Category Archives: ISO 27001

ISO Online Collections – IT Management

Online collections from ISO.org can be a fantastically good deal. With an online collection you get the most up-to-date versions by paying a yearly or monthly subscription fee. By paying the fee, the various standards in the collection can be accessed via ISO’s “Online Browsing Platform”.

I should point out, by the way, that I don’t have any kind of “kickback” deal with ISO.org. I’m just pointing to a good deal and saying, “Hey, that’s a good deal!”

The online browsing platform for online collections is a tabbed interface where multiple standards can be viewed at once.

Depending on your subscription or purchase license status, documents may be downloaded as well. As with all things in the cloud, however, if you don’t have Internets – you won’t have access to your documents. Not such a big deal these days.

The online collections aren’t exactly inexpensive in themselves, but when compared to the cost of the individual standards – literally thousands can be saved.

IT Management – Online Collections

Recently (last week), ISO.org made available a collection of IT-related documents as one of the online collections. It consists of 80 documents that are intended to assist an Information Technology professional.

It is a surprisingly comprehensive list within the following categories:

  • Governance
  • Project management
  • Service management
  • Information security management (ISO/IEC 27000)
  • Risk management (ISO 31000)
  • Records management
  • Systems and software engineering: application management, software life-cycle processes, system life-cycle processes, architecture description
  • Business continuity and disaster recovery
  • Energy efficiency
  • Quality (ISO 9000)

If you were considering starting down the path of an ISO 27001 or 20001 Registration, this should be one of your first steps.

Hey, I get a quantity discount on space – here’s the whole list:

ISO/Guide 73:2009(en) Risk management — Vocabulary
ISO 5127:2001(en) Information and documentation — Vocabulary
ISO/IEC 7498-1:1994(en) Information technology — Open Systems Interconnection — Basic Reference Model: The Basic Model — Part 1
ISO 7498-2:1989(en) Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture
ISO/IEC 7498-3:1997(en) Information technology — Open Systems Interconnection — Basic Reference Model: Naming and addressing — Part 3
ISO/IEC 7498-4:1989(en) Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 4: Management framework
ISO 9000:2005(en) Quality management systems — Fundamentals and vocabulary
ISO 9001:2008(en) Quality management systems — Requirements
ISO 9001:2008/Cor.1:2009(en) Quality management systems — Requirements TECHNICAL CORRIGENDUM 1
ISO 9004:2009(en) Managing for the sustained success of an organization — A quality management approach
ISO 10006:2003(en) Quality management systems — Guidelines for quality management in projects
ISO/IEC 12207:2008(en) Systems and software engineering — Software life cycle processes
ISO 14001:2004(en) Environmental management systems — Requirements with guidance for use
ISO 14004:2004(en) Environmental management systems — General guidelines on principles, systems and support techniques
ISO 14050:2009(en) Environmental management — Vocabulary
ISO/IEC 15288:2008(en) Systems and software engineering — System life cycle processes
ISO/IEC 15504-1:2004(en) Information technology — Process assessment — Part 1: Concepts and vocabulary
ISO/IEC 15504-2:2003(en) Information technology — Process assessment — Part 2: Performing an assessment
ISO/IEC 15504-2:2003/Cor.1:2004(en) Information technology — Process assessment — Part 2: Performing an assessment TECHNICAL CORRIGENDUM 1
ISO/IEC 15504-3:2004(en) Information technology — Process assessment — Part 3: Guidance on performing an assessment
ISO/IEC 15504-4:2004(en) Information technology — Process assessment — Part 4: Guidance on use for process improvement and process capability determination
ISO/IEC 15504-9:2011(en) Information technology — Process assessment — Part 9: Target process profiles
ISO/IEC 15504-10:2011(en) Information technology — Process assessment — Part 10: Safety extension
ISO 15489-1:2001(en) Information and documentation — Records management — Part 1: General
ISO/TR 15489-2:2001(en) Information and documentation — Records management — Part 2: Guidelines
ISO/IEC 15504-5:2012(en) Information technology — Process assessment — Part 5: An exemplar software life cycle process assessment model
ISO/IEC 15504-8:2012(en) Information technology — Process assessment — Part 8: An exemplar process assessment model for IT service management
ISO/TR 15801:2009(en) Document management — Information stored electronically — Recommendations for trustworthiness and reliability
ISO/IEC 17020:2012(en) Conformity assessment — Requirements for the operation of various types of bodies performing inspection
ISO/IEC 17021:2011(en) Conformity assessment — Requirements for bodies providing audit and certification of management systems
ISO/IEC 17025:2005(en) General requirements for the competence of testing and calibration laboratories
ISO 19011:2011(en) Guidelines for auditing management systems
ISO/IEC 20000-1:2011(en) Information technology — Service management — Part 1: Service management system requirements
ISO/IEC 20000-2:2012(en) Information technology — Service management — Part 2: Guidance on the application of service management systems
ISO/IEC 20000-3:2012(en) Information technology — Service management — Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1
ISO/IEC TR 20000-4:2010(en) Information technology — Service management — Part 4: Process reference model
ISO/IEC TR 20000-5:2013(en) Information technology — Service management — Part 5: Exemplar implementation plan for ISO/IEC 20000-1
ISO/IEC TR 20000-10:2013(en) Information technology — Service management — Part 10: Concepts and terminology
ISO 20121:2012(en) Event sustainability management systems — Requirements with guidance for use
ISO 21500:2012(en) Guidance on project management

