Whittington & Associates e-Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma May 2009
In this Issue
  1. CMMI for Services
  2. Cybersecurity Controls
  3. Internal Audit Reports
  4. QMS-EMS Audit Days
  5. ISO 9001:2008 Support
  6. Class Schedule

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


CMMI for Services

The Capability Maturity Model Integration (CMMI) for Services, known as CMMI-SVC, is a new model that provides guidance to service organizations for establishing, managing, and delivering services. The model focuses on service provider processes and integrates bodies of knowledge that are essential for successful service delivery.

Service organizations are 80% of the world economy. In these lean times, they can benefit by using process improvement to make the most of their resources to achieve desired business results. The new CMMI-SVC is a guide to help service organizations reduce costs, improve quality, and improve the predictability of schedules.

CMMI-SVC provides best practices that service providers can use when they need to:

  • Decide what services they should be providing, define standard services, and let people know about them
  • Make sure they have everything they need to deliver a service, including people, processes, consumables, and equipment
  • Get new systems in place, change existing systems, retire obsolete systems, all while making sure nothing goes terribly wrong with the service
  • Set up agreements, take care of service requests, and operate service systems
  • Make sure they have the resources needed to deliver services and that services are available when needed at an appropriate cost
  • Handle what goes wrong and prevent it from going wrong in the first place, if possible
  • Ensure they are ready to recover from potential disasters and get back to delivering services if a disaster occurs


The Standard CMMI Appraisal Method for Process Improvement (SCAMPI) is an appraisal method designed to evaluate an organization's processes against a CMMI model, including CMMI-SVC. The method serves a wide range of purposes, including internal process improvement and external capability determinations. SCAMPI A appraisals are officially recognized appraisals that result in benchmark quality ratings (e.g., maturity levels). SCAMPI B and SCAMPI C are less rigorous appraisals designed to provide information on the approach to process improvement or the status of process improvement implementations.

The current SCAMPI appraisal method is applicable to version 1.2 of the CMMI-SVC, CMMI-ACQ, and CMMI-DEV models. However, no SCAMPI A appraisals using CMMI-SVC will be accepted by the Software Engineering Institute (SEI) for the first six months after the model's release. In other words, SCAMPI A appraisals will only be accepted with an on-site start date of August 26, 2009 or later. Other classes of appraisals (SCAMPI Bs & Cs) may be used during the first six months to monitor process improvement progress.

To download a free copy of the CMMI-SVC v1.2 model, go to this SEI web page.

Cybersecurity Controls

Amid increasing scrutiny over U.S. cybersecurity, experts from the private and public sectors are pushing a set of recommendations they say are sorely needed to help shore up the nation's defenses against data breaches. The resulting Consensus Audit Guidelines (CAG) map out requirements for security controls needed to protect IT installations in government and the private sector.

Their creators include the U.S. Department of Homeland Security's US-CERT unit, the National Security Agency, and the Department of Defense. Commercial penetration testing and forensics experts from security vendors InGuardians and Mandiant also joined the effort, so the controls reflect attacks these groups have actually seen succeed rather than a theoretical catalog of risks.

The release comes on the heels of an earlier report by the Center for Strategic and International Studies (CSIS), a Washington think tank, which found U.S. cybersecurity policy lacking in the wake of high-profile breaches in both government and industry.

Aiming to shut the door on such attacks, the new CAG recommendations (available here) call for organizations to adopt 20 key security controls to safeguard themselves against current and future threats.

Recommendations include inventorying authorized and unauthorized hardware and software, maintaining, monitoring, and analyzing security audit logs, setting up boundary defense measures, and implementing secure configurations for hardware, software, and network devices.

The effort is the latest move by security experts to fight back against an onslaught of major data breaches in both industry and government. The proposed CAG controls are also organized so that they can be implemented in stages, which their creators said is more practical than urging organizations to implement them all at once.

Internal Audit Reports

The audit team leader prepares an audit report that is a complete, correct, concise, and clear record of the audit. The written report may include the topics described below. Some topics may not be applicable for your organization and the topics may be included in a different sequence.

The asterisked (*) items are the minimum set of topics suggested by QE19011S:2008 for an internal audit report.

Audit Objectives (*): Identify the goals of the audit, e.g., to verify conformity, evaluate effectiveness, and identify opportunities for improvement.

