
ISO Update aims to provide information, resources, and updates around the Standards and Certification industry. We believe that organizational standards can help businesses of all shapes and sizes become more efficient and successful on a local, federal, or global scale.

ISO 8501

The overall quality and durability of paint coatings are affected by the condition of the substrate they are applied to. This is especially true of steel. The surface needs to be prepared thoroughly beforehand and, in the case of steel, which commonly suffers from corrosion and rusting, the surface preparation varies with the grade of rust, the type of paint selected, the exposure of the finished product and any environmental concerns.

Some widespread methods of surface preparation (used before, or even without, coating) are dry blast cleaning, power tool or hand cleaning, degreasing, and water jetting. All these treatments have their own pros and cons and need to be selected carefully after a suitable assessment of the existing condition of the steel substrate they will be used on.

Some notable factors to consider are rust and mill scale grades, the surface profile, and the presence of contaminants such as oil, water, dust and grease. Identifying the different rust grades and the preparation they call for can be quite arduous, so the ISO 8501 standard was created to act as a guide throughout the process.

What is ISO 8501?

ISO 8501 was published in 1988 as a combination of content from other standards such as the Swedish Standard SIS 055900 and the German DIN 55928. ISO 8501 is meant to be a pictorial guide to the different rust grades at various levels of cleanliness, supplemented by written descriptions. It is a method of making visual assessments of the rust grade and the cleanliness of steel surfaces, and it helps determine the paint coats and systems to be used on the substrate. It also ranks the cleaning processes in order of increasing work required:

  • Light Blast Cleaning
  • Thorough Blast Cleaning
  • Blast Cleaning to Visually Clean Steel

What does it consist of?

The standard is divided into 4 parts.

ISO 8501-1 – Covers the different rust grades and the preparation grades of uncoated steel substrates and of steel substrates after overall removal of previous coatings.

This part of ISO 8501 identifies the 4 rust grades most commonly found on uncoated or stored steel surfaces. Specifically, the descriptions of rust refer to these 4 types (note that mill scale refers to the flaky, bluish layer on hot-rolled steel surfaces that is meant to protect against corrosion):

  • A steel surface largely covered with adhering mill scale and with little, if any, rust (slight cracks within the mill scale are possible).
  • A steel surface which has begun to rust and from which the adhering mill scale has begun to flake, or which shows large cracks that have allowed corrosion to start.
  • A steel surface on which the mill scale has rusted away or can be scraped off (it is severely weakened), but with only slight pitting visible under normal vision (pitting is a localized form of corrosion in which holes start appearing in the metal surface).
  • A steel surface on which the mill scale has almost entirely rusted away and on which general pitting is clearly visible under normal vision.

ISO 8501-1 also identifies cleanliness grades (preparation grades) for comparison purposes after you have finished preparing an uncoated surface or removing previous coatings from a surface.

Three preparation grades are identified and related to the cleaning method used, which is one of:

  • Blast Cleaning – light, thorough or very thorough blast cleaning, or cleaning to visually clean steel
  • Hand and Power Tool Cleaning
  • Flame Cleaning (rarely used)

ISO 8501-2 – Focuses on steel substrates after localized removal of their previous paint coatings, and on the preparation processes and grades that apply to them.

This part of the standard is based on the experience that complete removal of previous paint coatings is not always necessary, practical or economical. This holds true especially when regular maintenance is already being carried out and efforts need to be focused on specific areas exposed to a particular pollutant or rust stimulant.

ISO 8501-3 – Deals specifically with surface ‘imperfections’ such as edges and welds, and the preparation grades for them.

ISO 8501-4 – Deals with pre-project surface conditions, and relevant preparation grades and flash rust grades for high-pressure water jetting.

To summarize, ISO 8501 is a detailed and helpful guide to identifying the various rust grades and levels of cleanliness of steel substrates.

For a more in-depth look into ISO 8501, read TQC Sheen’s PDF on the standard and its history.

ISO Benefits Your Business

Standards, certification, testing and inspection help businesses reduce costs, increase productivity and access new markets. ISO 9001 certification aims at continual improvement based on a system of constant feedback and action, which works with your company’s goals and mission to help you achieve its objectives and targets. But how does ISO 9001 certification benefit your business goals?

Improve Company Performance through Improved Operational and Product Quality and Consistency

Consistency means decreased variation in operations and, consequently, in your product. Deviations from desired results should prompt upper management to ask not just what went wrong, but how their process allowed the mistake to be made. With a properly implemented management system, steps and controls are in place to prevent such occurrences. Implemented correctly, your management system should allow seamless production and effective practices that reduce downtime and confusion and prevent non-conforming products from reaching the customer.

Consider your quality management processes the well-built foundation on which your business is built and grows. Controls are built upon objectives, data metrics, and procedure flexibility; the interaction of all these variables should contribute to a well-established Quality Management System, which should, in turn, improve the quality and consistency of the product.

