e-Newsletter

Whittington Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma
September 2007
In this Issue
  1. Audit Conference in October in Atlanta
  2. ISO 17799 Changes to ISO 27002
  3. PAS 99 - Integrated Management System
  4. Records Management
  5. New Software Product Quality Standards
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

Audit Conference in October in Atlanta

Hundreds of auditors from all over the world are expected to attend the ASQ Audit Division's annual conference in Atlanta.

The conference will be held at the Sheraton Atlanta on October 11-12, 2007 with a theme of "Strategic Auditing: Innovation, Implementation, Interaction".

Larry Whittington will speak on "How to Audit the Difficult Areas". For more information about the conference, visit the conference web site.

ISO 17799 Changes to ISO 27002

To consolidate information security standards under the "27000" series number, ISO 17799:2005 has been changed to ISO 27002:2005. The renumbered standard has the same content and retains the same title, "Information Technology - Security Techniques - Code of Practice for Information Security Management".

The ISO 27000 family currently consists of:

  • ISO 27001:2005 - Information Security Management Systems - Requirements
  • ISO 27002:2005 - Information Technology - Security Techniques - Code of Practice for Information Security Management
  • ISO 27006:2007 - Requirements for Bodies Providing Audit and Certification of Information Security Management Systems
Information security titles in development include:
  • ISO 27000 - Information Security Management Systems Fundamentals and Vocabulary
  • ISO 27003 - Information Security Management Systems Implementation Guidance
  • ISO 27004 - Information Security Management Measurements
  • ISO 27005 - Information Security Risk Management
  • ISO 27007 - Information Security Management Systems Auditor Guidelines
  • ISO 27011 - Information Security Management Guidelines for Telecommunications
Our ISO 27001 courses are listed below:

ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

PAS 99 - Integrated Management System

PAS 99:2006 is a specification of common management system requirements as a framework for integration. It was developed by British Standards Institution (BSI), the UK's national standards body.

This Publicly Available Specification (PAS) helps organizations integrate and effectively manage the common requirements of two or more management system standards, for example:

ISO 9001 - Quality
ISO 14001 - Environmental
ISO 27001 - Information Security
ISO 22000 - Food Safety
ISO 20000 - IT Service Management
OHSAS 18001 - Health and Safety

The PAS 99 common requirements clause structure is shown below:

4.1 General requirements
4.2 Management system policy
4.3 Planning
4.3.1 Identification and evaluation of aspects, impacts, and risks
4.3.2 Identification of legal and other requirements
4.3.3 Contingency planning
4.3.4 Objectives
4.3.5 Organizational structure, roles, responsibilities, and authorities
4.4 Implementation and operation
4.4.1 Operational control
4.4.2 Management of resources
4.4.3 Documentation requirements
4.4.4 Communications
4.5 Performance assessment
4.5.1 Monitoring and measurement
4.5.2 Evaluation of compliance
4.5.3 Internal audit
4.5.4 Handling of nonconformities
4.6 Improvement
4.6.1 General
4.6.2 Corrective, preventive, and improvement action
4.7 Management review
4.7.1 General
4.7.2 Input
4.7.3 Output

Annex B of PAS 99 lists for each common requirement the corresponding clauses of ISO 9001, ISO 14001, ISO 27001, ISO 22000, ISO 20000, and OHSAS 18001.

For example, PAS 99 includes Internal Audit as clause 4.5.3. The corresponding internal audit requirements are found in clause 8.2.2 of ISO 9001, 4.5.5 of ISO 14001, clause 6 of ISO 27001, 8.4.1 of ISO 22000, 4.3 of ISO 20000, and 4.5.4 of OHSAS 18001.

The use of PAS 99 should result in:

  • improved business focus
  • a more holistic approach to managing business risks
  • less conflict between systems
  • reduced duplication and bureaucracy
  • more effective and efficient audits, both internally and externally
You can order a copy of PAS 99 at the BSI web site.

Records Management

The ISO 9001:2000 quality standard addresses the control of records, but only includes three sentences of requirements:

  1. Records must be established and maintained to provide evidence of conformity to requirements and of the effective operation of the quality management system.
  2. Records must remain legible, readily identifiable and retrievable.
  3. A documented procedure must be established to define the controls needed for the identification, storage, protection, retrieval, retention time, and disposition of records.
If you want to know more about records management than included in ISO 9001:2000, you should look at ISO 15489-1:2001, Information and Documentation - Records Management.

Records
According to ISO 15489-1:2001, records are information created, received, and maintained as evidence in pursuance of legal obligations or in the transaction of business.

Records contain information that is a valuable resource and an important business asset. A systematic approach to managing these records is essential to protect and preserve them as evidence of actions.

