Whittington & Associates Newsletter


If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

Cybersecurity Framework

Jun 1, 2018 in Newsletter

The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) has released version 1.1 of its “Framework for Improving Critical Infrastructure Cybersecurity”, more widely known as the Cybersecurity Framework.

You can download the 44-page “Framework for Improving Critical Infrastructure Cybersecurity” at this NIST web page.

The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state, and local governments.

Version 1.1 includes updates on authentication and identity, self-assessment of cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.

The five Framework Core Functions are:

Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.

Examples of outcome Categories within this Function include: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.

Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

Respond – Develop and implement appropriate activities to act regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.

Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.

The Framework is adaptive, providing a flexible, risk-based implementation that can be used with a broad array of cybersecurity risk management processes. As examples of such processes, it cites the ISO 31000 standard on risk management and the ISO 27005 guidelines for information security risk management.

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment, and collaboration.

ISO 14000 Standards

Jun 1, 2018 in Newsletter

The ISO 14000 family of standards provides practical tools for companies and organizations of all kinds looking to manage their environmental responsibilities.

The standards listed below that are under development use the following terms to indicate their status:

NP = New Project

AWI = Approved Work Item

WD = Working Document

CD = Committee Draft

DIS = Draft International Standard

FDIS = Final Draft International Standard

You can read about these standards and order the published versions at www.iso.org.

We offer public courses: ISO 14001:2015 Requirements (2 days), ISO 14001:2015 Internal Auditor (3 days), and ISO 14001:2015 Lead Auditor (4 days), as well as special onsite courses: ISO 14001:2015 Requirements (1 day) and ISO 14001:2015 Internal Auditor (2 days).

Environmental Management Systems

ISO 14001:2015
Environmental management systems – Requirements with guidance for use

ISO/AWI 14002-1:201x
Environmental management systems – Guidelines for applying the ISO 14001 framework to environmental aspects and environmental conditions by environmental topic areas – Part 1: General

ISO 14004:2016
Environmental management systems – General guidelines on principles, systems and support techniques

ISO 14005:2010
Environmental management systems – Guidelines for the phased implementation of an environmental management system, including the use of environmental performance evaluation

ISO/DIS 14005:201x
Environmental management systems – Guidelines for a flexible approach to phased implementation evaluation

ISO 14006:2011
Environmental management systems – Guidelines for incorporating ecodesign

ISO/CD 14006:201x
Environmental management systems – Guidelines for incorporating ecodesign

ISO/CD 14007:201x
Environmental management – Determining environmental costs and benefits – Guidance

ISO/DIS 14008:201x
Monetary valuation of environmental impacts and related environmental aspects – Principles, requirements and guidelines

ISO/WD 14009:201x
Environmental management systems – Guidelines for incorporating redesign of products and components to improve material circulation

Environmental Management

ISO 14050:2009
Environmental management – Vocabulary

ISO 14051:2011
Environmental management – Material flow cost accounting – General framework

ISO 14052:2017
Environmental management – Material flow cost accounting – Guidance for practical implementation in a supply chain

ISO 14055-1:2017
Environmental management – Guidelines for establishing good practices for combatting land degradation and desertification – Part 1: Good practices framework

ISO/TR 14062:2002
Environmental management – Integrating environmental aspects into product design and development

Environmental Auditing and Related Environmental Investigations

ISO 14015:2001
Environmental management – Environmental assessment of sites and organizations

ISO/CD 14016:201x
Environmental management – Guidelines on assurance of environmental reports

Environmental Labeling

ISO 14020:2000
Environmental labels and declarations – General principles

ISO 14021:2016
Environmental labels and declarations – Self-declared environmental claims (Type II environmental labelling)

ISO 14024:2018
Environmental labels and declarations – Type I environmental labelling – Principles and procedures

ISO 14025:2006
Environmental labels and declarations – Type III environmental declarations – Principles and procedures

ISO 14026:2017
Environmental labels and declarations – Principles, requirements and guidelines for communication of footprint information

ISO/TS 14027:2017
Environmental labels and declarations – Development of product category rules

Environmental Performance Evaluation

ISO/AWI 14030-1:201x
Green bonds – Environmental performance of nominated projects and assets

ISO 14031:2013
Environmental management – Environmental performance evaluation – Guidelines

ISO/TS 14033:2012
Environmental management – Quantitative environmental information – Guidelines and examples

ISO/DIS 14033:201x
Environmental management – Quantitative environmental information – Guidelines and examples

ISO 14034:2016
Environmental management – Environmental technology verification

ISO 14063:2006
Environmental management – Environmental communication – Guidelines and examples

ISO/CD 14063:201x
Environmental management – Environmental communication – Guidelines and examples

Life Cycle Assessment

ISO 14040:2006
Environmental management – Life cycle assessment – Principles and framework

