What Is ISO 20000 Certification?

ISO 20000 certification, more precisely ISO/IEC 20000 certification, was designed to replace and improve upon the British Standard BS 15000. This international standard sets out the requirements that a business must meet in its Information Technology service management in order to qualify for certification. IT services are an integral part of almost any business, given the growing reliance on computerised systems to complete everyday business tasks.

ISO 20000 is designed to ensure that your IT services meet the needs of the business, its staff and its customers. To achieve this, the standard requires a service management system, commonly referred to as an ITSMS (IT Service Management System). Operating such a system lets you apply internationally recognised good practice for IT service management within your business and demonstrate to your customers and clients that you do so.

The standard is published in two parts. Part 1 specifies the requirements for IT service management; it is the basis for audits and defines the minimum you must meet for certification. Part 2 is a code of practice, internationally recognised as the benchmark for good practice in IT service management, which describes specific practices that bring the management processes into line with the requirements of Part 1.

Any business, large or small, can seek ISO/IEC 20000 certification. The standard is best suited to organisations with a strong IT service focus, including those with call centres, IT departments, internal IT providers and IT outsourcing providers. In such organisations ISO/IEC 20000 can make the same positive impact it has had on leading companies in sectors from telecommunications to finance.

ISO/IEC 20000 is aligned with the good practice of the ITIL framework (Information Technology Infrastructure Library), and it can also be supported by other frameworks such as the Microsoft Operations Framework (MOF). This allows the ISO/IEC 20000 requirements to be integrated into the everyday procedures of a working business.

Many websites describe the ISO/IEC 20000 standard and offer training courses and other resources to help you or your business adopt it. Note the distinction between two kinds of credential: an individual can earn an ISO/IEC 20000 qualification (for example a foundation or auditor course) through training and examination, whereas an organisation is certified only after an audit of its service management system by an independent certification body; certification cannot simply be purchased. Online resources and portals can point you to the software, training courses and conferences that will help you start standardising your IT service management practices. You can also choose to align with ISO/IEC 20000 without seeking certification. Either route, compliance alone or formal certification, can markedly improve your IT service management and your business as a whole.

ISO 27001 Certification Process

Certification is carried out by an independent, accredited certification body. Note that the International Organization for Standardization (ISO) itself does not certify organisations. Businesses seeking independent certification of their ISMS (Information Security Management System) should go to a certification body that has been accredited by a national accreditation body to audit against ISO 27001.

The International Organization for Standardization (ISO) has developed a series of information security standards, the best known of which is ISO 27001. ISO 27001 replaced the British Standard BS 7799-2. Other members of the ISO 27000 family include ISO 27003, covering ISMS implementation guidance; ISO 27004, covering measurement; and ISO 27005, covering information security risk management. However, claims of ISO 27001 certification are often misinterpreted, or used as a guarantee where they should not be: the certificate attests that a management system exists and is operated within a stated scope, not that the organisation cannot be breached. The standard expects its implementation to be in the hands of qualified people, and many certification bodies offer ISO 27001 lead auditor training classes.

ISO 27001 describes how to build what ISO calls an ISMS. An ISMS built on a documented decision to accept or treat each assessed risk, with third-party certification providing outside verification of the level of assurance, is an excellent tool and will create a working management system for information security.

Why Certify against ISO 27001?
No government codes or regulations require ISO certification, so why bother? ISO certification can support the company's business and marketing goals. It is becoming increasingly common for ISO 27001 certification to be a prerequisite in procurement specifications, and as buyers become more sophisticated in their understanding of the ISO 27001 accredited certification scheme, they will set out their requirements more specifically, not only in respect of the scope of the certification but also of the level of assurance they require.

This rapid maturing of buyers' understanding, as they seek greater assurance from accredited certification to ISO 27001, is driving organizations to improve the quality of their ISMS and, by extension, the granularity and accuracy of their risk assessments.

