Whittington & Associates Newsletter

Sign up for our monthly email newsletter to get the latest guidance on ISO 9001, AS9100, ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards, as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics for future issues, please let us know.

ISO 9001:2015 Classes in Orlando

May 1, 2017 in Newsletter

Larry Whittington will be the instructor for these ISO 9001:2015 classes in Orlando, Florida:

ISO 9001:2015 Requirements
June 5-6, 2017
September 18-19, 2017

ISO 9001:2015 Internal Auditor
June 5-7, 2017
September 18-20, 2017

ISO 9001:2015 Lead Auditor
June 5-8, 2017
September 18-21, 2017

Click on one of the course titles above to view its course description and enroll in a class.

If you have questions about the training, or the registration process, please call 770-862-1766.

Nokia Threat Intelligence Report

May 1, 2017 in Newsletter

The Nokia Threat Intelligence Report examines the trends for malware infections in devices connected through mobile and fixed networks. The key findings are summarized below.

Mobile Networks

The overall monthly smart phone infection rate averaged 0.90 percent in the second half of 2016. This is up 83 percent from the first half of 2016. Smart phone infections accounted for 85 percent of infections detected in mobile networks.

The infection rate in mobile networks rose steadily throughout 2016, reaching a new high of 1.35 percent of devices in the month of October. Android continues to be the main mobile platform targeted with 81 percent of all smartphone infections.

Windows/PC systems connected to the mobile network using dongles or tethered through phones accounted for 15 percent of the infections. iPhones accounted for 4 percent of the infections.

Fixed Residential Networks

Residential infection rates dropped throughout 2015. There was an upward trend in the first half of 2016 due to a resurgence in moderate threat level adware activity. This, however, dropped off in the second half of 2016 and the downward trend in moderate threat level adware activity continued.

The overall residential infection rate dropped to nine percent in December 2016. The infection rate for high threat level malware such as bots, rootkits, keyloggers, ransomware, and banking Trojans has remained stable at about six percent for some time, and closed out the year at 4.56 percent in December.

This downward trend in the residential infection rates, combined with the upward movement in mobile networks, strongly suggests an overall movement of cybercrime activity to the mobile environment.

Conclusion

The infection rate in mobile networks rose steadily throughout 2016, reaching a new high of 1.35 percent of devices in the month of October. The overall monthly infection rate averaged 1.08 percent in the second half of 2016. This is up 63 percent from the first half of 2016.

In addition, smart phone infections accounted for 85 percent of the infections detected in the mobile network and the overall monthly smart phone infection rate averaged 0.90 percent, representing an 83 percent increase over the first half of 2016.

From these trends, Nokia says that cybercrime is moving to the mobile space and that smart phones are becoming the target of choice. To read the full Nokia Threat Intelligence Report, click on this web page.

Management Review Template

May 1, 2017 in Newsletter

The main sections of the template are Attendees, Topics, and Minutes. The names of the regular Attendees are listed and you click on the box next to their name to indicate their attendance.

All the required Topics are listed with clickable boxes to indicate which topics were covered at the meeting. The Minutes section includes all the review inputs with space for recording the minutes and decisions. Each topic has fields for New Action, Assigned To, and Due Date.

The special section for the “status of actions from prior reviews” includes clickable boxes for Completed, Open, and Overdue. It has space for describing the action taken, plus fields for Assigned To, Original Due Date, and New Due Date.

The remainder of this article describes the Management Review requirements of ISO 9001:2015 and identifies the changes from ISO 9001:2008.

9.3 Management Review

9.3.1 General

Review the quality management system (QMS) at planned intervals to ensure a suitable, adequate, and effective QMS and alignment with the strategic direction of the organization.

9.3.2 Management Review Inputs

Plan and carry out the management review considering:

a. status of actions from previous management reviews;
b. changes in external and internal issues relevant to QMS;
c. information on performance and effectiveness of the QMS, including trends in:

1. customer satisfaction and feedback from relevant interested parties;
2. extent to which quality objectives have been met;
3. process performance and product and service conformity;
4. nonconformities and corrective actions;
5. monitoring and measurement results;
6. audit results;
7. performance of external providers;

d. adequacy of resources;
e. effectiveness of actions taken to address risks and opportunities (see 6.1);
f. opportunities for improvement.

