Welcome to the Whittington & Associates e-Newsletter!
Visit and bookmark our web site.
Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.
If you have any questions about the articles
appearing in this issue, or you want to suggest
topics for future issues, please let us
know.
ISO 9001:2009 - Clause 8 Changes
In previous newsletters, I have reviewed the
proposed changes for clauses 4, 5, 6, and 7 of
the draft ISO 9001:2009 standard. This month,
we'll look at the suggested changes for
clause 8, Measurement, Analysis, and
Improvement. Please note that only the new or
changed sections are discussed below.
Unaffected text has not been included.
8.2.1 Customer Satisfaction
As one of the indicators (previously "measurements") of the performance of the quality management system, the organization shall monitor information relating to customer perception as to whether the organization has met customer requirements.
Monitoring customer satisfaction is viewed as
more of an "indicator" of performance than
the "measurement" of performance.
8.2.2 Internal Audit
New text: A documented procedure shall be established to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results.
Previous text: The responsibilities and requirements for planning and conducting audits, and for reporting results and maintaining records (see 4.2.4) shall be defined in a documented procedure.
The requirement above has been edited to
emphasize the need for a documented procedure
(by placing it first in the sentence). Also,
"establishing records" has been moved ahead
of "reporting results" in the list of topics
to be defined in the procedure. Records are
being captured throughout the audit and
should be listed before the reporting of
results. The reference to 4.2.4 for record
control was moved to the new text below.
Records of the
audit and its results shall be maintained
(see 4.2.4).
The new text above highlights the need to
maintain records of the audit and its
results.
NOTE: See ISO 19011 (previously ISO 10011-1, ISO 10011-2 and ISO 10011-3) for guidance.
The reference to the withdrawn ISO 10011,
Guidelines for Auditing Quality Systems, has
been replaced with a reference to ISO 19011,
Guidelines for Quality and/or Environmental
Management Systems Auditing.
8.2.3 Monitoring and Measurement of
Processes
Previous text: When planned results are not achieved, correction and corrective action shall be taken, as appropriate, to ensure conformity of the product.
New text: When planned results are not achieved, correction and corrective action shall be taken, as appropriate.
Clause 8.2.3 requires applying suitable
methods for monitoring and measuring
processes to demonstrate their ability to
achieve planned results. For some supporting
processes, these results are only indirectly
related to product conformity. Therefore, the
reference to product conformity has been
moved to the new Note below.
NOTE: When
determining suitable methods, the
organization should consider the type and
extent of monitoring or measurement
appropriate to each of its processes in
relation to their impact on the conformity to
product requirements and on the effectiveness
of the quality management system.
What is a "suitable" method for monitoring
and measuring processes? The Note above says
to consider the type and extent of monitoring
or measurement based on the impact of the
process on product conformity and system
effectiveness.
8.2.4 Monitoring and Measurement of
Product
The organization shall monitor and measure
the characteristics of the product to verify
that product requirements have been met. This
shall be carried out at appropriate stages of
the product realization process in accordance
with the planned arrangements (see 7.1).
Evidence of
conformity with the acceptance criteria shall
be maintained.
The requirement to maintain evidence of
conformity with acceptance criteria has been
moved from the paragraph below to the
paragraph above.
Evidence of
conformity with the acceptance criteria shall
be maintained. Records shall
indicate the person(s) authorizing release of
product for delivery to the customer (see
4.2.4).
Previous text: Product release and service delivery shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.
New text: The release of product and service delivery to the customer shall not proceed until the planned arrangements (see 7.1) have been satisfactorily completed, unless otherwise approved by a relevant authority and, where applicable, by the customer.
The requirement above has been edited
slightly and clarifies that the release of
product and service delivery is to the
customer.
NOTE: Evidence of
conformity with acceptance criteria can be a
record or as otherwise specified in the
planned arrangements.
The Note above clarifies that evidence of
conformity can be a record or as otherwise
specified in the planned arrangements, e.g.,
test procedure. There must be proof that
product test results indicate conformity with
the acceptance criteria.