Certification applies a discipline to information security: planning, implementing and maintaining the ISMS well enough to achieve a highly effective information security program, which in turn enables the business to be certified against ISO 27001. An external certification auditor should assess the ISMS against the published standard, not against the advice of a scheme manager, a consultant or any other third party. It is therefore critical that those responsible for the ISMS can refer explicitly to the standard's clauses and intent and defend every implementation step they have taken against the Standard itself. An audit by an independent, accredited body is mandatory for certification (as opposed to a self-declaration of conformance); it gives management an initial and ongoing target to aim for and ensures that the organization has actually implemented the standard.

The three cornerstones of information protection are confidentiality, integrity and availability. Confidentiality means guarding against unauthorized disclosure of information, that is, against access by outsiders or by insiders who have no need to know. Integrity means guarding against unauthorized modification or destruction of information, so that data remains accurate and complete. Availability means that information, and the systems that hold it, are ready for use when needed; a loss of availability is the disruption of access to, or use of, information or an information system.

To build a proper security plan, a business should focus on these three cornerstones. How can an organization manage information security and maintain all three? One answer is to implement an ISMS and use the ISO standards as a guide to developing it effectively. The Plan-Do-Check-Act (PDCA) cycle is the management model on which the ISO 27001 ISMS is built, and the standard provides guidance on implementing an ISMS by following that cycle.

Using ISO 27001 Consultants For Information Security Audit

With today's rapid technological development, threats to the information held in systems are commonplace. IT companies, application developers, web-based systems, mobile software developers and many other sectors hold large volumes of information in their databases. Wherever so much data is stored, breaches become likely if protection is inadequate. To test the adequacy of the protection they have implemented, companies should have an information security audit carried out from time to time. Such an audit exposes vulnerabilities the company was not aware of until the audit was done.

ISO 27001 consultants are experts with extensive knowledge of the ISO 27001 certification. ISO 27001 is a specification for an information security management system and applies to almost all kinds of commercial activity; it is not confined to electronic systems, so every form of information and data storage, paper records included, can be audited by ISO 27001 consultants. Obtaining the certification helps a company build trust with its customers, trading partners, stakeholders and even its own employees. Its credibility in the market increases because people know that the information shared with the company is being managed. An information security audit by such consultants checks that security measures are actually being followed at all levels of the organisation.

From time to time an IT company may ask ISO 27001 consultants to carry out a readiness or internal audit of how it maintains the confidentiality, integrity and availability of information. Such an audit covers defining objectives, organisational security, communications and operations management, access control, and compliance with current requirements, including those for application security. Note that a consultant who helped design or implement the ISMS cannot also issue the certificate: the certification audit must be performed by an independent accredited certification body, which in turn is barred from consulting for the clients it certifies.

An information security audit involves a number of processes that only experts in ISO 27001 can carry out properly. From reviewing the documentation to pointing out gaps in the system, everything is examined by the ISO 27001 consultants. The applicability of recommendations made by internal audit is also checked. Once policies and guidelines have been laid down in line with the current standard, the company needs to implement them promptly, so that when the on-site external certification audit takes place later, everything is in place and ISO 27001 certification can be granted.

A penetration test is an authorised, ethical attempt to breach the security controls of an IT company or developer. Penetration testing highlights weaknesses in application security controls, particularly those that an attacker could actually exploit. IT companies engage security firms to uncover vulnerabilities through this form of testing, which is largely manual, supported by tooling. The result of a penetration test is a report giving full details of the security issues found, the results of exploitation, and tactical and strategic recommendations. ISO 27001 itself does not mandate penetration testing; it is one way of gathering evidence that technical controls work as documented.

Many firms now have dedicated ISO 27001 consultants who carry out internal audits and pre-certification readiness audits for their clients. The standards define good business and information security practice, and a company that adheres to them gains many advantages.

ISO 27001 Security Management: What Can It Do For Your Business?

