Hot Off the Press – ISO 9004-2009! A Review

It’s here. A year after the publication of ISO 9001:2008 the companion document ISO 9004 has been updated. And whilst the most recent changes to ISO 9001 have been minimal and to all intents and purposes largely cosmetic, the changes to ISO 9004 have not. The changes are big. In fact the revised standard is barely recognisable from its predecessor. It’s different…

So what are the changes?

… Where do we start?

OK, gone is the old title “Guidelines for Performance Improvement”. The new title for ISO 9004:2009 is “Managing for the sustained success of an organisation – a quality management approach”. Gone is the old familiar format that mirrored ISO 9001. The ISO 9001 requirements as “boxed text” accompanied by some general hints and tips outside the boxed text, there to help us understand and apply the various requirements of ISO 9001. That is gone

In fact, ISO 9004 no longer follows the structure and requirements of ISO 9001 in any real way. It no longer goes through the ISO 9001 requirements and offers specific clause by clause advice. It actually does more or less what the title implies, it offers guidance on a more general “quality management approach”.

This calls into question what the intended application of ISO 9004 actually is. It can no longer really function as an implementation guide to ISO 9001, firstly because it no longer tries to, but secondly because the scope of its content is now fundamentally different. It contains, for example, guidance on such matters as:

  • Strategy and policy formulation
  • Strategy and policy deployment
  • Financial resources
  • Knowledge, information and technology
  • Natural resources
  • Innovation & learning

Wow. That’s different. Good topics though these might be for any management system, they are, arguably, out-with the current scope of ISO 9001:2008. What is more, it appears that ISO 9004 is starting to use some established terms in a different way to ISO 9001. “Policy” for instance. If we look at the way ISO 9001 uses the term “Policy” (with reference to clause 5.3) it deals very much with the one page “statement of intent” that we all know and (maybe) love. ISO 9004 appears to be using the term “Policy” in a broader sense, something more detailed, meaningful and less neutral. And strategy? Well, ISO 9001 currently does not even go there

The most obvious “hit you in the face” feature of ISO 9004:2009, however, is that it borrows very heavily from the EFQM Excellence Model

All of those new topics I listed above feature heavily in the excellence model, and have done for a couple of decades. We saw a small movement to an “excellence model approach” in 2000 when the “8 Principles” were introduced. These principles were lifted, more or less, from the principles that underpinned the EFQM excellence model at the time. Some of them (Continual Improvement, Customer Focus) even generated some significant new requirements within ISO 9001:2000. Many people expected ISO 9001:2008 to move a little further in that general “excellence” direction. It did not, of course. Some of us were pleased, some of us were disappointed. Maybe ISO 9004:2009 is a kind of half-way house? Maybe it has been developed this way as a means of placating those of us that maintain ISO 9001 standards are old fashioned or not challenging enough? Maybe ISO is saying, “OK you want something more challenging? There you are. Next time be careful what you wish for!”

Either way, as a general observation, I have to say that I am detecting some initial confusion. Not that the contents are in any way badly written or irrelevant, just that practitioners are simply confused as to what the intent of ISO 9004:2009 actually is. How are we to use it? Will certification bodies develop a certification scheme for it? (there’s a thought), how are ISO 9001 auditors meant to use it? All these questions remain for the moment, so far as I can see, unanswered

So, yes, it appears to be a “quality” document, but will it be used in a “quality” way? Only time will tell

Digital Photography – A Quick Guide to ISO

ISO should be one of the easiest aspects of digital photography to master, but many beginners in photography still have a hard time understanding this fundamental camera setting.

I suspect this is because of the way it is being taught. You see, ISO started out as a property of film, and it was much easier to visualise it in terms of the old technology. So that’s where I want to start my explanation, before bringing you into the 21st century with ISO today.

ISO actually started out as ASA, which stands for American Standards Association. Decades ago, a commercial film manufacturer came up with a set of numbers to define the sensitivity of different types of film. That set of numbers was accepted by the American Standards Association, so all American manufacturers could use the same system. Later, the American standard was adopted by the International Standards Organization, so ASA became ISO.