Interested in learning about real-world applications and successes of ISO Certifications? Read these Case Studies on Improving Company Performance through ISO Standards

Expanding Market Opportunities and Customer Base through Improved Overall Quality of Products and Services

Your organization is constantly striving to improve its processes, adapting to an ever-changing global landscape and increasing international competition. Implementing ISO 9001 provides your organization with a guideline for success and with measures to report against to prove your growth. Using a process approach to business, ISO 9001 enables your organization to focus on quality and consistency in its outputs while decreasing waste and increasing efficiency. Reducing or eliminating variation and improving consistency results in more efficient procedures that are less wasteful than their predecessors. In a case study from Shogyo International, the company leveraged its management system and ISO 9001 to qualify for projects it previously could not bid on and to eliminate tedious practices such as lengthy questionnaires. It also gained understanding, specifically with regard to nonconformities: when a customer requests corrective action, it now knows what process to follow. ISO 9001 also allowed Shogyo to gain better control of its vendors’ nonconformities, which in turn allowed it to track and monitor trends.

Shogyo International predicted that this increase in market potential and decrease in inefficient practices would result in over $200k in increased sales volume. “Given the reduction in their employees spending less time filling out long questionnaires during bids, they are already saving about $6,000 per year, enabling the business to recover their investment in ISO 9001 certification in less than 2 years.” – Source

Interested in learning more about real-world applications and successes of ISO Certifications? Read these Case Studies on Expanding Market Opportunities through ISO Standards

Better Understand Production Procedure

ISO 9001 requires your organization to document its processes in detail and effectively, to identify the external factors that affect them, and to define appropriate courses of action or metrics. With increased attention to procedures, best practices, and improvement, organizations using ISO 9001 see dramatic increases in their understanding of their processes, in the effectiveness of those processes, and in how to improve them.

Using ISO 55001, one organization improved its risk management and reliability, with work delivered more efficiently towards higher ‘risk to operations’ activities, reducing reactive work by nearly 40%. The organization put more focus on continuous improvement activities, enabling even more benefits to be realized, and saw a 41% reliability improvement over 36 months with its certification. – Source

“Conformity assessment has a range of strands, all of which contribute to giving people confidence and assurance in using and buying products and services. These strands include testing, inspection, certification and accreditation.” – Source

They can help to:

  • Build customer confidence that your products are safe and reliable;
  • Meet regulation requirements, at a lower cost;
  • Reduce costs across all aspects of your business; and
  • Gain market access across the world.

If you are interested in learning about how ISO 9001 can help your organization, speak to a local industry professional today:

Find a Consultant

Find a Registrar

ISO 13485

What is ISO 13485?

Developed specifically for the manufacture of medical devices, ISO 13485’s primary objective is to facilitate harmonized regulatory requirements for medical devices across the industry. It contains a comprehensive list of requirements meant to guide organizations that belong to the pharmaceutical supply chain, referencing specific requirements for the manufacture, installation and servicing of supplies. Its applicability is broadened by the fact that it is useful to companies operating in any tier of the industry, with a special focus on organizations that service medical device manufacturers.

Although it is based on ISO 9001, ISO 13485 shifts the focus from continual improvement to meeting regulatory requirements and managing risk. The system aligns its requirements with those of the FDA and other regulators, which provides a framework that can be extended with further regulatory and customer requirements.

Why is it important?

The requirements of ISO 13485 are flexible enough to apply to any organization within the production line, regardless of its size. These organizations may be involved in design, production, distribution or servicing, or may be external suppliers. ISO 13485 establishes specific requirements for organizations to follow so that they can meet customer and regulatory requirements.

Because of its versatility and reach within the market, ISO 13485 has become a staple necessity for organizations in the market, especially competitive ones.

How do you become certified?

Becoming certified to ISO 13485 involves developing a management system based on the standard’s requirements, customized to your company, and then hiring a recognized third party to conduct regular audits.

Your management system development process must revolve around your product policy and quality manual; these set the basis for implementing the system. Beginning with management support and identification of the customer requirements for the management system, you define your quality policy, objectives, and manual, which together determine the scope and extent of the implementation.

Additional processes and procedures – including the mandatory ones – need to be created to ensure efficient delivery of products and services. For this, consult the list of mandatory documents required by ISO 13485:2016.

Once all of this is in place, your management system will need to operate for a period to collect the records and documentation required for the audits and system reviews that lead to certification. The length of this period is set by your certification body.

Steps to Get Certified:

Internal audit – The ideal opportunity to check that all records are in place and to verify that all processes of the management system are being followed and that there is full compliance. It also serves as an opportunity to investigate potential issues and threats and to rectify them before a third-party audit. For this reason, the internal audit needs to be followed up with a Management Review.

Management review – A formal review conducted by management to go over the management system processes in detail, make appropriate decisions and plans, and assign resources accordingly. Key variables need to be examined in light of the internal audit results, and action plans must be created and implemented within a reasonable timeframe. These new procedures must be communicated to all relevant parties before they are put in place.

Corrective procedures – Any non-compliances or opportunities for improvement identified during the internal audit need to be resolved, with procedures set in place to ensure this. Documentation, procedures and results shall be kept for the third-party certification auditor’s review.


