Posts by admin




Implementing ISO 27001 starts with a Senior Management Team (SMT) that is committed to the goals of the Information Security Management System (ISMS) and agrees that it benefits the organization. Those benefits may include an enhanced market position, a lower risk of business disruption, and improved compliance with legal and regulatory requirements.

For employees, however, a new system or practice introduced into the workplace can be perceived as additional tasks to complete and as a hindrance to their daily routine. The term internal buy-in means the willingness of employees to accept the changes introduced by management. A lack of internal buy-in is a key cause of failure when a new system is put in place.

Benefits of internal buy-in 

Demonstrating what employees stand to gain from the change is key to a successful transition. Outlining the benefits, which include greater stability for the organization and less disruption to the business, makes it easier for employees to accept the changes an Information Security Management System requires instead of resisting them. Employees who understand the benefits are also easier to manage during the transitional phase.

How to obtain a universal buy-in within your organization

Change is difficult to implement; management must therefore take sufficient steps to ensure the transition proceeds as smoothly as possible. Providing lectures, training, and seminars on how employees benefit from the introduction of ISO 27001 is a good start. Giving employees room to voice concerns and questions, and answering them, creates an honest and transparent environment in which they are more likely to trust the change. Involving employees, as well as the management team, in developing the system lets them contribute information and raise concerns, and familiarizes them with both the initial and the gradual changes throughout the process. Adding lighter content, such as trivia or games, can also create a relaxed environment in which people become comfortable with the changes.

Provide employees reasons to participate

Employees must be an important part of the process, because members need to buy in for the implementation to take full effect. That is why employees should know the possible consequences of not participating. Note that there is a difference between a scare tactic and clearly stated guidelines and expectations. Defining disciplinary procedures for non-compliance, ensuring that staff understand the guidelines involved, and communicating clearly what is expected of them will help your organization achieve the best results.

Setting an example

Embedding an ISMS in an organization's day-to-day operations is an important part of growth and improvement. Senior management must take the lead by following the changes and guidelines themselves. If managers fail to comply, whether by forgetting or by treating the new requirements as a cumbersome hindrance to everyday work, it signals to employees that the changes are not taken seriously even at the managerial level. Leading by example is the remedy. Ways to set a positive example include having senior management keep a constant line of communication open, involving management as early as possible in the process, and training managers on how to demonstrate discipline throughout the implementation.

Through proper communication with employees, leading by example from senior management, and drawing up clear and definitive expectations for everyone involved, the likelihood of buy-in increases significantly. Remember that all members of the organization must take part for the changes to fully set in. This means creating an environment that includes employees in the transition rather than simply issuing orders. Securing buy-in increases the chances of implementing an effective and comprehensive Information Security Management System.


ISO standards can seem confusing to the common reader. There are thousands of standards, and it can be a burden to distinguish one from another. Here we explain the functions and purpose of the ISO 9000 family, starting with ISO 9001, the standard that sets out the requirements for a Quality Management System (QMS).

The ISO 9000 standards focus on quality management and are developed and maintained by a large number of organizations and experts from both the public and private sectors. They were created to help organizations regardless of size or industry. When implemented correctly, the ISO 9000 family helps companies to be better managed, more efficient in their work, and more customer-focused.

The ISO 9000 family of standards has been based around eight Quality Management Principles (note that the 2015 edition of ISO 9000 consolidated these into seven, merging the process approach and the system approach to management):

  1. Customer focus
  2. Leadership
  3. Involvement of people
  4. Process approach
  5. System approach to management
  6. Continual improvement
  7. Factual approach to decision making
  8. Mutually beneficial supplier relationships

The ISO 9000 family includes a multitude of standards. Among them is ISO 9000 itself, which sets the foundation by providing the fundamentals and vocabulary for quality management systems. The remaining standards cover a variety of specific topics, including documentation, training management and supervision, and other performance improvements an organization may need.

ISO 9001, on the other hand, sets out the requirements of a Quality Management System. Anyone in the organization responsible for the QMS who is unfamiliar with these standards should receive ISO 9000 training. This ensures that everyone who governs the system has a sufficient grasp of the topics at hand.

Definition of ISO 9001

ISO 9001 is the standard that sets out the requirements an organization must meet in order to have a conforming Quality Management System. It is of prime importance because it is the only standard in the ISO 9000 family against which organizations can be certified.