What does all that mean? Well, it means that the letters ISO didn’t really stand for anything except for the name of an organization.

What is important is what ISO referred to, which was the sensitivity of the film. The emulsion on some films reacted quite slowly to light, and on other films much faster. Slower films had a smaller ISO number, like 25, 64, 100. Faster films had a higher number, like 200, 400, 800.

A slow film needed a relatively high level of light to create a well-exposed photo. That meant that to take a photo in darker conditions, you would need to use a fairly wide aperture and/or a fairly slow shutter speed to get a result. On the other hand, a faster film reacted to light a lot more quickly, so it needed much less exposure to light to take a photo.

Fast film sounds pretty good, doesn’t it? A chance to take a photo in any conditions without a tripod, and to freeze moving subjects with very fast shutter speeds. So why didn’t everyone just use fast films all the time?

The answer is that the advantages of fast films came with a trade-off; loss of image quality. The grains of emulsion on a fast film were larger, so a photo taken on a film with ISO 400 or 800 had a rougher, ‘grainier’ look. This may not have been a problem in a small print, but became quite apparent with big enlargements. Consequently, most professional photographers preferred to use slower films of 100 or 64 ISO for most of their work.

So is this just a lesson in ancient history? After all, you have a digital camera, so what does all this have to do with you. Well, it may surprise you to know that despite the huge revolution in technology, the essentials of ISO have not changed one bit.

Your camera should allow you the option of adjusting your ISO setting. Just like in the days of film, if you set your ISO to a low number like 100, you will need more light to create a correct exposure. That means that you may need to keep a tripod handy for cloudy days, and in certain low-light situations you may not always get the aperture and shutter speed settings you want. If you set your ISO to 400 or 800, your camera will become much more sensitive to light; you will be able to shoot in exactly the same conditions without a tripod, and with greater flexibility to choose the aperture and shutter speeds you want.

But here is the amazing part. Higher ISO settings still come with the same trade-off that once existed with film. Along with the speedier sensitivity to light, you can also expect the image to have a grainier finish. I don’t know if it is pixellation, or digital noise, or a combination of both, but it is generally understood that for all their advantages, high ISO photos come with a reduction of image quality that becomes more obvious the more you enlarge the image.

So there you have a quick introduction to what ISO is all about. Perhaps I am just showing my age, but I find this subject easier to explain in old-technology terms. For many people it is easier to visualise when related to something solid like film, rather than something that happens on a computer chip. Anyway, I hope this helps you if you have had trouble understanding what ISO is all about.

ISO 9000 Software Products

For most companies, adhering to the strict regulations regarding document management and implementation of ISO 9000 standards can be a monotonous task. Luckily, since ISO 9000 was first developed almost 20 years ago, a variety of ISO 9000 software products are now available for purchase.

ISO 9000 software is available to suit any business’ needs. Whether it is a large or small company, a software program can be selected from over 300 products to meet the specific requirements of the quality process. Prices range from a couple hundred dollars to a few thousand dollars depending on the resources needed. Even a small start-up company can afford some of the options, and ISO 9000 software solutions can make it easier to implement quality procedures.

On the lower end of the price spectrum is 3C Technologies’ Rapid Start Up Kit. Prices for this program begin at around $145 and include all of the features that are currently available for ISO 9000 software. This program is only compatible with Windows operating systems. A few of the areas in which the program can manage are quality control documents, training, contract review and product identification. This is an ideal program for small or start-up businesses that need assistance in complying with ISO 9000 regulations.

One example of ISO 9000 software designed for medium-sized businesses is designed by Advanced Technologies. This product begins at $395 and is perfect for businesses ready to take the next step in quality control management. Like other programs, it offers a wide range of solutions for the management process. Process control, testing and inspection, and corrective and preventative management represent only a few of the areas covered.

For larger corporations and those with advanced needs, a more expensive and thorough program should be considered. Blue Mountain software is one ISO 9000 software management system for large companies. With prices beginning at $1500, the cost may be a little steep for small businesses. This program is designed as a calibration manager and has been praised as an asset in maintaining the rigid standards of ISO 9000 certification.