ISO 22300:2012(en) Societal security — Terminology
ISO 22301:2012(en) Societal security — Business continuity management systems — Requirements
ISO 22313:2012(en) Societal security — Business continuity management systems — Guidance
ISO/IEC 24762:2008(en) Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services
ISO/IEC 27000:2014(en) Information technology — Security techniques — Information security management systems — Overview and vocabulary
ISO/IEC 27001:2013(en) Information technology — Security techniques — Information security management systems — Requirements
ISO/IEC 27003:2010(en) Information technology — Security techniques — Information security management system implementation guidance
ISO/IEC 27004:2009(en) Information technology — Security techniques — Information security management — Measurement
ISO/IEC 27005:2011(en) Information technology — Security techniques — Information security risk management
ISO/IEC 27006:2011(en) Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems
ISO/IEC 27007:2011(en) Information technology — Security techniques — Guidelines for information security management systems auditing
ISO/IEC TR 27008:2011(en) Information technology — Security techniques — Guidelines for auditors on information security controls
ISO/IEC 27010:2012(en) Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications
ISO/IEC 27011:2008(en) Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC 27013:2012(en) Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC 27014:2013(en) Information technology — Security techniques — Governance of information security
ISO/IEC TR 27015:2012(en) Information technology — Security techniques — Information security management guidelines for financial services
ISO/IEC TR 27019:2013(en) Information technology — Security techniques — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
ISO/IEC 27031:2011(en) Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity
ISO/IEC 27032:2012(en) Information technology — Security techniques — Guidelines for cybersecurity
ISO/IEC 27033-1:2009(en) Information technology — Security techniques — Network security — Part 1: Overview and concepts
ISO/IEC 27033-2:2012(en) Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security
ISO/IEC 27033-3:2010(en) Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
ISO/IEC 27033-4:2014(en) Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
ISO/IEC 27033-5:2013(en) Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
ISO/IEC 27034-1:2011(en) Information technology — Security techniques — Application security — Part 1: Overview and concepts
ISO/IEC 27035:2011(en) Information technology — Security techniques — Information security incident management
ISO/IEC 27036-3:2013(en) Information technology — Security techniques — Information security for supplier relationships — Part 3: Guidelines for information and communication technology supply chain security
ISO/IEC 27036-1:2014(en) Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
ISO/IEC 27037:2012(en) Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO 31000:2009(en) Risk management — Principles and guidelines
ISO/IEC 38500:2008(en) Corporate governance of information technology
ISO/IEC TR 38502:2014(en) Information technology — Governance of IT — Framework and model
ISO/IEC/IEEE 42010:2011(en) Systems and software engineering — Architecture description
ISO 55000:2014(en) Asset management — Overview, principles and terminology
ISO 50001:2011(en) Energy management systems — Requirements with guidance for use
ISO 55001:2014(en) Asset management — Management systems — Requirements
ISO 55002:2014(en) Asset management — Management systems — Guidelines for the application of ISO 55001
ISO/IEC 90003:2004(en) Software engineering — Guidelines for the application of ISO 9001:2000 to computer software
ISO/IEC TR 90006:2013(en) Information technology — Guidelines for the application of ISO 9001:2008 to IT service management and its integration with ISO/IEC 20000-1:2011