The current edition is ISO 9001:2015, where 2015 is the year of the most recent revision. It provides a framework for managing an organization's processes, ensuring a systematic approach to achieving consistency and meeting customer requirements. The organization's ability to comply with applicable laws and regulations is addressed as part of this process.

Is there a need to use the other ISO 9000 standards?

Many organizations use only ISO 9001, because it is effective on its own, especially when combined with third-party certification. That said, using the rest of the standards in the family can still help, particularly for organizations that want to get the most out of their Quality Management System.

ISO 9004 is a guidance standard intended to help organizations extend the benefits of ISO 9001 to all stakeholders, contributing to sustained success. With its methods you can assess the satisfaction of everyone involved, from customers and employees to suppliers and other groups. These aspects need to be checked rigorously in order to see improvement and growth.


ISO 9001 shares its structure with ISO 14001, the Environmental Management standard. Both are designed to be compatible with the other ISO management system standards, which makes the pair an excellent way for organizations to expand their management systems.


If your company is in the process of becoming certified to ISO 9001:2015, you are probably wondering, "What do we need to do to ensure we are prepared?" There is no worse feeling than being caught unprepared in the middle of an audit, especially an ISO certification audit. Consistent planning and preparation ensure you are never caught unaware, but the fact remains that ISO 9001:2015 introduces a number of new requirements. Below, we cover some of the most frequently asked questions organizations have when preparing for an ISO 9001:2015 audit.

What is context of your organization all about?

This question is the starting point of ISO 9001:2015 and appears in clause 4.1. The standard uses the term "context", but this translates easily to "business environment". Quite simply, it asks you to understand the environment in which your organization operates and to identify the internal and external influences on it. Questions about context are usually directed at top management and the team responsible for the QMS. The auditor will look for a clear examination of the forces at work within and around the organization. Some organizations use a SWOT analysis (strengths, weaknesses, opportunities, and threats) to get a handle on this, but it is not a requirement. What is learned here is a key input to the risk analysis.

Who are your interested parties and what are their requirements? 

This question relates to clause 4.2 and checks that organizations understand who can affect or be affected by the organization and who has requirements of it. The term "interested parties" could also be read as "stakeholders". The auditor will check that a reasonable range of interested parties has been identified, along with their corresponding requirements.

These first two requirements lead into the main requirements surrounding risk in clause 6 – Planning.

What risks and opportunities have been identified in relation to the above, and what are you doing about them? 

Risks and opportunities could accurately be called the foundation of ISO 9001:2015. No fewer than 13 other clauses refer to risks and opportunities, making this the most "connected" section of the standard. If an organization does a poor job of identifying risks and opportunities, the QMS cannot be effective.

How are you working to achieve your quality objectives?

Measurable quality objectives are not new to ISO 9001. What is new is the requirement to plan actions to make them happen. The plans are intended to be specific and actionable, addressing actions, resources, responsibilities, timeframes, and evaluation of results.

How has the QMS been integrated into the organization’s business processes? 

This question is asked directly of top management (see clause 5.1.1 c), since they have overall responsibility for ensuring this integration happens. ISO 9001 is becoming a more strategic management system. It is not only about making sure products or services meet requirements; it is about managing every aspect of the business using risk-based thinking and continual improvement.

How do you capture and use organizational knowledge?

ISO 9001:2015 wants organizations to learn from their experiences, both good and bad. This could be handled by a variety of means: project debriefs, exit interviews, staff meetings, customer reviews and feedback, examination of data, lessons learned logs. How the organization captures knowledge is up to them, but the process should be clear and functional. The knowledge should also be maintained and accessible. These should be documented in a way that your institution could create its own “Knowledge Base”.

These are some of the most frequently asked questions when preparing for an ISO 9001:2015 audit. We hope this has given you a clearer understanding of how to use the standard to ensure a successful outcome for your organization.

ISO 27001 vs. ISO 27002

When organizations decide to implement an Information Security Management System, they often wonder what the difference is between ISO 27001 and ISO 27002. Put simply, ISO 27001 holds the requirements for the Information Security Management System, and ISO 27002 gives guidelines and best practices for organizations that are becoming certified or implementing their own security processes and controls.

ISO 27000 is a series of international standards all related to information security. ISO 27001 has an organizational focus and details the requirements against which an organization's ISMS (Information Security Management System) can be audited. Because ISO 27001 is a management system standard, it establishes specific requirements against which an organization can be certified by an accredited third-party registrar. An organization that wants to certify its ISMS needs to comply with all of the requirements in ISO 27001.