ISO 14044:2006
Environmental management – Life cycle assessment – Requirements and guidelines

ISO 14045:2012
Environmental management – Eco-efficiency assessment of product systems – Principles, requirements and guidelines

ISO 14046:2014
Environmental management – Water footprint – Principles, requirements and guidelines

ISO/TR 14047:2012
Environmental management – Life cycle assessment – Illustrative examples on how to apply ISO 14044 to impact assessment situations

ISO/TS 14048:2002
Environmental management – Life cycle assessment – Data documentation format

ISO/TR 14049:2013
Environmental management – Life cycle assessment – Illustrative examples on how to apply ISO 14044 to goal and scope definition and inventory analysis

ISO/TS 14071:2014
Environmental management – Life cycle assessment – Critical review processes and reviewer competencies: Additional requirements and guidelines to ISO 14044:2006

ISO/TS 14072:2014
Environmental management – Life cycle assessment – Requirements and guidelines for organizational life cycle assessment

ISO/TR 14073:2017
Environmental management – Water footprint – Illustrative examples on how to apply ISO 14046

Greenhouse Gas Management and Related Activities

ISO 14064-1:2006
Greenhouse gases – Part 1: Specification with guidance at the organization level for quantification and reporting of greenhouse gas emissions and removals

ISO/DIS 14064-1:201x
Greenhouse gases – Part 1: Specification with guidance at the organization level for quantification and reporting of greenhouse gas emissions and removals

ISO 14064-2:2006
Greenhouse gases – Part 2: Specification with guidance at the project level for quantification, monitoring and reporting of greenhouse gas emission reductions or removal enhancements

ISO/DIS 14064-2:201x
Greenhouse gases – Part 2: Specification with guidance at the project level for quantification, monitoring and reporting of greenhouse gas emission reductions or removal enhancements

ISO 14064-3:2006
Greenhouse gases – Part 3: Specification with guidance for the validation and verification of greenhouse gas assertions

ISO/DIS 14064-3:201x
Greenhouse gases – Part 3: Specification with guidance for the verification and validation of greenhouse gas statements

ISO 14065:2013
Greenhouse gases – Requirements for greenhouse gas validation and verification bodies for use in accreditation or other forms of recognition

ISO/CD 14065:201x
Greenhouse gases – Requirements for greenhouse gas validation and verification bodies for use in accreditation or other forms of recognition

ISO 14066:2011
Greenhouse gases – Competence requirements for greenhouse gas validation teams and verification teams

ISO/FDIS 14067:201x
Greenhouse gases – Carbon footprint of products – Requirements and guidelines for quantification and communication

ISO/TR 14069:2013
Greenhouse gases – Quantification and reporting of greenhouse gas emissions for organizations – Guidance for the application of ISO 14064-1

ISO/FDIS 14080:201x
Greenhouse gas management and related activities – Framework and principles for methodologies on climate actions

ISO/DIS 14090:201x
Adaptation to climate change – Principles, requirements and guidelines

ISO/WD 14091:201x
Adaptation to climate change – Vulnerability, impacts and risk assessment

ISO/AWI TS 14092:201x
GHG Management & related activities: requirement & guidance of adaptation planning for organizations including local governments and communities

ISO/NP 14097:201x
Framework and principles for assessing and reporting investments and financing activities related to climate change

Leadership Principle

Jun 1, 2018 in Newsletter

Leadership is one of the quality management principles defined in ISO 9000:2015, the Fundamentals and Vocabulary standard. The seven quality management principles are:

1. customer focus;
2. leadership;
3. engagement of people;
4. process approach;
5. improvement;
6. evidence-based decision making;
7. relationship management.

Leadership

Leaders establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives.

Rationale

Creation of unity of purpose, and the direction and engagement of people, enable an organization to align its strategies, policies, processes and resources to achieve objectives.

Benefits

Potential leadership benefits include:

  • increased effectiveness and efficiency in meeting the organization’s quality objectives;
  • better coordination of the organization’s processes;
  • improved communication between levels and functions of the organization;
  • development and improvement of the capability of the organization and its people to deliver desired results.

Actions

Possible leadership actions include:

  • communicate the organization’s mission, vision, strategy, policies and processes;
  • create and sustain shared values, fairness, and ethical models for behavior;
  • establish a culture of trust and integrity;
  • encourage an organization-wide commitment to quality;
  • ensure that leaders at all levels are positive examples to people in the organization;
  • provide people with required resources, training, and authority to act with accountability;
  • inspire, encourage, and recognize the contribution of people.

Leadership Requirements

Jun 1, 2018 in Newsletter

ISO 9001:2015, clause 5.1, states that top management must demonstrate leadership and commitment with respect to the quality management system.

Top management is defined in ISO 9000:2015 as the person (or group of people) who directs and controls an organization at the highest level. Top management has the power to delegate authority and provide resources within the organization.