Pretty Amazing, right?

Pricing, like I noted earlier, isn’t inexpensive – but it is a bargain. The yearly 1 user license is 488 CHF (about $545 USD) and the monthly is only 54 CHF ($60 USD). If one needed to do an intense investigation, a one month license could yield a fast trove of information.

There are also 2-5 and 6-10 user yearly and monthly licenses available.

There are other collections being added – I’ll discuss those in future posts. Here is a link to the current collection of online collections.

I hope you find something you like.

Happy Collecting.

Training Effectiveness Guide

Verification of training effectiveness is required by most of the frequently used management system standards. Even companies with well-established training programs struggle with how to evaluate and, moreover, how to realize value from their efforts.

Naturally, I see many methods of verification of training effectiveness in my audits – sometimes inspiring, sometimes – not so much. At the very least, it all makes me think. Without giving away anyone’s secrets, I thought I’d share my own thoughts.

The Requirement for Training Effectiveness

Verification of training effectiveness shows up in several of the popularly implemented standards: 9001:2008 (and in the DIS of the 2015 version), 13485:2003 (Medical devices), OHSAS 18001:2007 (Safety), and 27001:2013 (Information Systems).

You may note the omission of ISO 50001:2011 (Energy management) – verification of training effectiveness isn’t there, at least not directly.

And 14001:2004 (Environmental management), the current version, does not have a requirement to evaluate training effectiveness (old school), but the second draft (CD2) does have it. So, if you’re in that world – best start considering how you’re going to meet that need.

I’ll use the text from 9001 except where there’s a noteworthy difference in one of the other standards:

Competence, training and awareness
The organization shall

a) determine the necessary competence for personnel performing work affecting conformity to product requirements,

b) where applicable, provide training or take other actions to achieve the necessary competence,

c) evaluate the effectiveness of the actions taken,

d) ensure that its personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of the quality objectives, and

e) maintain appropriate records of education, training, skills and experience…

OHSAS 18001 (Safety) is particularly succinct (note how it also addresses risk):

The organization shall identify training needs associated with its OH&S risks and its OH&S management system. It shall provide training or take other action to meet these needs, evaluate the effectiveness of the training or action taken, and retain associated records.

The main point for our discussion today is that people get trained, and the effectiveness of that training must be evaluated.

Something as simple as this:

Figure: basic requirement flowchart

Ideally, though, if the training wasn’t effective one might question the training method. Another natural response, not wholly unwarranted, is to assume the person being trained is at fault; that he or she just didn’t “get it”. This is, in my experience, the typical reaction – and usually without justification.

But it need not be so. This is a larger topic, and mostly beyond the detail level of this post, but books and careers are made on the study of learning. If you’re interested in a fairly detailed work on that topic there’s How Learning Works: Seven Research-Based Principles for Smart Teaching. It’s geared more toward a university environment but it gives a fairly thorough understanding of the challenge.