ISO 27002, on the other hand, focuses on specific examples and guidelines and provides a code of practice for use by people within an organization. You cannot be certified against ISO 27002 because it is not a management system standard.

Instead, it was established as a set of guidelines and principles for initiating, implementing, maintaining and improving information security management within an organization. The controls it describes are selected and applied according to the results of a formal risk assessment. The standard provides guidance for developing organizational security standards and effective security management practices, which helps build confidence in inter-organizational activities.

There are more than a dozen other standards in the ISO 27000 series, all designed to help organizations secure their information. These include ISO 27005, for organizations looking for more detail on how to carry out risk assessment and risk treatment, and ISO 27004, which provides guidelines to help organizations with the monitoring, measurement, analysis and evaluation of their information security performance and the effectiveness of their ISMS.

Every standard in the ISO 27000 series is designed with a particular focus in mind, but if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001. ISO 27002 is designed as a tool to help organizations implement ISO 27001, or to help organizations that want to implement their own guidelines and controls for information security.

What Does Schedule 16 of Bill 70 Really Mean for Companies in Ontario?

On 8 December 2016, Schedule 16 of Bill 70, the Building Ontario Up for Everyone Act (Budget Measures), 2016, received Royal Assent, and its amendments to the Occupational Health and Safety Act came into effect:

Schedule 16 – Occupational Health and Safety Act – says:

“The Schedule amends the Occupational Health and Safety Act to give the Chief Prevention Officer the power to accredit health and safety management systems, and to give recognition to employers who use accredited health and safety management systems. The Chief Prevention Officer may also establish standards and criteria that must be met by health and safety management systems or employers in order to receive accreditation or recognition. Related amendments are also made.”

What Schedule 16 Means

In a nutshell, this means that once the CPO (Chief Prevention Officer) has defined the requirements for an accredited health and safety management system under Bill 70, companies will be able to become certified to that system. Certified companies that can demonstrate their commitment to using a coordinated system to improve their OHS management could then benefit from measures such as reduced routine inspections by the Ministry of Labour (MOL).

In addition, the CPO will need to put in place a program that recognizes and incentivizes companies to become certified. Details of those companies and their performance could then be made publicly available through the CPO.

Currently the CPO has not yet released any standards for accredited health and safety management systems and has said that they will be holding an “extensive consultation” to develop an “accreditation standard and employer recognition program”. Until the CPO actually defines the standards for accredited health and safety systems, the changes implemented by this act will have no real effect on anyone.

ISO 45001 as a Framework for OHS Standards in Ontario

Of course, an international standard is on the verge of release should the CPO want to use the framework provided by ISO. The new standard, ISO 45001 Occupational health and safety management systems – Requirements, will follow a framework similar to that of ISO 9001 and ISO 14001, giving companies a standard against which they can be certified by a third party. This new worldwide standard will hopefully become available towards the end of 2017.

Assuming that this will meet the expectations of the CPO and interested parties then this would be a perfect way for companies to start putting in place processes, procedures, and other measures to drive continuous improvement in occupational health and safety.


Documented Information for ISO 9001:2015

As we move into the final months for transitioning to ISO 9001:2015, many companies are still asking what documentation is required. With the 2008 release, most companies were comfortable with the six mandatory procedures expected of them, along with the need for a quality policy and a quality manual. The 2015 update, however, removed the requirement for a quality manual and blurred the distinction between procedures and records.

In the new release, both documents and records are termed "documented information" and must be controlled, maintained and retained. This is what forms the evidence that you conform to the requirements of your quality management system.

Clause 4.4 of ISO 9001 requires your organization to maintain the documented information needed to support the operation of its processes, and to retain the documented information needed to have confidence that those processes are being carried out as planned.

So what is required by the standard?