We should remember that a manager administers, controls, and directs, while a leader influences, motivates, and inspires trust.

The sub-clauses of clause 5.1.1 state that top management must demonstrate their leadership and commitment by:

a) taking accountability for the effectiveness of the quality management system;

This means to be responsible for its activities, be able to explain its results, and be answerable for the expected results. Although some responsibilities and authorities may be delegated, top management remains accountable.

b) ensuring that the quality policy and quality objectives are established for the quality management system and are compatible with the context and strategic direction of the organization;

The quality policy and quality objectives may be established or reviewed during meetings of top management, such as those for strategic planning or management review purposes.

c) ensuring the integration of the quality management system requirements into the organization’s business processes;

In other words, the processes necessary to address the requirements should be integrated and managed within the overall business processes, and not treated as add-on or conflicting activities.

d) promoting the use of the process approach and risk-based thinking;
 
For example, ensure the effective interaction between processes, with a systematic approach designed to achieve effective flow of inputs and outputs and cooperation in addressing risks and opportunities.

e) ensuring that the resources needed for the quality management system are available;

This will require monitoring the current and projected workload and schedules to ensure that adequate resources (e.g., persons, funding, tools, and equipment) are provided when and where needed.

f) communicating the importance of effective quality management and of conforming to the quality management system requirements;

The value and benefits of the quality management system, and adhering to its requirements, can be communicated through internal meetings, email, personal discussions, organizational intranet, etc.

g) ensuring that the quality management system achieves its intended results;

An organization can do this by monitoring the system outputs, and at times, taking actions to correct or improve the system or its component processes. Top management should ensure that whatever actions are needed are properly assigned and resourced.

h) engaging, directing and supporting persons to contribute to the effectiveness of the quality management system;

Communicate with employees to encourage them to contribute to the system results. Top managers can serve as the champions of projects when improvements are needed, and encourage employees and others to participate as members of improvement teams.

i) promoting improvement;

Ensure that information and recommendations from management reviews, audits, and other evaluations are provided to the responsible persons for improvement considerations. Also, provide feedback to employees on the value and benefits of enacted improvements.

j) supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

This activity could include mentoring and supporting other managers to make specific decisions which may help the organization conform better to requirements, or to drive improvements.

IATF 16949:2016

The automotive quality standard, IATF 16949:2016, uses ISO 9001:2015 as the base for its requirements, but adds the following Leadership requirements:

Corporate Responsibility
Top management must define and implement corporate responsibility policies, including at a minimum an anti-bribery policy, employee code of conduct, and ethics escalation policy (whistle-blowing policy).

Process Effectiveness and Efficiency
Top management must review product realization processes and support processes to evaluate and improve their effectiveness and efficiency. Include results of the process review activities as input to the management review.

Process Owners
Top management must identify process owners who are responsible for managing the processes and related outputs. Process owners must understand their roles and be competent to perform those roles.

Organizations using ISO 9001:2015 should consider adding these extra policies for their quality management system.

Customer Focus

Jun 1, 2018 in Newsletter

ISO 9001:2015, clause 5.1, Leadership and Commitment, includes requirements in sub-clause 5.1.2 for Customer Focus. It states that top management must demonstrate leadership and commitment with respect to customer focus by ensuring that:

a) customer and applicable statutory and regulatory requirements are determined, understood and consistently met;

b) the risks and opportunities that can affect conformity of products and services and the ability to enhance customer satisfaction are determined and addressed;

c) the focus on enhancing customer satisfaction is maintained.

The aerospace quality standard, AS9100:2016, is based on ISO 9001:2015 and adds an additional customer focus requirement:

d) product and service conformity and on-time delivery performance are measured, and appropriate action is taken if planned results are not, or will not be, achieved.

According to ISO/TS 9002:2016, the intent of the “customer focus” sub-clause is to ensure that top management visibly demonstrates leadership and commitment in maintaining the organization’s focus on meeting customer requirements and enhancing customer satisfaction.

Customers are generally the people or organizations that purchase the organization’s products and services. However, individuals or organizations such as citizens, clients, patients, and students can also be the recipients of the organization’s products and services.

Top management needs to ensure that effective processes are in place to determine customer requirements and legal requirements related to the organization’s products and services, and that these requirements are understood. A focus on delivery performance and customer complaints can provide insights into the actions that might be needed to achieve or improve customer satisfaction.

Top management needs to ensure that actions are implemented to address risks and opportunities, so that expected results are consistently achieved. If not, then a Plan-Do-Check-Act approach should be followed to ensure that responsibilities are assigned for implementing further improvements, until customer needs and expectations are achieved.

Top management can focus on enhancing customer satisfaction by using the results of analysis and evaluation of customer satisfaction data. Using this analysis, top management may direct a change in the customer-related processes and the operations of the organization, including the allocation of resources.