For those of us juggling the job you were hired for plus the task of training, a great book choice is Design For How People Learn (Voices That Matter) by Julie Dirksen. It is certainly a practical and useful guide to the fundamental concepts of instructional design.

Failing that, simply showing someone a PowerPoint or loading a VHS tape doesn’t necessarily have any chance of providing an effective learning experience for some people – even if you do make them sign a piece of paper afterwards saying their eyes were mostly open most of the time.

A better flow diagram may look like this:

Figure: slightly more advanced training flowchart

Or, how about this? We’ve added a “lessons learned” that will modify the materials or methods for next time.

Figure: more enlightened training flowchart

Essentially, what I’m saying is before you train – evaluate what types of training would be suitable for both the task and the individual. Then, execute the training and make the evaluation of effectiveness. With this information in hand, go back and tweak the materials while providing any feedback to the training methodology for next time – and provide any needed retraining.

This is simply an extension of the Plan, Do, Check, Act (PDCA) methodology and is at the core of these standards.

Some Specific Methods to Evaluate Training Effectiveness

Let’s look at some common ways to evaluate training effectiveness.

Testing

Tried and true, and most corporations’ go-to method of determining training effectiveness. Written tests do lend themselves well to safety-related training, or clear requirements-based content such as ITAR or even general policies with “dos and don’ts”.

Just be sure that if testing is used that there is a minimum score needed. I’ve reviewed test results and have found individuals that have received fairly close to a zero and still “pass”.

What happens in this situation is that if there is a low hurdle to jump, it soon leads to corrections needed or non-conformances found in the process or product.

Typically the root cause of these initial non-conformances is found to be related to training, and this type of method defect is weeded out early.

Having said that, testing is a simple solution and is likely going to be in your bag of evaluation options, if done properly.

An On-going Review of Process Metrics

Essentially, the rationale is saying, “Hey, we have trained people, we measure the important metrics and our trends are good; within limits and we are improving where possible.”

It definitely can work. Naturally, the challenge is twofold; defining the meaningful metrics and measuring them in a consistent manner. Goals should be established already in response to The Standards’ other requirements.

If this method is used, be sure to clearly define how it works and have data to back it up. Remember, one of the other requirements is to maintain records to show the verification of training effectiveness – so clearly define what the record is.

Inquiry

It could be as simple as asking the individual who was trained, “How do you think the training went?” – this could be coupled with a short “trip report” (or not). This does tend to have limitations in terms of when it can be used, however. It is well-suited to external trainings or trainings to executive or higher-end technical positions, though it likely can be adapted to any situation.

A Review of an External Certification

Specific to externally performed trainings where the attendee completes a course and is given a post-course test or other plausible evaluation. Again, records would be needed to show this.

At Employee Reviews

A bit tricky in practice since these reviews often take place once a year but it is quite a common solution. Works particularly well for procedure or work-instruction-based trainings.

Similar to the “review of ongoing process metrics” method described above, this technique would predetermine criteria for success, coupled with the training that has occurred over the period.

The rationale being that successful completion of tasks and assignments; the day-to-day job would indicate effective training. Again, defining this process in detail, including records, is key to success.

Note that claiming effective training through the lack of problems or defects is not the same thing, especially if no one is formally looking at metrics in the first place.

So, that’s five methods for evaluating training effectiveness to consider:

  • Testing
  • An on-going review of process metrics
  • Inquiry
  • A review of external certification
  • At employee reviews

There are certainly more, particularly software-driven solutions as part of an HRIS application (Human Resource Information Systems) – but typically these need a little coaxing to fit the need (and are generally expensive).

I’m quite interested in other methods you might know of.

In Search of Value

The key though, is that your methods of training effectiveness, whatever they are, give something back to the organization.

The whole point is that it is a waste of resource to take up someone’s time with a training that isn’t absorbed and incorporated into the position.

Question Everything

What is the training trying to accomplish? If it is training to a procedure or work instruction – is the document needed in the first place?