After these actions have been performed, the organization begins the certification process, which is divided into 2 stages: Documentation Review (Stage 1) and Certification Audit (Stage 2).

Documentation Review – Auditors from the selected certification body review all company documentation to ensure it meets the requirements of the standard.

Certification Audit – The certification body conducts a comprehensive audit of your organization to assess whether your activities conform to ISO 13485 and to your own documentation.

If your certification body is satisfied with the results, your company becomes certified after these steps.

Texas Quality Assurance Blog

by Kyle Chambers of Texas Quality Assurance

Competence, Training, Awareness… Organizational Knowledge too?

Compared to the ISO 9001:2008 standard, the requirement in ISO 9001:2015 is weighted more heavily towards competence. In facilities where competence is often based on compliance with a WPS or on ASNT training, alongside common in-house training such as Control of Nonconforming Outputs, some simple systems are required to identify and track these records effectively.

By using the method detailed in this post, you will be able to develop a complete, comprehensive and well-executed Competence, Training and Awareness program.

Organizational Knowledge | ISO 9001 7.1.6

The ISO 9001:2015 requirements concerning Competence, Training and Awareness technically start at clause 7.2 Competence. However, their roots go back to 7.1.6 Organizational Knowledge and further still to 5.2.1 Establishing the Quality Policy and 5.2.2 Communicating the Quality Policy. Much rests on the awareness described in 5.2.2, yet little is said about what that awareness, or any evaluation of it, should or should not look like. We will explore some methods below. Next, we jump forward to 7.1.6 for Organizational Knowledge. Organizational knowledge comes in a variety of forms. Some of it is documented, such as intellectual property (generally documented information for specs and manuals). Other forms are undocumented, such as lessons learned and other knowledge gained from experience. Somehow, we have to ensure the appropriate people have access to this organizational knowledge, and this is often not in the documented manner we might have used under the previous 9001:2008 edition of the standard. Under the previous standard, we could easily have concluded that a metallurgist with 10 years’ experience must account for his skills and abilities in a matrix, with documentation required for each new method, “tip or trick” developed in his department. Today, under ISO 9001:2015, we have to ensure everyone has access to such information and can “tell the same story”.

Competence | ISO 9001 7.2

The 2015 edition of the standard is well developed in that one section rolls into the next. Much, though not all, of what can be considered organizational knowledge can be evaluated as part of job descriptions, offer letters, cross-training reports, and annual evaluations. It is at these junctures that appropriate documented information can be obtained to demonstrate base competence for a particular job without the need for lengthier processes. By using these methods, and keeping organizational knowledge in mind, we are able to quickly meet letters a) “determine the necessary competence of person(s)”, b) “ensure that these persons are competent on the basis of appropriate education, [not yet on ‘training’], or experience;”, and much of d) “retain appropriate documented information”.

Training (the missing clause) and The Matrix

Clause 7.2 Competence, letters b) and c), makes it necessary for most (nearly all) organizations to have an official training program. One such method is outlined below.

The training matrix is a simple list that identifies the following:

  1. Training/competence by title, e.g. Orientation, WPS-XYZ, Control of Nonconformities Process, ASNT UT Level II, etc.
  2. Departments/job titles that require it
  3. Retraining/recertification frequency
  4. Type of training (Dem, Comp, Aware) – see below

Dem – Demonstrated Competency training requires a hands-on demonstration, e.g. qualification to a WPS or an ASNT certification.

Comp – Competence training requires a test or a simple evaluation of understanding, e.g. of the nonconformities process.

Aware – Awareness-only training requires no more documentation than a sign-in sheet for the training event.

Training Records

Each training record should directly reference the individual training title, the employee, and the date the training was taken.

Follow-up Actions

Follow-up actions can be tough to identify and account for. Without a Learning Management Tool in place, a simple monthly or even quarterly review is sufficient. In this case, it is my recommendation that you add an extra value to your training matrix, the “retrain date”. Then a simple filter or query for dates less than or equal to today (or some interval of days in the future) will quickly and easily tell you who is due for training.

About the Author

Kyle studied at the University of Houston in the Architecture program for some time and graduated with a degree in Management Information Systems. Soon he began work with a gas turbine repair company as the systems administrator. Having worked himself out of a job as the local systems administrator within a year, he was placed in charge of facilitating the development and implementation of the first health and safety system for his employer in 2009. Soon additional environmental and quality concerns arose, and Kyle officially became the QHSE & IT Manager for a growing company. By the end of 2013, they were certified to ISO 9001 and OHSAS 18001, running an ISO 14001-compliant integrated QMS.

Since then Kyle has gone on to provide custom QMS solutions including QMS software, internal auditing, consulting and training. Through knowledge and first-hand experience with standards he has learned inside and out, Kyle is able to quickly and effectively conduct audits, identify positional solutions, and bring organizations into compliance, fostering continual improvement.

About Texas Quality Assurance

Based in Friendswood, just outside Houston, TX, Texas Quality Assurance was developed out of a need to save time and energy in managing quality systems. The end goal is to save people time and to make business more efficient and more profitable for everyone in the process.

