e-Newsletter

Whittington Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma
April 2008
In this Issue
  1. ISO 24762 for IT Disaster Recovery
  2. ISO 20000 - What is Coming Next?
  3. ISO 13485 and GMDCAS
  4. Nonconformity, Defect, or Finding
  5. More on e-Audits
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, ISO 22000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


ISO 24762 for IT Disaster Recovery

Fires, earthquakes, and pandemics, as well as terrorism and piracy, may cause organizations to become disaster victims at any time. A new standard, ISO 24762, will help businesses deal with the unexpected and safeguard their reputation, brand, and value-creating activities.

ISO 24762:2008, Information Technology - Security Techniques - Guidelines for Information and Communications Technology Disaster Recovery Services, as the title indicates, offers guidance on the information and communications technologies and services necessary for disaster recovery as part of business continuity management. With this guidance, ISO 24762 supports the operation of an information security management system by addressing the information security and availability aspects of business continuity management in time of crisis.

A business continuity plan includes an organization's strategies to prepare for future national, regional, or local crises that could jeopardize its capacity to continue with its core mission, as well as its long-term stability.

According to ISO 24762, business continuity management is an integral part of any holistic risk management process and involves:

  • identifying potential threats that may cause adverse impacts to business operations and associated risks
  • providing a framework for building resilience for business operations
  • providing capabilities, facilities, processes, action task lists, etc., for effective responses to disasters and failures

With ISO 24762, organizations will be able to build resilience into their information and communications technology infrastructure critical to their key business activities. This will complement their Business Continuity Management initiative (to better manage relevant risks possibly interrupting their business activities) and their Information Security Management initiative (to effectively protect the confidentiality, integrity, and availability of information).

The fallback arrangements included in the standard will help out during periods of minor outages and, more importantly, will play an essential role in ensuring information and service availability during a disaster or failure, and for a long-term complete recovery of activities.

The standard includes guidelines on the implementation, testing, and execution aspects of disaster recovery, and can be applicable to both "in-house" and "outsourced" providers of physical facilities and services.

ISO 24762 is complemented by two other standards providing control objectives for information security aspects of business continuity management to further reduce risk:
  • ISO 27001:2005, Information Technology - Security Techniques - Information Security Management Systems - Requirements, and
  • ISO 27002:2005, Information Technology - Security Techniques - Code of Practice for Information Security Management.

ISO 20000 - What is Coming Next?

The 1Q08 issue of the TickIT quarterly journal contains an article by Graham Cox on the future of ISO 20000, the IT services management standard. ISO 20000 was published in 2005 in two parts. Part 1 is the Specification and used for certification; Part 2 is the associated Code of Practice.

Parts 1 and 2 of ISO 20000 are in the review process and a revised Part 1 is expected in 2009 and the updated Part 2 in 2010. Both parts will take into account ITIL v3.

The new Parts planned for the ISO 20000 family are:

Part 3: Guidance on Scope and Applicability. This new Part may be issued as a Technical Report to allow faster publication, perhaps by the end of 2008.

Part 4: Process Reference Model. This new Part will work in conjunction with ISO 15504-8 as the Process Assessment Model for service management. Together, they will define a multiple stage capability and maturity model aligned to ISO 15504, also known as SPICE: "Software Process Improvement and Capability dEtermination", a framework for the assessment of software processes.

In addition, an incremental approach to conformity has been approved for development. The first stage of this approach would give advice to companies on requirements for reactive activities. The next stage would be mainly advice on requirements for proactive activities. The final stage would be advice on requirements for full integration. This incremental approach might lead to the requirements being subdivided to provide stages for conformity.

You can read the full article, and its discussion of TickIT and CMMI in relation to ISO 20000, at the TickIT Web Site.

ISO 13485 and GMDCAS

GMDCAS stands for "Global Medical Device Conformity Assessment System", a program initiated by the International Accreditation Forum (IAF).

As many as 150 countries have no medical device regulations. Several of these countries are considering establishing their own, unique regulatory requirements, with more countries to follow. As a result, there is a strong need to develop a third party accreditation program that can be used by all countries.

Since these countries rely heavily on imported medical devices, their development of national QMS accreditation requirements could cause a serious adverse impact on their local healthcare systems. Why? Because most medical device manufacturers cannot justify making special accommodations for a single, small market. In addition, many certification bodies might find it economically infeasible to apply for a separate accreditation for just a few clients.

Without a globally accredited QMS certification program for medical devices, the unintended consequence for these developing countries may be to lose their current access to healthcare technologies.

The IAF has established a Working Group for the ISO 13485 GMDCAS program. This group includes representatives from the United States, Canada, European Union, Australia, Japan, and China. It also includes industry experts in medical device regulations and standards. For more information, contact the Chairman of the IAF Working Group, Grant Ramaley, at (gramaley@aseptico.com).

Nonconformity, Defect, or Finding

Nonconformity

Are you using the right term? What do you call it when a requirement is not met? ISO 9000:2005, 3.6.2, defines the non-fulfillment of a requirement as a "nonconformity". As expected, "conformity" is defined in 3.6.1 as the fulfillment of a requirement.

