Most organizations face challenges when developing a quality management system. These challenges are potentially greater due to:
- Availability of resources;
- Costs involved in setting up and maintaining a quality management system;
- Difficulty in understanding and applying a quality management system, especially concepts such as organizational context, organizational knowledge, process approach and risk-based thinking.
1. What is a quality management system?
A quality management system (QMS) is the way an organization directs and controls its activities that are related to achieving its intended results.
Broadly, it consists of the organization’s structure together with the planning, processes, resources and documented information that are used to achieve quality objectives (such as meeting customers’ and relevant interested parties’ requirements, improving the quality management system, or improving products and services).
Every organization already has a management structure, and its quality management system is built on that basis. An organization might already be fulfilling many of the requirements included in ISO 9001 but simply has not yet organized its activities into a formal quality management system.
2. Why have one?
The adoption of a QMS is a strategic decision that helps an organization to improve its overall performance and to provide a sound basis for its sustainable development initiatives.
Many organizations implement a formal quality management system after finding that their customers want assurance that the products and services they are looking to purchase or obtain will meet their requirements for quality. Those customers are looking for the confidence that can be provided by an organization offering products and services produced under an effective quality management system, such as one conforming to ISO 9001.
A quality management system, on its own, will not necessarily lead to an improvement of work processes or to improvements of products and services. It will not solve all industry problems. It is a means for organizations to take a more systematic approach to fulfilling the organization’s objectives, which in turn should achieve such improvements.
3. What is ISO 9001:2015?
ISO 9001:2015 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement).
4. What benefits implementation can bring:
- Ensure that customers get consistent, good-quality products and services, which in turn brings business benefits;
- Assess the overall context of the organization to define who is affected by its work and what they expect from you. This will enable you to clearly state your objectives and identify new business opportunities.
- Put your customers first, making sure you consistently meet their needs and enhance their satisfaction. This can lead to more repeat custom, new clients and increased business for your organization.
- Work in a more efficient way as all your processes will be aligned and understood by everyone in the business or organization. This increases productivity and efficiency, bringing internal costs down.
- Meet the necessary statutory and regulatory requirements.
- Expand into new markets, as some sectors and clients require ISO 9001 before doing business.
- Identify and address the risks associated with your organization.
5. This standard is applicable to:
Any legal entity operating in sectors such as Pharma, Chemicals, Food Processing, Iron and Steel, Construction, Automotive, Aerospace and Granite, and service organizations such as Trading Houses, Banks, Hospitals, Diagnostic Centres, Insurance, Educational Institutions, Government Agencies and NGOs, is eligible to implement the standard and get certified.
1. Introduction to ISO 27001:2013 - Information Security Management System
In today’s business environment, information is the lifeblood of any organization. Increasingly, organizations and their information systems are exposed to security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Computer viruses, hacking and denial of service attacks have become more common and more sophisticated.
2. What is ISO 27001 - Information Security Management System?
An Information Security Management System (ISMS) is a systematic approach for managing sensitive company information and information entrusted to companies by third parties so that it remains secure. It encompasses people, processes and IT systems.
3. Why ISO 27001:2013?
- Increased trust from partners, customers and the public;
- Systematic detection of vulnerabilities;
- Control of IT risks;
- Reduced chance of security breaches in the IT environment;
- Preserving the confidentiality of information.
4. What are the benefits?
- Mitigates risk and information security breaches
- Demonstrates due diligence and due care
- Provides a proactive approach to legal, regulatory and contractual compliance requirements
- Provides assurance over the organization’s internal controls
- Demonstrates management’s commitment to the security of business and customer information
- Helps the organization gain a competitive advantage
5. Applicable to:
Suitable for any organisation, large or small, in any sector. The standard is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. The standard is also applicable to organisations that manage high volumes of data or information on behalf of other organisations, such as data centres and IT outsourcing companies.
1. Introduction to ISO 14001:2015 - Environmental Management System
Awareness of environmental problems is growing in most countries and it is believed that current development patterns cannot be sustained in the long term. Governments are increasingly enacting legislation aimed at protecting the environment, and customers are requiring their suppliers to incorporate best practices and demonstrate compliance with environmental requirements.
2. What is ISO 14001:2015?
This standard sets out the criteria for an environmental management system. It provides a framework that a company or organization can follow to set up an effective environmental management system.
It can be used by any organization regardless of its activity or sector.
This standard can provide assurance to company management and employees as well as external stakeholders that environmental impact is being measured and improved.
3. Why have ISO 14001:2015?
- Meet the company’s legal requirements and manage its environmental impact.
- Set measurable objectives and targets to reduce environmental impact and maintain legal compliance.
- Gain the support of the company’s leadership for an EMS.
- Communicate and share objectives, targets and results with both internal and external stakeholders.