Audit Scope (*): Define the extent and boundaries of the audit, e.g., a description of the physical locations, organizational units, processes, and activities addressed by the audit.

Audit Client: Identify the organization or person that requested the audit. In the case of an internal audit, the client is typically the audit program manager that schedules the audits.

Audit Team (*): Identify the auditor(s) that conducted the audit, including the lead auditor.

Auditee Representatives: List the managers, supervisors, and employees that were interviewed during the audit. Use titles instead of names.

Audit Date (*): Include the date(s) of the audit, as well as the audit duration.

Report Date (*): Identify the issue date of the audit report.

Audit Location (*): List the site(s) that were audited.

Audit Criteria (*): Identify the applicable requirements against which the audit evidence was compared.

The audit criteria include Legal, Organization, Customer, and Standard requirements. Use the "LOCkS" acronym to remember the requirement types.

Audit Summary: Provide a summary of the audit results in terms of strengths and weaknesses. Include the individual observations and nonconformities at the end of the report.

Audit Findings (*): Include the results of the evaluation of the collected audit evidence against the audit criteria. These audit findings may indicate conformity or nonconformity.

Audit Evidence: Describe the records, statements of fact, or other information, which were relevant to the audit criteria and verifiable. Audit evidence is part of the audit record and included in nonconformity reports.

The audit evidence includes Documents, Observations, Records, and Statements. Use the "DOoRS" acronym to remember the evidence types.

Audit Follow-up: Indicate any nonconformities closed from the prior audit of the area. Ensure the corrective actions were effective in removing the causes and preventing recurrence.

Audit Conclusions (*): Describe the outcome of the audit after consideration of the audit objectives and all audit findings, e.g., extent of conformity, effectiveness of practices, and recommended improvements.

Audit Plan: Describe the activities and arrangements made for the audit. The plan may include an audit agenda with the areas that were audited and the auditor assignments.

Audit Process: Describe the audit methodology used, e.g., interview personnel, review documents, watch operations, and examine records.

Audit Disclaimer: Explain the uncertainty caused by sampling. State that there may be nonconformities beyond those reported, because the audit is a limited sample taken during a brief time period. Or, state that the absence of reported nonconformities does not mean there were no nonconformities.

Objectives Confirmation: Confirm that all the audit objectives were met. If not, explain why not and identify the actions needed to complete the audit as planned.

Obstacles Encountered: Identify any situations that took place during the audit that could decrease the reliability of the conclusions, e.g., lack of access or unavailability of personnel.

Areas Not Covered: Identify the functional areas or processes in the audit plan that were not addressed, and explain why they were left out.

Unresolved Opinions: Include any diverging opinions on audit findings or conclusions that were not resolved. Record the auditee issues and explain the escalation process.

Improvement Areas: Identify processes that could be improved. Note that suggestions are not binding.

Agreed Actions: Identify any actions resulting from the audit, e.g., corrective actions agreed to for the reported nonconformities.

Audit Confidentiality: Assure the reader that the audit results will be kept in strict confidence.

Thank You: Thank the auditee for their hospitality, cooperation, and openness.

Next Steps: Remind of due dates for corrective actions and highlight any issues needing further attention.

Distribution List (*): List the audit report recipients.

Issue the audit report within the agreed time period. If not possible, communicate the reasons for the delay to the audit client and agree on a new issue date. Timely audit reports are critical to obtaining timely and thorough corrective actions.

Schedule time on the audit agenda to prepare the report so it is available at the closing meeting. Or, issue the report shortly after the closing meeting. Follow the audit procedure.

Send a copy of the report to the recipients designated by the audit client. All audit team members and report recipients should respect and maintain the report confidentiality.

See clause 6.6 in ISO 19011:2002 and QE19011S:2008, clause 6.6, on audit reporting.

Sample Report

The report we use for internal audits begins with an Audit Summary page that identifies the audit and describes its results. The next page is an Audit Matrix with columns for the audited processes and rows for the applicable clauses (requirements) of the standard.

The third page begins the Audit Record section with evidence listed for each audited area:

  • Persons Interviewed:
  • Documents Reviewed:
  • Activities Observed:
  • Records Examined:

This part is repeated for each area included in the audit scope and, depending on the audit scope, may require multiple pages to complete the sampling record. The final Audit Issues section reports any observations and nonconformities.