However, some auditors use "conformance" and "nonconformance". Does it matter? ISO 9000:2005, 3.6.1, states that although conformance is synonymous with conformity, it is deprecated. What does that mean? Well, "deprecated" refers to a term that is considered obsolete and being phased out. That being the case, it is preferable to use the terms "conformity" and "nonconformity".

Defect

If a nonconformity relates to the intended or specified use of the product, the correct term becomes "defect". ISO 9000:2005, 3.6.3, cautions that using the term "defect" has legal connotations related to product liability issues and should be used with extreme caution.

Finding

When you hear about audit findings, you probably think that problems or concerns are being reported. Is that always the correct interpretation? ISO 9000:2005, 3.9.5, defines a "finding" as the result of an evaluation of the collected audit evidence against audit criteria. It states that findings can indicate either conformity or nonconformity with audit criteria, or opportunities for improvement. So, findings can also be good. It's just that audit reports tend to focus on those findings that are nonconformities.

More on e-Audits

Our December 2007 newsletter included an article titled, "Are e-Audits in Your Future?" It discussed the advantages and possible drawbacks of conducting electronic audits from a remote location.

Having remote access to documents and records for audit preparation, and then conducting interviews by teleconference, can save travel time and expenses, as well as be less disruptive to the auditee. However, not being present at the remote location may reduce the effectiveness of the audit.

The article examined e-audits by assessing their impact on the four primary types of evidence: Documents, Observations, Records, and Statements. One of our readers, Eric Bawden, responded with his e-audit approach using that same framework for analysis. His comments appear below in quotation marks.

Documents: With the proper authorization, auditors could review the remote location's electronic documents while planning the audit and also see them during the execution of the audit. However, use of a collaboration tool and/or a teleconference will not allow the auditors to see if any uncontrolled or obsolete documents are in use.

"This is not the case in our businesses. Documents are accessed real time and viewed using Microsoft NetMeeting. We take screen shots of the auditee's desktop and capture file names and retention software that is used for our objective evidence. If an obsolete or uncontrolled document is being used we know as if we were physically at the site."

Note: The reader is correct for electronic documents. I was referring to any printouts that might be in use.

Observations: Since the audit is remote and video cameras will not be available for full viewing of the facility, the auditors will not be able to see if the work is being done per planned arrangements. So, evaluating conformity will be limited to what can be judged through interviews and electronic records. Auditors will not see poor housekeeping at the site or observe body language during interviews.

"In our remote audits, we ask for pictures to be taken of the areas and sent to us via email. These pictures can be used for poor housekeeping issues, work being done per planned arrangements, and specifically in our test and measurement labs to verify test equipment is labeled correctly."

Note: Good idea, as long as the photographer is impartial and objective. The auditor could provide instructions on the areas to be sampled with the pictures.

Records: If an organization creates electronic records and scans hardcopy records into electronic format, these records will be available for remote access by the auditors. However, some companies may have a significant number of completed forms that are kept as hardcopy records. Even if the auditors request some of these hardcopy records be scanned for viewing, the auditors would not be physically selecting the sampled records.

"Sample records may not be physically selected, but while viewing a process or procedure where records are required to be retained, we have the ability to complete a random sampling as we are the ones controlling what processes and procedures to view."

Statements: In a traditional audit, the person being interviewed is reluctant to have their responses captured on a recording device. As a result, auditors write an abbreviated version of the comments in their notes. If an auditee wanted to, they could later say it was a case of miscommunication.

With remote audits, the auditor keys the questions into the collaboration tool and the auditee types in the responses. A concern is that a more experienced employee could be coaching the interviewee and the auditor wouldn't know it. Also, with a typed response, you don't hear the tone and inflection of the voice to aid you during the interview.

"While using Microsoft NetMeeting, we also are teleconferencing. Generally speaking, we set up our interviews with one person at a time, and while coaching could be happening at the other end of the phone, a savvy auditor will pick up the pauses in the conversation and be able to act if necessary."

Although the answers are recorded, they will not become a direct part of the audit report. And, the auditee should be made aware of this fact to alleviate any fear they may have about their responses being captured verbatim.

If a teleconference is being held, the auditor captures the responses in their notes, as with a traditional audit. However, they won't be able to observe the body language during the interview. Even if a video feed is available, what can be gained through observation will be limited.

"I agree with this statement."

"We have been conducting remote audits in our program for over three years now and while we do find them somewhat limiting compared to onsite audits, we have not run into the issues that you state in your article."

Thanks very much to Eric Bawden. Comments from other readers?

Class Schedule

ISO 9001:2000
Understanding ISO 9001:2000
Implementing ISO 9001:2000
Quality System Documentation
ISO 9001:2000 Internal Auditor
ISO 9001:2000 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001 / ISO 17799
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 22000
Understanding ISO 22000
ISO 22000 Internal Auditor
Understanding HACCP
Implementing SQF Systems
Advanced HACCP

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2008 Whittington & Associates, LLC