ISO 27001 security management is an example of best practice in information security for any business, whatever its size, and can lead to significant cost savings.

The international standard ISO 27001 covers the planning, implementation, monitoring and improvement of an information security management system. It is cast in general terms, applicable to any size of organisation, and is dependent on human expertise for its application in a specific case. Its sister standard, ISO 27002, is a code of practice for information security, often used together with it.

Since its publication, there has been a growing need for ISO 27001 security management on the part of companies, especially those that are subject to regulation in this area.

There is a wide range of ISO 27001 security strategies, and the details will vary from one organisation to the next. Not every firm will require all possible information security countermeasures; which controls apply is decided by the risk assessment and recorded in the Statement of Applicability. Small firms, especially, may require only a minimum of procedures and technology in order to comply with the standard. This makes it all the more important that a firm's information security management is carried out by someone with expertise and experience of both the ISO 27001 standard and the field of information security in general, since the standard itself (intentionally) gives very little guidance on how to apply it to specific situations.

So the question then becomes one of either developing an in-house ISO 27001 function, or hiring specialist expertise from a security firm. Many factors determine which is the best solution for your business, such as: the size of your business, the skill-sets of existing employees, the complexity of your computers and networks, what regulations the business is subject to, and (of course) the available budget.

For larger organisations, it can be more cost-effective to develop their own in-house function for undertaking ISO 27001 security management, which can then become a resource for all other sections of the company. This applies even if the company is multinational, since the ISO 27001 standard is an international one.

In the case of smaller companies, however, it might be difficult to justify committing significant resource to a function which is not a core business process. It may be more cost-effective to outsource their ISO 27001 security management to a specialist information security firm, especially if information security requirements are fairly straightforward. This type of management solution will avoid the need to hire a full-time dedicated employee at a professional-level salary, and will also minimise the need to buy specialised software.

Whichever type of solution is chosen, appropriate ISO 27001 security management can lead to cost savings.

It is clear that ISO 27001 security management is a major aspect of information security for any business, whatever its size, and deserves to be taken seriously – not least because it can lead to significant cost savings.

ISO Focus+ Zeroes in on Crisis Management, ISO Celebrates With MPEG

The May 2012 issue of ISO's official magazine, ISO Focus+, is off the press. The latest issue, according to ISO, focuses on crisis management in the light of recent natural and man-made disasters, attacks on IT networks, and terrorist threats.

Dealing with the aftermath of disasters is a major management undertaking, so emergency preparedness becomes the linchpin of any strategy for containing the after-effects. The latest issue offers readers an overview of the various types of calamity, as well as how international standards can be used to best advantage to manage the different stages of recovery.

The new issue, although certainly not as immediate in its effect on everyday life as is the impact of, say, the standards ISO 9001 or of ISO 27001, demonstrates how truly widespread the need is today for ISO standards and the training associated with them (for instance, ISO 9001 training and ISO 27001 training).

Of special interest to crisis managers are the topics on: mitigating the consequences of a nuclear accident, ISO safety signs and graphic symbols for helping lessen risks to people, and future ISO guidelines for crisis management to help protect the all-important water utilities. The issue also features the lessons learned from the recent earthquake disaster that befell Christchurch, New Zealand.

In addition, ISO Focus+ May has an exclusive interview with Jim Ingram, CEO of Medair, a nongovernmental organization that delivers life-saving relief and rehabilitation to areas of disaster, conflict, and other crises.

Meanwhile, coming up in a future issue of ISO Focus+ is the "MPEG 100 Event," the hundredth meeting of the Moving Picture Experts Group, better known as MPEG for its spectacularly successful digital compression standards, led by the similarly named MPEG-2.