9.3.3 Management Review Outputs

Outputs from the management review must include decisions and actions related to:

a. opportunities for improvement;
b. any need for changes to the QMS;
c. resource needs.

Retain documented information as evidence of the results of management reviews.

Changes from ISO 9001:2008

  • Replaces old clause 5.6 on management review
  • Moves follow-up actions to top of review inputs
  • Adds review of issues and strategic direction
  • Adds focus on resources, performance, and trends
  • Adds input on actions to address risks
  • Adds specific “input” topic for quality objectives
  • Drops reference to preventive action
  • Revises customer feedback to be customer satisfaction
  • Adds feedback from relevant interested parties
  • Evidence now “results of” not “records from” review

ISMS Guidance in ISO 27003:2017

May 1, 2017 in Newsletter

ISO 27003:2017, Information technology – Security techniques – Information security management systems – Guidance, has been published. It replaces ISO 27003:2010.

The main changes in the second edition of ISO 27003 are:

1. The scope and title have been changed to cover the explanation of, and guidance on, the requirements of ISO 27001:2013 instead of those in ISO 27001:2005;

2. The structure is now aligned to the structure of ISO 27001:2013 to make it easier for ISO 27003:2017 to be used together with ISO 27001:2013;

3. The previous edition had a project approach with a sequence of activities. This edition instead provides guidance on the requirements regardless of the order in which they are implemented.

ISO 27003:2017 provides guidance on the requirements for an information security management system (ISMS) as specified in ISO 27001:2013 and provides recommendations (should), possibilities (can), and permissions (may) related to the requirements.

Clauses 4 through 10 of ISO 27003:2017 mirror the structure of ISO 27001:2013 and do not add any new requirements for an ISMS and its related terms and definitions. You should refer to ISO 27001:2013 for requirements and ISO 27000:2016 for definitions.

ISO 27003:2017 is generic and intended to be applicable to all organizations, regardless of type, size, or nature. You should identify which part of its guidance applies in accordance with your specific organizational context (see ISO 27001:2013, clause 4).

For example, some guidance can be more suited to large organizations, but for very small organizations (e.g. those with fewer than 10 persons) some of the guidance can be unnecessary or inappropriate.

The descriptions of Clauses 4 through 10 are structured as follows:

Required activity: presents key activities required in the corresponding sub-clause of ISO 27001:2013;

Explanation: explains what the requirements of ISO 27001:2013 imply;

Guidance: provides more detailed or supportive information to implement “required activity” including examples for implementation; and

Other information: provides further information that can be considered.

Ordering Information:

ISO 27003:2017 can be ordered from ISO at this web page for about $158. It can also be ordered from ANSI at this web page for $185 (or $148 for members).

Gap Analysis Checklists

May 1, 2017 in Newsletter

Larry Whittington has developed ISO 9001:2015 and ISO 14001:2015 checklists for the purpose of conducting a gap analysis of your current system against the new and changed requirements of the new standards.

ISO 9001:2015 Gap Analysis Checklist

The 27-page ISO 9001:2015 Gap Analysis Checklist contains 313 questions for organizations new to ISO 9001, and 119 delta questions for ISO 9001:2008 certified organizations.

To read a description of the ISO 9001:2015 Gap Analysis Checklist, and see a sample page, go to this web page. You can buy the checklist for $95.

ISO 14001:2015 Gap Analysis Checklist

The 17-page ISO 14001:2015 Gap Analysis Checklist contains 213 questions for organizations new to ISO 14001, and 96 delta questions for ISO 14001:2004 certified organizations.

To read a description of the ISO 14001:2015 Gap Analysis Checklist, and see a sample page, go to this web page. You can buy the checklist for $95.

Payment

When you click the Buy Now button at the checklist description, you will be taken to PayPal. You do not need a PayPal account to make a credit card purchase. After payment, you will be directed to a checklist download page. The file is supplied in Word format for ease of editing.