4. Benefits of ISO 14001:2015
Organizations and companies find that using the standard helps them achieve:
- Improved control and management of emissions, effluents and wastes;
- Avoidance and safe handling of hazardous or potentially polluting materials;
- Reduction in generated wastes;
- Energy efficiency improvements and cost savings;
- Conservation of natural resources, including water, land and precious minerals;
- A comprehensive approach to satisfying legal and other requirements;
- Operational efficiency and cost savings;
- Environmental initiatives that are aligned with business priorities;
- Increased profitability, better access to markets and improved relationships with stakeholders (e.g. customers, regulators, investors, insurers, neighbours).
5. This standard is applicable to:
Organizations of all kinds that are concerned with achieving and demonstrating sound environmental performance by controlling the impacts of their activities, products and services on the environment. This includes manufacturing industries such as Cement, Steel, Pharma, Chemical and Food Processing, and service industries such as Construction, ETP service providers and Software service providers.
1. Introduction to ISO 20000-1:2018 - IT Service Management System
Service businesses exist to supply their customers with intangible benefits such as providing amenities, facilities, or advice. Perhaps to an even greater extent than physical goods, success in the service sector means understanding and meeting your customers’ expectations. But, in a fast-paced, digital world, these expectations constantly change.
In today’s dynamic service environment, ISO/IEC 20000-1:2018 can be integrated with popular management methods (such as Agile, Lean or DevOps), service management frameworks and methodologies (ITIL®, COBIT®, CMMI-SVC®) and additional standards (ISO 9001, ISO/IEC 27001, ISO 31000) into the IT service management system.
2. What is ISO 20000-1:2018?
It is an international standard for quality management that focuses specifically on IT services. It ensures that the organization’s service delivery is carried out in a way that drives customer satisfaction through improved service.
This standard specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an IT SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
3. Why ISO 20000-1:2018?
- To improve the quality of company services;
- To demonstrate the organization’s ability to meet customer requirements;
- To gain competitive advantage;
- To demonstrate reliability.
4. What benefits it brings to business:
- Reduction in incidents, response times and interruptions to IT services, and improved incident management
- Clarity in understanding roles and objectives
- Legal compliance and awareness
- An integrated process approach to delivering IT services
- Improved customer satisfaction and client retention
- Service and delivery consistency
5. To whom it is applicable:
- Any organization seeking services from service providers and requiring assurance that its service requirements are fulfilled;
- Any organization that requires a consistent approach by all its service providers, including those in the supply chain;
- Service providers that intend to demonstrate their capability for the design, transition, delivery and improvement of services that fulfil requirements.
1. Introduction to ISO 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Organisations the world over are increasingly aware of the business value that cloud computing brings and are taking steps to transition to the cloud. A smooth transition entails a thorough understanding of the benefits as well as the challenges involved. One of the key challenges of cloud computing is how it addresses the security and privacy concerns of businesses planning to adopt it and of the cloud service providers (CSPs) implementing it.
The fact that valuable enterprise data will reside outside the corporate firewall raises serious concerns. Hacking and other cyber-attacks on cloud infrastructure can have a domino effect and affect multiple clients even if only one site is attacked.
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information and explore viable security options in order to protect their information systems.
2. What is ISO 27017?
ISO/IEC 27017 is a standard developed for cloud service providers and users for securing the cloud-based environment and minimising the potential risk of a security incident.
ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organisations. It is relevant not only to organisations that store information in the cloud, but also to providers that offer cloud-based services to other companies that may hold sensitive information.
This standard is built upon the ISO 27002 standard, but allows for specific controls to be added for the needs of cloud organisations and their end-users.
The assessment is normally structured in tailor-made verification steps. The output of this verification process can be made available both internally within the company and publicly. The organisation may also choose to define a boundary for the assessment in relation to the core issues of the standard, focusing on those that are most crucial to the organisation itself and its business practices.
3. Why is ISO/IEC 27017 Important?
Cloud data security is vital, as clients will want to be sure that their data is safe while stored in the cloud. The ISO/IEC 27017 standard allows the organisation to commit to a long-term goal.
The organisation will have an internationally standardised framework on which to base its cloud security. Once the requirements have been internalised, the organisation will be able to reduce operational and reputational risks and work towards a sustainable future.
The standard extensively covers topics such as asset ownership, recovery actions if the CSP is dissolved, disposal of assets holding sensitive information, segregation and storage of data, alignment of security management for virtual and physical networks, and others.
4. What benefits it brings to business:
- Develop a long-term strategy;
- Increase transparency;
- Reduce reputational risks;
- Win customer trust;
- Inspire trust in your business;
- Gain competitive advantage;
- Protect your brand reputation;
- Protect against fines.
5. ISO 27017:2015 is applicable to:
Cloud service providers and cloud service customers.
1. Introduction to ISO/IEC 27018:2019 - Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them.
The standard is followed by ISO/IEC 27017, which covers the wider information security aspects of cloud computing other than privacy.
2. What is ISO 27018:2019?
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII that might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
3. Why ISO 27018:2019?
- Vast quantities of data are held in the public cloud, necessitating thorough protection requirements.