MPEG 100 Event, held from April 30 to May 4, 2012 in Geneva, Switzerland, attracted top-tier executives of ISO (International Organization for Standardization) and the International Electrotechnical Commission (IEC). ISO and IEC work together under the joint technical committee ISO/IEC JTC 1, Information technology, under which MPEG operates as subcommittee SC 29, Coding of audio, picture, multimedia and hypermedia information, working group WG 11, Coding of moving pictures and audio.

The event celebrated nearly 25 years of progressive innovation-involving thousands of digital media experts from hundreds of companies in dozens of countries coordinating to advance digital compression technology-that have seen MPEG develop and put into homes worldwide audio and video digital compression standards such as MP3, MPEG-2, MPEG-4, and popularize in unprecedented ways digital multimedia enterprises such as the multimillion-dollar MP3, set-top box, DVD, and mobile communication industries.

Also attending the event were the International Telecommunication Union (ITU) and the World Intellectual Property Organization (WIPO). MPEG and ITU have collaborated on two video compression standards in the past and are currently working together on the High Efficiency Video Coding (HEVC) standard.

ISO Certification – Hidden Revenue Streams For ISO Registrars

The problem:

Despite significant developments in IT and Internet technologies, many organizations, including some of significant size, continue to use ineffective and inefficient paper-based processes for collecting and analyzing quality, environmental and other management system data. Delays in the availability of system performance indicators hamper management's ability to make timely tactical and strategic business decisions. While there are numerous electronic and Internet-based solutions on the market offering computerized approaches to handling elements of, or entire, management systems, the cost of such solutions is prohibitive for the majority of small and medium-sized enterprises.

The solution:

A simple solution is to develop and offer a competitive, economical Internet-based management system application that provides an attractive margin for the registrar offering it and measurable added value to the client. A registrar considering this should first confirm that offering such a tool to the clients it certifies does not conflict with the impartiality requirements of its accreditation (ISO/IEC 17021), which bar certification bodies from providing management system consultancy to those clients.


An established registrar already has a customer base with developed business relations, credibility and trust. Marketing and customer acquisition in this environment should be noticeably more efficient than starting from scratch with a new product in the marketplace. Prospects may be offered a free trial period of one to three months. The client's investment of time and effort in entering data, together with the high usability of the system, will help convert a trial user into a paying subscriber.

Differentiation – unique selling points:

The following unique selling points of this service should be considered: low cost to attract and retain wide range of customers; possible consideration of “seat number”-independent subscription fees to simplify customer cost structure and financial planning; intuitive navigation to win customer loyalty; screen-specific recorded training sessions to reduce customer support costs.


To estimate return on investment (ROI) the following assumptions were made:

– Client base (prospects) – 3,000. This number is twice the existing customer base and conservatively represents the number of locations that will hold separate licenses;
– Customer acquisition rate per month – 1% of client base
– Subscription fees per location – $199.00
– Customer retention rate – 95% per month
– Development cost – $150-200,000
– Marketing, technical support and maintenance costs -$5,000 per month
– First year ROI for one module equals to 96%
– Breakeven point, based on the assumptions above, is reached on the twelfth month of operation for one module
– The second year ROI for one module, based on the assumptions above, equals to some 580%. 

Development and implementation strategies:
In the initial stage, one major management system module (such as documentation management or NC-CAPA) should be developed, validated and implemented. The initial module will include system administration, log-in and security features. Subscription services will be offered to existing clients, and through the Registrar's website and Internet marketing the subscription may be offered to the general public as well. While the subscriber base for the first module grows, further modules such as calibration, preventive maintenance, training, auditing and others should be developed, implemented and offered to clients, generating additional revenue. A multilingual option may be developed to accommodate the needs of non-English-speaking customers.
Copyright Quality Works

How to Set the ISO For Canon EOS 5D Mark II

The ISO settings on digital cameras replicate the rated speeds of the films of yesteryear. In very general terms, ISO expresses the light sensitivity of the sensor in the same way that film speeds expressed how sensitive a film was to light. But there is a difference between film and digital sensors: as the sensitivity setting increases on a digital camera, the output of the sensor is amplified, and the visible side effect is the digital counterpart of what we called grain with high-speed film. So, although you can raise the ISO sensitivity at any point while shooting, the trade-off of the increased amplification, or of excessive charge accumulating on the pixels, is an increase in digital noise, and digital noise means an overall loss of resolution and image quality.

