Good quality passwords

One of the key control objectives under ISO 27001 is a user’s responsibility to prevent unauthorised access to systems that could compromise information, enable the information to be stolen or cause the facility holding the information to be compromised.

One of the key safeguards is good security practice in the selection and use of passwords.

Information processing systems should encourage the use of good quality passwords by:

  1. Asking employees to sign an agreement to keep their passwords confidential and including this within their conditions of employment
  2. Providing users with an initial secure temporary password that they are forced to change on first use
  3. Verifying the user’s identity before providing, in a secure manner, a new password
  4. Enforcing the use of “good quality passwords” – see below
  5. Enforcing password changes (after a set period of time, for example)
  6. Preventing re-use of previously used passwords

Good quality passwords are:

  1. Easy to remember
  2. Not easily guessable (not based on your name, telephone number, date of birth)
  3. Not in the dictionary
  4. Not made up of consecutive identical, all-numeric or all-alphabetic characters (not “abc123”, “123456” or “abcdef”)

This advice for choosing a memorable password would be a good start.
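The rules above are easy to state but are only useful if the system actually enforces them at the point a password is set. The following is an added example, not code from the original post: a checker that applies each of the four quality rules (personal details, dictionary words, all-numeric or all-alphabetic strings, runs of identical or sequential characters) and also implements the "prevent re-use" safeguard from the earlier list by comparing the candidate against a history of salted PBKDF2 hashes rather than against stored plaintext. The word list, the minimum length of 8, the PBKDF2 work factor and all sample data are constructed assumptions; the post specifies none of them.

```python
"""Password quality and re-use checks (added example, not from the original post).

The dictionary, minimum length, PBKDF2 work factor and sample data below are
constructed assumptions; the post itself specifies none of them.
"""
import hashlib
import hmac
import os
import re

# Constructed stand-in for a dictionary / common-password list; a real
# deployment would load a large list from disk.
DICTIONARY = {"password", "welcome", "letmein", "summer", "monkey", "dragon"}
MIN_LENGTH = 8               # assumed; the post gives no minimum length
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored history hashes


def _has_identical_run(pw, length=3):
    """True if one character repeats `length` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def _has_sequential_run(pw, length=3):
    """True if `length` consecutive characters step by exactly +1 or -1 in
    code-point order, which catches 'abc', '123' and 'cba'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _personal_fragments(item):
    """Pieces of a personal detail (name, phone, date of birth) that must not
    appear in the password: words, digit groups, and all digits run together."""
    low = item.lower()
    frags = set(re.findall(r"[a-z]+|\d+", low))
    frags.add(re.sub(r"\D", "", low))
    return sorted(f for f in frags if len(f) >= 3)


def check_quality(pw, personal_info=()):
    """Return the list of rule violations for pw; an empty list means it passes."""
    problems = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    for item in personal_info:
        for frag in _personal_fragments(item):
            if frag in lower:
                problems.append("based on personal information (%r)" % frag)
    if lower in DICTIONARY:
        problems.append("dictionary word")
    if pw.isdigit():
        problems.append("all numeric")
    if pw.isalpha():
        problems.append("all alphabetic")
    if _has_identical_run(pw):
        problems.append("run of identical characters")
    if _has_sequential_run(pw):
        problems.append("sequential characters (e.g. abc or 123)")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of pw, the form kept in the password history.
    Returns (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def was_used_before(pw, history):
    """True if pw matches any (salt, digest) pair in the user's history. Keeping
    hashes rather than old passwords stops the history itself leaking credentials."""
    for salt, digest in history:
        _, candidate = hash_password(pw, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(pw, personal_info=(), history=()):
    """Full policy check: the quality rules plus re-use of a previous password."""
    problems = check_quality(pw, personal_info)
    if was_used_before(pw, history):
        problems.append("previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample data for a fictitious user.
    personal = ["John Smith", "0117 496 0123", "1985-03-12"]
    history = [hash_password("OldPassw0rd!x")]
    for candidate in ["abc123", "123456", "abcdef", "Smith#9qz7Wp",
                      "OldPassw0rd!x", "Tr0ub4dor&3"]:
        result = evaluate(candidate, personal, history)
        print("%-15s %s" % (candidate, "OK" if not result else "; ".join(result)))
```

Run as a script it reports, for each constructed candidate, every rule it breaks rather than stopping at the first, which is what a user-facing password form needs in order to explain a rejection. The history check deliberately recomputes the hash with each stored salt, so an old password can be recognised without the system ever keeping it in clear.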

Manuals and the Management System Standards

The requirement for a “Quality Manual” from ISO 9001 is a long-standing one from BS 5750 (the precursor to ISO 9001) and was typically a large document (“never mind the quality – feel the width”).

The current version of ISO 9001 still requires a “Quality Manual” as one of its documentation requirements but states that it needs (only) to include:

  • The scope of the QMS
  • The documented procedures established for the QMS or reference to them
  • A description of the interaction between the processes of the QMS

At its simplest this could be a sentence or two covering the scope, a list of procedures, and a system diagram or flowchart of the QMS processes.

ISO 14001 does not specify a manual but also requires documentation covering:

  • The scope of the EMS
  • The documented procedures established for the EMS or reference to them
  • A description of the interaction between the processes of the EMS

BS OHSAS 18001 again does not specify a manual but requires the same three elements to be documented:

  • The scope of the OH&S management system
  • The documented procedures established for the OH&S management system or reference to them
  • A description of the interaction between the processes of the OH&S management system

In summary then, none of these three standards require “manuals” in the physical sense but all three require key elements of each management system to be documented. None of these documents need be large and it should be possible to cover all three requirements in each case in a few pages.

Note that certification bodies sometimes expand the requirements of the standards to suit their own purposes and make their auditing and assessment easier but there is no foundation for this in the basic standards.

ISO is aiming to “standardise” the management standards over the next few years and I expect that the requirement in ISO 9001 for a “Quality Manual” will disappear and the standard will simply ask for the three elements as do the other standards. 

Integrating your management systems

As organisations adopt more formal management system standards (such as ISO 9001, ISO 14001, ISO/IEC 27001 and ISO/IEC 20000) these are frequently implemented as standalone systems.

However, there are 6 common elements in these management system standards that can be managed as an integrated management system across all these standards (including ISO 22000 and OHSAS 18001 as well) to the benefit of the whole organisation.

These common elements are:

  1. Policy
  2. Planning
  3. Implementation and operation
  4. Performance assessment
  5. Improvement, and
  6. Management review

Although each standard has its own specific requirements that need to be addressed, these six elements are present in all the above management system standards. ISO is working, through its ISO Guide 72, to ensure not only that these elements exist in all management system standards, but that they have the same clause numbers in each standard.

PAS 99:2006 Specification of common management system requirements as a framework for integration has been produced to help organisations benefit from consolidating the common requirements. If your organisation has adopted, or is adopting, more than one of these standards, the use of this integrated approach can reduce duplication and complexity and make internal and external audits more effective and efficient.

ISO 9001:2015

This may be a bit of a surprise when we’re just getting used to ISO 9001:2008 but the next version of ISO 9001 is now being considered and it’s likely to be 2015 before it’s published.

The committee responsible for ISO 9001 is in the early stages of working out what changes need to be made in the next version of the standard. The first version of ISO 9001 (1987 version) took 7 years to develop. The 1994 edition took another seven years and the major revision ISO 9001:2000 took 6 years. The 2008 version, which had only minor changes, took another 8 years (though that was more to allow the 2000 version to settle rather than the scale of changes in ISO 9001:2008).

The next version could therefore be as early as 2013 but 2015 seems more likely.

One of the difficulties to be faced in the next version is the increase in the number of “management system standards”. ISO 9001 was the first but was followed by others such as ISO 14001 for environment management systems. ISO has stated that all management system standards need to be aligned to the extent that they have as far as possible identical clause titles, sequence of clauses, definitions and as much identical text as feasible.

This drive for commonality amongst the management system standards may detract from the need to include new ideas in ISO 9001. One of the criteria for developing ISO 9001:2000 was that no “new” requirements were added – it was more of a structural change. So many of the concepts in ISO 9001:2000 and the 2008 edition are unchanged from the 1994 version, and if the next version doesn’t appear until 2015 and no new concepts are introduced, it will contain concepts that are over 20 years old!

In the post about David Hoyle’s ISO 9000 Quality Systems Handbook, I mentioned that the book is openly critical of ISO 9001’s inconsistencies. So, despite the fact that ISO 9001 has become a worldwide baseline for quality management, there are lots of improvements that could be made.

For example, the purpose of ISO 9001 is still largely misunderstood. It is not a “model quality management system”. Too many organisations, and the consultants that advise them, seem to think that paraphrasing the ISO 9001 standard is the correct way to document a quality management system. ISO 9001 is a list of the requirements that a quality management system shall meet to enable it to be assessed. It is not a documented quality management system (that’s just one of the requirements to be met).

Another improvement would be to deal with the challenge that ISO 9001 stifles innovation by placing a greater emphasis on compliance than on improvement.

How can you influence what goes in the next version of ISO 9001? Get in touch with your national standards body – the British Standards Institution in the UK – or email the UK representative on the ISO committee Charles.Corrie@BSI-global.com

ISO 9000 Quality Systems Handbook

The latest edition of the ISO 9000 Quality Systems Handbook is the sixth revision of this excellent book by David Hoyle.

It has been updated to cover the changes in ISO 9001:2008 that I have already covered in this blog.

In my view, this is all you need to understand and apply ISO 9000 to your business whether it’s in pursuit of ISO 9001:2008 certification or just business improvement in general. Of course, if you’re a quality consultant and auditor like me you’ll find this weighty tome invaluable.

David’s style, and approach in general to the ISO 9000 series, has always been constructive but direct. If he thinks the standard is unclear or ambiguous, as it is in many places, he says so, why he thinks so, and how best to deal with these failings. In this edition he has even considered the views of John Seddon, a long-time critic of ISO 9001 (see his book The Case Against ISO 9000).

The ISO 9000 Quality Systems Handbook now has a new structure.

Part 1 Before You Start puts the ISO 9000 family of standards into context, defines quality and why it is important to organisations. It introduces the management principles on which the standards are based. There is a whole chapter on stakeholders, the importance of whom will become much more apparent when the new version of ISO 9004 is available. This part ends with a practical guide to the use of the ISO 9000 family of standards.

Part 2 Approaches to Achieving, Sustaining and Improving Quality covers six different approaches to getting to the level of quality that will lead to sustained success, the benefits and drawbacks of each approach.

Parts 3, 4, 5, 6 and 7 deal with Complying with ISO 9001 Sections Requirements. These are the sections most people will turn to who are trying to achieve ISO 9001 certification. It’s a little bit odd that David couldn’t have put another Part in front of these so that they were numbered the same as the ISO 9001 sections! Each requirement is explained in terms of What Does This Mean?, Why Is This Necessary? and How Is This Demonstrated?, so that you not only get to know what the standard says but why it says it and what you need to do to comply with it.

Part 8 System Assessment Certification and Continuing Development provides tools to help you prepare for assessment, how assessments are conducted and how to progress beyond ISO 9001 certification.

It remains to be seen what the effect of the new version of ISO 9004 will be (called ISO 9004:2009 though it’s struggling not to become ISO 9004:2010!). In the meantime, beyond obtaining copies of ISO 9000:2005 and ISO 9001:2008, this is the only other publication you might need.

BS EN 16001 Energy Management

BSI is adding to the range of standards you can be certified to by releasing BS EN 16001 Energy Management Systems.

This standard recognises that businesses need to become more energy efficient to be competitive.

This new standard, which follows the Plan, Do, Check, Act approach of previous management standards, such as BS EN ISO 9001, BS EN ISO 14001, and more recently BS EN 12001, provides:

  • A structured approach to identifying your energy-related assets
  • A framework for controlling, monitoring and measuring your energy consumption
  • A means to identify opportunities to cut energy costs and increase energy efficiency

The standard defines the requirements of an energy management system (EnMS).

BS EN 16001 can help you to:

  • Reduce operating costs by controlling in-house energy costs
  • Improve your reputation by demonstrating that you are controlling greenhouse gas emissions
  • Deal with the growing amount of legislation including the Carbon Reduction Commitment which becomes mandatory in April 2010 for organisations using more than 6,000 MWh/yr

An energy management system, designed around BS EN 16001, will help to embed best practice energy management into normal operations, everyday decisions and behaviour.

BS EN 16001 can be obtained from the BSI Shop priced £100 (£50 to BSI Members).

There is also a companion guide BIP 2187:2009 Energy Management Principles and Practice providing expert insights on implementing BS EN 16001 and having an effective energy management system in place. This is £30 (no discount for BSI Members) and offers a practical and easy to follow introduction to the technical considerations, human factors and management aspects of energy saving in commerce, industry and the public sector.

ISO 9004:2009

The latest draft of ISO 9004 has received broad approval and the final draft of this International Standard (FDIS) is due to be released at the end of August 2009 with the publication of the revised standard in October or November 2009.

ISO 9004 has a new title “Managing for the sustained success of an organisation – A quality management approach” and is shorter than its predecessor, ISO 9004:2000 at 44 pages compared to 56. This reduction is in part due to the removal of the ISO 9001 text that appeared at the start of each section. Although ISO 9001 and ISO 9004 are still “a consistent pair” of standards, ISO 9004 no longer has the same clause by clause naming as ISO 9001. This helps to emphasise that it is not a guide to ISO 9001.

The contents of ISO 9004 (at the draft stage) are:

1. Scope
2. Normative references
3. Terms and definitions
4. Managing for the sustained success of an organisation
5. Strategy and policy formulation, planning and deployment
6. Resource management
7. Process management
8. Monitoring, measurement, analysis and review
9. Improvement, innovation and learning
Annex A – Self-assessment tool
Annex B – Quality management principles
Annex C – Correspondence between ISO 9004:2009 and ISO 9001:2008

Bibliography

The aim of ISO 9004 is to help users of ISO 9001 to obtain long-term benefit from a broader, in-depth, quality management system (QMS) based on their existing QMS. It uses the same quality management principles as ISO 9001. It is not to be used for assessment or certification purposes.

ISO 9001 focusses on customers. ISO 9004 extends the focus to include all interested parties including society, suppliers, employees and shareholders.

One of the main areas of comment on the ISO 9004 draft has been the relationship between the main body of the standard and the guidance on self-assessment in the annex. This self-assessment is based around 5 maturity levels (now, where have we come across that before?):

  1. Beginner – focus is on products, processes are ad-hoc, results not predictable, improvement actions forced by customers
  2. Proactive – QMS implemented, corrective and preventive actions well-organised
  3. Flexible – process management implemented, predictable results, strategy focussed on customers and some other stakeholders
  4. Progressive – balanced focus on all stakeholders, consistent positive results, continual improvement based on learning and sharing of knowledge
  5. Successful – capable of maintaining good performance over time and developing further in the long term

From this it would seem that an organisation that has just been certified to ISO 9001 would not be higher than Level 2.

In addition to the ISO 9004 standard, a guide to this self-assessment tool is being produced along with an implementation guide for ISO 9004:2009.

When the final draft International Standard (FDIS) is available further detail will be provided.

Preventive Action, Corrective Action and Correction

What’s the difference between corrective action and preventive action? Are separate procedures required by ISO 9001?

The corrective action process is a problem-solving process and the preventive action process is a risk-analysis process.

Corrective action

Corrective action is defined in ISO 9000 as “action taken to eliminate the cause of a detected nonconformity or other undesirable potential situation” and notes that corrective action is taken to prevent recurrence. ISO 9000 also points out that corrective action differs from correction which is defined in ISO 9000 as “action to eliminate a detected nonconformity”. Put simply, if something has gone wrong then the action you take to fix that instance is correction. For example, if a part comes off the production line with a screw missing, then putting the missing screw back is correction. The action you take to stop it happening again is corrective action. Using the same example, making sure the correct number of screws are supplied for each part would be corrective action. It gets confusing when that is referred to as preventing a recurrence. In ISO 9000 terminology that action is not preventive.

Correction

There has to be a problem for you to take corrective action. If no problem exists but there is a possibility that a problem might occur, preventing that potential problem is preventive action.

Preventive action

Preventive action is defined in ISO 9000 as “action taken to eliminate the potential causes of a nonconformity or other undesirable potential situation”. ISO 9000 distinguishes preventive action from corrective action by noting that “preventive action is taken to prevent occurrence” as opposed to recurrence which characterises corrective action. In the example used above, planning the production of the part to ensure that all the screws are fitted would be preventive action.

A risk management process is a good example of preventive action. Assessing the impact and likelihood of a risk occurring and taking action to prevent occurrence is preventive action.

Other examples of methods for identifying potential nonconformities are:

  • trend analysis for process and product characteristics (where a worsening trend indicates a potential problem)
  • monitoring of customer feedback
  • evaluation of problems in similar processes or products
  • planning of new processes and products

Procedure Requirements

Note that in the above discussion, reference is made to ISO 9000 and not ISO 9001. ISO 9000 contains the concepts and terminology on which ISO 9001 is based and is essential reading to gain a full understanding of ISO 9001.

On the question of procedures, ISO 9001:2008 makes it clear that a procedure is required for corrective action and also a procedure is required for preventive action. But there is no stipulation that these should be separate documents (see the NOTE 1 under 4.2.1 in the standard). However, the combination of a corrective action procedure and a preventive action procedure into a single document is not recommended as it then becomes more difficult to clearly separate the two distinctly different approaches. You may also find it difficult to demonstrate to an external assessor that the processes are separate and that you actually perform both types of action.

BS 10012:2009 Data Protection – Specification for a Personal Information Management System

The Data Protection Act applies to any organisation in the UK that holds personal information about living individuals. Compliance with the Data Protection Act is required by law and this standard will help you demonstrate compliance.

The BS 10012 standard:

  • provides a framework for developing an infrastructure to maintain and improve compliance
  • allows you to assess your current level of compliance, recognise weaknesses and provide opportunities for improvement
  • enables effective assessment of compliance by internal auditors and external assessors

This is provided in a straightforward format following the management system style of “plan-do-check-act”, also known as the Deming cycle, used in ISO 9001, ISO 14001, ISO 27001, etc.

The standard is available in hardcopy and PDF download for £100 (or £50 for BSI members) from BSI.

BSI also publish a simple guide to the Data Protection Act – Data Protection Pocket Guide – Essential Facts at Your Fingertips.

ISO 9001:2008

The fourth edition of the ISO 9001 standard “ISO 9001:2008 Quality Management Systems – Requirements” was published in November 2008.

This was a minor amendment rather than a revision and was meant to clarify the standard to address feedback on the use of the standard over the eight years since the major revision in ISO 9001:2000.

The amendments include:

  • 0.1, 1.1, 1.2 The term “regulatory” in relation to requirements has been changed to “statutory and regulatory”.
  • 0.2 The term “identify” has been changed to “determine” implying that rather than just recognising and establishing something, a degree of reason needs to be applied and a decision reached.
  • 4.1 The requirement to “measure” in subclause e) has been changed to “measure (where applicable)”. Some organisations believed they needed to measure every process.
  • 4.1 The reference to outsourced processes also now requires them to be “defined” and not just “identified”. In the Notes it is now made clear that processes need to include those for analysis and improvement. Also in the Notes it is made clear that an outsourced process is one that is needed for the organisation’s quality management system but the organisation has decided to have it performed by an external party. A new note identifies the factors that influence the control of an outsourced process. All these changes require much more careful thought about outsourcing. 7.4.1 is equally applicable to outsourcing.
  • 4.2 A note has been added to say that more than one procedure requirement may be covered in a single document. For example, the separate requirements for a procedure for corrective action and a procedure for preventive action may be met in a single document. The ISO 9001 requirement for six procedures does not mean six documents.
  • 4.2.3 Subclause f) has been amended to make it clear that only those external documents needed for the planning and operation of the quality management system need to be identified and controlled – not all external documents.
  • 5.5.2 The management representative must be a member of the organisation’s own management. Some organisations outsourced this role to a different organisation or to a quality consultant. This is now not allowed.
  • 6.2.1 A clarification has been made to the effect that anyone performing work that impinges on product requirements needs to be competent. The implication before was that only quality control and quality assurance staff needed to be competent.
  • 7.1 Measurement has been added as a required activity in the planning of product realisation. A new note aims to ensure that organisations take full account of post-delivery activities in product realisation.
  • 7.3.3 A new note reminds organisations that in considering design and development output, the product packaging needs to be considered.
  • 7.6 A new note explains that confirmation of software used in monitoring and measuring would include verification and configuration management.
  • 8.2.1 A new note has been added to illustrate some of the ways of monitoring customer satisfaction other than carrying out customer satisfaction surveys which were often seen as the only way of meeting this requirement.
  • 8.2.2 The requirement is to keep records throughout the audit and not just the report produced at the end of the audit. The need to apply immediate correction of any nonconformity is made clear in addition to any corrective action to be taken later.
  • 8.2.3 The monitoring and measurement of processes needs to be appropriate to the process, the impact on requirements, and the effectiveness of the quality management system. Again, not just measurement for measurement’s sake.
  • 8.2.4 Evidence of release of product is required only when it is released to the customer – not at each stage of the process leading up to delivery.
  • 8.3 It is now made clear that one or more of the four ways of dealing with a nonconformity can be used as applicable. This section is worth re-reading as the text has been reorganised to make its intent clearer. In particular the requirement for dealing with rework is clarified.
  • 8.5.2 and 8.5.3 It is now clear that the effectiveness of corrective and preventive action needs to be verified and not just that actions have been taken.

Annex A has been brought up to date to reference ISO 14001:2004. Annex B now shows the correspondence of ISO 9001:2008 with ISO 9001:2000 rather than with ISO 9001:1994 as this is no longer relevant.

The list of standards in the Bibliography has been brought up to date.

Many sections of the 2000 version remain unchanged in the 2008 amendment including:

  • 4.2.2 Quality manual
  • 5.1 Management commitment
  • 5.2 Customer focus
  • 5.3 Quality policy
  • 5.4 Planning
  • 5.5.1 Responsibility and authority
  • 5.5.3 Internal communication
  • 5.6 Management review
  • 6.1 Provision of resources
  • 7.2.3 Customer communication
  • 7.3.4 Design and development review
  • 7.3.5 Design and development verification
  • 7.3.6 Design and development validation
  • 7.3.7 Control of design and development changes
  • 7.4 Purchasing
  • 8.5.1 Continual improvement

Organisations with ISO 9001:2000 certificates need to be compliant with ISO 9001:2008 by December 31st, 2009. You should contact your certification body to help with this. In most cases they will audit you against the new version of the standard at your next surveillance visit.

If you would like your quality management system assessed against ISO 9001:2008 please leave a comment below and we will get in touch. Please also get in touch via a comment below if you require further information on any of the changes in ISO 9001:2008.