Whittington Newsletter
QMS, EMS, Information Security, and Six Sigma
March 2007

Greetings!
Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.
Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.
If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.
How to Audit Customer Communication

An effective customer communication process contributes to the success of any organization’s quality management system, and ultimately, to the success of the organization itself. Conversely, many problems an organization experiences with its customers can be traced back to poor communication.
ISO 9001 Requirements
ISO 9001:2000, clause 7.2.3, Customer Communication, states an organization must determine and implement effective arrangements for communicating with customers in relation to:
a) product information,
b) inquiries, contracts or order handling, including amendments, and
c) customer feedback, including customer complaints.
To understand how to audit the customer communication process, we should first look at other ISO 9001:2000 requirements that relate directly or indirectly to customer communication, including:
5.2 - Top management must ensure that customer requirements are determined and are met with the aim of enhancing customer satisfaction.
5.6.2.b - The input to management review must include information on customer feedback.
7.2.1 - The organization must determine the requirements specified by the customer, as well as any requirements not stated by the customer, but necessary for the specified or intended use, where known.
7.2.2 - The review of requirements must be conducted prior to the organization's commitment to supply a product to the customer.
7.2.2 - Where the customer provides no documented statement of requirement, the customer requirements must be confirmed before acceptance.
7.5.4 - If any customer property is lost, damaged, or otherwise found to be unsuitable for use, this must be reported to the customer and records maintained.
8.2.1 - The organization must monitor information relating to the customer perception as to whether the organization has met customer requirements.
8.2.4 - Product release and service delivery cannot proceed until all planned arrangements have been satisfactorily completed, unless otherwise approved by a relevant authority, and where applicable, by the customer.
8.3.b - One of the ways an organization may deal with nonconforming product is by authorizing its use, release, or acceptance under concession by a relevant authority and, where applicable, by the customer.
8.5.2.a - A documented procedure must be established to define requirements for reviewing nonconformities (including customer complaints).
ISO 9004 Guidance
In addition, ISO 9004:2000, clause 7.2, states that management should ensure the organization has defined mutually acceptable processes for communicating effectively and efficiently with its customers and other interested parties.
ISO 9004 also suggests that organizations implement and maintain such processes to ensure adequate understanding of the needs and expectations of its interested parties, and for translation into requirements for the organization.
Verifying Effectiveness
Verifying the effectiveness of customer communication is a critical component for achieving customer satisfaction. Although there is no specific requirement in ISO 9001:2000 for a documented procedure, depending on the size, complexity, and culture of the organization, it may be necessary to have one in order to ensure effective implementation of the customer communication process.
ISO 9000:2005 defines the term “customer” as the recipient of the product. It also gives examples of customers, including the “end user”.
Many organizations sell their products or services through dealers and retailers and may not be receiving orders directly from end users. It is important for the auditor to verify how the organization also communicates about the quality of its products and services to the end users, and to verify the mechanism for obtaining feedback (besides complaints) from the end users. The needs of the dealers and retailers may at times be different from those of the end users.
Audit Approach
As we’ve seen, customer communication falls in three general categories:
1. An organization’s general communication to existing or potential customers, such as advertisements or marketing information,
2. Specific information relating to a customer inquiry, requirement, or order, and
3. Communication in response to customer feedback and complaints.
General Communication
Where an organization receives orders from dealers and not the end users, the auditor should establish that the product information available to the end users (e.g., pamphlets, brochures, and web sites) describes the products and services adequately and accurately. The auditor should also try to establish how the customer needs have been identified and product specifications arrived at.
The auditor should verify the product information to confirm that it is readily available to customers or potential customers, and provides information that is up-to-date and accurate. The auditor could also query how often advertising material, web sites, and product catalogs are reviewed to reflect the organization’s current product offerings and services, and what measures are taken if a particular product is modified, discontinued, or no longer available.
Specific Communication
Some or all of the following means of an organization’s specific customer communication may be observed by the auditor:
Inquiries, contracts, or order handling, including amendments, e.g.,
• quotations
• order forms
• confirmation of order
• amendment to order
• delivery documentation
• invoices
• credit notes
• e-mail and general correspondence
• visit reports or notes to/from customer
Customer feedback and the complaints management process, e.g.,
• letters in response to complaints
• acknowledgments
Other areas where the auditor may observe the organization’s communication with customers are:
• During the ordering process where the customer provides no documented statement of requirement, the organization must have a system in place to obtain or confirm these customer requirements before accepting the order
• During the design and development process there may be considerable communication taking place between the organization and the customer
• During the process of authorizing product release or service delivery (under concession by the customer) prior to satisfactory completion of all planned product testing
• During the process of authorizing the use of nonconforming product by release or acceptance under concession by the customer
• During the process of gathering customer satisfaction data from customers on their perception as to how well products and services are meeting their requirements
The auditor would use normal trace methods to verify the conformity of these activities to the customer communication requirements of ISO 9001, as well as assessing the effectiveness of communications with customers in the execution of the inquiry, contract, or order.
Note: This article was based on one of the Auditing Practices Group papers at the ISO web site. Another paper at that site addresses the customer feedback and customer complaint processes.

