30 years in the Quality field including experience as QA Manager for a Fortune 100 company and as a Quality System Certification auditor for the top Registrars in the field - plus over 10 years of Information Technology Management in dual roles. Specialties: ISO 9001 Quality, ISO 14001 Environmental, OHSAS 18001 Safety, ISO/IEC 27001 Information Security, RAB QSA Certified Assessor.

ISO 14001 New Version Publication Status

ISO 14001 is currently undergoing the final stages of revision. I wanted to provide you a quick update on where things stand. I'm keeping it brief because much of this was discussed in June, so there is already plenty of information out there.

The current target publication date is the end of January 2015, and as of 11 May 2013 it was at the “30.60” or “close of voting/comment period” stage of development.

Keeping it Clean

If you’d like to see what all the stages of development are, click here. These stages apply to any standard, not just 14001. Down the left column are the basic stages; indented from those are the substages. It's easy to follow.

Essentially, the most recent Committee Draft (CD) is being reworked, and we can likely expect a Draft International Standard (DIS) near the end of this year. It will take until the summer of 2014 for the Final DIS (FDIS) to be released – then, in January 2015, the next version is published.

From what I understand, the technical committee responsible for Environmental Standards, TC 207, has two meetings next month, so progress is being made – in addition to whatever electronic correspondence is occurring.

If you happen to be in Bogotá, Colombia on the 13th of September you might be allowed into TC 207’s Working Group 6 meeting on “Validation and verification of greenhouse gas assertions and bodies for use in accreditation or other forms of recognition”. Then again, you might not. Bring your sunscreen, just in case you end up at the beach.

And it looks like there’s a meeting for ISO 14004’s 3rd working draft on the 9th of September (14004 is “Environmental management systems — General guidelines on principles, systems and support techniques”) – very exciting, isn’t it? No? Seriously, this whole suite of EMS standardization is long overdue for an update.

That’s a summary of where ISO 14001 stands in terms of timing; I will let you know as soon as I hear anything else. I’m trying to get a copy of the last Committee Draft – unfortunately it’s been pulled from the normal channels. When I do, I’ll give it a run through.

In the meantime, go forth – and calibrate thyself – and when you do, please do it in an environmentally responsible way. Keep an eye on your greenhouse gas emissions, for example.

Thanks!
Sal

ISO 27001:2014 – New Version SOON

ISO 27001 is the main information security management system standard. It is being revised, with the new version due out next October. They’re long past the CD stage that 9001 is in, and into the second FDIS stage. Next is publication (IS).

I’m leaning toward the opinion that it is a significant change, and from what I can see it also brings the standard, originally written in the early 2000s (a completely different Information Age), into a more consistent level with the other popular ISO Management System Standards, like ISO 9001.

In fact, in some ways ISO 27001 will beat 9001 to the punch. For example, as mentioned in an earlier post, 9001 is doing away with Preventive Action and folding it into Risk – 27001 is doing the same thing, but sooner.

That aside, this standard will comply with what is known as Annex SL of ISO/IEC Directives, Part 1, Consolidated ISO Supplement, 2013. This is to increase compatibility with other ISO management system standards.

All Annex SL standards will share this clause structure:

  • Introduction
  • Scope
  • Normative references
  • Terms and definitions
  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement

Here is a run-down of the major changes:

Interested parties

The huge importance of interested parties, which can include shareholders, authorities (including legal and regulatory requirements), clients, partners, etc., is recognized in the new ISO 27001 – there is a separate clause that specifies that all the interested parties must be listed, together with all their requirements.

This is definitely an excellent way of defining key inputs into the ISMS.

Documented information

The concepts of “documents” and “records” are merged together; so, now it is “documented information.” Consequently, all the rules that are required for documentation control are now valid for both documents and records; the rules themselves haven’t changed much from the old ISO 27001.

The requirement in the old standard for documented procedures (Document control, Internal audit, Corrective action, Preventive action) is gone – however, the requirement for documenting the output from those processes remains in the new standard. Therefore, you don’t need to write those procedures, but you need to maintain all the records when managing documents, performing internal audits, and executing corrective actions.

Also, the clause from the old standard where all the required documents are listed (4.3.1) is gone – there is no central list of required documents.

Risk assessment and treatment

The requirement now is to identify the risks associated with confidentiality, integrity and availability. Formerly, it was assets, vulnerabilities and threats. Risk based on consequences and likelihood remains unchanged. It seems subtle, but this essentially gives more freedom in the way the risks are identified. Having said that, I don’t expect too many folks to move away from the assets-vulnerabilities-threats methodology.

And now, while the risk assessment process needs to be defined in advance, the methodology does not need to be documented.

And lastly, the term “Asset owner” is replaced with “Risk owner” – subtle, right? But you see what that does: it separates the asset from the risk, putting the responsibility on people.

Objectives, monitoring and measurement

Now there are separate clauses with rules establishing the need to set clear objectives, defining who will measure them and when, who analyzes and evaluates the results, and the need for action plans to meet them.

Fairly significant, and hugely vital. It should also serve to mesh requirements from other parts of the enterprise.

Corrective & preventive actions

As mentioned, preventive actions are history as a separate thing, now merged with the requirements for improvement and Risk Management.

The distinction between corrections, made as a direct response to a nonconformity, and corrective actions, made to eliminate the cause of a nonconformity, is now made clearer. Essentially this is what was sometimes called “short-term” and “long-term” corrective action.

Communication

This is also a new clause where all the communication requirements are summarized – detailing the specifics: the what, when, who and how. Again, this should bring IT and IS departments into the full fold of the operation.

Annex A Controls

There are now three more sections, bringing the total to 14 – while the number of controls has dropped from 133 to 113. Not that there are really fewer requirements; there’s a fair bit of combining and moving going on. I should also mention that there is now only Annex A.

Getting into each section and control is a bit more than I want to do here, but this is the list of the new arrangement – glean what you will:

  • 5 Security Policies
  • 6 Organization of information security
  • 7 Human resource security
  • 8 Asset management
  • 9 Access control
  • 10 Cryptography
  • 11 Physical and environmental security
  • 12 Operations security
  • 13 Communications security
  • 14 System acquisition, development and maintenance
  • 15 Supplier relationships
  • 16 Information security incident management
  • 17 Information security aspects of business continuity
  • 18 Compliance

All in all, a pretty significant update and somewhat overdue. I’m afraid it won’t last more than a few years, given the rate of change in this industry.

Very much looking forward to how it all plays out.

Thanks for listening! Go forth, and calibrate thyself –

Sal