e-Newsletter

 
Welcome to the Whittington & Associates e-Newsletter!

Visit and bookmark our web site today: http://www.WhittingtonAssociates.com

Newsletter Articles
March 2006


Click on an article title to jump to the article:

1. New Information Technology Standards

2. Production Part Approval Process (PPAP), 4th Edition

3. IWA 1:2005 for Health Service Organizations

4. Quality Management Gives Competitive Advantage

5. Environmental Aspects, Impacts, and Targets

6. Classes: March, 2006 - May, 2006

 


To see previous articles, go to Newsletter Archives.

To avoid this newsletter being rejected,
or placed in a junk folder, please add Larry@WhittingtonAssociates.com
to your address book or accepted list.

Enroll and pay for an Atlanta class at least 30 days in advance of the class and receive a 10% discount. Students at previous Atlanta classes receive a 20% discount on future Atlanta classes.

1. New Information Technology Standards

A new Information Technology series of standards is being published on Security Techniques for IT networks.

The ISO 18028 standards detail the specific operations and mechanisms needed to implement network security safeguards and controls in a wide range of network environments, providing a bridge between general IT security management issues and network security technical implementations. ISO 18028 comes in five parts:

ISO/FCD 18028-1:200x - Information Technology - Security Techniques - IT Network Security - Part 1: Network Security Management
Defines and describes the concepts associated with, and provides management guidance on, network security.

ISO 18028-2:2006 - Information Technology - Security Techniques - IT Network Security - Part 2: Network Security Architecture
Defines a standard security architecture, which describes a framework to support the planning, design, and implementation of network security.

ISO 18028-3:2005 - Information Technology - Security Techniques - IT Network Security - Part 3: Securing Communications Between Networks Using Security Gateways
Defines techniques for securing information flows between networks using security gateways.

ISO 18028-4:2005 - Information Technology - Security Techniques - IT Network Security - Part 4: Securing Remote Access
Provides guidance for accessing networks remotely - either for using email, file transfer, or simply working remotely.

ISO/FCD 18028-5:200x - Information Technology - Security Techniques - IT Network Security - Part 5: Securing Communications Across Networks Using Virtual Private Networks
Defines techniques for securing inter-network connections that are established using Virtual Private Networks (VPNs).

Information held by IT products or systems is a critical resource that enables organizations to succeed in their mission. Additionally, individuals have a reasonable expectation that their personal information contained in IT products or systems remain private, be available to them as needed, and not be subject to unauthorized modification. IT products or systems should perform their functions while exercising proper control of the information to ensure it is protected against hazards such as unwanted or unwarranted dissemination, alteration, or loss.

The term "IT security" is used to cover prevention and mitigation of these and similar hazards. Many consumers of IT lack the knowledge, expertise, or resources necessary to judge whether their confidence in the security of their IT products or systems is appropriate, and they may not wish to rely solely on the assertions of the developers. Consumers may therefore choose to increase their confidence in the security measures of an IT product or system by ordering an analysis of its security (i.e., a security evaluation).


ISO 15408 can be used to select the appropriate IT security measures and it contains criteria for evaluation of security requirements. It comes in three parts:

ISO 15408-1:2005 - Information Technology - Security Techniques - Evaluation Criteria for IT Security - Introduction and General Model 
Allows you to compare the results of independent security evaluations. It does so by providing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation.

ISO 15408-2:2005 - Information Technology - Security Techniques - Evaluation Criteria for IT Security - Security Functional Requirements 
Defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalog of functional components that will meet the common security functionality requirements of many IT products and systems.

ISO 15408-3:2005 - Information Technology - Security Techniques - Evaluation Criteria for IT Security - Security Assurance Requirements
Defines the security assurance requirements. It includes the evaluation assurance levels that define a scale for measuring assurance, the individual assurance components from which the assurance levels are composed, and the criteria for evaluation of Protection Profiles or Security Targets.

ISO 18045 is a companion document to the ISO 15408 family of standards:

ISO 18045:2005 - Information Technology - Security Techniques - Methodology for IT Security Evaluation
It describes the minimum actions to be performed by an evaluator in order to conduct an ISO 15408 evaluation, using the criteria and evaluation evidence defined in ISO 15408.

Copies of these IT Security standards can be acquired at the ANSI e-Standards Store.