Partly because the 5D Mark II has relatively large pixels on the sensor and because Canon has done a fine job of implementing advanced internal noise-reduction processing, the 5D Mark II stands out as the top performer even at high-sensitivity settings, particularly at exposure times of 30 seconds or less.

In this mode, borrowed from point-and-shoot cameras, Auto ISO controls the sensitivity of the sensor depending on the shooting mode you're in. In Full Auto, Creative Auto, P, Tv or Av, the camera selects from the ISO 100-3200 range. Switch to M or B, or add a Speedlite, and Auto ISO locks in at ISO 400. Auto ISO is shown as an A on the LCD panel when selected; it sits at the bottom of the scale and is reached by pressing the ISO selection button and rotating the Main dial counterclockwise.

ISO range and Custom Function options

The 5D Mark II offers a wide ISO range, including Auto and settings from 100 to 6400 in 1/3-stop or 1/2-stop increments, set by using the options in C.Fn I-01. The range can be expanded to include ISO 50 (shown as L), 12800 (shown as H1) and 25600 (shown as H2) by setting C.Fn I-03 to On. Be aware that ISO 50 reduces the dynamic range in the highlights by approximately 1 stop, which makes it less useful in high-contrast light. ISO 50 can be useful in a studio setting, where it provides extra flexibility in aperture choice.

With the 5D Mark II, Canon offers an option to reduce or eliminate noise in long exposures.

Using the long-exposure noise-reduction option, available through C.Fn II-01, noise is totally or virtually eliminated by in-camera processing that is very capable but takes almost as long as the exposure itself to complete.

Setting the ISO and extended range ISO

To change the ISO setting on the 5D Mark II, follow these steps:

1. Press the ISO selection button above the LCD panel. The current ISO setting appears on the LCD panel and in the viewfinder.

2. Turn the Quick Control dial clockwise to set a higher sensitivity or counterclockwise to set a lower sensitivity. The camera displays the ISO settings as you turn the dial. If you have ISO expansion turned on with C.Fn I-03, then ISO 50 is shown as L, ISO 12800 is shown as H1, and ISO 25600 is shown as H2. The ISO setting you select remains in effect until you change it again.

To turn on ISO expansion, follow these steps:

1. Press the Menu button and then tilt the Multi-controller until the Custom Function (orange) menu appears.

2. Press the Set button. The Custom Function screen appears, and the Custom Function number control in the top-right corner of the screen is activated.

3. Turn the Quick Control dial to set the C.Fn I number to 03 and then press the Set button. The ISO expansion control is activated.

4. Turn the Quick Control dial clockwise to select option 1: On and then press the Set button. ISO expansion remains turned on until you change it.

ISO 9001 – A Process Interaction Matrix


One of the requirements of ISO 9001:2000, specified in paragraph 4.2.2 c), is that a company develop a quality manual that, among other things, contains "a description of the interaction between the processes of the quality management system." In my experience as a professional auditor with dozens of companies around the world, I have found that very few businesses had developed practical approaches to this requirement. Attempts to document process interactions range from busy, hard-to-read flow charts to cross-reference tables in the quality manual. One of the best tools I have seen for addressing the process interaction requirement was at Quality Works, a small online publishing company.

Initiation of the project

Quality Works, a small Internet-based publishing company, set itself the goal of establishing compliance with the ISO 9001:2000 standard. The Management Team assigned the company's Business Manager to develop and implement documentation addressing the new requirements of the standard. While most of the new requirements were simply addressed by preparing the corresponding procedures and work instructions, documenting the interaction of the processes created some difficulty. Attempts to document the interaction of processes with a traditional flow chart produced a hard-to-read, busy document that did not impress the management team.