The following is a clause-by-clause breakdown of what is required by the standard. However, some of these clauses can be excluded if the company does not perform the relevant processes:

Mandatory records:

  • – Monitoring and measuring equipment calibration records
  • 7.2 – Records of training, skills, experience and qualifications
  • – Product/service requirements review records
  • 8.3.2 – Record about design and development outputs review
  • 8.3.3 – Records about design and development inputs
  • 8.3.4 – Records of design and development controls
  • 8.3.5 – Records of design and development outputs
  • 8.3.6 – Design and development changes records
  • 8.5.1 – Characteristics of product to be produced and service to be provided
  • 8.5.3 – Records about customer property
  • 8.5.6 – Production/service provision change control records
  • 8.6 – Record of conformity of product/service with acceptance criteria
  • 8.7.2 – Record of nonconforming outputs
  • 9.1.1 – Monitoring and measurement results
  • 9.2 – Internal audit program
  • 9.2 – Results of internal audits
  • 9.3 – Results of the management review
  • 10.2 – Records of nonconformities and the results of corrective actions

Other Mandatory Documents:

  • 4.3 – Scope of the QMS
  • 5.2 – Quality policy
  • 6.2 – Quality objectives
  • 8.4.1 – Criteria for evaluation and selection of suppliers

So what does this mean?

You should still tailor your quality management system to the requirements of your own business and of all interested parties. This can be done in any way your organization sees fit, although a quality manual remains one of the easiest methods. As long as these processes and their associated records can be shown to meet the requirements of ISO 9001:2015 effectively, that is fine. If not, take the relevant action to ensure that all of the required clauses are covered.


Even if you already have an informal quality management system in your business, implementing the requirements of ISO 9001:2015 is often difficult. Depending on the size of your business and the state of your current systems, it may take six to twelve months to complete. It is vital that your staff are fully trained and engaged for the implementation to succeed. The following 10 tips are vital to implementing an ISO 9001 management system smoothly and effectively:

  1. Get senior management commitment. While this may sound a little clichéd, without the full commitment of your management team throughout the business it is going to be very difficult to drive home the changes and improvements that are required.
  2. Provide training at all levels in the business. Your staff need to understand not only the requirements of ISO 9001 but also the quality principles they should strive to apply in their everyday work. Training should be provided on an ongoing basis according to perceived needs.
  3. Ensure that you have effective internal communication. Without it you will not be able to maintain the constancy of purpose that is required.
  4. Establish an implementation team with the authority to make things happen. You cannot implement an ISO 9001 management system by assigning a management representative and expecting them to do everything in isolation. Identify the staff at all levels of the business who will be needed to craft your system.
  5. Conduct a gap analysis. You need to understand fully where your current system meets or fails to meet the expectations of ISO 9001:2015 so that you can allocate resources accordingly.
  6. Involve customers and suppliers in analyzing your current systems. It is important to understand how others view the effectiveness of what you currently do and what they expect from you in order to improve.
  7. Plan your implementation fully: responsibilities, roles and schedule. As with any project, the better you plan it, the more likely you are to succeed.
  8. Create clear and concise quality policies and objectives to give the company a common direction. Well communicated and understood, these will help your company move forward together.
  9. Encourage everyone to question and improve. It is not enough to have only auditors looking for issues with the system; everyone should continually seek better ways to do things.
  10. Conduct regular reviews of your ISO 9001 management system through your auditing process to ensure that you are continually improving how your systems function.

In addition to the above, foster a good relationship with your certification body. Your auditor is not there to catch you out. They will want to help you to develop and grow a system that will significantly benefit your business, so use them fully.

Lean System

Introduction to the Lean System

As with anything in life, you will get as much out of your ISO 9001 management system as you put into it. If you treat it as a documentation requirement and a burden on your business, undertaken just to get certified, you are unlikely to see any real benefits; in fact, you may even stifle your own growth.

The aim of any ISO 9001 QMS is to enhance the quality of your business's products or services by standardizing and continually improving all of your business processes. This in turn helps you increase productivity and drive out waste of all forms within your business.

Why Use Lean System with ISO 9001?

ISO 9001 outlines what is required for a certifiable QMS. If you read ISO 9004, however, you will see that it suggests a great deal more than the minimum ISO 9001 requires. Aiming merely for what the standard requires in order to achieve certification will not help you improve your business in a way that helps it grow.

A QMS should always put the customer first, not the standard. It should also be put in place to continually improve the business and its output. Both of these are also provided by implementing a Lean system.

Lean Manufacturing grew out of what is known as the Toyota Production System (TPS), and is credited with much of Toyota's rise in the world automotive market. In its simplest form, Lean is just another QMS: when you implement Lean you put in place the controls and systems to give the customer exactly what they want, where they want it, when they want it, in the right quantity, without waste or delays.

