Whittington & Associates e-Newsletter
QMS, EMS, Information Security, Services Management, and Six Sigma
February 2012
In this Issue
  1. Future ISO 9001
  2. Audit Definitions
  3. ISO/TR 27008:2011
  4. More on ISO 19011
  5. Class Schedule
  6. Featured Books

Greetings!

Welcome to the Whittington & Associates e-Newsletter! Visit and bookmark our web site.

Our newsletters provide guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.


Future ISO 9001

In October 2010, the ISO technical committee that developed the ISO 9000 series of standards launched a major survey of existing and potential users of ISO 9001 in 122 countries. The survey objective was to better understand user needs, identify opportunities for improvement, and guide the long-term strategic direction for quality management.

The worldwide survey was conducted in 11 languages (Arabic, Chinese, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, and Spanish) and received 11,722 responses. Although the full survey had 58 individual questions, the following is a summary of 10 key questions and answers.

Q1. Are you responding on behalf of your organization, or giving an individual response?

  • Individual 53%
  • Organization 47%
Q2. What is the size of your organization in number of employees?
  • Small 37%
  • Medium 39%
  • Large 24%
Q3. What is your generic product category?
  • Services 43%
  • Hardware 31%
  • Processed materials 19%
  • Software 7%
Q4. Describe your current use of ISO 9001.
  • Certified user 76%
  • Non-certified user 13%
  • Previously certified user 6%
  • Not a current user 5%
Q5. Which of these factors influence your organization in ISO 9001 certification?
(Multiple response question)
  • Customer satisfaction, 36%
  • Market need, 31%
  • Mandated customer requirement, 28%
  • Self-declared conformity, 19%
  • Other, 5%
Q6. What are the most important benefits of applying ISO 9001 to your organization?
(Multiple response question)
  • Improved customer satisfaction, 50%
  • Standard business processes, 50%
  • Increased management commitment, 35%
  • Effective use of data as a business management tool, 35%
  • More effective management reviews, 34%
  • Improved customer communication, 31%
  • Increased supplier performance, 20%
  • It is a customer requirement, 19%
  • Improved supplier communication, 19%
  • Improved financial performance, 11%
  • Other, 3%
  • No benefit at all, 1%
Q7. Ability to integrate an ISO 9001 based QMS with other management system standards or models.
(Multiple response question)
  • Environmental management systems (ISO 14001), 27%
  • Occupational Health & Safety Management (OHSAS 18001), 18%
  • Not attempted, 16%
  • Other models and standards (e.g., Malcolm Baldrige), 8%
  • Automotive QMS (ISO/TS 16949), 7%
  • Information security management systems (ISO 27001), 4%
  • Aerospace QMS (AS 9100 or EN 9100), 4%
  • Medical devices QMS (ISO 13485), 3%
  • Food safety management systems (ISO 22000), 3%
  • Conformity assessment (ISO 17000 family of standards), 1%
  • Energy management (draft ISO 50001 - since published), 1%
  • Telecommunications QMS (TL 9000), 1%
  • Security management systems for the supply chain (ISO 28000), 1%
  • European Foundation for Quality Management (EFQM), 1%
  • Petroleum, petrochemical, and natural gas industries QMS (ISO/TS 29001), 1%
Q8. How would you describe the ongoing relevance of ISO 9001:2008?
  • Relevant with enhancements, 64%
  • Fine as is, 27%
  • No longer relevant, 5%
  • Other, 4%
Q9. Which of the following options would you prefer for the future of ISO 9001?

Option A - Leave ISO 9001 unchanged, i.e., re-confirm "as is" for a further five years.
  • Positive : 43%
  • Negative : 48%
  • Neutral : 9%
Option B - Revise ISO 9001 based on the suggestions for change arising from this survey, and produce one revised ISO 9001 standard where all requirements remain equally mandatory.
  • Positive : 53%
  • Negative : 35%
  • Neutral : 12%
Option C - Leave ISO 9001:2008 unchanged, but also develop another standard with an enhanced (higher level) set of QMS requirements for sustained success that could be used for certification.
  • Positive : 25%
  • Negative : 65%
  • Neutral : 10%
Option D - Leave ISO 9001:2008 unchanged, but also develop another standard with a reduced (lighter version) set of requirements that could be used for certification of organizations providing low-risk products.
  • Positive : 24%
  • Negative : 67%
  • Neutral : 9%
Option E - Replace ISO 9001:2008 with a series of three documents (QMS 1, QMS 2, QMS 3) with higher, middle, and lower sets of requirements that could be used for certification depending on the risk and criticality associated with the organization's products.
  • Positive : 26%
  • Negative : 66%
  • Neutral : 8%
Option F - Replace ISO 9001:2008 with a single standard to include a much broader range of higher and lower sets of requirements, allowing organizations a greater choice depending on risk and criticality associated with the organization's products.
  • Positive : 41%
  • Negative : 49%
  • Neutral : 10%
Option G - Replace ISO 9001:2008 with a single standard to include a full range of higher, middle, and lower sets of requirements, with points-based maturity assessment.
  • Positive : 44%
  • Negative : 47%
  • Neutral : 9%
Of the seven options relating to future ISO 9001 standards, the most popular, in descending order of support, were B, G, A, and F, all involving a single ISO 9001 requirement standard. Options E, C, and D, which all involved multiple requirements documents, were the least popular.

Q10. How important is it to incorporate the following concepts into ISO 9001?
(Multiple response question)
  • Resource management, 75%
  • Voice of customers, 74%
  • Measures (e.g., performance, satisfaction, return on investment), 72%
  • Knowledge management, 72%
  • Integration of risk management, 73%
  • Systematic problem solving and learning, 73%
  • Self-assessment tool, 71%
  • Strategic planning, 68%
  • Innovation, 65%
  • Use of technology to develop and implement requirements, 63%
  • Life cycle management, 62%
  • Use of technology to run your business, 61%
  • Financial resources of the organization, 55%
  • Supporting quality tools (e.g., Six Sigma), 55%
Conclusions

Users believe ISO 9001 is an effective quality management standard and with enhancements will remain relevant in the future. Users provided over 8,000 comments related to enhancements.

Many respondents suggested that, while major changes were not required, improvements could be made to address the ever changing global and business requirements to ensure ISO 9001 remained the most important standard for QMS implementation. A number of respondents also criticized the way in which ISO 9001 was implemented and recommended better application guidance.

The survey results will provide significant input to the ISO committee's review process and help determine where improvements to ISO 9001 may be needed.

Audit Definitions

The ISO 19011:2011 audit guidance standard has revised audit definitions, expanded related notes, and added new definitions. Some examples of these changes are described below.

The definition of audit remains: a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. Its revised note clarifies that the purpose of an internal audit may be to confirm the effectiveness of the management system or to obtain information for the improvement of the management system. The note adds that in a small organization, independence can be shown by freedom from responsibility for the activity being audited or freedom from bias and conflict of interest.

The definition of audit findings remains: the results of the evaluation of the collected audit evidence against audit criteria. A note states audit findings indicate conformity or nonconformity. A new note under audit findings clarifies that findings can lead to the identification of opportunities for improvement or recording good practices. Another new note says if the audit criteria are selected from legal or other requirements, the audit finding is termed compliance or non-compliance (instead of conformity or nonconformity).

The definition of audit client remains: the organization or person requesting an audit. Its note states that in the case of an internal audit, the audit client can also be the auditee or the person managing the audit program. The note also says requests for external audit can come from sources such as regulators, contracting parties, or potential clients.

The definition of competence was revised to be: the ability to apply knowledge and skills to achieve intended results. The related note states that ability implies the appropriate application of personal behavior during the audit process.

The new definition for guide is: a person appointed by the auditee to assist the audit team. The new definition for observer is: a person who accompanies the audit team but does not audit. Its notes add that an observer is not a part of the audit team and does not influence or interfere with the conduct of the audit. It says an observer can be from the auditee, a regulator, or other interested party who witnesses the audit.

The new definition for management system is: a system to establish policy and objectives and to achieve those objectives. The related note states a management system of an organization can include different management systems, such as a quality management system, a financial management system, or an environmental management system.

ISO/TR 27008:2011

ISO/TR 27008:2011, Information technology - Security techniques - Guidelines for auditors on information security controls, is a new Technical Report (TR) that gives auditors guidance on reviewing information security controls, including technical compliance checking, to help improve the effectiveness of an organization's information security management system (ISMS).

The document supports a rigorous organizational security audit and review program for information security controls, to enable the organization to have confidence that their controls have been appropriately implemented and operated and that their information security is fit for purpose.

ISO/TR 27008 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking. It is principally aimed at information security auditors who need to check the technical compliance of an organization's information security controls against ISO 27002 and any other control standards used by the organization.

ISO/TR 27008 will help the auditors to:

  • Identify and understand the extent of potential problems and shortfalls of information security controls
  • Identify and understand the potential organizational impacts of inadequately mitigated information security threats and vulnerabilities
  • Prioritize information security risk mitigation activities
  • Confirm that previously identified or emergent weaknesses or deficiencies have been adequately addressed
  • Support budgetary decisions within the investment process and other management decisions relating to improvement of the organization's information security management
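The technical compliance checking that ISO/TR 27008 describes, and the conformity or nonconformity findings defined in ISO 19011, can be illustrated with a small script. The following is an added example written for this newsletter; it is not text or code from ISO/TR 27008, ISO 27002, or ISO 19011. The audit criteria, the control labels attached to them, and the two sample sshd_config files are constructed for the illustration; an auditor would replace them with criteria traced to the clause numbers of the control standard actually in use.

```python
"""Technical compliance check of OpenSSH server settings against a small
set of audit criteria, in the spirit of ISO/TR 27008.

Added illustration, not code from ISO/TR 27008 or the newsletter. The
criteria, control labels and sample sshd_config files below are constructed
for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Audit criteria: parameter, acceptable values, and the control the criterion
# is drawn from. The control labels are illustrative (assumed), not clause
# numbers from ISO 27002; map them to your own control standard.
CRITERIA: List[Tuple[str, Tuple[str, ...], str]] = [
    ("PermitRootLogin", ("no",), "restriction of privileged access"),
    ("PasswordAuthentication", ("no",), "secure log-on, key-based authentication"),
    ("Protocol", ("2",), "cryptographic controls"),
    ("MaxAuthTries", ("3", "4"), "limit on failed log-on attempts"),
]


@dataclass
class Finding:
    host: str
    parameter: str
    expected: Tuple[str, ...]
    observed: str      # the audit evidence as collected
    conforms: bool


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings of an sshd_config.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored. Keywords are case-insensitive. Everything after the first
    'Match' line is conditional and is deliberately not parsed here; an
    auditor has to review Match blocks separately.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings


def evaluate(host: str, config_text: str) -> List[Finding]:
    """Compare the collected evidence against each criterion.

    A parameter that is not set falls back to the compiled-in default, which
    this evidence cannot confirm, so it is recorded as a nonconformity for
    follow-up rather than assumed to be acceptable.
    """
    settings = parse_sshd_config(config_text)
    findings = []
    for param, acceptable, _control in CRITERIA:
        observed = settings.get(param.lower(), "<not set>")
        findings.append(Finding(host, param, acceptable, observed, observed in acceptable))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count conformities and nonconformities, as an audit report would."""
    conforming = sum(1 for f in findings if f.conforms)
    return {"conformity": conforming, "nonconformity": len(findings) - conforming}


# Constructed evidence: configuration files sampled from two hosts.
SAMPLE_CONFIGS = {
    "web01": """
# hardened baseline
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
""",
    "legacy02": """
Protocol 2
PermitRootLogin yes
PermitRootLogin no        # ignored: sshd keeps the first value
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
""",
}

if __name__ == "__main__":
    for host, cfg in SAMPLE_CONFIGS.items():
        results = evaluate(host, cfg)
        print(host, summarize(results))
        for f in results:
            if not f.conforms:
                print(f"  NONCONFORMITY {f.parameter}: observed {f.observed!r}, "
                      f"expected one of {f.expected}")
```

Two details matter for an auditor rather than a sysadmin: the script records what it observed as the audit evidence behind each finding, and it treats an unset parameter as a nonconformity to be followed up, because the evidence collected does not show which default the installed build applies.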
ISO/TR 27008 is part of the ISO 27000 family of standards on information security management systems:

ISO 27000:2009, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary

ISO 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements

ISO 27002:2005, Information technology -- Security techniques -- Code of practice for information security management

ISO 27003:2010, Information technology -- Security techniques -- Information security management system implementation guidance

ISO 27004:2009, Information technology -- Security techniques -- Information security management -- Measurement

ISO 27005:2011, Information technology -- Security techniques -- Information security risk management

ISO 27006:2011, Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

ISO 27007:2011, Information technology -- Security techniques -- Guidelines for information security management systems auditing

ISO/TR 27008:2011, Information technology -- Security techniques -- Guidelines for auditors on information security controls

We offer training on the requirements and auditing of information security management systems. You can view a course description and select a class by clicking on a course title below:

ISO 27001 Requirements
ISO 27001 Internal Auditor
ISO 27001 Lead Auditor

More on ISO 19011

The ISO 19011:2011 auditing standard has a new name, "Guidelines for Auditing Management Systems". The prior edition, ISO 19011:2002, limited its audit guidance to just quality and environmental systems.

The new standard has broadened its scope to the auditing of any management system, but has reduced its focus to internal (first-party) and supplier (second-party) audits. Requirements for management system certification (third-party) audits are provided in ISO 17021:2011 (see my March 2011 article).

ISO 19011:2011 provides guidance on:

  • Management of an audit program
  • Planning and conducting an audit
  • Competence and evaluation of auditors and teams
The guidance is intended to be flexible. Its use can differ based on:
  • Size and maturity level of the management system
  • Nature and complexity of organization to be audited
  • Objectives and scope of the audit to be conducted
The standard introduces the concept of risk to auditing:
  • Risk of the audit process not achieving its objectives
  • Potential for an audit to interfere with the auditee activities
ISO 19011:2011 does not give guidance on an organization's risk management process, but it does recognize an organization can focus its audit effort on matters of significance to the management system.

Clause 3 sets out the key terms and definitions used in ISO 19011:2011. Clause 4 describes the principles on which auditing is based. These principles are important in understanding the guidance provided in Clauses 5 to 7.

Clause 5 provides guidance on establishing and managing an audit program, establishing the audit program objectives, and coordinating auditing activities. Clause 6 provides guidance on planning and conducting an audit of a management system. Clause 7 provides guidance relating to the competence and evaluation of management system auditors and audit teams.

Annex A illustrates the application of the guidance in Clause 7 to different disciplines. After Annex A.1, General, the disciplines with examples are:

A.2 Transportation safety
A.3 Environmental management
A.4 Quality management
A.5 Records management
A.6 Resilience, security, preparedness, and continuity management
A.7 Information security management
A.8 Occupational health and safety management

Annex B provides additional guidance for auditors on planning and conducting audits.

B.1 Applying audit methods (remote and onsite)
B.2 Conducting document review
B.3 Sampling (judgment and statistical)
B.4 Preparing work documents
B.5 Selecting sources of information
B.6 Guidance on visiting the auditee's location
B.7 Conducting interviews
B.8 Audit findings

As mentioned in my December 2011 article on ISO 19011:2011, the main differences of the second edition compared to the first edition are:
  • Expanded from 38 pages to 56 pages, a 47% size increase
  • Relationship between ISO 19011 and ISO 17021 has been clarified
  • Remote audit methods and the concept of risk have been introduced
  • Confidentiality has been added as a new principle of auditing
  • Clauses 5, 6, and 7 have been reorganized and expanded upon
  • Competence determination and evaluation process has been strengthened
  • Examples of discipline-specific knowledge and skills are in new Annex A
  • Additional information is in new Annex B, resulting in removal of help boxes
Our onsite ISO 9001:2008 Internal Auditor course has been updated for the new ISO 19011:2011 standard. To see the course description, go to this web page.

Class Schedule

Root Cause Analysis (2 or 3 Days - Onsite Only)

ISO 9001:2008 - RABQSA TPECS
Implementing ISO 9001:2008 (2 Days)
ISO 9001:2008 Requirements (2 Days) TPECS
ISO 9001:2008 Internal Auditor (3 Days) TPECS
ISO 9001:2008 Lead Auditor (4 Days) TPECS

ISO 9001:2008 Requirements (1 Day - Onsite Only)
ISO 9001:2008 Internal Auditor (2 Days - Onsite Only)
ISO 9001:2008 Auditor Update (1 Day - Onsite Only)

ISO 14001:2004 - RABQSA TPECS
Implementing an EMS (2 Days)
ISO 14001:2004 Requirements (2 Days) TPECS
ISO 14001:2004 Internal Auditor (3 Days) TPECS
ISO 14001:2004 Lead Auditor (4 Days) TPECS

ISO/TS 16949:2009
ISO/TS 16949 Internal Auditor (3 Days)
ISO 9001 Lead Auditor with ISO/TS 16949 Emphasis (4.5 Days) RABQSA

Core Tools
Advanced Product Quality Planning (1 Day)
Design Failure Modes Effects Analysis (1 Day)
Process Failure Modes Effects Analysis (1 Day)
Production Part Approval Process (1 Day)
Statistical Process Control (1 Day)
Measurement System Analysis (1 Day)

AS9100C:2009
Implementing AS9100 (2 Days)
AS9100 Internal Auditor (3 Days)
AS9100 Lead Auditor (5 Days) RABQSA

ISO 27001:2005 - RABQSA TPECS
ISO 27001 - ISMS Implementation (3 Days)
ISO 27001 - ISMS Requirements (2 Days) TPECS
ISO 27001 - ISMS Internal Auditor (3 Days) TPECS
ISO 27001 - ISMS Lead Auditor (4 Days) TPECS

ISO 20000-1:2005 - RABQSA TPECS
Implementing ISO 20000 (2 Days)
ISO 20000 Requirements (2 Days) TPECS
ISO 20000 Internal Auditor (3 Days) TPECS
ISO 20000 Lead Auditor (4 Days) TPECS

ISO 13485:2003 - RABQSA TPECS
Implementing ISO 13485 (2 Days)
ISO 13485 Requirements (2 Days) TPECS
ISO 13485 Internal Auditor (3 Days) TPECS
ISO 13485 Lead Auditor (4 Days) TPECS

Six Sigma
Green Belt Certification (3 Days)
Black Belt Certification (15 Days)

© 2000-2012 Whittington & Associates, LLC

Featured Books

You can view the selected quality, environmental, and six sigma book abstracts by clicking on one of the categories below:

The books can be ordered online via Amazon if you decide to buy a copy.
