Measuring Information Security Effectiveness

Friday, December 30th, 2016

You simply can’t be too careful when it comes to information security. Protecting personal records and commercially sensitive information is critical. But how can you tell that your ISO/IEC 27001 information security management system (ISMS) is making a difference? A new ISO/IEC International Standard can help you out.

The recently updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of ISO/IEC 27001. It explains how to develop and operate measurement processes, and how to assess and report the results of a set of information security metrics.

ISO/IEC 27004:2016 shows how to construct an information security measurement programme, how to select what to measure, and how to operate the necessary measurement processes. It includes extensive examples of different types of measures, and how the effectiveness of these measures can be assessed.

Among the many benefits to organizations of using ISO/IEC 27004 are:

  • Increased accountability
  • Improved information security performance and ISMS processes
  • Evidence of meeting requirements of ISO/IEC 27001, as well as applicable laws, rules and regulations

ISO/IEC 27004:2016 replaces the 2009 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001 and to give organizations greater added value and confidence. For more information, visit the iso.org website.

AS9110:2016 and AS9120 Released

Saturday, December 3rd, 2016


The International Aerospace Quality Group (IAQG) has now published AS9110:2016 and AS9120:2016. This completes the revision of the core Aerospace Standards and represents the revised quality standard for aviation, defense and space organizations.

AS9110 QMS Aerospace Requirements for Maintenance Organizations is intended for use by organizations whose primary business is providing maintenance, repair, and overhaul services for aviation sector products. It is tailored for organizations with repair station certification; however, it is also suitable for non-certificated organizations, including those that provide maintenance, repair, and overhaul services for military aviation products.

AS9120 QMS Aerospace Requirements for Stockist Distributors is intended for use by organizations that procure parts, materials, and assemblies and sell these products to a customer in the aviation, space, and defense industries. This standard is not intended for organizations that rework or repair products.

The revisions have incorporated essential changes made to international quality management system standard ISO 9001:2015 and additional Aerospace, Space and Defense stakeholder requirements. This will ultimately drive effective operations in increasingly complex environments. Organizations currently certified to AS9100/9110/9120 will need to successfully switch to the relevant 2016 revision by September 2018.

Added requirements beyond the ISO 9001:2015 revision include:

  • Risk Management: merges the current 9110 requirements with the new ISO requirements, with emphasis on risks in operational processes as well as risks during the transition period.
  • Product safety / Safety management: added in a separate clause and in selected areas, with safety performance evaluation requested.
  • Counterfeit Part and Suspected Unapproved Parts prevention: added in a separate clause and in selected areas. Introduction of unsalvageable parts.

New terms introduced in 9110 include “Competent Authority”, “Continuing Airworthiness Management”, “Dismantling”, “Life Limited Part”, “Maintenance Data”, “Product Safety” (same as in 9100), “Qualified Person” and “Unapproved Part”.

We are here to support all your transition requirements. Contact us for all your AS9100, AS9110 and AS9120 needs.

Quality Objectives – Management Review

ISO 9001:2015 now requires that, when planning how to achieve its quality objectives, the organization determine:
  • what will be done,
  • what resources will be required,
  • who will be responsible,
  • when it will be completed,
  • how the results will be evaluated.

 

Most likely, your organization was already doing this; the question is how well, and how effectively.

 

An organization needs to verify that the overall quality objectives:

  • have been defined,
  • reflect the quality policy,
  • are substantially logical,
  • are aligned and compatible with the organization’s context and strategic direction,
  • and are aligned with its overall business objectives, including customer expectations. 

 

There is no specified way of identifying or documenting quality objectives, as these may appear, for example, in business plans, management review outputs or annual budgets. It is up to the management team to ensure that the objectives are adequately documented. Evidence should exist to show how the quality objectives are cascaded throughout the organization’s structure and processes, linking the general strategic objectives to management objectives and down to specific operational activities.

Standards require top management to review the organization’s quality management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review is itself a process and should be conducted and audited using the process approach. Organizations need to be able to demonstrate that, during management review, they have evaluated the effectiveness of actions taken to address risks and opportunities.

Depending on factors such as size and organizational complexity, an overall management review can be a complex process carried out at various levels in the organization. It will always be a process driven by top management with inputs from all levels of the organization. These activities could range from daily, weekly, monthly and organizational unit meetings to simple discussions or reports.

The Value of Documented Systems

Why do so many organizations spend valuable time and resources generating and maintaining documented systems? Asking to see documentation often draws the response that no one reads this bureaucratic, time-consuming paperwork.


The following are key benefits that help explain the importance of documentation in all operational processes:

1. Accountability: If a process requires documentation, it is much more likely to occur and be utilized. Effective documentation identifies process connections. For example, contract approval would require a documented review of the terms before being accepted.

2. Completeness: If standard forms or checklists are incorporated into a process, these tools become roadmaps that ensure process consistency. Good documentation should show a clear relationship between required inputs and outputs. For example, a machinist might feel tempted to omit measurement data to speed product delivery. But if the inspector ensures the documentation is complete, the process owner will have to include all required data to complete the job.