New TL 9000 R4.0 Handbooks

TL 9000 was developed by the Quality Excellence for Suppliers of Telecommunications Forum (QuEST Forum) to meet the quality requirements of the worldwide telecommunications industry.
The TL 9000 Requirements Handbook establishes a common set of quality management system requirements (based on ISO 9001:2000) for suppliers of telecommunications products: hardware, software, and/or services.
The TL 9000 Measurements Handbook defines a minimum set of performance measurements that are used to evaluate results and identify improvement opportunities. All certified TL 9000 organizations are required to submit product measurements.
TL 9000 Requirements Handbook, Release 4.0
The new TL 9000 Requirements Handbook, R4.0, consists of all the ISO 9001:2000 requirements and 90 additional telecom requirements. All audits completed after July 1, 2007 must be performed to the R4.0 Requirements.
The upgrade to R4.0 may be done during a surveillance audit and does not have to be done during a certification or re-certification audit. Auditors must have delta training before conducting a third party audit to R4.0.
Summary of Changes
The ISO 9001:2000 base remains unchanged.
- ~30% of the adders remain unchanged
- ~30% of the adders have minor changes
- ~40% of the adders have major changes or are new
These new and changed requirements were designed to:
- Ensure intended results instead of specifying methods
- Emphasize design process quality measurements
- Add required testing (regression, document verification, stress, abnormal condition and system), and
- Broaden the scope of certain requirements, e.g., from “software only” to “common” or “hardware and software”
There was a net gain of 9 adders in TL 9000 for a total of 90 unique telecom requirements.
TL 9000 Measurements Handbook (Release 4.0)
All data as of July 2007 or later must be submitted according to this handbook. Auditors must have delta training before conducting a third party audit to R4.0.
Summary of Changes
The basic measurements and reporting process remain unchanged. There were minor modifications and clarifications to the common (NPR, FRT, OFR, and OTD) measurements, as well as the field returns (FR) measurement.
The system outage (SO, SONE, EIO) measurements were simplified. The software (SFQ, SPR) measurements were considerably changed and shortened. The service quality (SQ) measurement was also simplified, applied to additional product categories, and changed to report defects.
To learn more about TL 9000, go to the QuEST Forum web site.

Writing Checklist for Documents

When writing a procedure, keep in mind these questions:
• What is the objective of the process? Know its purpose before starting.
• Which activities are part of the scope? Agree on coverage of activities.
• Who is responsible for these activities? Identify key process players.
• What are the inputs and who are the suppliers? Identify inputs and providers.
• What are the outputs and who are the customers? Identify outputs and recipients.
• What is referenced as an information source? Identify related documents.
• What is the logical series of steps? Organize the steps in a logical sequence.
• How are the activities performed? Interview users and observe operations.
• Which departments use the process? Know the readers and users of the process.
• What reports or records are generated? Identify records for the process.
• What forms are used? Don’t overlook forms used to collect information.
• When and where is the work performed? Identify timing and location of work.
• What products are covered by the process? Define its applicability.
• What process documentation already exists? See if documents can be adapted.
• What are the requirements of the process? Know user and organization needs.
• What are the quality criteria? Identify the acceptance criteria.
• What are the related procedures? Ensure compatibility with other processes.
• Which tasks have or need instructions? Add or refer to needed instructions.
• How might the process be audited? Be able to demonstrate conformity.