8.3 Control of Nonconforming Product
New text: A documented procedure shall be established to define the controls and related responsibilities and authorities for dealing with nonconforming product.
Previous text: The controls and related responsibilities and authorities for dealing with nonconforming product shall be defined in a documented procedure.
The sentence above has been edited to begin
with (instead of end with) the requirement
for a documented procedure.
Where
practicable, the organization shall
deal with nonconforming product by one or
more of the following ways:
The requirement now begins with "where
practicable", meaning where feasible or
possible, deal with nonconforming product in
one or more of the four ways listed.
d) when
nonconforming product is detected after
delivery or use has started, by taking action
appropriate to the effects, or potential
effects, of the nonconformity
The new entry above in the list of ways to
deal with nonconforming product is text that
has been moved from the last sentence in
clause 8.3 to become part of the list.
Records of the
nature of nonconformities and any subsequent
actions taken, including concessions
obtained, shall be maintained (see 4.2.4).
The deleted text above wasn't actually deleted; it was just moved below the next sentence.
When nonconforming product is corrected it
shall be subject to re-verification to
demonstrate conformity to the requirements.
Records of the nature
of nonconformities and any subsequent actions
taken, including concessions obtained, shall
be maintained (see 4.2.4).
When nonconforming product is detected
after delivery or use has started, the
organization shall take action appropriate to
the effects, or potential effects, of the
nonconformity.
This deleted text was moved to entry (d) in
the list of ways to deal with nonconforming
product.
8.5.2 Corrective Action
A documented procedure shall be
established to define requirements for
f) reviewing the
effectiveness of the corrective action
taken.
I've heard people complain that only
"reviewing" a corrective action isn't
sufficient. You must instead verify that the
action taken was effective in preventing
recurrence of the detected nonconformity.
If these people had read the definition of
"review" in the ISO 9000:2005 Fundamentals
and Vocabulary, maybe they wouldn't be as
concerned.
ISO 9000:2005, 3.8.7, states that a review is
the activity undertaken to determine the
suitability, adequacy, and "effectiveness" of
the subject matter to achieve the established
objectives.
So, the proposed clarification shouldn't be
necessary, but if people are misinterpreting
the word "review", then adding
"effectiveness" should help avoid any
confusion.
8.5.3 Preventive Action
A documented procedure shall be
established to define requirements for
e) reviewing the
effectiveness of the preventive action
taken.
See the 8.5.2 explanation for the reason
behind this 8.5.3 change. The additional
8.5.3 text should help clarify that the
action taken must be effective in preventing
the potential nonconformity.
CMMI versus ISO 9001
The 2Q07 issue of the TickIT software quality journal includes the final article of a three-part series exploring the relationship between ISO 9001:2000 and CMMI in terms of the benefits gained by undertaking combined surveillance audits.
The first article explained that a good mapping between ISO 9001 and CMMI would be essential for the combined surveillance audits to work effectively. The first two articles developed this mapping from an ISO 9001 perspective, that is, whether an organization at CMMI level 3 would satisfy the requirements of ISO 9001.
In the final article, the mapping is examined from the perspective of CMMI, i.e., whether an organization with ISO 9001 (and TickIT) would satisfy the requirements of CMMI level 3.
The author concludes that an organization with CMMI level 3 would stand a reasonably good chance of satisfying the requirements of ISO 9001:2000. However, the converse is not as easy to assert: how well an organization satisfies CMMI under a SCAMPI appraisal depends heavily on exactly how it has implemented the requirements of ISO 9001.
While the two models are very similar, the differences noted in the 2Q07 article may result from their origins, from what is perceived as their goals, or from the way they aim to achieve those goals: driven by customer satisfaction back into processes, or driven by processes to give customer satisfaction.
However, there is some evidence to suggest
that organizations with ISO 9001 experience
find it somewhat easier to undertake a
CMMI-based improvement program and associated
appraisal. This probably has little to do
with the mapping, but more to do with the
cultural understanding of the need for
documents, records, processes and procedures,
management commitment, involvement, and
reviews.