A records management system results in a source of information about business activities that supports subsequent activities and business decisions, as well as ensuring accountability to present and future stakeholders.

Records Management
ISO 15489-1 defines records management as the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of, and information about, business activities and transactions in the form of records.

Policy
Organizations should define and document a policy for records management. The objective of the policy should be to create and manage authentic, reliable and usable records that are capable of supporting business functions and activities for as long as they are required.

Authenticity
An authentic record is one that can be proven to 1) be what it claims to be, 2) be created or sent by the person purported to have created or sent it, and 3) be created or sent at the time indicated.

To ensure the authenticity of records, an organization should implement and document policies and procedures that control the creation, receipt, transmission, maintenance, and disposition of records.

Record policies and procedures should ensure that record creators are identified and authorized, and that records are protected against unauthorized addition, deletion, alteration, use, and concealment.

Reliability
A reliable record is one whose contents can be trusted as a full and accurate representation of the applicable transactions, activities, or facts. Such records can be depended upon during subsequent transactions or activities.

Records should be created at the time of the related transaction or incident, or soon afterwards, by individuals who have direct knowledge of the facts, or by instruments routinely used within the business to conduct the transaction.

The system that manages the records should be capable of continuous and regular operation in accordance with applicable procedures and provide ready access to all relevant records.

Integrity
The integrity of a record refers to its being complete and unaltered. Records must be protected against unauthorized changes.

Policies and procedures should specify what additions or annotations may be made to a record after it is created, under what circumstances they may be authorized, and who is authorized to make them. Any annotation, addition, or deletion of a record should be explicitly indicated and traceable.

The record system should include controls for access monitoring, user verification, authorized destruction, and security to prevent unauthorized access, destruction, alteration, or removal of records.

Usability
A usable record is one that can be located, retrieved, presented, and interpreted. The record should be capable of being connected to the business activity or transaction that produced it.

To learn more about records management, you can order ISO 15489-1:2001 from the ANSI eStandards Store.

New Software Product Quality Standards

Within the Software Engineering set of ISO standards is a "25000" series of standards on Software Product Quality Requirements and Evaluation, known as SQuaRE.

Newly released SQuaRE standards:

ISO 25001:2007 - Software Engineering - Software Product Quality Requirements and Evaluation (SQuaRE) - Planning and Management
This standard provides details about the planning and management requirements associated with software product quality requirements and evaluation. While it is mainly concerned with product quality requirements and evaluation, it also discusses the corresponding process requirements and evaluation activities wherever they are relevant.

ISO 25001 aims to clarify the requirements which should be identified by the organization in order to ensure the success of specifying quality requirements and executing the evaluation. It is intended to be used in conjunction with the other parts of the SQuaRE series and with ISO 14598 and ISO 9126-1 until they are superseded by the ISO 25000 series of standards.

ISO 25020:2007 - Software Engineering - Software Product Quality Requirements and Evaluation (SQuaRE) - Measurement Reference Model and Guide
This standard provides a measurement reference model and guide for measuring quality characteristics. It sets requirements for the selection and construction of quality measures, and contains informative annexes addressing the following topics: criteria for selecting software quality measures and quality measure elements, demonstrating predictive validity and assessing measurement reliability, and an example format for documenting software quality measures.

ISO 25030:2007 - Software Engineering - Software Product Quality Requirements and Evaluation (SQuaRE) - Quality Requirements
This standard provides requirements and recommendations for the specification of software quality requirements. It applies to both acquirers and suppliers. It focuses on software quality requirements, but takes a system perspective since software is normally developed and applied as part of a larger system.

Software product quality requirements are needed for:

  • specification (including proposal and contractual agreement);
  • planning (including feasibility analysis);
  • development (including early identification of potential quality problems during development); and
  • evaluation (including objective assessment and certification of software product quality).
If software quality requirements are not stated clearly, they may be viewed, interpreted, implemented, and evaluated differently by different people. This may result in software that is inconsistent with user expectations and of poor quality; users, clients, and developers who are unsatisfied; and time and cost overruns to rework software.

Other Released SQuaRE standards:

ISO 25000:2005 - Software Engineering - Software Product Quality Requirements and Evaluation (SQuaRE) - Guide to SQuaRE

ISO 25051:2006 - Software Engineering - Software Product Quality Requirements and Evaluation (SQuaRE) - Requirements for Quality of Commercial Off-The-Shelf (COTS) Software Product and Instructions for Testing

ISO 25062:2006 - Software Engineering - Software Product Quality Requirements and Evaluation (SQuaRE) - Common Industry Format (CIF) for Usability Test Reports

Class Schedule

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001 / ISO 17799
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 22000
Understanding ISO 22000
ISO 22000 Internal Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2007 Whittington & Associates, LLC