Getting ISO Certified

So, your organization has decided to obtain an ISO certification, perhaps to ISO 9001:2015 or ISO 14001:2015. You have already taken the necessary steps to implement the system in your organization, either through your own Quality Manager or by hiring a consultant, or you are in the process of doing so. Now what? Now is the time to start seeking quotes for accredited certification to ISO 9001, ISO 14001 or whichever standard you are striving towards. How should you choose a Certification Body, and more importantly, how do you choose the best Certification Body for your organization?

The process of becoming ISO certified involves an independent or third-party auditor visiting each of your company’s sites and conducting a site audit annually.

Learn more about the Certification process.

When employing a Certification Body (CB), it is essential that you make an informed decision, as you will be working closely with the CB you choose over an extended period and will need to trust their work.

Accreditation

Ensure you look for accreditation when selecting your CB. Accreditation to ISO/IEC 17021 is the minimum standard you should consider; without it, your certificate cannot be considered valid in the marketplace. Think of accreditation like your government-issued photo ID: while you may have a library card or another piece of photo ID, only the government-issued photo ID is accepted when you are travelling or having your identity verified, because it is regulated and trusted. Accredited certification is the same concept.

Reputation

Consider a CB’s reputation in the industry when comparing quotes. Referrals from other companies you trust, or published customer satisfaction testimonials, are a great way to understand a company’s reputation. Reputable organizations will also have a proven track record and experience in your industry. Consider asking your suppliers who they are currently certified with; these connections can open new avenues for future business growth and link you to similar companies or even potential clients or business partners. Remember that the reputation of the CB that issues your certificate also reflects on your company, so it is in your best interest to employ a CB with a strong reputation for success.

Specialization

Look for a Certification Body that specializes in, or has experience with, auditing your niche of services or goods. Most CBs that have been in the industry for a number of years have extensive prior knowledge of how a certain type of organization is meant to operate. This can save you time during your audits, as you will not have to explain your processes to your third-party auditor from scratch.

Important Note: Auditors are curious by nature, so expect your audits to include probing questions. These are meant to help the auditor understand your specific interpretation of the standard, not to prove non-compliance with it. Auditors are not in the business of ‘catching you out’; they should be auditing to establish conformance, not non-conformance. If you feel your auditor is not auditing in this way, speak with your CB to resolve the situation; they should be more than willing to accommodate your request.

Location

Travel expenses for the auditor(s) are your organization’s responsibility for each audit. This is one expense that you, as the client, have control over, so it is in your best interest to research beforehand where your CB and its auditors are located in relation to your sites. A CB with an auditor local to your organization is a huge benefit, as it drastically reduces the travel and accommodation expenses associated with each audit.

Location can also limit flexibility. Scheduling audits with a long-distance CB can be more restricted in terms of available dates, and the CB may be less flexible about date changes once travel arrangements have been made.

Compatibility

It is important to look for Certification Bodies and auditors whose values align with those of your organization. As per ISO standards, recertification is required every 3 years, so you will work with your chosen CB over an extended period. For example, scheduling your annual audit may involve lengthy communication between multiple departments within your organization and your CB point of contact, with many back-and-forth conversations.

Research each CB’s company policies and ensure its core business model aligns with what you value most. You are their client and should be treated exactly as such. Establish open and clear communication with your CB and your auditor in order to fully reap the benefits of the services they provide. The CB you work with can quickly become a third-party support that helps you improve consistently. While a CB cannot act as a consultancy service, most offer a range of workshops, training and valuable guidance via online resources should you need them.

Cost

The cost of an ISO certification should also be considered, but weighed against the benefits offered by your chosen CB. Do your due diligence in researching the rates available to you and conduct a simple cost-benefit analysis to determine whether the services on offer are indeed worth the price quoted. Your cost-benefit analysis should cover Accreditation, Reputation, Specialization, Location, Compatibility, and Cost, as well as any other criteria you deem important for your organization.

Ensure you are quoted for the costs of the full 3-year certification period as well as the initial charges, and ask which services are included in or excluded from the quoted costs.

How To Survive an Audit

Written by Nathaniel Smith of Beyond Improvement

Preparation is Not Everything

Contrary to common belief, there is only so much you can do to prepare for an audit and, depending on the nature of the audit, sometimes it is best not to prepare at all.

The reality may be that you don’t have the time or resources to make EVERYTHING ‘perfect’, or even just to make it look perfect for the audit.

What’s more, even with an agreed agenda, the challenge is often knowing what specific direction the auditor may take, and what evidence trails they will follow.

Consider for a moment: if you went out for a meal with some friends to a restaurant you had not been to before, could you correctly predict what everyone would order to eat and drink?

Everyone has different tastes, which can vary from one day to the next depending on a whole raft of variables and factors.

Trying to predict specifically what an auditor will look at can be a shot in the dark. Perhaps you have repeat audits with the same auditor, looking at the same processes each time. However, in my experience, many auditees have spent late nights preparing for an audit in an effort to cover all possible areas. Ever had that feeling of please don’t look in ‘that’ file or cupboard?