Is it actually a training? Sometimes what companies call “training” is really only a communication – there is a difference, even if subtle. Typically a training teaches, while a communication informs – the distinction is up to the company to decide. It’s important to make that distinction since if it is training, the hoops come up (as I like to say). Training means evaluate training effectiveness; they go hand-in-hand.

If a process must be documented in order to ensure things go smoothly, then it is worth training people to follow that process. To ensure the training is valuable, ensure that the process is doing what it is supposed to be doing.

From the Top Down

The business is there for a reason; a policy is stated and goals and objectives support that policy.

People are hired with the needed competencies. When there is a gap between what they know coming into the organization and what they need to know to meet the goals and objectives – then training is needed.

Processes and documents are defined to realize the policy – these are often the things that must be learned. And when people know what they are doing – it all works according to plan.

It all points back to monitoring the processes, goals and objectives – this is the key to providing training that provides value. Verifying that the training does what it is supposed to do – evaluating training effectiveness – is simply protecting that investment in time and money.


Thanks for reading, I hope it helps – but don’t worry, it won’t be on the test.

Annex SL’s Impact

What does Annex SL have to do with an interesting table leg?
Some supports are interesting

While it might have been the intent that Annex SL would be the template for all new standards and revisions to standards – this isn’t exactly the reality.

Annex SL was described in the last post – you may review that HERE if you like.

As a quick summary, “Annex SL” is an ISO document that defines a framework – the basic structure with common terms and requirements – for a generic management system. A standard would be this structure PLUS any additional sector specific requirements.

Understanding this is the key to new ISO releases, such as DIS ISO 9001:2015.

ISO 9001:2015 will not be the first ISO management standard to employ Annex SL – nor will it be the last.

Already released and compliant with Annex SL:

  • ISO/IEC 27001, Information technology: Security techniques, Information security management systems
  • ISO 30301:2011, Information and documentation: Management systems for records
  • ISO 22301:2012, Societal security: Business continuity management systems
  • ISO 21101:2014, Adventure Tourism
  • ISO 20121:2012, Event sustainability management systems
  • ISO 39001, Road-traffic safety (RTS) management systems
  • ISO 55001, Asset management – Currently on CD ballot with publication scheduled for 2014.

What this means is, for one thing, organizations that have one management system in place will have the basic structure needed to adopt another one – or several.

En route via Annex SL:

  • ISO 9001:2015 (General Quality Management) – I’m guessing you knew that one
  • ISO 14001:2015 (Environmental management) – Also expected in 2015. I have been following the development of this standard and you’ll find related articles on the site
  • ISO 13485 (Medical devices. Quality management systems. Requirements for regulatory purposes) – Released as a Draft International Standard (DIS) on 20 Feb 2014. The voting period for that closes on 20 July of this year.

Probable Defections to Annex SL:

These standards, for various political and structural issues I can’t pretend to understand, probably will not utilize Annex SL as their template in the coming updates:

  • ISO/TS 16949 – International Automotive Task Force standard. Cars – the big automotive companies dictate what takes place in this rarefied playing field
  • AS9100/10/20 – International Aerospace Quality Group (IAQG) standards – Essentially these folks are the Vegans of the management system world. If you don’t know what I mean by that then I am sorry. Actually, I am also sorry either way
  • ISO 45001 (formerly OHSAS 18001) – Occupational Health and Safety. A bit of a controversial one to end on because the ultimate format isn’t set in stone. There are those who believe complying with the Annex SL structure will add too much “bloat” to the document. Apparently bloat is a bad thing.

That’s approximately the current Annex SL situation, with a few less notable omissions.

Personally, I’m hoping the structure holds firm and fast, as it should serve to make it easier for clients to adopt – and for auditors and certification bodies to consistently understand.

Can it be better? Probably – but it’s a start, and more importantly – a basis for common ground.

Thanks for checking in – and for calibrating yourself.