Competition among businesses is fierce. ISO 9000 certification can give your company an advantage of the competition because customers know they can expect a high level of service from both the company and the products. The standards set forth for ISO 9000 certification and management thereof can become overwhelming and daunting tasks. Reviewing and purchasing a comprehensive ISO 9000 software program can make the process of implementing and managing your quality processes much easier.

How Much Does ISO 27001 Implementation Cost?

This is usually one of the first questions I receive from the potential client. To their disappointment, I cannot give them the exact figure right away – here is why.

First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the ISO 27001 scope), the level of criticality of information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, the data centers tend to have higher costs because of their complex systems), and the legislation requirements (usually the financial and government sectors are heavily regulated with regards to information security).

Second, you won’t be able to calculate the exact costs before you know which level of protection you need – first you have to perform risk assessment, because such analysis will tell you which security measures are required.

When you know the results of risk assessment, you will have to take into account the following costs:

1. The cost of literature and training

Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days.

And don’t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.

2. The cost of external assistance

Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative (this is what we do at Information Security & Business Continuity Academy ).

The greatest value of someone with experience helping you with this kind of project is that you won’t end up in dead end streets – spending months and months doing activities that are not really necessary or developing tons of documentation not required by the standard. And that really costs.

However, be careful here – do not expect the consultant to do the whole implementation for you – ISO 27001 can be implemented by your employees only.

3. The cost of technology

It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.

However, you do need to plan such investment if it proves to be necessary.

4. The cost of employees’ time

The standard isn’t going to implement itself, neither can it be implemented by a consultant only (f you hire one). Your employees have to spend some time figuring out where the risks are, how to improve existing procedures and policies or implement new ones, they have to take some time to train themselves for new responsibilities and for adapting to new rules.

5. The cost of certification

If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to do a certification audit – the cost will depend on the number of man days they will spend doing the job, ranging from under 10 man days for smaller companies up to a few dozen man days for larger organizations. The cost of man day depends on the local market.

You have to be very careful not to underestimate the true cost of ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the cost and the benefits.

ISO 9001 – 2008 Frequently Asked Questions (FAQ)

What Is The ISO 9001: 2008 Standard?

The latest edition of the ISO 9001 standard ISO 9001: 2008, Quality Management Systems Requirements, was officially published by (ISO) the International Organization for Standardization on November 14, 2008. It is the fourth edition of the ISO 9001 standard since it was first published in 1987.

ISO 9001:2008 is a standard that provides a generic set of requirements for organizations wishing to develop a quality management system (QMS). The ISO 9001:2008 standard focuses on improving an organizations business processes. It does not specify any requirements for product or service quality.  Customers typically set product and service quality requirements. However, the expectation is that an organization with an effective ISO 9001 based QMS will indeed improve its ability to meet customer, statutory and regulatory requirements.

This is the only QMS standard to which an organization may obtain formal third party certification. Because requirements are generic and not specific, organizations have flexibility in tailoring their QMS to fit their business, culture and risks.

ISO 9001 requirements complement contractual and applicable statutory and regulatory requirements. Those implementing a QMS conforming to ISO 9001 must ensure that the specific requirements of their customers and relevant statutory and regulatory agencies are met.

Who Is Responsible For Revising QMS Standards?

The ISO Technical Committee no.176, Sub-committee no.2 (ISO/TC 176/SC 2) is responsible for the revision process in collaboration with consensus among quality and industry experts nominated by ISO Member bodies, and representing all interested parties.

Does ISO 9001:2008 Have Additional Requirements Beyond ISO 9001:2000?

This latest (4th) edition of ISO 9001 contains no new requirements compared to the (3rd) year 2000 edition, which it replaces. What it does is provide clarification to the existing requirements of ISO 9001:2000 based on eight years experience of worldwide implementing of the standard and introduces changes intended to improve consistency with the environmental management system standard, ISO 14001:2004.