2. Production Part Approval Process (PPAP), 4th Edition

The Production Part Approval Process (PPAP), 4th Edition manual will be released on March 1, 2006. The PPAP manual defines requirements for the production part approval process, as defined by Chrysler Group, Ford Motor Company, and General Motors. It has been updated to align with the automotive "process approach".
 
The new PPAP manual includes the following changes:

  • Alignment of PPAP to the ISO/TS 16949:2002 process approach
  • Relocation of Customer Specific Instructions to appropriate Web sites to provide more current requirements
  • Updated Truck OEM requirements, moved to Appendix H
  • Revised Part Submission Warrant (PSW)
  • Updated specific PPAP requirements, including:
    1. Materials reporting and polymeric identification requirements in the design record
    2. Process capability index usage (Cpk and Ppk)
    3. The definition and approval of catalog parts and the definition of black box parts
  • Modified customer notification and submission requirements to align with OEM requirements
  • Clarified and commonized Appendices C, D, and E to match the PPAP reporting requirements
  • Revised Tire Appendix to allow OEM specification of applicability and to eliminate duplications with allowances already provided in the PPAP requirements
  • Reorganized and updated Appendix F to stress the importance of the Bulk Materials Checklist
  • Revised Glossary to be consistent with the updates in the text

The Production Part Approval Process, Fourth Edition is exclusively available from the Automotive Industry Action Group (AIAG) at a price of $20 for members and $60 for non-members. To purchase, visit the AIAG Online Store or call AIAG customer service at 248-358-3003.

3. IWA 1:2005 for Health Service Organizations

IWA 1:2005 provides guidance for any health service organization involved in the management, delivery, or administration of health service products or services, including training and research, in the life continuum process for human beings, regardless of type, size, and the product or service provided.

IWA 1:2005, Quality Management Systems - Guidelines for Process Improvements in Health Service Organizations, can be acquired at the ANSI e-Standards Store. Other International Workshop Agreement (IWA) standards for quality management systems that are available at ANSI include:

IWA 2:2003 Quality Management Systems - Guidelines for the Application of ISO 9001:2000 in Education
IWA 4:2005 Quality Management Systems - Guidelines for the Application of ISO 9001:2000 in Local Government

4. Quality Management Gives Competitive Advantage

The Aberdeen Group recently issued a report that revealed more than half of best-in-class companies cite enforcement of quality procedures as the top strategic action for their business. Manufacturers that have developed a quality management program that spans from suppliers, through sales and production, and out to the end-customer are achieving competitive advantage.

According to the research presented in the report, "The Product Quality Benchmark Report: Achieving Quality across the Global Manufacturing Network", leading manufacturers are creating competitive advantage by incorporating performance metrics into production and business processes, implementing corporate education initiatives, and embedding corrective actions into standard operating procedures.

This benchmark study reveals that best-in-class companies are much more likely to have a global quality program in place. And, they are four times more likely than average performers to empower their decision makers with web-based, integrated technologies. Many of these leading companies are also considering either business intelligence solutions or corporate-wide quality databases to help further their quality goals within the next two years.

According to the Aberdeen Group, manufacturers should create a comprehensive quality management strategy that spans procurement, product lifecycle management, enterprise resource planning, manufacturing execution systems, customer relationship management, and their document management systems. Quality metrics, functions, and data should be managed across both the supply chain and the product lifecycle, transcending functionally-oriented systems. For more information, go to the Aberdeen Group web site.

5. Environmental Aspects, Impacts, and Targets

ISO 14001:2004 is concerned with environmental management so an organization can:

  • minimize harmful effects on the environment caused by its activities
  • achieve continual improvement of its environmental performance

Implementing an environmental management system requires identifying the environmental aspects associated with the organization’s past, existing, or planned activities, products, and services. An environmental aspect is an element of an activity or product or service that can interact with the environment.

