e-Newsletter
Whittington Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma
April 2009
In this Issue
  1. Data Losses
  2. CMMI vs. ISO 9001
  3. Audit Procedure
  4. Supplier Management
  5. Lower Energy Costs
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


Data Losses

Businesses risk losing over $1 trillion from loss or theft of data and other cybercrime, according to a recent study by security technology firm McAfee. They found that malware increased by 400 percent last year.

The malware is being designed to steal your data, steal your identity, or steal your money. The scale, as well as the sophistication, was very alarming according to McAfee. The survey found 80% of the malware is aimed at making a financial gain, rather than the traditional viruses and worms which just have nuisance value.

The increase in the availability and power of removable storage, such as mobile phones, laptops, and USB sticks, has made data loss or theft much easier. And, global supply chains mean that sensitive data is often stored abroad; often in countries with little intellectual property law.

Data lost accidentally, or through theft, can be expensive to replace or damaging to a company's reputation or brand. In the survey, 42 percent of companies said that laid-off employees were the single biggest threat to their data security.

ISO 27001

Knowing the magnitude of the threat, it could be time for your organization to implement ISO 27001:2005, Information technology - Security techniques - Information security management systems - Requirements.

ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented "Information Security Management System" within the context of your overall business risk. It specifies requirements for the implementation of security controls customized to the needs of an individual organization.

The standard is designed to help select adequate and proportionate security controls that protect information assets and give confidence to interested parties. It is intended to help:

  • formulate security requirements and objectives;
  • ensure security risks are cost effectively managed;
  • ensure compliance with laws and regulations;
  • provide a process framework for implementing and managing controls that ensure specific security objectives are met;
  • define new information security management processes;
  • identify and clarify existing information security management processes;
  • determine the status of information security management activities;
  • determine the degree of compliance with the policies, directives and standards;
  • provide relevant information about information security policies, directives, standards and procedures to trading partners;
  • implement business-enabling information security;
  • provide relevant information about information security to customers.

ISO 27002

ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, is a companion document for ISO 27001.

ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It contains best practices of control objectives and controls in the following areas of information security management:
  • security policy;
  • organization of information security;
  • asset management;
  • human resources security;
  • physical and environmental security;
  • communications and operations management;
  • access control;
  • information systems acquisition, development and maintenance;
  • information security incident management;
  • business continuity management;
  • compliance.

The control objectives and controls in ISO 27002 are to be implemented to meet the requirements identified by a risk assessment. The standard is meant to be a practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

ISO 27005

ISO 27005:2008, Information technology - Security techniques - Information security risk management, provides guidelines for information security risk management. It supports the general concepts specified in ISO 27001 and is designed to assist the implementation of information security based on a risk management approach.

Note: Knowledge of the concepts, models, processes, and terminologies described in ISO 27001 and ISO 27002 is important for a complete understanding of ISO 27005.

Training

We offer the following ISO 27001 courses. Click on the title to see the course description and class schedule. Enroll at least 60 days in advance of a class and receive a 15% discount.

Understanding ISO 27001 (2 Days)

ISO 27001 Implementation (3 Days)

ISO 27001 Internal Auditor (3 Days)

ISO 27001 Lead Auditor (4.5 Days)

CMMI vs. ISO 9001

The Software Engineering Institute published a March 2009 report, CMU/SEI-2009-SR-005, that compares CMMI-Development, v1.2, to the ISO 9001:2000 international quality standard. Since the more recent ISO 9001:2008 edition didn't add any new requirements or clause numbering to ISO 9001:2000, the SEI comparison remains valid.

The report is meant for anyone with knowledge of either the Capability Maturity Model Integration (CMMI) Product Suite or the International Organization for Standardization (ISO) 9000 family of standards who is interested in learning more about the other process standard.

The CMMI-DEV, v1.2, comparison to ISO 9001:2000 notes their similarities and differences. SEI points out that the report is not intended to be an exhaustive or authoritative comparison, nor does it provide specific guidance for deciding which model or standard to adopt.

Organizations that are implementing both ISO 9001 and the CMMI Development model will benefit from understanding the areas that are covered fully by both bodies of knowledge, as well as areas not covered by both. While the two bodies of knowledge were developed independently and for different purposes, they have important connections and are largely consistent with each other.