The clarifications and changes in ISO 9001:2008 represent fine-tuning, rather than a thorough overhaul. It focuses on changes that organizations might make to better comply with the spirit of the standard without adding, deleting, or altering its requirements. The changes are minor in nature and address such issues as the need to clarify, provide greater consistency, resolve perceived ambiguities, and improve compatibility with ISO 14001. The numbering system and the structure of the standard remain unchanged. As a result, the new standard looks much like the old standard.

ISO has organized the changes incorporated in this ISO 9001:2008 edition into the following categories:

– No changes or minimum changes on user documents, including records

– No changes or minimum changes to existing QMS processes

– No additional training required or minimal training required

– No effects on current certifications

In contrast, the 3rd edition, ISO 9001:2000 published in 2000, represented a major overhaul of the standard, including new requirements and a sharpened customer focus, reflecting developments in quality management and experience gained since the publication of the initial version.

Then Why Was It Necessary To Introduce This Revision?

All ISO standards, currently more than 17 400, are periodically reviewed. To ensure that ISO standards are maintained at the state of the art, ISO has a rule requiring them to be periodically reviewed and a decision taken to confirm, withdraw or revise the documents. The review process must be initiated within 3 years of publication of a standard. The review considers several factors such as technological evolution, new methods and materials, new quality and safety requirements, or questions of interpretation and application.

The review of ISO 9001 resulting in the 2008 edition was carried out by subcommittee SC 2 of ISO/TC 176. This subcommittee, which is responsible for the ISO 9000 family, unites expertise from 80 participating countries and 19 international or regional organizations, plus other technical committees.

This review has a number of inputs that help it:

o A global user questionnaire/survey 

o A market Justification Study 

o Suggestions arising from the ISO/TC 176 interpretation process 

o Opportunities for increased compatibility with ISO 14001 

o The need for greater clarity, ease of use, and improved translation

o Current trends – keeping up with recent developments in management system practices.

How Does The New ISO 9001 Standard Affect Existing ISO 9001 Quality Management Systems?

As currently certified organizations start looking at ISO 9001:2008, they will wonder to what extent the changes will affect them. To a large extent, the new standard will not result in significant change to existing quality management systems (QMS).

ISO/TC 176 was careful in not making change for change sake. The changes that have been incorporated into this edition of the ISO 9001 standard include changes that should lead to a better understanding across a broader range of product types, including service organizations; use of deliberate wording to minimize the potential for incorrect user interpretation; and reflect nuances of similar word concepts. Lastly, some of the changes to specific clauses were made based on the 2004 International User Feedback Survey. This survey was conducted after the publication of ISO 9001:2000 and had invited respondents to identify areas they most wanted to see improved.

What Is The Transition Time Frame To Comply With This Revision And Does My Organization Require Full Re-Assessment For Certification?

Certification to ISO 9001:2008 is not considered an upgrade.  The rules for transition are as follows:

1. The new edition will not require any specific reassessment for certification. Certification Bodies will evaluate conformity to the new ISO 9001:2008 standard during regular surveillance visits and full reassessment will only take place once your current certificate expires.

2. ISO and the IAF have agreed that all certificates to ISO 9001 should be transitioned to ISO 9001:2008 within 2 years of publication date, (i.e., by November 14, 2010). Your organization can request your Certification Body (Registrar) to asses your QMS to ISO 9001:2008 at your next Surveillance audit.

3. One year after publication of ISO 9001:2008 (i.e., by November 14, 2009), all certifications issued (new certifications and re-certifications) must be to ISO 9001:2008.

4. Two years after publication of ISO 9001:2008 (i.e., by November 14, 2010), existing ISO 9001:2000 certifications will not be valid.

5. Organizations in the process of certification to ISO 9001:2000 are recommended to apply for certification to ISO 9001:2008.

This transition plan is deemed realistic, because ISO 9001:2008 introduces no new requirements. So basically, you have a two year transition window starting from November 14, 2008, so don’t leave it to the last moment to make the transition.

What Will Happen To The Other Standards And Documents In The Current (2000) ISO 9000 Family?