ISO 14001:2004, clause 4.3.1, on Environmental Aspects requires an organization to:
  • Establish, implement, and maintain a procedure to identify its environmental aspects
  • Include aspects of its activities, products, and services within the defined scope of its system
  • Consider environmental aspects that it can control or influence
  • Take into account:
    • planned or new developments
    • new or modified activities, products, and services
  • Determine those environmental aspects that have or can have significant environmental impacts
  • Document the environmental aspects and impacts and keep the information up to date 
  • Ensure the significant aspects are taken into account in its environmental management system

After identifying the environmental aspects, you must analyze them to determine any significant environmental impacts. An environmental impact is any change to the environment, whether adverse or beneficial, wholly or partially resulting from an organization’s environmental aspects. The table below provides examples of aspects and impacts for an activity, service, and product:

Activity, Product, or Service | Environmental Aspect | Environmental Impact
Activity: Boiler Operation | Discharge of heated water | Changes to water quality (temperature)
Service: Fleet Operation | Fuel consumption | Depletion of non-renewable fossil fuels
Product: Printer Disposal | Generation of solid waste | Land use

After identifying environmental aspects and determining impacts, you are ready to establish environmental objectives and targets. Be sure to consider regulatory and other requirements that are applicable to the environmental aspects when setting the environmental objectives and targets.

An environmental objective is an overall environmental goal, consistent with the environmental policy, that an organization sets itself to achieve. For example, reduce your consumption of non-renewable resources.

An environmental target is a detailed performance requirement, applicable to the organization, that arises from the environmental objectives and that needs to be set and met to achieve those objectives. For example, reduce your use of heating oil by 20% by end of 2007.

Performance indicators are used to track progress in achieving objectives and targets, for example:
  • Quantity of raw materials, energy, or emissions
  • Waste produced per quantity of finished product
  • Number of environmental incidents (above limits)
  • Percent of waste being recycled
  • Number of environmental accidents (unplanned)
  • Percent of recycled material used in packaging
  • Quantities of specific pollutants emitted
  • Number of prosecutions

Activity, product, and service examples are provided below for an environmental aspect, objective, target, program, indicator, control, and measurement:

Activity: Operation of fossil fuel-based boiler
Aspect: Consumption of heating oil
Objective: Reduce consumption of non-renewable resources
Target: Reduce current consumption by 20% within one year
Program: Install more efficient fuel burners
Indicator: Heating oil consumed per working hour of boiler
Control: Procedure for recording oil consumption
Measurement: Monthly tracking of oil consumption rates
Note: another aspect for this activity would be the discharge of heated water

Product: Air conditioner
Aspect: Generation of solid waste
Objective: Reduce consumer solid waste from disposal of packaging by reducing quantity of materials used
Target: Achieve 35% reduction in packaging material by 2008
Program: Redesign packaging and implement changes
Indicator: Quantity of packaging material used per unit
Control: Procedures for design control and product packaging
Measurement: Quarterly tracking of quantity of material used
Note: another aspect for this product would be the use of electricity

Service: Transportation and distribution of products
Aspect: Vehicle emission of nitrogen oxide
Objective: Increase positive impact on air by improving effectiveness of fleet maintenance
Target: Achieve 25% reduction in emissions by 2008
Program: Identify key maintenance parameters for reduction
Indicator: Vehicle emissions per mile
Control: Procedures for maintenance; training of technicians
Measurement: Quarterly testing of vehicle emissions
Note: another aspect for this service would be the generation of waste oil

The benefits of establishing an environmental management system are:
  • Improving environmental performance
  • Maintaining good public relations
  • Obtaining insurance at reasonable cost
  • Enhancing image and market share
  • Reducing incidents that result in liability
  • Helping attain permits and authorizations
  • Conserving input materials and energy 
  • Improving cost control
  • Promoting contractor and supplier awareness

To enroll in an ISO 14001:2004 course, go to:
Understanding ISO 14001
Implementing ISO 14001
ISO 14001 Internal Auditor
ISO 14001 Lead Auditor

6. Class Schedule: March, 2006 - May, 2006

To enroll in these public classes, you can click on the course title, go to Class Schedule at our web site, or call us at 800-404-7585.

Classes taught by Larry Whittington are shown in yellow.