ISO 16085 for Risk Management

ISO 16085:2006, Systems and Software Engineering - Life Cycle Processes - Risk Management, defines a process for managing risk in system and software life cycles.
ISO 16085 can be used with the existing set of processes defined by ISO 15288, Systems Engineering - System Life Cycle Processes, and ISO 12207, Information Technology - Software Life Cycle Processes, or it can be used independently.
Risk management is a key discipline for making effective decisions and communicating the results within organizations. The purpose of risk management is to identify potential managerial and technical problems before they occur so that actions can be taken that reduce or eliminate the probability and/or impact of these problems should they occur.
Risk management is a critical tool for continuously determining the feasibility of project plans, for improving the search for and identification of potential problems that can affect life cycle activities and the quality and performance of products, and for improving the active management of projects.
ISO 16085 describes a process for the management of risk during systems or software acquisition, supply, development, operations, and maintenance. The purpose of this standard is to provide suppliers, acquirers, developers, and managers with a single set of process requirements suitable for the management of a broad variety of risks, and it is suitable for adoption by an organization for application to all appropriate projects.
ISO 16085:2006 supersedes ISO 16085:2004 and can be ordered from ANSI for $107.00. It has also been issued as IEEE standard 16085-2006 and can be ordered from IEEE for a member price of $85.00.

Information Security Audit Checklist

According to the Information Security Forum, security management is “keeping the business risks associated with information systems under control within an enterprise.” Requirements for security management include clear direction and commitment from the top, the allocation of adequate resources, effective arrangements for promoting good information security practice throughout the enterprise, and the establishment of a secure environment.
An information security program is a critical component of every organization’s risk management effort, providing the means to protect the organization’s information and other critical assets. Therefore, the information security program should be assessed at planned intervals to ensure it is meeting requirements and achieving objectives, as well as to identify opportunities for security improvements.
The audit team should look for evidence that the information security program is well organized and well managed. The security program must also specifically mitigate risks in satisfying key business objectives, and this traceability must be clear.
The information security audit should confirm that key risks to the organization are being identified, monitored, and controlled; that key controls are operating effectively and consistently; and that management and staff have the ability to recognize and respond to new threats and risks as they arise.
The information security audit’s goals, objectives, scope, and purpose will determine the actual audit procedures and questions that are required. The IT Compliance Institute has published a series of IT Audit Checklists, including the Information Security Checklist written by Dan Swanson.

Want to Comment on ISO 9001:2009?

The ISO 9000:2000 family of quality management system standards is being updated with an anticipated final release date in 2009. The updated standards (ISO 9001 and ISO 9004) are being released as committee drafts and are available for review at the American Society for Quality (ASQ) web site.
Of course, the two documents are not intended to be used for quality system design purposes. As committee drafts, the two standards are offered only for public review and comment.
For ISO 9001, the requirements standard, the plan is to produce minor changes for clarification and compatibility with ISO 14001. Although the changes are expected to be minor, even small changes to the standard may dramatically impact your quality management system.
For ISO 9004, the guidelines document, the plan is to produce a major revision with its focus on providing guidance on organizational sustainability rather than performance improvement.
ASQ and the international standards developers are making these committee drafts available at this early stage in their development in an effort to determine if the direction of the two standards is on target with user needs. Directions for users to follow in providing comments to the standards developers are included within the electronic document. All public comments need to be submitted before March 31, 2007.
The ISO 9001 draft includes yellow highlighted text to indicate the changed areas. However, the ISO 9004 draft is very different, uses a different clause structure, and does not include any highlighting of its changes.
You can download the free draft standards from the ASQ web site.