The four primary standards of the current ISO 9000 family are the following:

o ISO 9000:2005 already published  – no major changes expected for 2009 

o ISO 9001:2000 to be superseded by ISO 9001:2008 

o Significant changes are planned for ISO 9004 with a planned publication date of late 2009. 

o ISO 19011:2002 is currently in the initial stages of the revision process, with a new version expected in 2011.

The other standards and documents will be reviewed and updated as necessary.

How Much Is The Implementation Of The New Standard Going To Cost?

One of the goals of ISO/TC 176/SC 2 is to produce standards that will minimize any potential costs in implementation or transition.  Any additional costs may be considered as a value-adding investment. A key factor in the development of ISO 9001:2008 was to limit the impact of changes and costs on users. So don’t flinch at negotiating with your certification / registration body, if they try to increase costs of certification.

What Do Auditors Need To Know About ISO 9001:2008 Standard? 

Auditors, whether external or internal, should be able to demonstrate their competence on the structure, content and terminology of the standards listed below, and also on the underlying Quality Management Principles.

The standards require that auditors are able to understand the organization’s activities and processes and appropriately audit against the requirements of the ISO 9001 in relation to the organization’s objectives. Auditors should be able to demonstrate competency in:

o The requirements of the ISO 9001:2008. 

o The concepts and terminology of the ISO 9000:2005. 

o The eight Quality Management Principles 

o A general understanding of  ISO 9004 

o Familiarity with the auditing guidance standard ISO 19011. 

How Will ISO 9001:2008 Relate To The Needs Of Specific Business Sectors? 

ISO 9001:2008 remains compatible with existing management systems standards for specific business sectors like ISO/TS 16949, AS 9000/EN 9100 and TL 9000. 

Users of a specific sector scheme should refer to the organization that is responsible for that sector scheme, e.g. for:

o           ISO/TS 16 949 refer to the IATF, 

o           TL 9000 refer to the QuEST Forum 

o           For AS 9000/EN 9100 refer to the IAQG

The ISO Brand

The ISO brand has several features that characterize the development process and nature of its standards. Some of these features have been enumerated below:

1. Democratic: Every member of the ISO is entitled to participate in the developmental procedure of all standards that are considered important by the member for the economy of its country. Regardless of the strength or size of that country’s economy, every member of the ISO has a vote. Thus, every country has an equal footing in terms of being able to influence the practical content of ISO’s individual standards as well as the course of ISO’s efforts at a strategic level

2. Market-driven: ISO develops only those standards that have some market requirement. Thus, most work is performed under the surveillance of professionals from the technical, business, and industrial sectors which require standards, and which are subsequently going to put them into practice.

3. Voluntary: ISO resembles a non-governmental organization in that it has no lawful authority to impose its standards. It does not legislate or regulate. However, nations may decide to accept ISO standards – mostly those concerning health, environment, or safety – either as policies or use them for providing a technical basis to the legislation.

4. Globally Relevant: ISO standards can be considered technical agreements that offer a framework for technology that is compatible all over the world. Thus, they have been specifically planned to be useful everywhere i.e. be globally applicable.

5. Consensus: ISO standards have been developed after obtaining international consensus from experts in every field. Like technology, consensus also continues to evolve and hence, ISO takes both into consideration – the evolving interests and evolving technology by taking a periodic evaluation of all its standards every five years in order to plan whether they must be updated, withdrawn, or maintained.

Commercial Door Hardware – The ISO’s Role in Maintaining Quality

Every day millions of people around the world enter and exit public buildings. We work, shop, study and play in commercial buildings. Most people take for granted that public buildings are safe, and that components like doors are going to perform properly and as expected every single time. If we had to stop and think about how the door might work every time we entered a property, it would put a serious damper on how we do business and go about daily life. Fortunately, it’s organizations like the ISO that help make daily living easier, providing peace of mind for consumers and users of everyday products, like commercial door hardware. 
 
The ISO (International Organization for Standardization) was formed in 1947. It is a network consisting of the national standards institutes of 157 different countries around the world. It collaborates with scientists, manufacturers and various industry experts worldwide to create product standards that “meet both the requirements of business and the broader needs of society.” The ISO helps to ensure that international standards for products and technology are developed, encouraged and adhered to by products manufacturers and industries in general. International Standards “provide a reference framework, or a common technological language, between suppliers and their customers.”