Quality Management System Courses
ISO 9001:2000 Lead Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by Larry Whittington 

March | April | May
06-10 Las Vegas, NV | 03-07 San Antonio, TX | 01-05 Orange County, CA
13-17 Reston, VA | 24-28 Atlanta, GA | 08-12 St. Louis, MO
20-24 Chicago, IL | 24-28 Pittsburgh, PA | 22-26 Reston, VA
27-31 Seattle, WA | - - | - -

ISO 9001:2000 Internal Auditor (RABQSA Certified) - BSI Management Systems
Initial course version developed by an Associate at Whittington & Associates
March April May
21-23  Atlanta, GA 10-12  San Jose, CA
21-23  Pittsburgh, PA  - - 23-25  Atlanta, GA

Implementing ISO 9001:2000
Course developed by Larry Whittington
March | May | July
07-08 Reston, VA | 04-05 Atlanta, GA | 25-26 Reston, VA
- - | 16-17 San Jose, CA | - -

Understanding ISO 9001:2000
March | May | July
06 Reston, VA | 15 San Jose, CA | 24 Reston, VA

Understanding ISO 9001:2000 Requirements (Atlanta Only - $345)
Course developed by Larry Whittington
May | September
01 Atlanta, GA | 11 Atlanta, GA

Quality System Documentation (ISO 9001:2000)
Course developed by Larry Whittington
March | May | July
09-10 Reston, VA | 02-03 Atlanta, GA | 27-28 Reston, VA
- - | 18-19 San Jose, CA | - -

Information Security Management System Courses
ISO 17799 / ISO 27001 - Understanding an Information Security Management System
April | May | August
19-20 Seattle, WA | 01-02 Atlanta, GA | 22-23 Reston, VA

ISO 27001 - Information Security Management System Lead Auditor
March | April | May
06-10 Seattle, WA | 24-28 Reston, VA | 08-12 Atlanta

ISO 17799 / ISO 27001 - Information Security Management System Implementation
April | May | June
04-06 Atlanta, GA | 16-18 Reston, VA | 06-08 Atlanta, GA
04-06 San Diego, CA | - - | - -

Environmental Management System Courses
Understanding ISO 14001:2004
March | April | August
27 San Jose, CA | 10 Atlanta | 07 Reston, VA

Implementing an Environmental Management System
March | April | May
28-29 San Jose, CA | 11-12 Atlanta, GA | 30-31 Dallas, TX

ISO 14001:2004 Internal Auditor
March | April | May
30-31 San Jose, CA | 19-20 Reston, VA | 09-10 Atlanta, GA

ISO 14001:2004 Lead Auditor
March | April | May
20-24 Reston, VA | 24-28 San Jose, CA | 22-26 Chicago, IL
27-31 Atlanta, GA | - - | - -

Automotive (ISO/TS 16949) Courses
ISO/TS 16949:2002 Internal Auditor
March | April | June
01-03 Atlanta | 05-07 Nashville, TN | 06-08 Atlanta, GA
- - | - - | 28-30 Chicago, IL

Understanding and Implementing ISO/TS 16949:2002
April | June
03-04 Nashville, TN | 26-27 Chicago, IL

Aerospace (AS9100) Courses
AS9100:2004 Internal Auditor
August | - -
15-17 Dallas, TX | - -

AS9100:2004 Lead Auditor
March | April | June
20-24 Atlanta, GA | 24-28 Chicago, IL | 12-16 Las Vegas, NV

Medical Devices (ISO 13485) Courses
Understanding ISO 13485:2003
March | April | May
14 Orange County, CA | 10 Reston, VA | 23 Minneapolis, MN

ISO 13485:2003 Internal Auditor
March | April | May
14-16 Orange County, CA | 10-12 Reston, VA | 23-25 Minneapolis, MN

ISO 13485:2003 Lead Auditor
March | May | June
27-31 Minneapolis, MN | 08-12 Boston, MA | 05-09 San Diego, CA

On-site Courses
The above public courses can be offered on-site at your facility. In addition, we offer these on-site courses:
  • ISO 9001:2000 Auditor Update - The Process Approach (1 Day) - Course developed by Larry Whittington
  • Understanding ISO/TS 16949:2002 Requirements (1 Day) - Course developed by Larry Whittington
  • Understanding ISO 14001:2004 Requirements - Course developed by Larry Whittington
  • Internal Quality Auditing (2 Days) - Course developed by Larry Whittington (based on ISO 19011)
  • AS9100B: Requirements Beyond ISO 9001:2000  (1 Day) - Course developed by Larry Whittington
To arrange an economical on-site class, please call us at 800-404-7585.


© 2000-2005 Whittington & Associates, LLC. All rights reserved.
You may copy this e-Newsletter provided you copy it completely, do not change it, and include this copyright notice.
