What are (The International Organization for Standardization) (ISO) standards?
Using the standards aids in the creation of products and services that are safe, reliable and of good quality. The standards help businesses increase productivity while minimizing error and waste. By enabling products from different markets to be directly compared, they facilitate companies entering new markets and assist in the development of global trade on a fair basis. The standards also serve to safeguard consumers and end-users of products and services, ensuring that certified products conform to the minimum standards set internationally. ISO is based upon the Deming Plan-Do-Check-Act cycle.
This is a model for improvement that is sustained, rather than just a one-time quick fix, and it is for this reason that it is applied to all ISO standards. The ISO standards have, as a main goal, continual improvement within all their Management Systems.
How is Plan-Do-Check-Act (PDCA) defined in the ISO 9001 Standard Requirements?
In the introduction to ISO 9001, there is an explanation of the Process Approach and how critical it is to implementing a Quality Management System that is compliant with ISO 9001 requirements. In addition,, there is a note about the PDCA methodology application for all processes. It shows an overview of how the standard requirements fit within a PDCA cycle. Following is a description of the cycle of improvement within the QMS (with the ISO 9001 clause numbers in brackets).
Plan – Planning is one of the biggest parts of Quality Management Systems (QMS) and starts with understanding the context of the organization and the needs of parties interested in the QMS (4.1 & 4.2), which is then used to define the scope of the QMS and the QMS processes (4.3 & 4.4). This is followed by the commitment of leadership in the company to drive the organization to a customer focus by defining the organizational roles and responsibilities and by establishing a quality policy to give the overall QMS a focus (5.1, 5.2 & 5.3). The next level of planning is to identify and address risks and opportunities of the QMS, including setting and planning for quality objectives and changes to support continual improvement (6.1, 6.2 & 6.3). The final level of planning is to identify and implement the support structure to allow you to carry out your plans. This includes resources (7.1), identifying competence (7.2), awareness (7.3), communication (7.4) and to set the processes for creation and control of documented information (7.5).
Do - Planning is useless unless the plan is carried out. Controls need to be identified for the QMS operations, product or service requirements need to be identified (8.2), designs developed (8.3), controls placed on externally provided processes, products and services (8.4). The process of producing the product or service needs to be carried out with control of product and service release (8.5 & 8.6), any non-conforming products or services need to be addressed (8.7). In short, the activities of creating and providing products or services to the customers’ needs to be done.
Check – There are several requirements in the standard to check the processes of the QMS to ensure they are functioning properly and as planned. There is a need to monitor, measure, analyze and evaluate the products or services to ensure they meet requirements, the processes used are adequate and effective, and customer satisfaction is being met (9.1). Internal Audit (9.2) of the processes is key to assessing the effectiveness of the system. Further is the Management Review process (9.3), which reviews and assesses all the monitored data to make changes and plans to address the issues.
Act – Action involves the actions needed to address any issues found in the check step. “Improvement” (10.1 & 10.3) is the overall heading for these action steps (10.1). The first step to improving the system is addressing nonconformity and Corrective Actions (10.2) to eliminate the causes of actual or potential nonconformities.
Plan – As stated, this cycle starts again to ensure there are plans in place for further improvement. Findings during the Internal Audit in the “Check” phase may have led to corrective actions from the “Act” phase, which in turn will require changes in planning to meet the updated requirements in the “Do” phase. The Management Review looks at the outcomes of Internal Audit, Corrective Actions and outputs resource plans to support any changes. Resources are assessed and increased, decreased or re-assigned as the business needs dictate. This leads into another cycle of PDCA.
An example: Your company planned to reduce scrap by 5% by making certain changes to a process. The changes were made and the process ran. Checking showed that you reduced the amount of scrap by 3%, and you acted to make further changes to improve. A planning step for this process might be to make changes to reduce the scrap by an additional 4% in the following year.
Why should Organizations, Charities, Trusts, Foundations or Business’s become ISO certified?
Do you run a charity? Are you responsible for raising its profile, attracting supporters and recruiting employees or volunteers? Then you should consider our ISO certification for charities service.
Gaining ISO certification is the clearest way of demonstrating your commitment to running a safe, efficient and responsible organization. The ISO standards can help you reduce your environmental impact, improve health and safety, strengthen information security and deliver effective business continuity management.
Whether your charity opts for the ISO 9001 Quality Management standard or one of the many other standards, it will benefit from improved management processes. By improving your internal processes, you can reduce costs and use your funding more efficiently, so delivering maximum value to your frontline services.
How will ISO assist your Organizations, Charity, Trust, Foundation or Business? An example:
“NewCo” is a organization supporting homeless, vulnerable and isolated people in Alaska. At risk are children, young people and aging adults with support around housing, education and employment, and their mental health and wellbeing. Solutions need to be created for housing, waste management (garbage, sewage, and human waste treatment), electricity and reliable sources of potable water.
