Welcome to the Whittington & Associates
e-Newsletter!
Our newsletters provide guidance on ISO 9001,
AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO
14001, ISO 27001, ISO 20000, ISO 22000, and
related ISO standards, as well as Six Sigma.
If you have any questions about the articles
appearing in this issue, or you want to suggest
topics for future issues, please let us
know.
Information Security Risk Management
Organizations of all types are concerned about
threats that could compromise their information
security. The new ISO 27005:2008 standard,
which describes the information security risk
management process and its associated
activities, will help information technology
(IT) departments manage these risks.
Threats may be deliberate or accidental, and
may relate either to the use and application
of IT systems or to IT's physical and
environmental aspects. They may take any form,
from identity theft, the risks of doing
business on-line, denial of service attacks,
remote spying, and theft of equipment or
documents, to a seismic or climatic
phenomenon, fire, flood, or pandemic. These
threats may result in various business
impacts, for example financial loss or damage,
loss of essential network services, loss of
customer confidence, loss of power supply, or
failure of telecommunication equipment.
A risk is a combination of the consequences
that would follow from the occurrence of an
unwanted event and the likelihood of the
occurrence of the event. Risk assessment
quantifies or qualitatively describes the
risk and enables managers to prioritize risks
according to their perceived seriousness, or
other established criteria.
ISO 27005:2008, Information technology -
Security techniques - Information security
risk management, provides guidelines for
information security risk management and
supports the general concepts specified in
ISO 27001:2005, Information technology -
Security techniques - Information security
management systems - Requirements.
ISO 27005 is designed to assist the
implementation of ISO 27001, which is based
on a risk management approach. Knowledge of
the concepts, models, processes, and
terminology described in ISO 27001 and ISO
27002:2005, Information technology -
Security techniques - Code of practice for
information security management, is important
for a complete understanding of ISO 27005.
The information security risk management
process consists of:
Context establishment
Risk assessment
Risk treatment
Risk acceptance
Risk communication
Risk monitoring and review
However, ISO 27005 does not provide any
specific methodology for information security
risk management. It is up to the organization
to define its approach to risk management,
depending, for example, on the scope of its
information security management system, the
context in which risk is managed, or its
industry sector.
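To make the definition of risk above (a combination of consequence and likelihood) and the assessment, acceptance, and treatment steps of the process concrete, here is an added illustrative risk register in Python. It is not part of the newsletter or of ISO 27005, which deliberately prescribes no method: the five-point scales, the multiplication rule, the acceptance threshold, and the sample threats (drawn from the examples in the article) are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Qualitative scales. Constructed for this example: ISO 27005 leaves the
# scales and the rule for combining them to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str       # the unwanted event
    asset: str        # what the event would affect
    likelihood: str   # key into LIKELIHOOD
    consequence: str  # key into CONSEQUENCE

    def level(self) -> int:
        """Risk = combination of consequence and likelihood; here a 1..25 score."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]


def assess(register: List[Risk]) -> List[Risk]:
    """Risk assessment: describe each risk and rank from most to least serious."""
    return sorted(register, key=lambda r: r.level(), reverse=True)


def needs_treatment(register: List[Risk], acceptance_threshold: int) -> List[Risk]:
    """Risk acceptance: risks at or below the organization's threshold are accepted
    as they are; everything above it is passed on to risk treatment."""
    return [r for r in assess(register) if r.level() > acceptance_threshold]


# Constructed sample register using threat examples from the article.
SAMPLE_REGISTER = [
    Risk("denial of service attack", "public web ordering site", "likely", "major"),
    Risk("theft of laptop holding customer data", "sales laptops", "possible", "severe"),
    Risk("flood in server room", "primary data centre", "rare", "severe"),
    Risk("pandemic staff absence", "IT operations team", "unlikely", "moderate"),
    Risk("identity theft using stolen staff credentials", "e-mail accounts", "likely", "moderate"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.level():>2}  {r.threat} -> {r.asset}")
    # Acceptance threshold of 8 is an assumed management decision.
    print("To treat:", [r.threat for r in needs_treatment(SAMPLE_REGISTER, 8)])
```

Changing the scales, the combining rule, or the threshold changes the ranking, which is exactly why the standard asks each organization to define and document its own approach.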
Most organizations recognize the critical
role that information technology plays in
supporting their business objectives, and
with the advent of the Internet and the
prospect of performing business online, IT
security has moved to the forefront. ISO 27005
is relevant to managers and staff concerned
with information security risk management
within an organization and, where
appropriate, to external parties supporting
such activities.
The IEEE 829-2008 standard for "Software and
System Test Documentation" has been revised.
The prior version described the format and
content of numerous items of test
documentation. The updated standard removes
some items of test documentation and modifies
the format and content of the remaining
items.
Test processes determine whether the
development products of a given activity
conform to the requirements of that activity,
and whether the system and/or software
satisfy the intended use and user needs.
Testing process tasks are specified in
829-2008 for different "integrity levels".
These process tasks determine the appropriate
breadth and depth of test documentation. The
documentation elements for each type of test
documentation can then be selected.
The scope of testing addressed by the
standard includes software-based systems,
computer software, hardware, and their
interfaces. This standard applies to
software-based systems being developed,
maintained, or reused (legacy, commercial
off-the-shelf, and non-developmental items).
The term "software" also includes firmware,
microcode, and documentation. Test processes
can include inspection, analysis,
demonstration, verification, and validation
of software and software-based system
products.
The key changes in the 829-2008 standard are
described below:
New Direction
The revised standard introduces the concept
that the test effort has tasks to accomplish
during the entire development life cycle, not
merely during the test activity. It moves
from a document focus to a process focus.
New Test-Related Documentation
The 829 standard adds a Master Test Plan for
the management of a large and/or complex test
effort. It adds a Master Test Report to
summarize the results of tasks identified in
the Master Test Plan. The Master Test Report
may also be used to consolidate the results
for multiple Level Test Reports. It adds a
Level Interim Test Status Report for use
during the test execution activity.
The standard recognizes that some projects
may want some stand-alone and some combined
documents, and allows for any combination of
plan, design, test cases, and test procedures
within test levels. It adds a process for
choosing the appropriate documentation and
contents.
The standard moves away from requiring
identical documentation for every project and
instead provides for documentation based on
the integrity level of the project. It
identifies the minimum recommended tasks for
the identified integrity level.
New Processes
The standard introduces the concept of
integrity levels. It provides a mechanism by
which projects can identify their integrity
level. The higher the integrity level, the
more test tasks that are recommended.
829-2008 also introduces the concept of test
management. It describes tasks that are
exclusive to those who manage a test effort.
The following key concepts are emphasized in
this new 829 Standard:
Integrity Levels
The standard defines four integrity levels to
describe the importance of the software or
system aspects to the user. The process of
identifying the integrity level is the
criticality analysis. Each project or
organization identifies the aspect of the
system or software that is most important.
Minimum Testing
The standard defines the recommended minimum
testing tasks required for each of the four
integrity levels. It includes a table of
optional testing tasks for tailoring the test
effort to meet project needs and application
specific characteristics. A low integrity
level project such as an internal
bug-tracking program requires fewer test
tasks than would a high integrity level
project like developing software/firmware for
medical devices.
Testing Intensity
The standard introduces the notion that the
intensity and rigor applied to testing tasks
vary according to the integrity level. Higher
integrity levels require the application of
greater intensity and rigor. A high integrity
level project such as developing medical
devices may execute a myriad of tests for
each unit, as well as for integration and
system/acceptance tests. These tests will
likely go to the full depth of each test level,
looking for every conceivable deficiency. A
low integrity level project may only do
acceptance testing against the primary
functionality rather than system testing
against the requirements.
Testing Criteria
The standard defines specific criteria for
each testing task including minimum
recommended criteria for correctness,
consistency, completeness, accuracy,
readability, and testability.
Systems Viewpoint
The standard includes recommended minimum
testing tasks to respond to system needs. It
recognizes that software does not exist in
isolation, and that much of current software
development may actually be for software
intensive systems or for embedded firmware.
Therefore, the entire system needs to be
taken into account when identifying the
system integrity level and the resultant test
tasks.
Selection of Test Documentation
The types of test documentation, and the
content topics within each documentation
type, need to be selected based on the
testing tasks associated with the identified
integrity level.
The prior standard required every project to
use the same test documents and to include
the same information. The new standard
provides for tailoring based on the integrity
level. Therefore, a high integrity level
project (e.g., medical devices) will require
the full range of test documentation and
contents as described in the 829-2008
standard. Conversely, a low integrity level
project may require only a minimum quantity
of test plan information and a full range of
test case and test procedure information.
According to a joint announcement by the ISO
(International Organization for
Standardization) and the IAF (International
Accreditation Forum), the two organizations
have agreed to an implementation plan for a
smooth migration to ISO 9001:2008.
1) Certification to ISO 9001:2008 will only
be issued after publication of ISO 9001:2008
(expected before the end of 2008) and after a
routine surveillance audit or
re-certification audit against ISO 9001:2008.
2) One year after publication of ISO
9001:2008, all certifications issued (new
certifications and re-certifications) must be
to ISO 9001:2008.
3) Two years after publication of ISO
9001:2008, existing ISO 9001:2000
certifications will not be valid.
This transition plan is possible, because ISO
and IAF have agreed that ISO 9001:2008
introduces no new requirements. The revised
quality standard only introduces
clarifications to the existing ISO 9001:2008
requirements, and changes to improve
consistency with ISO 14001:2004, the
environmental standard.
ISO 9001:2008 Differences
You can read about the changes in ISO
9001:2008 vs. ISO 9001:2000 by downloading my
paper, ISO 9001:2008 Differences, from my web
site. It is a PDF file with 19 pages describing
every text change throughout the standard.
Deleted ISO 9001:2000 text is indicated by
strikethroughs. New ISO 9001:2008 text is
highlighted and underlined. The underlining
will allow readers to distinguish the new text
even if the paper is printed without color.
Most of the text in ISO 9001:2000 has not been
affected by ISO 9001:2008 and is not repeated
in the paper. Revised text is shown in italics
to distinguish it from comments.
Note: The ISO 9001:2008 differences are
explained using the content of ISO/FDIS
9001:2008 and may change when ISO 9001:2008
is published.
New QE 19011S:2008 Audit Guidance
ISO 19011:2002, "Guidelines for Quality
and/or Environmental Management Systems
Auditing", was issued in the United States as
QE 19011. Due to the third-party and large
organization focus of ISO 19011:2002, a
US-only version, QE 19011S:2004, was
developed and released.
The QE 19011S:2004 standard included all the
text from ISO 19011:2002, plus supplemental
text for first-party (internal) audits and
second-party (supplier) audits, as well as
guidance for small organizations.
The new QE 19011S:2008, "Guidelines for
Management Systems Auditing" addresses not
only quality and environmental audits, but
also occupational health and safety audits.
As a result, the document title now reflects
that the guidance is applicable to any
management system.
Minimal changes were made to the existing
guidance. The additional auditing guidance
relates to:
Objectives of an OHSMS audit program
Consideration of labor management agreements
Determination of health, safety, and
security rules
Communication of potential injury or
illness situations
The 17th Annual ASQ Audit Division conference
will be held October 16-17, 2008 in the home
of the historic Masters Golf Tournament in
Augusta, Georgia. Audits are more than a
"game", but there are some analogies we can
draw that enable all of us, from beginner to
"pro", to improve our approach and execution.
In short, "improving" or "mastering" our
audit game.
Getting equipped: Just as a beginning
golfer gets equipped with the basic clubs,
spikes, and other gear, the beginning or
novice auditor needs to "fill the bag" and
get ready to play. This track or session
will help the new auditor obtain the
fundamentals to plan, conduct, report, and
follow-up an audit.
Teeing Up: Golfers know a good clean
drive is the start of enjoying a hole on the
course. Auditors, too, know that preparation
and the opening phases of an audit get the
whole.
On the Fairway: Knowing the right club
for the right lie in the fairway is
important. Knowing the right tools,
techniques, and approaches to use during an
audit can make the entire process more
effective and informative.
Out of the Rough: Not everything goes
smoothly. Sometimes a well-intentioned,
considered shot goes astray and heads into
the rough. An experienced auditor needs to
know where the potential "traps", "bunkers",
and "rough" spots lie, how to get out of
them, and better yet, how to avoid them.
The Short Game: After the drive and
the fairway, the hole can be made or broken
near and on the green. Auditors, too, know
they need to be able to summarize the
findings and recommendations and craft a
cogent report for the auditee to make good
use of the results. Closing meetings and
effective follow-up and follow through are
also important.
Leader Board: Every tournament
establishes those that not only "make the
cut", but get on the "leader board" for the
final rounds. This session/track is intended
to vet those "leaders" in the audit field.
Recognized, established authors and
professionals will participate in an
interactive exchange with the attendees on
topics of timely interest and auditing
issues.
The Keynote Speakers will be Steve Ettlinger,
Paul Borawski, and Paul Palmes. Larry
Whittington will present a session on "The
Auditee Bill of Rights". To register for the
conference, go to this ASQ
Audit Division Conference web site.
Whittington & Associates provides training, consulting, and auditing services for
management systems based on
ISO 9001, ISO/TS 16949, ISO/TS 29001, TL 9000, AS9100, AS9110, AS9120, ISO 13485,
ISO 27001, ISO 20000, and ISO 14001.