If you'd like a copy of our audit report, send an email to (larry@whittingtonassociates.com).

QMS-EMS Audit Days

How many audit days would a registrar estimate for your initial stage 1 and stage 2 certification audits, ongoing surveillance visits, and re-certification audits?

The International Accreditation Forum (IAF) recently issued a Mandatory Document (IAF MD 5:2009) for certification bodies that contains mandatory provisions and guidance on the time required to audit their clients. The MD 5:2009 document applies to quality management systems (QMS) and environmental management systems (EMS).

The effective number of personnel indicated in the QMS and EMS tables below consists of all full-time personnel within the scope of the certification, including those working on each shift. Non-permanent (seasonal, temporary, and contracted personnel) and part-time personnel who will be present at the time of the audit are included in the numbers. Dependent on the hours worked, the part-time personnel numbers can be converted to an equivalent number of full-time personnel.

Annex A - QMS Audit Duration


Annex B - EMS Audit Duration


The audit duration for all types of audits includes on-site time at a client's premises and time spent off-site carrying out planning, performing document review, interacting with client personnel, and writing the report. The off-site activities should not reduce the total on-site audit duration to less than 80% of the times shown in the tables above.

The audit days are based on eight hours per day. The audit days cannot be reduced by planning on longer hours per working day.

Surveillance Audits

During the initial three-year certification period, surveillance audits should be proportional to the time spent on the initial certification audit. The total amount of time spent annually on surveillance audits should be about 1/3 the time spent on the initial certification audit (stage 1 + stage 2). Surveillance audit duration in future periods should take into account organizational changes and system maturity.

Re-Certification Audits

The re-certification audit is normally 2/3 of the time spent on the initial certification audit (stage 1 + stage 2). Future re-certification audits should be based on the time that would be required for the initial certification audit if it were to be carried out at the time of re-certification (not 2/3 of the original initial certification audit). The audit duration should also take into account the review of system performance.

Adjustment Factors

MD 5:2009 identifies factors to consider for possibly increasing the audit duration, such as complicated logistics, multiple languages, a large physical site, highly regulated activities, and complex processes. Considerations for decreasing the audit duration include factors such as excluded requirements, system maturity, other certifications, identical shifts, multiple sites, and low complexity. The MD 5 guidance states that a reduction in audit duration would be unlikely to exceed 30% of the times established from the tables.

The tables are frameworks for audit planning and for making adjustments to audit duration for all types of audits. The intent of MD 5:2009 is to achieve consistency of audit duration between certification bodies, as well as between similar clients of the same certification body.

MD 5:2009 is based upon guidance previously provided in GD2:2005 Annex 2 (for QMS) and GD6:2006 Annex 1 (for EMS). You can download a copy of MD 5:2009 at the IAF web site by clicking on Publications in the menu and then selecting MD 5:2009 from the Mandatory Documents list.

ISO 9001:2008 Support

Some of you may have used the ISO 9001:2000 Introduction and Support Package to ease the move to ISO 9001:2000. Well, the package has been revised at the ISO web site to reflect ISO 9001:2008 and may help you with the transition to ISO 9001:2008.

The package consists of the following seven guidance documents:

1. Guidance on ISO 9001:2008 sub-clause 1.2 "Application"

This document explains the concept of excluding an ISO 9001:2008 requirement from a quality management system, as well as the need to include your justification in the quality manual. The guidance also includes ten examples to illustrate the reasoning used to determine which requirements of ISO 9001:2008 are applicable to an organization.

The examples are:

1. Customer property (personal data) controlled by a bank (7.5.4)
2. Exclusion of design and development by a contract manufacturer (7.3)
3. Regulators permit the exclusion of design and development (7.3)
4. Outsourced design and development activities (7.3)
5. Traceability of component parts (7.5.3)
6. Design of services (7.3)
7. Post-delivery activities (7.5.1)
8. Validation of processes (7.5.2)
9. Monitoring and measuring devices (7.6)
10. Complex organization - claim of conformity

2. Guidance on the documentation requirements of ISO 9001:2008

This part of the package starts with the basics; what is a document and what are the main benefits of documentation. The guidance also goes over the documentation requirements, including required documents, and other documents that may be needed for the effective planning, operation, and control of your processes.