Lean provides a host of tools, from 5S, which helps you set up a highly visual, organized and efficient workspace, through to continuous improvement techniques such as Kaizen. Lean fits naturally within any ISO 9001 QMS and can only help you further improve and grow your business using proven tools and techniques.

Top 5 Tips for Effective Procedures

An ISO 9001 quality management system relies on documented procedures to prevent nonconformances and to guarantee that specific jobs and processes are carried out correctly.

When writing effective procedures, it is essential to take the following into account:

1. Identify what type of procedure or document needs to be developed.


Different documents are essential in a QMS, and each type of procedure or document has a specific role and objective. Some of the most commonly used documents in an ISO 9001 QMS are:

  • Manuals: define the general aspects of business management (for example, the Quality Management Manual).
  • Operating procedures: explain how an activity or process unfolds. Usually the most common documents.
  • Technical notes and instructions: further develop the content of an activity. They are mainly focused on fieldwork.
  • Guides: similar to procedures and technical notes, with the proviso that they are non-binding guidance.

2. Know in detail the structure of a procedure or document.

Organizations need to define a structure and a standard way of writing procedures in order to guarantee that they are written consistently. Knowing the structure makes it easier to gather the essential information needed to write an effective procedure.

The structure may vary from organization to organization; however, a structure that many organizations use is provided below:

  • Cover page: the first page of the procedure usually includes the title, code, date of writing, version (or revision) number, table of contents, total number of pages, and the names and signatures of the people who prepared, reviewed and approved it.
  • Purpose and Scope: Describes a summary of the purpose and content of the procedure.
  • References: documents that have influenced the development of the procedure are listed.
  • Definitions: technical words that are used in the content of the procedure.
  • Responsibilities: list of individuals or departments responsible for carrying out the activities described in the procedure.
  • Development (or description): describe in detail the activity performed.
  • Annexes: everything that is considered important but that takes up too much space to include it in the description section (tables, drawings, diagrams).

3. Review the document with the people that will use it.

For a procedure or any other document to be effective, it must be understood by the people who will ultimately use it. That is why those people should review the document at different stages of its development. Effective procedures have been reviewed directly by the people who will use them most.

4. Consider different people’s views and perspectives.

A procedure should not be developed from the view or information of just one person. Most processes or activities that need to be documented can be complex, and different perspectives enrich the procedure. Effective procedures take multiple views into account.


5. Make it simple.

Procedures should not be difficult to read. On the contrary, they must be clear and concise. Sentences should be as short as possible so that the procedure is comprehensible and easy to read. If procedures are never read or understood by the intended audience, they are unlikely to serve as an effective tool in any process. Effective procedures need to be readable by everyone involved in the process.



ISO 9001 and ISO 9004 are complementary standards whose implementation aims to ensure quality and improved performance in any organization. Both can be implemented independently or simultaneously; however, the most common scenario is for organizations to implement ISO 9001 first and later use ISO 9004 to improve their processes and obtain long-term benefit from a broader Quality Management System.

The two standards are similar in structure and terminology to allow easy integration. They are also based on the same quality management principles, so once an organization has successfully implemented ISO 9001, it is relatively simple to integrate ISO 9004 and achieve improved performance.

The best way to integrate these complementary standards is by doing the following:

Organizations need to identify and rank their quality needs, with the most basic needs, which address the ISO 9001 requirements, at the bottom and the needs for improved performance at the top. After identifying and ranking these needs, organizations work up from ISO 9001 to ISO 9004 one step at a time.


One of the basic needs that should be addressed is the effectiveness of the quality management system, which includes areas such as

  1. meeting customer requirements;
  2. prevention of customer dissatisfaction;
  3. recalls and defects; and
  4. the production of safe products.


Once the effectiveness of the system has been addressed, efficiency should be addressed next. Here the focus should be

  1. the efficient use of resources;
  2. the reduction of material costs;
  3. the decrease of cycle times; and
  4. the increase of the organization's productivity.

Competitive Advantage

Achieving competitive advantage should be the last need addressed; here it is essential to focus on delighting customers, increasing market share and increasing profitability.

This process is continuous, because an organization can never neglect its basic needs in order to address its top ones. It must constantly work on meeting all of them, and ISO 9004 gives guidance on how to achieve this continually improved performance.

Before attempting to integrate ISO 9001 and ISO 9004, it is essential to fully understand them both; although they complement each other, they have different roles and different approaches. Each has a role to play in providing value to any organization that embraces them both to improve its quality management system and achieve long-term success.