Priority is key here: focus on the bigger gaps, the areas you know are not right or not compliant, or where the consequences could be most severe. Your auditor is likely to look at the biggest risks first.

Consider what your business priorities are, and the type of audit, e.g. regulatory compliance, insurance, customer, supply chain, certification. Each will have biases or ‘risks’ it will focus on; use these as key starting points. And try at least to formally record and identify those areas you know are gaps but have not yet been able to address, as this demonstrates self-awareness and intention.

There can be a good reason to not prepare at all…

If the audit is internal, or you are paying for a third-party audit to improve your business or maintain certification, then consider not preparing at all. This will better reflect your current situation (i.e. business as usual) and can maximise the benefit and value of the audit process. Should documents and processes not be in use normally throughout the year?

Audit findings can provide great impetus and buy-in from stakeholders to address areas for improvement or get any necessary resources.

Be Open and Honest

It should go without saying, but being open and honest will always be better received by the auditor. Most auditors can tell if you are trying to pull the wool over their eyes; fictitious stories and fabricated evidence often fall apart, possibly making an auditor more determined to catch you out and resulting in more severe findings.

Also try to look at these situations from the auditor’s point of view: would you like to be conned or lied to? Auditors have a job to do too. Sometimes they can be helpful allies, providing further guidance or insight into any issues. They are not always out to ‘get you’ and are often keen to make a difference and help improve your business, so don’t see them as the enemy.

An audit may help to keep people safe, aid the business to be legally compliant or financially secure, boost customer satisfaction, be environmentally sustainable – and much more.

If you have gaps, talking about them proactively can be very beneficial, especially if you have already identified and recorded them along with your plans to address them. The auditor may still raise them as issues, but may mitigate or reduce their severity in recognition of your plans.

A third-party auditor may have even more experience, visiting up to hundreds of businesses each year, seeing what works and what doesn’t, resulting in genuinely helpful feedback.

So, look for the benefits rather than dreading the outcome.

And Breathe!

Understandably some people can get very nervous, before and during an audit. Try to relax, taking on board the points above.

Remember that whilst the audit has a purpose and the auditor has a job to do, many auditors (including regulatory auditors) like to help.

Asking relevant questions, and asking for examples of best practice or ideas (where they can be given), can be very valuable to you and your business.

I personally have seen many auditees go from a state of physical nervous shaking at the start to a happy, warm smile at the end of the audit, finding it informative, helpful and even sometimes fun!

About the Author

Nathaniel Smith has over 20 years’ experience in management systems, including working as an assessor at BSI (British Standards Institute), a leading global certification body.

Nathaniel is passionate about implementing best practice and providing real value that goes beyond small, basic improvements: he helps businesses go further and can help you create real, significant change, improving growth and performance and reducing risk.

About Beyond Improvement

Having seen and experienced the challenges working with some consultants, Beyond Improvement strives to offer a genuine value-led solution based on the following principles:

– You and your business needs come first

– A tailored approach to your business, its culture, and how you would like to work

– Consistency. You won’t be passed between a team of consultants; services will always be delivered by me, Nathaniel Smith, the person who understood your original requirements and brings the experience and expertise that you need

– Coaching-led, so that you and your business understands the system and can maintain it, your business/system doesn’t depend on me

– Ongoing support, only if you need it and always value-based

Learn more about Beyond Improvement

Simple Tips for Implementing ISO 9001:2015 - Video

Ready to implement ISO 9001 in your organization? Here are some simple ISO 9001 tips for the process to be aware of and prepare for.


Tip: Implement ISO 9001 for the Right Reason

When implementing a quality management system (QMS) for ISO 9001, management should be clear about the purpose of the QMS. If the only driver is to get on customers’ tender lists or because a competitor has already got one, it’s highly likely that the QMS will remain a set of documents for certification purposes only.

Management should aim for a QMS that will help the organization produce quality products or services, continuously improve its processes, and provide confidence to customers that the organization is capable of meeting their requirements all the time.

Tip: Motivate your Workforce

In order for organizations to achieve a desired level of quality, people need to get involved. People are the essence of organizations and their full involvement is essential to implement and maintain ISO 9001.

Employees can be motivated by:

  • Ensuring that everyone knows and understands the organization’s quality policy;
  • Defining and communicating responsibilities and authorities within the organization;
  • Building the competence of employees;
  • Providing adequate infrastructure and work environment;
  • Initiating improvements, e.g. by implementing employees’ suggestions.

Tip: Take the Necessary Time

All too often organizations are in a hurry to obtain certification and do not spend the time needed to implement the system effectively. Before applying for certification, your QMS needs to be in place and its effectiveness checked through an internal audit, followed by corrective actions on audit findings.

Tip: Go Easy with the Paperwork

Many believe that everything in the system needs to be elaborately documented. Often, organizations are better off sticking to what is required and keeping those documents simple; additional procedures and records should be considered only if they add value to the system.