The document provides guidance for organizations preparing to implement a QMS, as well as for organizations adapting an existing QMS to ISO 9001:2008. The guidance discusses how to demonstrate conformity with the standard and lists all the required records.

3. Guide to the Terminology used in ISO 9001 and ISO 9004

This document provides a list of important words and terms used in ISO 9001:2008. The authors took great care during the development of ISO 9001 and ISO 9004 to use the correct English words and terms for readability and translation. The objective was to use simple technically accurate terms, and to the greatest extent possible, rely on common dictionary definitions. However, as with most technical subjects, there are terms with meanings that are different from common dictionary definitions.

4. Guidance on the concept and use of the process approach for management systems

This document provides an understanding of the concepts, intent, and the application of the "process approach" to the ISO 9000 family of standards. The purpose of the process approach is to enhance an organization's effectiveness and efficiency in achieving its defined objectives. For ISO 9001:2008, that means enhancing customer satisfaction by meeting requirements.

The guidance document defines a "process" and identifies the different types of processes. It also describes the steps to implement the process approach: identification, planning, implementation, measurement, analysis, corrective action, and improvement.

5. Guidance on 'Outsourced processes'

This document provides guidance on the intent of ISO 9001:2008, clause 4.1, regarding the control of outsourced processes. It defines an "outsourced process" and describes the control of an outsourced process through the application of clauses 4.1 and 7.4.

6. Implementation guidance for ISO 9001:2008

This guidance was developed to help understand the issues that need to be considered during the co-existence period of ISO 9001:2000 and ISO 9001:2008. The new standard clarifies the existing requirements of ISO 9001:2000 and improves compatibility with ISO 14001:2004.

ISO 9001:2008 does not introduce additional requirements, nor does it change the intent of the ISO 9001:2000 standard. The guidance document includes a background section on the ISO 9001:2008 revision process, plus an implementation timeline for the transition to ISO 9001:2008.

7. Frequently Asked Questions (FAQs)

This document provides a list of Frequently Asked Questions (FAQs) that were prepared by ISO/TC 176/SC 2 to support the publication of ISO 9001:2008 and the revision of ISO 9004. Input was obtained from experts and users of the ISO 9000 standards.

The FAQs list will be reviewed and updated on a regular basis to maintain its accuracy, and to include new questions where appropriate. This list will also provide a good source of information for new users of the standards.

You can view these guidance documents at this ISO web page. In addition, see my article in the December 2008 newsletter, "Move to ISO 9001:2008", and my paper, "ISO 9001:2008 Differences".

Class Schedule

Root Cause Analysis

ISO 9001:2008
Understanding ISO 9001:2008
Implementing ISO 9001:2008
Quality System Documentation
ISO 9001:2008 Internal Auditor
ISO 9001:2008 Lead Auditor

ISO 14001:2004
Implementing an EMS
ISO 14001:2004 Internal Auditor
ISO 14001:2004 Lead Auditor

ISO/TS 16949:2002
ISO/TS 16949:2002 Internal Auditor
ISO/TS 16949:2002 Lead Auditor
Understanding and Implementing ISO/TS 16949:2002

Core Tools
Advanced Product Quality Planning
Design Failure Modes Effects Analysis
Process Failure Modes Effects Analysis
Production Part Approval Process
Statistical Process Control
Measurement System Analysis

AS9100B:2004
AS9100 Internal Auditor
Implementing AS9100
AS9100 Lead Auditor

ISO 27001:2005
ISO 27001 - Understanding an ISMS
ISO 27001 - ISMS Implementation
ISO 27001 - ISMS Internal Auditor
ISO 27001 - ISMS Lead Auditor

ISO 20000-1:2005
Understanding ISO 20000
Implementing ISO 20000
ISO 20000 Internal Auditor

ISO 13485:2003
Understanding ISO 13485:2003
ISO 13485:2003 Internal Auditor
Implementing ISO 13485:2003
ISO 9001 Lead Auditor - ISO 13485 Emphasis

Capability Maturity Model Integration
Introduction to CMMI v1.2

Six Sigma
Introduction to Statistics
Green Belt Certification
Black Belt Certification

Books
See our list of ISO 9001, Auditing, and Six Sigma books. Includes book descriptions and links to Amazon.

© 2000-2009 Whittington & Associates, LLC
