ISO 9001:2015 was released on 23 September 2015. For the official ISO announcement of the ISO 9001:2015 release, see http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref2002.
ISO 9001:2015 marks a significant milestone in the journey of the ISO family of management system standards. Beginning with early adopters such as ISO 27001:2013, the ISO management system standards are being aligned with a common structure (known as the High-Level Structure). This is very useful for organizations that comply with more than one ISO standard, since clauses, terms and definitions line up across standards.
In addition to better integration across standards, the new structure improves consistency in understanding and implementing the basic principles that constitute a good management system. The best known of these principles is the PDCA (Plan-Do-Check-Act) cycle, also called the Deming or Shewhart cycle, which is deeply embedded in the ISO standards.
ISO 9001:2015 also introduces a risk-based approach. This is quite similar to the concept of Enterprise Risk Management (ERM). Viewed from a pure business perspective, the management systems in any organization essentially have a single purpose: to reduce surprises and disruptions to the business.
This aspect is also covered by the business continuity management (BCM) strategy of the organization. In some sense, ERM and BCM are trying to solve the same business problem, differing only in orientation. BCM addresses how to ensure continuity once a disruption occurs, whereas ERM addresses how to keep disruptions from occurring in the first place.
This concept now finds explicit recognition in ISO 9001:2015. It is worth noting that, as with ERM, the scope of ISO 9001:2015 can be extended beyond the traditional areas of core operations and their management.
The risks to an organization can come from multiple and varied sources, as listed below. Risk originating from core operations and their management is just one of them:
- Core operations and management
- Government rules and regulations
- CSR and good corporate citizen duties and responsibilities
- Employee rights and safety
- Customer rights and obligations
- Financial and liquidity position
- Management actions and constraints
Processes remain an important part of the ISO 9001:2015 standard. However, the flexibility in terms of documentation has increased considerably with the introduction of the term "documented information", which replaces the earlier distinction between documents and records.
On the ground, however, this has already been happening. Information in the form of emails, or displayed on the screen of an information/IT application, has long been accepted as a valid document. The underlying requirement is that the data/information be visible and verifiable, which is clearly met in such cases.
For software development and other organizations that use the CMMI framework, any maturity level 3 or higher implementation will already have a risk management framework in place. The focus in CMMI is on project-level risk, but it can easily be extended to identify and manage risks to the business at the organization level.
Organizations with an ISO 27001:2013 implementation in place will already be managing risks to information assets. This practice can be extended, with the necessary adaptations, to cover risks to the business itself at the organization level.
For organizations that are already ISO 9001:2008 certified, the changes required on the ground should be few. Some of the changes are as follows:
- Revisit the Quality Policy to include a reference to the risk-based approach
- Revisit and update the Quality Manual by adding a section on risk management, both at the department level (including departments beyond core operations and their management), to be managed by the department heads, and at the organization level, to be managed by the head of the organization
- Optionally restructure the Quality Manual in line with the High-Level Structure; this is not mandatory as long as the Quality Manual covers the requirements fully
- Create or modify existing processes in line with the changes to the Quality Manual
The overall effort depends on what is already in place:
- If only ISO 9001:2008 is in place, a lot of effort
- If ISO 27001:2013 is also in place, some effort
- If CMMI maturity level 3 or higher is also in place, minimal effort