3. Consistency: Given the chance, individuals will complete a given task in many different ways. A consistent approach creates organizational efficiency. For example, if a form in use is understood and standardized, the processes used to create the documentation are standardized as well.

5. Communication: Documentation increases the flow of communication between team members. As the pace of project activity increases through e-mail and software, the need for documentation keeps growing. For example, good meeting minutes and documented action plans give individuals access to the information in electronic form at all times.

6. Record: A documented record of actions, decisions and product data can provide the necessary information years later and protect the company and its employees. For example, a customer’s claim of design error can end up in litigation. If good records are kept, they will be invaluable in any subsequent action.

Remember, if documentation is required and not yet completed, the task is not done. Doing the work and documenting it are complementary and both necessary. Thanks to Dan Domalik for his insights on this topic.

Customer Complaint Information

An effective organization requires a robust customer complaint system. Complaints communicate customer perceptions of quality and are the largest single determinant of customer satisfaction.

Unfortunately, the majority of complaint systems are completely reactive: you’re not reaching out to your customer; you’re relying on the customer to reach out to you. This is a risk-laden proposition, and for every complaint your organization receives there may be four, five or more you’ll never know about.

 

Because of its reactive nature, a complaint system should be used in combination with one or two proactive tools.

Here are some suggestions to help you implement an effective system that is capable of improving your customer satisfaction connection.

Get the Details!

 

In addition to expressing empathy, the customer service person receiving the complaint must gather the correct details. Exactly what went wrong? Allow the customer to provide a general description, then begin to drill down. Typical information includes the following details:

  • What was the exact nature of the problem? Generalities won’t cut it. The problem statement must provide enough detail and depth to facilitate investigation.
  • When did the problem occur? The date is certainly necessary, as might also be the time.
  • Where did the problem occur? The state, city, plant, retail outlet, department, production line and machine all might be important.
  • Who was involved in the situation? What roles did they play?
  • What product was involved? What were the part or style numbers?
  • Were there any specific batch numbers, serial numbers or other identifiers that provide traceability?
  • Was the problem isolated or generalized across all products?

Consistently gathering this level of detail is difficult without a structured format. Most organizations custom-design complaint forms based on their individual needs, and the most effective forms allow customers to submit them online. Decide exactly what information you need in order to investigate customer complaints and take effective corrective action; then design your form around those needs.

 

In the News

Is Job Hopping Inevitable?

It’s fair to say that many millennials are job-hoppers. According to Gallup, 6 of 10 members of this generation say they’re open to different job opportunities; only one in two plans to be with their company one year from now; and 50% say they’d consider taking a job with a different company for a raise of 20% or less.

Job-hopping among millennials (born between 1980 and 1996) is problematic because these workers currently make up 38% of the U.S. workforce; some estimate that they will make up as much as 75% of it by 2025.

This job-hopping reality is harsh, but leaders should not accept it as the new norm. Not all millennials are prone to leave, and their engagement at work is at the heart of the issue. Millennials who are engaged at work are 26% less likely than millennials who aren’t engaged to say they would consider taking a job with a different company for a raise of 20% or less. Engaged millennials are also 64% less likely than actively disengaged millennials to say they will switch jobs if the job market improves in the next 12 months.

For more information, visit the Gallup Website.

 

ISO 9001:2015 Transition Progress

We recently viewed a webinar presented by the ISO/TC 176 working group describing the results of certification body audits to the new standard. Results reported included:

 

  1. Internal and external issues not fully established.
  2. Changes to internal and external issues not treated as a management review requirement/input. Any upcoming changes or concerns with the current system?
  3. Lack of a balance of issues, other than a focus on product.
  4. What are the organization’s largest concerns, including opportunities? Note: Action may not be required on each external and internal issue.
  5. What are you doing to address growth opportunities?

These results relate to key objective-evidence requirements of ISO 9001:2015 and of the industry-specific QMS standards built on it. Ensure your organization conducts a comprehensive review of these requirements.

 

Training Courses

All courses can be delivered at your company or at our training centers. We also provide training beyond our home state of Arizona. Click on the course title for description, schedule, registration and payment. Group discounts are available. We also provide custom-designed training to fit your specific needs. All training is fully documented for your training records, and certificates of training are awarded.

Don’t see a course or schedule that fits your needs? Contact us.

During the ISO 9001:2015 transition webinar we viewed last month, referenced above, the speaker stated that just over 10 percent of organizations have successfully transitioned to the new ISO 9001:2015 and ISO 14001:2015 EMS standards.

If your organization has not yet begun to plan the transition for 2017, your timeline is getting shorter!

Remember, future certification body audits from June 2017 will be conducted to the ISO 9001:2015 requirements. This timeframe also includes further QMS industry-specific standards.

Happy Holidays and Best Regards,

Walter Tighe and SES Team
Sustaining Edge Solutions, Inc.
Toll Free 888-572-9642