and a supportive infrastructure and work environment.

Product realization must be planned and carried out effectively and efficiently. Products, processes, the QMS itself, and customer satisfaction must be monitored and measured. Data must be analyzed to demonstrate the suitability and effectiveness of the QMS, including customer satisfaction and product conformity to established requirements. Decisions related to conformity of product and continual improvement of the QMS must be made, and actions taken, when results are not achieved. The organization is required to conduct internal audits that determine whether the QMS is effectively implemented and maintained and conforms to the organization's planned arrangements and to the ISO 9001 standard.

Expectations of CB Auditors
Top management of a certified organization is ultimately responsible for establishing and sustaining a customer-focused, process-based QMS in conformance with ISO 9001:2000. CB auditors are in an excellent position to instill, through their auditing practices, a driving focus by the organization on the intent and requirements of ISO 9001:2000 (and the concept of this paper) that output does matter. CB auditors should focus on the suitability and effectiveness of the organization's QMS by probing the organization's ability to determine the necessary inputs, implement effective processes, and produce outputs that consistently deliver products that meet customer and regulatory requirements.

CB auditors should thoroughly audit the interaction and communication of the QMS processes, both within the organization and with customers. Successful implementation of the QMS should lead to the establishment of appropriate planning, realization, and monitoring of processes and products to assure product conformance and continual improvement of the QMS. Where the goals and objectives of the organization and customer and regulatory requirements have not been met, or the trends are negative, CB auditors should identify the underlying processes that are deficient. Where requirements of the standard have not been met, nonconformities should be written.

CB auditors should similarly focus on the organization's internal audit, corrective action, and preventive action processes, which maintain the effectiveness of the QMS. While the CB auditor's periodic surveillance gives an independent assessment of QMS status, it is ultimately the scope and depth of the organization's ongoing efforts between such audits that assure long-term effectiveness. Internal auditors need to look at process inputs, outputs, and interactions with the same diligence as CB auditors.

CB auditors should probe the effectiveness of the root cause analyses and corrective action applied by the organization to internally identified nonconformities of products, processes, and the QMS. Similarly, the effectiveness of handling customer returns and complaints should be probed to validate data on perceived customer satisfaction.

Summary
The consistent application of criteria in auditing an organization's QMS with regard to achieving customer satisfaction, delivering conforming product, and continually improving the QMS is imperative. This is especially important to the continued reliance of the customer supply chain and other interested parties on the added value of the third-party certification system. To achieve the intended purposes of ISO 9001:2000, certified organizations must be held accountable. Outputs do matter!
6. Class Schedule: December 2005 - February 2006

To enroll in these public classes, go to Class Schedule at our web site or call us at 800-404-7585. Enroll and pay for an Atlanta class at least 30 days in advance of the class and receive a 10% discount. Students at previous Atlanta classes receive a 20% discount on future Atlanta classes. Dates are listed by month; a range such as 30-03 runs into the following month.

ISO 9001:2000 Lead Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by Larry Whittington
- December: 05-09 Chicago, IL; 12-16 Atlanta, GA; 12-16 Las Vegas, NV
- January: 09-13 San Jose, CA; 23-27 Reston, VA; 30-03 Houston, TX
- February: 06-10 San Diego, CA; 13-17 Atlanta, GA; 13-17 Orlando, FL; 27-03 St. Louis, MO

ISO 9001:2000 Internal Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by an Associate at Whittington & Associates
- December: 06-08 Reston, VA
- January: 18-20 San Jose, CA; 24-26 Atlanta, GA
- February: 22-24 San Antonio, TX

Implementing ISO 9001:2000
Course developed by Larry Whittington
- January: 10-11 Chicago, IL
- February: 09-10 Atlanta, GA
- March: 07-08 Reston, VA

Understanding ISO 9001:2000
- January: 09 Chicago, IL
- February: none scheduled
- March: 06 Reston, VA

Understanding ISO 9001:2000 Requirements (Atlanta Only - $295)
Course developed by Larry Whittington
- February: 06 Atlanta, GA
- May: 01 Atlanta, GA

Quality System Documentation (ISO 9001:2000)
Course developed by Larry Whittington
- December: 01-02 San Diego, CA
- January: 12-13 Chicago, IL
- February: 07-08 Atlanta, GA

ISO 17799 / ISO 27001 - Understanding an Information Security Management System
- December: 19-20 Reston, VA
- January: none scheduled
- February: 07-08 Atlanta, GA; 22-23 Newark, NJ

ISO 27001 - Information Security Management System Lead Auditor
- December: 05-09 San Jose, CA
- March: 06-10 Seattle, WA

ISO 17799 / ISO 27001 - Information Security Management System Implementation
- February: 07-09 Reston, VA
- March: none scheduled
- April: 04-06 Atlanta, GA

Understanding ISO 14001:2004
- January: 30 Atlanta, GA
- February: none scheduled
- March: 27 San Jose, CA

Implementing an Environmental Management System
- December: 13-14 San Diego, CA
- January: 17-18 Reston, VA; 31-01 Atlanta, GA
- March: 28-29 San Jose, CA

ISO 14001:2004 Internal Auditor
- January: 19-20 Reston, VA
- February: 20-21 Atlanta, GA
- March: 30-31 San Jose, CA

ISO 14001:2004 Lead Auditor
- January: 23-27 San Jose, CA
- February: 13-17 Houston, TX
- March: 20-24 Reston, VA; 27-31 Atlanta, GA

On-site Courses
The public courses above can be offered on-site at your facility. In addition, we offer these on-site courses:
- ISO 9001:2000 Auditor Update - The Process Approach (1 Day) - Course developed by Larry Whittington
- Understanding ISO/TS 16949:2002 Requirements (1 Day) - Course developed by Larry Whittington
- Internal Quality Auditing (2 Days) - Course developed by Larry Whittington (based on ISO 19011)
- AS9100B: Requirements Beyond ISO 9001:2000 (1 Day) - Course developed by Larry Whittington

To arrange an economical on-site class, please call us at 800-404-7585.
© 2000-2005 Whittington & Associates, LLC. All rights reserved.
You may copy this e-Newsletter provided you copy it completely, do not change it, and include this copyright notice.