- Data breaches can result in individuals losing rights and freedoms, identity theft, monetary penalties and a huge loss of reputation for the responsible data controller.
- Compliance obligations to protect personal data and ensure it is treated in accordance with the law.
4. What benefits ISO 27018 brings to business:
- Competitive advantage,
- Protects your brand reputation,
- Reduces risks – ensures that risks are identified, and controls are in place,
- Protects against fines,
- Help grow your business.
5. Applicable to:
- Any organisation, large or small, in any sector. The standard is especially suitable where personal data such as payroll, HR or clients’ payment details are stored in a cloud environment and must be protected.
- If your organisation has already implemented an ISO 27001 ISMS, then you are already covered for 70% of the regulations within ISO 27001. However, if you are operating using cloud-based technologies, ISO 27018 is seen as an effective bolt-on standard, as companies wish to demonstrate GDPR compliance specifically for data that is stored in the cloud.
1. Introduction to ISO/IEC 27701:2019 - Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems that support compliance with GDPR and other data privacy requirements. ISO 27701, also referred to as PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.
It can be used by all types of organizations that are Personally Identifiable Information (PII) controllers and/or PII processors processing PII within an ISMS, irrespective of their size, complexity or the country in which they operate.
2. What is ISO/IEC 27701:2019?
ISO/IEC 27701 specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS). It builds on the requirements in ISO/IEC 27001, the information security management system (ISMS) standard, and the code of practice for information security controls in ISO/IEC 27002.
ISO/IEC 27701 provides the management system framework to protect personally identifiable information (PII). It covers how organizations should manage personal information and assists in demonstrating compliance with applicable privacy regulations.
3. Why ISO/IEC 27701?
It reduces risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.
This standard is a great way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance with GDPR and other related privacy legislation.
Organizations looking to get certified to ISO 27701 in order to comply with GDPR will either need to have an existing ISO 27001 system or implement ISO 27001 and ISO 27701 together as a single management system. ISO 27701 is a natural expansion to the requirements and guidance set out in ISO 27001.
This standard is essential for every organization that is responsible and accountable for PII, as it provides requirements on how to manage and process data and safeguard privacy. It enriches an already implemented ISMS to properly address privacy concerns, by assisting organizations in understanding the practical approaches involved in implementing effective management of PII.
4. What benefits it brings to business:
- Protect the organization’s reputation
- Build customers’ trust
- Increase customer satisfaction
- Increase transparency of the organization’s processes and procedures
- Maintain the integrity of customers’ and other interested parties’ information
- Ensure information within the company is secure and effectively managed
- Ensure information is available on time
- Prevent loss, abuse and unauthorized modification of information
- Ensure information is only accessible to authorized persons
- Assist compliance with legal and data protection requirements
5. To whom ISO 27701 is applicable:
Software development, cloud and IT support companies, banks, insurance companies, brokerage houses, internet providers, government agencies, healthcare, pharmaceutical and food processing organizations.
Our consulting approach:
- Gap Analysis: Assessment of existing management system practices against the selected standard requirements.
- Project Plan: Prepare an implementation project plan based on the client’s target timelines;
- Orientation Training: Orientation of top/senior management on the selected standard’s requirements and preparation of implementation action plans;
- Developing different levels of documentation (Tier 1-3/4): identification of the processes required for the products produced and services provided; external and internal issues affecting the business; interested parties’ needs and expectations; framing a draft quality policy, organizational objectives, roles, responsibilities and authorities, the risks and opportunities that arise, functional and system procedures, and the various implementation formats and checklists;
- System Implementation: Implementation of the selected management system as per the developed documentation;
- Company-wide Training: Training on the detailed clause-wise requirements, relating them to each department, and internal audit training.
- Internal Audits: Periodic assessment of system implementation and corrective actions.
- Pre-assessment: Initial audit by the certifying agency and implementation of corrective actions.
- Final Assessment: Certification audit by the certifying agency and recommendation for certification.
Relevant IT/ITeS Industry Standards
- ISO 9001-Quality Management System,
- ISO 14001-Environmental Management System,
- ISO 27001-Information Security Management Systems,
- ISO 20000-IT service management,
- ISO 22301-Business Continuity Management,
- CMMI-Capability Maturity Model Integration,
- Lean Six Sigma
Professional training for individuals:
Internal Auditor: 1) ISO 9001-Quality Management System-QMS, 2) ISO 14001-Environmental Management System-EMS, 3) OHSAS 18001-Occupational Health and Safety Assessment Series, 4) ISO 27001-Information Security Management System-ISMS, 5) ISO 20000-IT Service Management System-ITSM, 6) SSYB-Six Sigma Yellow Belt, 7) SSGB-Six Sigma Green Belt and 8) SSBB-Six Sigma Black Belt.
Lead Auditor: 1) ISO 9001-Quality Management System-QMS, 2) ISO 14001-Environmental Management System-EMS, 3) ISO 27001-Information Security Management System-ISMS, 4) ISO 20000-IT Service Management System-ITSM.