 
What does this mean for the consumer? Essentially, consumers and members of the public can be assured of two things:
 
1) Products will perform in the same manner no matter what part of the world they come from. In the case of commercial door hardware, such as exit devices, the device will perform safely and in the expected and acceptable manner in the United States even if it was manufactured in another country.
 
2) Technology is shared. ISO member countries work in partnership with one another. They share information and technology. This means that products (i.e. exit devices, door closers) are manufactured to perform in a uniform manner. While individual commercial door hardware companies are free to improve on existing products and to create new ones, they will still perform according to the technological guidelines as set out by the ISO.
 
The 1903 Iroquois Theater Fire in Chicago, Illinois is an example of human tragedy that resulted, at least in part, from a lack of product/technology standardization. The theater was rushed to an opening several months ahead of schedule, despite the lack of safety precautions, such as working fire escapes. As such, the Iroquois Theater had a beautiful architectural and interior design façade, but lacked working safety systems.
 
When fire broke out during a matinee, hundreds of patrons were unable to escape the burning theater. Many of the theater’s fire doors had been locked, trapping patrons inside. Other doors were outfitted with bascule locks. While they were more common in European countries, they were virtually unheard of in the United States. Just a mere handful of visitors were able to work the bascule locks. Those who could not perished in the flames.

 
Had international standards existed in the early 1900’s, it’s probable that many more lives could have been saved. Over six hundred died in the Iroquois Theater Fire. The ISO exists, in part, to help ensure that these kinds of tragedies do not occur.
 
Today’s commercial door hardware can be expected to perform to the standards set out by the ISO. These standards apply to the United States, as well as the other 156 member countries around the world. 

What Is ISO IEC 20000?

ISO/IEC 20000 is the first international service management standard, a multi-part series of related documents. It defines the requirements for a service provider to deliver managed services of an acceptable quality for its customers. To achieve ISO/IEC 20000 certification, an organization needs to demonstrate that it uses management systems and practices in order to be compliant to the standard.

ISO/IEC 20000 is aligned ISO/IEC 9001 and ITIL®. ITIL is a comprehensive set of best practice for IT Service Management with a supporting professional qualification scheme and world-wide user community. ITIL and ISO/IEC 20000 share a common sense approach to this – do what works. One of the most common routes to achieving the requirements of ISO/IEC 20000 is via the adoption of ITIL management best practices.

Formal certification schemes for international standards provide confidence in the level of capability that a service provider has achieved certification for ISO/IEC 20000-1. These schemes required audits to be performed by accredited certification bodies and accredited assessors that have to demonstrate that they work to internationally agreed standards of quality and service.

Who uses ISO/IEC 20000? Service providers have a crucial role in delivering services and products that enable their business and customers to deliver value. One of the key factors to success is to think about the service that is enabled by the technology, not the technology itself. Many service providers adopt service management best practices and standards to improve their interaction with their customers and integrate IT service delivery across their suppliers and partners. They also want to be able to benchmark their service management capability effectively and efficiently.

The ISO/IEC 20000 series is used by organizations that

l go out to tender for their services;

l require a consistent approach by all providers in a supply chain;

l wish to benchmark their IT management;

l wish to perform an independent assessment;

l needs to demonstrate the ability to provide services that meet customer requirements

l aims to improve quality through the effective application of processes to monitor and improve service quality.

What is the ISO/IEC 20000 series? The series includes: (All in Service Management category)

l ISO/IEC 20000-1: 2005 – Information Technology – Part 1: Specification

l ISO/.IEC 20000-2:2005 Information technology – Part 2: Code of Practice

l ISO/.IEC 20000-3:2005 Information technology – Part 3: Scope and applicability

l ISO/IEC TR 20004- Information technology – Part 4: Process Reference Model

l ISO/IEC TR 20000-5:2010 Information technology – Part 5: Exemplar implementation plan for ISO/IEC 20000-1

l ISO/IEC TR 15504-8 – Process Assessment Model for IT – under development.