CMMI is very prescriptive and will invariably provide coverage of ISO 9001:2000 requirements; but ISO 9001, being very high-level and generic, cannot be assured of covering all the specific requirements of CMMI.
You can see the full article and color-coded
mapping at the TickIT
web site. Click on Introduction
to CMMI v1.2 to see our schedule of
SEI-licensed classes in Springfield, VA.
ISO 27006 for ISMS Certification Bodies
The new standard, ISO 27006:2007 is titled,
Information Technology - Security Techniques
- Requirements for Bodies providing Audit and
Certification of Information Security
Management Systems.
ISO 27006 specifies requirements and provides
guidance for bodies providing audit and
certification of an information security
management system (ISMS) beyond the
requirements within ISO 17021 and ISO 27001.
It is primarily intended to support the
accreditation of certification bodies
providing ISMS certification.
The requirements in ISO 27006 need to be
demonstrated in terms of competence and
reliability by any organization providing
ISMS certification. The guidance in ISO 27006
provides additional interpretation of these
requirements for ISMS certification bodies.
ISO 23988:2007, Information Technology - A
Code of Practice for the Use of Information
Technology (IT) in the Delivery of
Assessments
Growth in the power and capabilities of
Information Technology (IT) has led to its
increasing use to deliver, score, and record
responses of tests and assessments in a wide
range of educational and other contexts.
Suitably used, IT delivery offers advantages
of speed and efficiency, better feedback, and
improvements in validity and reliability.
However, its increased use has raised issues about the security and fairness of IT-delivered assessments, and has resulted in a wide range of practices.
ISO 23988 provides a means of showing that:
the delivery and scoring of an assessment
are fair and do not disadvantage some groups
of candidates, e.g., those who are not IT
literate;
a summative assessment has been conducted
under secure conditions and is the authentic
work of the candidate; and
the validity of the assessment is not
compromised by IT delivery.
In addition, ISO 23988 may help:
provide evidence of the security of
the assessment (which can be presented to
regulatory and funding organizations);
establish a consistent approach to the regulations for delivery (of benefit to assessment centers that deal with more than one assessment distributor); and
give an assurance of quality to
purchasers of "off-the-shelf" assessment
software.
ISO 23988 gives recommendations on the use of
IT to deliver assessments and to record and
score responses. Its scope is defined in
terms of three dimensions: the types of
assessment to which it applies, the stages of
the assessment "life cycle" to which it
applies, and its focus on specific IT
aspects.
IIA Global Technology Audit Guides
The Institute of Internal Auditors (IIA) is
producing a series of publications with
guidance on information technology. Each
guide is written in straightforward business
language to address timely issues related to
information technology management, control,
or security.
Click on the links below to download the free
GTA Guides in PDF format.
Guide 1: Information Technology
Controls
This guide covers technology topics, issues, and audit concerns, as well as issues surrounding management, security, control, assurance, and risk management.
Download
Information Technology Controls (PDF, 2MB)
Guide 2: Change and Patch Management
Controls: Critical for Organizational
Success
This guide is about managing risks that are a
growing concern to those involved in the
governance process. Like information
security, management of IT changes is a
fundamental process that can cause damage to
the entire enterprise and easily disrupt
operations if it is not performed well. This
enterprise-wide impact makes change
management of interest to many audit
committees and, as a result, to top
management.
The objective of the guide is to convey how
effective and efficient IT change and patch
management contribute to organizational
success. Because the role of an audit is to
assess risks and provide assurance to the
organization, auditors cannot ignore the
potential impact that changes to information
systems and other IT assets can have on
business operations. More importantly, the
guide gives readers the necessary knowledge
to help them counsel their boards about
change-management risks and controls and to
help their organizations comply with
constantly changing regulatory requirements.
Download
Change and Patch Management Controls:
Critical for Organizational Success (PDF,
1037KB)
Guide 3: Continuous Auditing: Implications
for Assurance, Monitoring, and Risk
Assessment
Organizations are continually exposed to
significant errors, frauds, or inefficiencies
that can lead to financial loss and increased
levels of risk. An evolving regulatory
environment, increased globalization of
businesses, market pressure to improve
operations, and rapidly changing business
conditions are creating the need for more
timely and ongoing assurance that controls
are working effectively and risk is being
mitigated. These demands have put increased
pressure on chief audit executives and their
staff.