To address this issue, the management group held a brainstorming session in search of a new tool. The group determined that there were two types of process: processes related to product realization and processes related to the management system, as follows:

Business management processes:

– Documentation management
– Management review
– Internal audit program
– Non-conformity and Corrective & Preventive Action (NC-CAPA) System
– Communication
– Resource management
– Record management
– Information technology

Product realization processes:

– Market analysis
– Product design
– Verification
– Validation
– Product release
– Order processing
– Product delivery
– Customer satisfaction
– Continual improvement

Identification of process interactions

Analyzing the system and product realization processes, the management team concluded that virtually all system processes are interrelated. For example, management review may receive inputs from corrective actions, communication, internal audits and so on. The internal audit process receives inputs from all processes within the company and provides feedback or input to all of those processes.

The product realization processes were found to be more linear than the system processes. For example, the results of market analysis initiate product design. Product design leads to verification. If verification is successful, validation of the product takes place. Validation results in product release and, finally, communication regarding the availability of the product. Customer satisfaction and continual improvement close this sequence, with the possibility of providing inputs into product delivery, order processing, product release and so on.

To document process interactions, the company chose two tools. First, the top-level definition of the process interactions was documented in the Process Interaction Matrix shown in Figure 1. Second, the well-known technique of flow-charting was used for those processes that required graphical illustration.


Use of the Process Interaction Matrix at Quality Works showed it to be a helpful, concise method of defining and documenting the interaction of processes for an ISO 9001:2000 quality management system. Based on our experience, we also realized that the same matrix can be used for other standards that require the interaction of processes to be defined, such as ISO 13485:2003 [2], ISO/TS 16949 [3] and others.


The author would like to express his gratitude to Maria Allen, the President of Quality Works, for her willingness to conduct and publish this case study.


[1] ISO 9001:2000 Quality management systems – Requirements

[2] ISO 13485:2003 Medical devices – Quality management systems – Requirements for regulatory purposes

[3] ISO/TS 16949 Quality management systems – Particular requirements for the application of ISO 9001:2000 for automotive production and relevant service part organizations

Copyright Quality Works

Managing Risk in Information Technology

As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization's strategic deployment of information technology in order to achieve its corporate goals; the second relates to risks to the information assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks to information assets are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL has long provided an extensive collection of best-practice IT management processes and guidance. But in spite of an extensive range of practitioner-oriented certified qualifications, ITIL alone gives an organization no way to prove, to its own management let alone to an external third party, that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned: the ITIL book on information security does little more than refer to a now very out-of-date version of ISO/IEC 17799, the information security code of practice (since renumbered ISO/IEC 27002).

The emergence of the international standards for information security management (ISO/IEC 27001) and IT service management (ISO/IEC 20000) changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certified as having information security and IT service management processes that meet an international standard, and organizations that can demonstrate the quality and security of their IT services and information security processes to customers and potential customers gain a significant competitive advantage.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than that of an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, combined with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (formerly BS 7799-2) helps organizations make the step to systematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes – and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the “service provider”) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of the ITIL.

Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

* Combined Code and Turnbull Guidance (UK)

* Basel II

* EU data protection, privacy regimes

* Sectoral regulation: FSA (1), MiFID (2), AML (3)

* Human Rights Act, Regulation of Investigatory Powers Act

* Computer misuse regulation

Those organizations with US operations may also be subject to US regulations such as Sarbanes-Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). Compliance depends as much on information security as on IT processes and services.

Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations – particularly those around personal privacy and data protection – are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.

Management Systems

A management system is a formal, organized approach used by an organization to manage one or more components of its business, including quality, the environment and occupational health and safety, information security and IT service management. Most organizations – particularly younger, less mature ones – have some form of management system in place, even if they’re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).