The report is organized into four sections. The first section provides a brief overview of the report's focus and organization. The next two sections describe the two bodies of knowledge, i.e., the world of ISO 9000 and the world of CMMI-DEV. The final section provides a comparative analysis of the two bodies of knowledge. Finally, the appendices identify the report contributors, acronyms, terminology differences, resources, and references.

You can download the free, 70-page report in PDF format from this SEI web page.

For training on CMMI v1.2, go to this Introduction to CMMI v1.2 course description. For training on ISO 9001, see these course descriptions:

Understanding ISO 9001:2008
Implementing ISO 9001:2008
ISO 9001:2008 Internal Auditor
ISO 9001:2008 Lead Auditor

Audit Procedure

The most searched topic at our web site is "audit procedure". So, this article includes a sample internal audit procedure. Any comments?

1.0 PURPOSE

The purpose of this procedure is to assess the conformity of our quality management system to specified requirements and its effectiveness in meeting quality objectives.

2.0 SCOPE

This procedure covers scheduling, initiating, planning, conducting, recording, and reporting internal audits. It also addresses qualifying auditors, performing follow-up audits, and managing the overall audit program.

This procedure applies to internal audits for all functional areas involved in performing, verifying, supporting, and managing our quality-related activities.

3.0 REFERENCES

3.1 Internal Audit Schedule, file PLAN.XLS
3.2 Corrective Action Procedure, QA-P-014
3.3 Prior internal and external audit reports
3.4 Documents for the areas to be audited:

  • Quality Manual policies
  • Department procedures
  • Plans and specifications
  • Work instructions and forms
3.5 Customer contracts
3.6 Statutes and regulations
3.7 Applicable standards

4.0 RESPONSIBILITIES

4.1 Quality Manager

Performs the duties of the audit program manager. Maintains the audit schedule, initiates audits, assigns qualified auditors, and manages the overall audit program.

4.2 Internal Auditor

Reviews the applicable documents, considers prior audit results, prepares an audit checklist, conducts the audit, and reports the results.

4.3 Lead Internal Auditor

Carries out the duties of an auditor, prepares the audit agenda, briefs the auditor team, conducts the opening and closing meetings, and issues the audit report.

4.4 Manager of Audited Area

Provides access to information, encourages employee cooperation, acknowledges any findings, proposes corrective actions, and notifies the audit program manager when actions are complete, effective, and ready for a follow-up audit.

5.0 PROCEDURE

5.1 Scheduling

The audit program manager creates and maintains the internal audit schedule. Each functional area within the quality management system is audited at least annually. Audits are conducted such that all activities corresponding to the requirements of the Standard are assessed throughout the year.

Departments may be scheduled for more frequent audits based on the importance of the area, the status of product quality, and the results of prior audits. Planned audits are identified on the internal audit schedule, along with tracking information regarding audit completion and closure.

The audit program manager presents the annual schedule for approval at the Management Review meeting. Supplemental audits can be added to the schedule during the year if warranted by changes to the quality management system.

5.2 Initiating

The audit program manager refers to the schedule to identify the audits planned for the next month. A reminder notice is sent to the assigned auditors, and the manager of the area to be audited, at least two weeks prior to the audit.

5.3 Planning

The audit program manager communicates the audit objective and scope in the audit notice sent to the assigned auditors and the managers of the areas to be audited. The lead auditor is appointed by the audit program manager and prepares the agenda for the audit. The agenda defines the auditor assignments and identifies the times and duration for each audited area.

Auditors prepare by reviewing the applicable parts of the Standard and quality manual, as well as applicable plans, procedures, and instructions for the areas to be audited. Using this information, the auditors create checklists identifying the key requirements, representative samples, expected evidence, and suggested questions.

5.4 Conducting

The lead auditor briefs the team on the audit objective, scope, assignments, procedure, and forms. An opening meeting is held with the manager of the area to be audited to review the audit plan and initiate the assessment.

Auditors review documents, interview employees, examine records, and observe operations to search for evidence of conformity to requirements.