Tip: Set the Example

Some employees may find it difficult to change their ways of doing things and may have a tendency to deviate from defined procedures. To change this, top management should ‘walk the talk’, i.e., it should not allow deviations from set procedures or permit the release of materials with deviations.

Under such an approach, employees will start respecting system requirements and everyone will take account of their responsibilities for the success of the QMS.

Learn more about ISO 9001 and how to engage top-level management to ensure the success of your QMS.

Questions for your CB

Choosing a Certification Body (CB) should be considered an opportunity to question and verify the capabilities of the team that will be assessing and auditing your organization each and every year. This process can be daunting, especially to those of us who are new to the industry. ISOUpdate has a Directory of CBs you can use to start your hunt, but we understand it might be confusing if you don’t already know what to look for and what questions to ask during the process. Here’s an assorted list of some questions that you need to ask your potential Certification Body.

Are you Accredited?

This should be the first and most important question you ask your CB when you are requesting quotes and determining who to select as your future CB. Confirm that the organization you are working with is accredited to ISO/IEC 17021 to ensure that your certification will be recognized. ISO/IEC 17021 is the conformity assessment standard that applies to bodies providing audit and certification of management systems.

Where will my certification be recognized?

If you are working with international suppliers or looking to do business in a certain country, you will need to ensure your new certification is recognized internationally. Ensuring your certification body is accredited by an Accreditation Body that has joined the IAF Multilateral Recognition Agreement (MLA) will confirm that your certification is recognized globally, but more specifically, in the markets you are interested in pursuing.

Can you supply a Letter of Certification Intent?

If you have been asked by an organization to obtain an ISO certification to do business with them, it would be worth pursuing a letter of certification intent to then offer your supplier for the time period leading up to your achievement of certification. This may be sufficient for the supplier as proof of your active commitment to becoming certified, and sufficient to start a contract with your organization for work.

What is the requirement of QMS maturity before certification can take place?

A Certification Body cannot implement a system for your organization; it can only audit an existing system. You may need the services of an Internal Auditor or Consultant to help your organization meet the requirements of the standard before you can move forward with your CB. In general, if you are running a successful business, you are already achieving a large portion of the standard, but an Internal Auditor or Consultant will be able to maximize efficiency and reduce documentation, wasted time and energy to ensure you meet and exceed all requirements. Some CBs may require your system to have been in place for a certain time period before they can audit it – ensure you are able to meet those deadlines.

What is your NPS for client satisfaction?

NPS, or Net Promoter Score, is a metric that organizations use to measure customer satisfaction. Organizations ask current clients how likely they are to recommend the organization to a friend. This is a great metric to consider when picking any organization you are planning to work with, as it indicates overall customer satisfaction with the whole process of dealing with a company. A high NPS can give you, a potential client, a good indication of what you can expect from this company.

Other important customer service related questions you should be asking:

  • How flexible can you be in terms of scheduling issues? Can you accommodate our expected registration date, or close to it?
  • If we have questions and call in, can we expect a prompt response?
  • What happens if we have a difference of opinion with one of your auditors? Who do we contact?

If your organization has a deadline to meet or an expiration to worry about for recertification, you will need to make that clear to the sales representative when they are quoting you a price. Time constraints will be a factor when they are selecting available auditors.

It is also valuable to know who your point of contact will be throughout the certification process, especially if you and your auditor come to a disagreement. This stage in your quoting journey is a good opportunity to understand what levels of communication this organization has for dealing with common questions, scheduling, and non-conformities.

What relevant industry experience do you have?

This question is especially pertinent if you are working in a specialised industry. Having an auditor who is familiar with your industry will make the whole process much easier.

Do you have local auditors?

Having a local auditor is a considerable advantage to you as a client, as it reduces the expenses incurred during your surveillance audits. A local auditor will have reduced travel, accommodation, and food expenses.

Other Questions to ask related to your auditor:

  • Does the registrar use the same lead auditor/auditors each time?
  • How many auditors would you use on this particular project?
  • What is the frequency of surveillance audits and what is covered?
  • Can we meet the auditors who would work on this project? And could we interview the lead auditor assigned to our company?
  • Are travel and subsistence expenses built-in or additional? And if they are additional could you quote me an estimated figure?

You may want to dive into the CB’s process for hiring auditors; most certification bodies are extremely particular about who they hire as auditors, but it might be worthwhile to ask about the base level of experience they require. Another important point to consider, if your organization is pursuing re-certification, is whether you are maintaining impartiality with your audit team. The purpose of certification audits is to have an impartial, outside view of your QMS to eliminate bias. While it is wonderful if your organization has a pre-existing and positive relationship with your auditor, it can sometimes create bias. Consider switching your auditor every few years and don’t become too reliant on your current third-party auditor, to ensure you are getting the most out of each certification audit.

Do you offer certification to other standards? Do you offer integrated audits for more than one standard?

If you are looking to achieve ISO 9001:2015 and ISO 14001:2015 for example, having an integrated audit could be an option for your organization to save costs and time.

What sort of “off-site” time (such as report preparation, document reviews, etc.) could we be charged for?