Standards and Certifications

Formal standards provide a specification against which aspects of an organization’s management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.

Integrated Management Systems

Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common – management review, corrective and preventative action, control of documents and records, and internal quality audits – to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, and which enables organizations to benefit from lower cost initial audits, fewer surveillance visits and which, most importantly, allows organizations to ‘join up’ their management systems.

The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best-practice contained in ITIL. This is a huge step forward for the ITIL world.


(1) Financial Services Authority

(2) Markets in Financial Instruments Directive

(3) Anti-money laundering regulations

(4) Gramm-Leach-Bliley Act

(5) Health Insurance Portability and Accountability Act

(6) Online Personal Privacy Act

ISO 9001 Consulting – A Risk Management Approach

The Problem With How Consultants Implement ISO 9001 Quality Management Systems

ISO 9001 requires that an organization identify and implement effective controls over its quality management processes. Businesses will typically identify their processes under typical categories such as operational processes, support processes and outsourced processes. Collectively the controls exercised over these processes make up their quality management system (QMS). Many ISO 9001 consultants and organizations go about implementing QMS process controls in a very superficial manner, resulting in a system that does not provide any value to the organization and consequently no return on the cost of its investment. The main reason they got certification was to satisfy a customer contractual requirement.

But ISO 9001 can do a whole lot more for an organization if implemented the right way. Effective risk management control over each QMS process and the interaction between processes can result in huge improvements in an organization’s productivity and bottom line.

The Solution: So how does an organization use risk management to control its processes?

A process typically has inputs, outputs and value-adding activity. Each of these process characteristics uses various resources. These resources include manpower, materials, machinery and equipment, facility and environment, methods, management, etc. These resources are all variables and subject to risk in their use.

An organization must identify the nature and degree of such risk and implement appropriate controls over it. Tools such as Fishbone analysis or FMEAs (Failure Mode and Effects Analysis) may be used to perform this risk analysis. A discussion on how to use these risk analysis tools will be left to another article.

Listed below are some of the controls an organization should consider for each of the resources used in any QMS process.


– Inventory management

– Inspections & Tests

– Standards & Specifications

– Supplier Management

– Identification & Traceability

– Turnover & Preservation


– Capability, capacity & technology

– Engineering & support

– Inspection, measuring & test equipment

– Tools, dies & fixtures

– Maintenance & supplies

– Equipment layout


– Skills, knowledge & experience

– Training

– Responsibility & Authority

– Empowerment, Motivation & Morale

– Adequate staffing

– Health & Safety


– Building & facilities

– Environment controls

– HVAC and other utilities

– Housekeeping, health & safety

– Lighting, air quality & noise

– Contingency/emergency measures


– Systems & Procedures

– Inspection & Tests

– Quality Plans & Checklists

– Work Instructions

– Bill of manufacture/assembly

– Technology/automation/robotics

– Operational and administrative software

– Process flowcharts

– FMEAs & process controls

– Drawings & blueprints


– Objectives/tracking/review/improvement

– Standards/codes/regulations

– Specifications/tolerances/criteria

– Operational data/statistics/SPC

– Efficiency & effectiveness

– Customer Satisfaction

– Benchmarking


– Leadership & Planning

– Policies & Objectives

– Commitment & involvement

– Organization & resources

– Follow-up & review

– Communication

How To Use These QMS Process Variables:

– Determine which of these resource variables apply to each process identified in your QMS.

– Determine which combination of controls apply to that process variable – process input, output or value-adding activity.

– Implement the controls you have identified and verify their effectiveness.

This article provides a brief overview of using a risk management approach to implement ISO 9001 effectively in an organization. Keep in mind that ISO 9001 is a business management tool, so the benefits you get from using it are directly related to how effectively you use it. The risk management approach is a very powerful way to use ISO 9001 to effectively control your business and benefit significantly in terms of customer satisfaction and profitability.