If a nonconformity is found, the auditor discusses it with the person being interviewed to confirm the facts and seek agreement with the finding.

5.5 Recording

Objective evidence of conformity with requirements is captured on the audit checklist. Any nonconformities are documented on nonconformity reports and reviewed with the lead auditor.

The auditor completes the first section of the nonconformity report (QA-P-17.02) to describe the requirement and the evidence of nonconformity. The responsible manager for the identified process completes the next section by proposing the immediate correction, as well as the corrective action to prevent recurrence of the nonconformity.

The manager of the process completes the third part of the form when the action has been completed and its effectiveness has been verified. An auditor completes the final section during the follow-up audit to close the finding, as appropriate.

5.6 Reporting

The lead auditor prepares the audit summary report (QA-P-17.01) with assistance from the audit team. A closing meeting is held to share the audit results with the manager of the audited area and seek acknowledgement of the report.

The lead auditor reminds the auditee that a representative sample was taken during a brief time period and nonconformities may still exist.

Appeals of findings are sent to the audit program manager for arbitration.

A copy of the audit report is given to the manager of the audited area. The original report goes to the audit program manager for record retention.

5.7 Correcting

The manager of the audited area submits an action plan within two weeks of the closing meeting. If the action plan is acceptable, the audit program manager approves the plan and notifies the manager to proceed with the proposed corrective action.

Actions are to be completed within sixty days of the plan approval, unless a new due date is negotiated with the audit program manager.

5.8 Verifying

An auditor is assigned to conduct a follow-up audit and verify the effective implementation of corrective actions for previously reported nonconformities.

Follow-up audits are scheduled within two weeks after receiving notice that the actions have been completed. If the audit program manager has not received the notice by the due date, a reminder note is sent to the manager of the audited area.

If after one additional week the action has not been completed, an overdue note is sent, with a copy going to the manager's manager. If more work is still needed to complete the corrective action, a new due date must be negotiated with the audit program manager.

5.9 Training

The audit program manager selects auditors who are open-minded, impartial, and objective, and who possess sound judgment. These personal traits, along with company experience, are considered important auditor attributes for conducting effective audits.

Auditors receive classroom training in auditing techniques and Standard requirements, observe an audit conducted by a qualified auditor, and then participate as members of an audit team. The audit program manager maintains records of the auditor training and the list of qualified auditors.

5.10 Managing

The audit program manager maintains the audit schedule and assigns qualified auditors who are independent of the areas to be audited.

The audit program manager tracks the status of audits and summarizes the results for presentation at the Management Review meetings.

6.0 RECORDS

6.1 Audit Notice (sent via e-mail)
6.2 Audit Summary Report, form QA-P-17.01
6.3 Audit Nonconformity Report, form QA-P-17.02
6.4 Audit Checklist, form QA-P-17.03
6.5 Internal Audit Schedule, file PLAN.XLS
6.6 Auditor Training Records
6.7 Qualified Auditor List

7.0 ATTACHMENTS

7.1 Sample Audit Summary Report
7.2 Sample Nonconformity Report
7.3 Sample Audit Checklist Section

8.0 REVISION HISTORY

(Include revision level, change description, changed by, and effective date).

Training

If you want to attend a public internal auditor class, consider one of these courses. Enroll at least 60 days in advance of the class date and receive the discounted fee shown below:

ISO 9001 Internal Auditor - Quality - 3 days - $1016
AS9100 Internal Auditor - Aerospace - 3 days - $986
ISO/TS 16949 Internal Auditor - Automotive - 3 days - $1016
ISO 13485 Internal Auditor - Medical Devices - 3 days - $1016
ISO 20000 Internal Auditor - IT Services - 3 days - $1356
ISO 27001 Internal Auditor - Information Security - 3 days - $1271
ISO 14001 Internal Auditor - Environmental - 2 days - $931

If you want to arrange an on-site internal audit class, please contact me for a quote. We also have cost-effective 2-day on-site versions for most of the courses.

Supplier Management

The ISO 20000 standard for IT Service Management includes requirements in clause 7.3 for Supplier Management. The objective of these requirements is to manage suppliers to ensure the provision of seamless, quality services.

