Vinod Kumar

CCAT Audit and how is it connected with ISO 9000 family and what is ISO 27000?

You have probably heard it several times at your company: management or the Quality/Risk functions busily preparing for the annual audits and using jargon like CCAT, ISO and some long strings of numbers.


Well, let's dive in and learn more about some of these audits and standards.


I have been through several internal and external audits in my career, and the first question I had the moment I heard of a CCAT audit was: what does the abbreviation stand for, and who are they?


Did you ever Google what it is?


People who have been part of these audits for years may not even know the abbreviations or the actual purpose of doing them, so it is important to educate your teams on the purpose of these audits.



So, getting back: what is CCAT?


Connecticut Center for Advanced Technology, Inc. (CCAT for short)


In simple words:


The CCAT program is designed to provide practical tips and skills for auditing ISO 9001-based quality management systems, to ensure that the required standards are met.


In short, CCAT teaches internal auditing techniques (audit preparation, planning and reporting) that help companies get certified to ISO 9001. CCAT itself is a training provider, not a certification body.





The name ISO is derived from the Greek 'isos', meaning equal. Because the organization's full name would have a different abbreviation in each language, the founders simply called it ISO.


ISO is an independent, non-governmental international organization with a membership of 165 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.



Think of a standard as a formula that describes the best way of doing something.


It could be about making a product, managing a process, delivering a service or supplying materials. Standards cover a huge range of activities.


Standards are the distilled wisdom of people with expertise in their subject matter and who know the needs of the organizations they represent – people such as manufacturers, sellers, buyers, customers, trade associations, users or regulators.


  1. ISO 9000 Family - Quality management standards to help work more efficiently and reduce product failures.

  2. ISO 14000 Family - Environmental management standards to help reduce environmental impacts, reduce waste and be more sustainable.

  3. ISO 45001 - Health and safety standards to help reduce accidents in the workplace.

  4. ISO 50001 - Energy management standards to help cut energy consumption.

  5. ISO 22000 - Food safety standards to help prevent food from being contaminated.

  6. ISO/IEC 27001 - IT security standards to help keep sensitive information secure.


The standards mentioned above are defined and explained in depth here - ISO - Standards



PS: My experience covers quality management principles and security audits, so my coverage will mainly be around these areas. Please feel free to go through the links above to learn more about the rest of the standards and best practices.



How did this all get started?


In London, in 1946, 65 delegates from 25 countries met to discuss the future of international standardization. In 1947, ISO officially came into existence with 67 technical committees (groups of experts focusing on a specific subject).


Read the ISO story, how they started and where they are now, here: ISO - About us



ISO does not perform certification or issue certificates. It develops the international standards; the actual certification audits are performed by external certification bodies. ISO - Certification



ISO 9001:2015 - Quality Management System


Adopting a quality management system is a strategic decision for an organization that can help improve its overall performance and provide a sound basis for sustainable development initiatives.



The potential benefits to an organization of implementing a quality management system based on this International Standard are:

  1. the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements;

  2. facilitating opportunities to enhance customer satisfaction;

  3. addressing risks and opportunities associated with its context and objectives;

  4. the ability to demonstrate conformity to specified quality management system requirements.


ISO 9001 is built on seven quality management principles (defined in ISO 9000:2015), and the standard expects your organization to address all of them.


The seven quality management principles are:

  1. Customer focus - meeting customer requirements and striving to exceed their expectations; the benefits include increased customer value, satisfaction (CSAT), loyalty, repeat business, reputation, customer base, revenue and market share.

  2. Leadership - establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives.

  3. Engagement of people - Competent, empowered and engaged people at all levels throughout the organization are essential to enhance its capability to create and deliver value.

  4. Process approach - Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.

  5. Improvement - successful organizations have an ongoing focus on improvement.

  6. Evidence-based decision making - decisions based on the analysis and evaluation of data and information are more likely to produce the desired results.

  7. Relationship management - For sustained success, an organization manages its relationships with interested parties, such as suppliers.


Quality management principles - this ISO document gives, for each principle, a statement of what it is, the rationale for why it is important, examples of the benefits associated with it, and actions you can take to improve.





ISO/IEC 27001 specifies the requirements for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.



Here are the main ISO 27001 clause requirements, which are clearly explained in detail here - ISO 27001:2013 - Requirements and Annex A Controls

  • 4.1 Understanding the organization and its context

  • 4.2 Understanding the needs and expectations of interested parties

  • 4.3 Determining the scope of the information security management system

  • 4.4 Information security management system

  • 5.1 Leadership and commitment

  • 5.2 Information Security Policy

  • 5.3 Organizational roles, responsibilities and authorities

  • 6.1 Actions to address risks and opportunities

  • 6.2 Information security objectives and planning to achieve them

  • 7.1 Resources

  • 7.2 Competence

  • 7.3 Awareness

  • 7.4 Communication

  • 7.5 Documented information

  • 8.1 Operational planning and control

  • 8.2 Information security risk assessment

  • 8.3 Information security risk treatment

  • 9.1 Monitoring, measurement, analysis and evaluation

  • 9.2 Internal audit

  • 9.3 Management review

  • 10.1 Nonconformity and corrective action

  • 10.2 Continual improvement


Certification against this standard helps you identify risks, assess them and put systematic controls in place.


Work with your risk management team to select and implement the appropriate controls (clauses 6.1, 8.2 and 8.3 above), and keep the documented evidence that they operate, since that is what the auditor will ask to see.



Note: when displaying your certificate (ISO - Certification):

  • Don't say: "ISO certified" or "ISO certification"

  • Do say: "ISO 9001:2015 certified" or "ISO 9001:2015 certification" (for example).




Conclusion


Setting up these standards effectively as part of your governance model, and delegating some of the key tasks to your team members, increases understanding of these audits and helps your delivery teams provide better value to stakeholders (both internal and external).


More importantly, you will not have to spend too much time preparing documents for these audits, because you will already have them prepared and kept up to date as part of your configuration management.



Do you have any interesting stories from preparing for these audits? Please leave your comments below.