To satisfy the requirements of many of their locations, governing bodies, and/or countries, NewCo was advised they needed to show their commitment to giving reliable charity services. After evaluation by the Board of Directors it was decided that the only true international solution was that the organization must be certified to several ISO standards; ISO 9001, ISO 14001, ISO/IEC 20000-1, ISO/IEC 27001, and ISO 45001. These standards provided Information Security, policy, objectives, risk management, document organization, tracking, environmental, health and safety processes to ensure the effectiveness of their efforts.
The board adopted a program that allowed for them to address the 5 major risk and opportunity areas that they identified within their research. NewCo was able to incorporate a customized rollout schedule, implementing and certifying the five identified ISO management systems on their budget-based time-frame. This implementation process assisted the cash flow, ease of education, incorporated the desired culture and maintained a consistent and steady implementation process that incorporated the simplest ISO program to the most complex program. The 5 programs they choose were:
· ISO 9001:2015 (Quality Management)
· ISO 14001:2015 (Environmental)
· ISO/IEC 20000-1:2018 (IT Services)
· ISO/IEC 27001:2013 (Information Security)
· ISO 45001:2018 (Health and Safety)
NOTE: Not all organizations require all five ISO standards.
RISK and OPPORTUNITY
The most recent releases of the ISO standards have incorporated Risk and Opportunity requirements.
Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Several risk management Standards have been developed including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards.
Strategies to manage threats (uncertainties with negative consequences) typically include avoiding the threat, reducing the negative effect or probability of the threat, transferring all or part of the threat to another party, and even retaining some or all the potential or actual consequences of a particular threat, and the opposites for opportunities (uncertain future states with benefits).
Types of risk?
Negative and Positive Risks. An opportunity with a positive outcome may be considered a positive risk.
Although the range of risks a business can face is wide, some common examples are:
Information security risk
ISO Compliance, Certification & Accreditation explained.
The International Organization for Standardization (ISO) produces thousands of standards every year covering multiple topics and disciplines. A certain group of those standards, known as management system standards, are designed to support organizations in delivering products and services which are higher in quality, safer, more secure, more resilient and environmentally friendly. These standards are well known such as ISO 9001 (Quality Management), ISO/IEC 20000-1:2018 (IT Services), ISO/IEC 27001 (Information Security), ISO 14001 (Environmental), and ISO 45001 (Health and Safety).
Within the industry there is a lot of “noise” about compliance, certification and accreditation, and the difference between these terms.
Any organization can choose to implement a management system standard and use the standard to drive improvement and manage risk. They can choose to meet the requirements and perform internal audits as part of their overall management system. When an organization implements such standards there are no mandatory requirements (demanded by the standards themselves) to undergo an external audit. Essentially any organization can implement the standard and claim to be compliant.
Customers of such organizations may ask that their suppliers meet certain standards, and, in some cases, suppliers may simply state that they are compliant however some customers may go one step further and ask for evidence or choose to audit their supplier. For organizations with multiple customers, this could certainly be a large burden having to handle multiple customer audits through the year. This costs time, resources and often money, to produce the same evidence time after time.
Certification to ISO standards for an organization is simply a way of proving that an organization does indeed comply with the relevant standard(s). It does not involve implementing extra requirements or controls, and if an organization has already become truly compliant, certification should be a simple next step.
Certification involves an audit being performed by an independent organization known as a certification body. A certification body will usually perform an audit in two stages:
Stage one is a high-level review of the management system, whereas stage two is used to look at the management system in much closer detail to provide evidence of compliance in various areas.
A good certification body and its auditors will approach the audit from a positive perspective, attempting to find evidence of conformity and are not looking to “catch” or deceive people. If non-conformities are found by failing to fulfill requirements of the standard, then agreements can be made on how this will be addressed, which in some cases may need a re-visit, and in others it may be acceptable to correct the non-conformity over a longer period.
If an organization meets the requirements and is recommended for certification, then the certification is awarded for a period of three years. During that time, the organization must undergo annual surveillance audits. Surveillance audits are much smaller than the original audit and are designed to check whether the organization is maintaining and improving its management system.
What are the benefits of being certified?
If an organization has taken the time to become compliant then getting certified can have the following benefits:
Does my certification body have to be accredited by the accreditation authority in my country?
There is a simple motto “one accreditation international recognition”. Some certification bodies such as International Auditors (IAI), BQC-Certifications, LMS, etc. work globally and undergoing accreditation audits in every single country in which they operate in would not make sense. All GAF members recognize each other. It is a requirement for accreditation authorities to do so “Accreditation body members must declare their common intention to join the GAF Multilateral Recognition Agreement (MLA) recognizing the equivalence of other members’ accreditations to their own.”
If your certification body is accredited by a member of the IAF, that is the major point.
Sign up to hear from us about specials, sales, and events.