Requirements:

An organization conforming to ISO 20000 is required to document its supplier management processes and name a contract manager responsible for each supplier. It is also required to document, and have all parties agree upon, service level agreements that describe the requirements, scope, level of service, and communication processes to be provided by the supplier.

The service level agreements with suppliers must be aligned with the service level agreements for the business. All the interfaces between the processes used by each party must be documented and agreed upon.

The organization must clearly document all the roles and relationships between the lead and subcontracted suppliers. They must require lead suppliers to demonstrate processes to ensure that subcontracted suppliers meet contractual requirements.

Major reviews of the contract or formal agreement must be conducted at least annually to ensure that business needs and contractual obligations are still being met. Contracts and service level agreements must be changed as appropriate after these reviews, or at other times as required. Any changes must be subjected to the organization's change management process.

A process must be established to deal with contractual disputes. A process must also be established to deal with the expected end of service, early end of service, or transfer of service to another party.

Performance against service level targets must be monitored and reviewed. Actions for improvement identified during this process must be recorded and input into a plan for improving the service.

Documents:

  • Supplier management procedure
  • Contractual dispute procedure
  • Lead-subcontractor supplier relationships

Records:

  • Supplier service level agreements
  • Supplier-service provider process interface agreements
  • Supplier service level performance records
  • Supplier management improvement actions

Training:

If you are interested in learning more about ISO 20000 and IT service management, consider enrolling in one of these courses:

Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor
ISO 20000 Lead Auditor

Lower Energy Costs

The Industrial Technologies Program (ITP) leads national efforts to improve industrial energy efficiency and environmental performance. The ITP is part of the U.S. Department of Energy's Office of Energy Efficiency and Renewable Energy (EERE).

"Save Energy Now" is a national initiative of the ITP to drive a 25% reduction in industrial energy intensity in 10 years. Companies nationwide can participate in no-cost energy assessments and utilize ITP resources to reduce energy use while increasing profits.

These energy assessments have helped U.S. manufacturing facilities save an average of $2 million, or 8% of their total energy costs, not to mention productivity improvements and reduced carbon emissions. Plants can begin the process of reducing energy intensity by applying for a no-cost energy assessment performed by a DOE Energy Expert.

Participating Plants
The energy assessments help identify key opportunities for savings by focusing on energy-intensive systems such as process heating, steam, pumps, fans, and compressed air.

You can go to this Participating Plants web site to see a list of companies by state, industry type (aluminum, chemical, glass, steel, etc.) and system type (compressed air, fans, pumps, process heating, steam). For example, in Georgia, 35 plants in 22 cities have already been assessed.

The plant assessment summary includes the company name, location, industry type, assessment type, energy expert, and assessment date. For some plants, the assessment report in PDF format may be available, and for others, a case study may be available.

Assessment Options
The DOE offers these energy assessment options:

For large plants: The nation's largest, most energy-intensive plants can apply to receive a 3-day system assessment. These on-site assessments are led by the DOE's Energy Experts who use the DOE's software tools and technical information to target a specific system area. Assessments also provide valuable hands-on learning that can help your staff gain knowledge to multiply the benefits of the assessment.

For small and medium-sized plants: The DOE's university-based Industrial Assessment Centers conduct 1-day assessments at smaller plants. Teams of highly trained IAC faculty and engineering students apply the same DOE software tools and technical resources to identify key savings opportunities throughout your plant.

For all plants: Contacting the EERE Information Center is the right option for any plant, large or small, if you are ready to boost energy savings and improve productivity. Whether or not you receive an assessment, you will find expert technical assistance and guidance on how to make the most of the "Save Energy Now" portfolio of resources.

For more information, go to the "Save Energy Now" web site.

Class Schedule

Root Cause Analysis

ISO 9001:2008
Understanding ISO 9001:2008
Implementing ISO 9001:2008
Quality System Documentation
ISO 9001:2008 Internal Auditor
ISO 9001:2008 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

Core Tools
Advanced Product Quality Planning
Design Failure Modes Effects Analysis
Process Failure Modes Effects Analysis
Production Part Approval Process
Statistical Process Control
Measurement System Analysis

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001:2005
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000-1:2005
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2009 Whittington & Associates, LLC