Continuous auditing is a method used to
automatically perform control and risk
assessments on a more frequent basis.
Technology is the key to enabling such an
approach. Continuous auditing changes the
audit paradigm from periodic reviews of a
sample of transactions to ongoing audit
testing of 100 percent of transactions. It
becomes an integral part of modern auditing
at many levels.
This guide focuses on helping chief audit
executives to identify what must be done to
make effective use of technology in support
of continuous auditing and highlights areas
that require further attention. It provides
continuous audit guidance that will benefit
the organization by significantly reducing
instances of error and fraud, increasing
operational efficiency, and improving
bottom-line results through a combination of
cost savings and a reduction in overpayments
and revenue leakage.
Download
Continuous Auditing: Implications for
Assurance, Monitoring, and Risk Assessment
(PDF, 956KB).
Guide 4: Management of IT Auditing
There is no question that IT is changing the
nature of the internal audit functions. The
risks companies face, the types of audits
that should be performed, how to prioritize
the audit universe, and how to deliver
insightful findings are all issues with which
chief audit executives must grapple. This
guide is designed for chief audit executives
and internal audit management personnel who
are responsible for overseeing IT audits. Its
purpose is to help sort through the strategic
issues regarding planning, performing, and
reporting on IT audits.
Guide 5: Managing and Auditing Privacy
Risks
One of the many challenging and formidable
risk management issues faced by organizations
today is protecting the privacy of customers'
and employees' personal information. The cost
from privacy breaches is increasing every
day. The organization's customers, suppliers,
and business partners want assurances that
the personal information collected from them
is protected and used only for the purposes
for which it was originally collected.
This guide is intended to provide the chief
audit executive, internal auditors, and
management with insight into privacy risks
that the organization should address when it
collects, uses, retains, or discloses
personal information. The guide provides an
overview of key privacy frameworks which help
to understand the basic concepts and aid in
finding the right sources for more guidance
regarding expectations and what works well in
a variety of environments. It also covers the
details on how internal auditors complete
privacy assessments.
Download
Managing and Auditing Privacy Risks (PDF,
752KB)
Guide 6: Managing and Auditing IT
Vulnerabilities
This guide was developed to help chief audit
executives and internal auditors ask the
right questions of IT security staff when
assessing the effectiveness of their
vulnerability management processes. The guide
recommends specific management practices to
help an organization achieve and sustain
higher levels of effectiveness and efficiency
and illustrates the differences between high-
and low-performing vulnerability management
efforts.
Download
Managing and Auditing IT Vulnerabilities
(PDF, 574KB)
Guide 7: IT Outsourcing
Information technology (IT) outsourcing has
grown in popularity as an efficient,
cost-effective, and expert solution designed
to meet the demands of systems
implementation, maintenance, security, and
operations.
The benefits of IT outsourcing are accompanied by the need to manage the complexities, risks, and challenges that come with it. It is important that internal auditors understand the outsourcing context and help the organization with a comprehensive review of its outsourcing operations and an evaluation of its compliance with applicable laws and regulations.
This guide provides the chief audit
executive, internal auditors, and management
with information on the types of IT
outsourcing activities, the IT outsourcing
lifecycle, and how outsourcing activities
should be managed by implementing
well-defined plans that are supported by a
company-wide risk, control, compliance, and
governance framework.
Discounts
Enroll and pay for an Atlanta class 30 days
in advance
and receive a 10% discount. Students at previous
Atlanta classes receive a 20% discount on future
Atlanta classes.
Books
See our list of ISO 9001, Auditing, and Six Sigma
books. Includes book
descriptions and links to Amazon.
Whittington & Associates provides training, consulting and auditing services for management systems based on ISO 9001, ISO/TS 16949, ISO/TS 29001, TL 9000, AS9100, AS9110, AS9120, ISO 13485, ISO 27001, ISO 20000, and ISO 14001.