Understanding the entirety of the auditing process is important. Certification is not just an individual looking at your documents. The auditors are taking a sample of your work and understanding how you effectively run your business using the requirements of an international standard. Auditors spend hours before and after each audit preparing, going through the evidence, reporting findings, and interpreting the standard. By understanding this, you are able to better understand the quoting process and the variables in place with each and every audit. By asking what is included in the quote, and even understanding the roles and administration involved in the process, these numbers make much more sense.

Do you offer training for the standard we are looking to obtain?

If your organization wants to maximize your system, having your management team and employees attend training to fully understand the processes and guidelines of the standard is highly recommended.

For example, in ISO 9001:2015, there is increased attention on the involvement of upper management to ensure the success of the QMS. Upper management is required to have an active interest in the system and is responsible for ensuring its success. Attending training can only help your organization more easily obtain your certification.

How do you determine how much time to spend on a full system/surveillance audit?

This question should make or break your decision-making process, and it will confirm to you whether your potential CB is truly accredited to ISO/IEC 17021. Organizations that are accredited are required to quote audit days based on the number of employees your organization has on staff and the risk level of your management system. Ensure you know the exact and correct number of employees you employ when you are in the quoting phase, as this will be asked. Discrepancies between the initial quote and actual billing are often due to misrepresentation by the organization of the true number of employed staff. To avoid surprises, ensure your number is accurate.


These are some key questions to ask prior to employing a CB. They have been designed with the intent to give you valuable insight into the CB, which is critical to selecting the right registrar for your organization’s needs. These are generic questions to help your organization by directing your questioning to ensure you are well informed about their practices. We highly encourage you to customize each and every question to fit your company’s agenda.

Predict, Survive, Grow

ISO 31000 is a standard on risk management developed by the International Organization for Standardization, first published in 2009 and updated in 2018. It is the international codification of the principles and guidelines of risk management, which emerged from the need for one international standard applicable to all industries and organizations of all sizes. In other words, because there were a number of standards on risk management that different organizations in different industries were implementing, experts deemed it necessary for a new family of standards to emerge and to unify all the concepts in one single standard which would provide guidelines and strategies for implementing risk management. Later on, we will discover how ISO 31000 and ISO 22301 can be intertwined, and how ISO 31000 can deepen the risk management controls in an organization that has already implemented ISO 22301 – the business continuity management system standard.

Uncertainty is an inseparable part of every business, and as such, every company has to tackle the risks associated with uncertainty in every dimension of business operations. First, risks have to be identified, after which they are categorized and preventive and responsive measures for each identified risk are implemented. The nature of risk nowadays has evolved into unprecedented complexity, because the amount of data that goes in and out of companies is rapidly increasing. As such, unsurprisingly, contracts and insurance companies require mechanisms in place which make sure that the company is identifying and tackling risks.

ISO 31000 helps organizations protect their assets as well as increase the likelihood of achieving objectives by providing direction and risk management strategies. It is adaptable to the context of every organization and it helps mitigate risk within the organization by implementing risk-based decision-making and risk-based corporate culture. That is to say that both employees and stakeholders make decisions by always bearing in mind the risks associated with each decision, but at the same time, apart from seeing negative consequences, it helps a company also identify positive opportunities.

On the other hand, one of the most famous international standards dealing with the continuation of business operations and business security is ISO 22301. This is a standard on business continuity management and it is widely implemented in organizations of all sizes and all industries. Unlike ISO 31000, ISO 22301 can lead a company to certification if the company proves that it has implemented the standard and its requirements.

The main goal of this standard is to offer a management system which makes sure that in case of incidents, of every nature, an organization can continue its crucial business operations – in other words, it can survive. Incidents can have a very different nature from each other, ranging from natural disasters to cyber-attacks, and ISO 22301 includes all of these kinds of incidents. It also helps a company to mitigate risk and to evaluate which risks are more imminent and more probable.

Based on these factors, and a proper understanding of the organization and its context, a Business Continuity Plan (BCP) should be developed. This plan includes the actions and measures to be taken in different scenarios, the persons in charge of every scenario and how to contact these persons in case one of the scenarios happens. In other words, a BCP should be composed, but there should also be instruments to activate the BCP, responsible managers should be appointed for every situation, and the information should be communicated clearly so that every employee is aware of who to contact in different scenarios.

So, among other things, risk assessment and risk management are integral parts of business continuity, and this is where ISO 31000 and ISO 22301 intersect. In ISO 22301 there are two important clauses which deal specifically with risk: clause 6.1 on “Actions to address risks and opportunities” and clause 8.2 on “Business impact analysis and risk assessment”.

Every business is exposed to risk, ranging from market risks, investment (or stock) risks, natural risks, cyber risks and so on. Depending on the scale of risk exposure, a company might choose to implement and get certified against ISO 22301, but at the same time have ISO 31000 as a guiding tool for risk-based thinking, risk strategies and risk-based corporate culture. It is a very good integration (but not an integrated management system, since ISO 31000 does not offer requirements but guidance) of two standards which can produce a very detailed and accurate platform, that can serve a business well in difficult times – and as history has often proved, it can help a company stay in business when faced with risks and challenges.

It is often argued that civilization started when the first humans learned to domesticate plants and were able to farm and harvest. In order to be able to farm, one must at least be able to recognize and know seasons, humidity and temperature as minimum requirements to be successful. So, in other words, it was the ability to predict which marked the beginning of civilization and its continuation and evolution to this point. We have developed immaculate methods (e.g. the scientific method) to predict and forecast in order to survive, thrive and evolve. The same concepts apply to a business if you see it as a thinking, living organism which is striving to evolve and thrive, but which also has to deal with the bad days where survival is the main objective. We can consider standards such as ISO 22301 and ISO 31000 as the scientific methods of the world of management, which help a business, as a living organism, to survive on these bad days while helping it reach its objectives and grow in good times.

About PECB

PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise on multiple fields, including but not limited to Information Security, Business Continuity, Resilience and Recovery, Governance, Risk Management, and Compliance, Quality Management, IT Governance & Service Management, Health, Safety, and Sustainability.

About the Author

Julian Kuci is the Marketing Quality Assurance Manager at PECB. He is an honours graduate of RIT in Economics & Statistics and Public Policy & Governance. Julian holds a diploma in Transitional Justice from the Regional School of Transitional Justice and is certified against ISO 9001 – Quality Management and ISO/IEC 27001 – Information Security Management.

PAS 99 Integrating Common Management Systems

Management systems are designed to add value to the organization by saving resources, time, and money. PAS 99, developed according to the ISO rules for writing management system standards, is a single framework developed by the British Standards Institution (BSI) which assists in the proficient management of all ISO certified systems. PAS 99 was developed in response to the need for a reference document for the implementation of a real and effective integrated management system. Prior to the publication of PAS 99, there was confusion in the market about what should be considered an integrated management system, as organizations were only able to merge the reference documentation (manuals, procedures, etc.). This approach was far from a real integrated management system and insufficient for many organizations.

PAS 99:2006 was created to enable organizations to integrate common management system requirements into one framework. PAS 99:2012 is based upon the structure of ISO Guide 83, and now sets a common structure to be followed by all management system standards moving forward.

PAS 99 is designed to be used by organizations that have a management system standard or are implementing various management system standards. It applies to organizations of all sizes and industries.

To make integration easier, some elements of the management system standards were restructured around a common high-level structure. The high-level structure, as adopted by many of the new standards, has the following elements:

  1. Scope
  2. Normative Reference
  3. Terms and Definitions
  4. Context of the Organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Benefits of PAS 99 Integrated Management Systems:

PAS 99 has gained success because it provides a great number of benefits to users.

Some of the benefits of implementing the PAS 99 system include, but are not limited to:

  1. Meet the requirements of the separately implemented standards in your business with a single set of policies and procedures. This helps govern the standards in a more coherent and less cumbersome manner, which results in a more streamlined and smooth approach to meeting the multiple different requirements.
  2. A single audit can cover all the various management systems in place, providing a way to achieve the same end goal but with far fewer resources involved.
  3. Improve the overall efficiency of your business by systematically removing redundancy and duplicate tasks. The duplicate tasks with different targets are now replaced by singular tasks that cover all the different targets of the individual management systems.
  4. Roles and responsibilities are clearly defined with roles now being responsible for all the areas that have an overlap causing the merger of multiple roles into one. This new role will now be responsible for all the common objectives that were previously being looked after by multiple different roles.
  5. Continuously improve multiple management systems by providing an integrated overview of the systems which allows growth to be driven without handling and executing improvements on multiple disparate systems.

Implementation and certification of PAS 99 Integrated Management Systems:

PAS 99 can be tailored for specific business needs and can be built to suit any organization that utilizes multiple certified systems. The developers of your organization’s specific PAS 99 will help your management design and implement a tailored PAS 99 integrated management system. Then, your staff must be trained to ensure effective implementation of PAS 99. The type of training your staff receives can vary and is based on your organization’s specific needs.

In the process of getting PAS 99 certified you can expect the following:

1. Gap analysis

It is during a Gap Analysis that discrepancies between PAS 99 requirements and the organization’s existing integrated management system are assessed before any further formal assessment.

2. Formal Assessment

It is during a Formal Assessment that, firstly, your organization is assessed for preparedness for the assessment of PAS 99 controls and procedures. If there is any gap found, it will be communicated to you for rectification. Then, if the primary requirements are fulfilled, an assessment of the actual implementation of controls and procedures is carried out.

3. Certification and beyond

After the Formal Assessment, a PAS 99 certificate is issued that is valid for three years, and during this time the client manager of PAS 99’s developers would stay in touch with the user’s organization and would help with any improvements.

Compliance with this specification does not in itself ensure conformity with any other management system standards or specifications. The requirements of each management system standard will still need to be addressed to achieve certification. Organizations that wish to certify compliance with PAS 99, can do so to demonstrate that an effective integrated management system is in place.