<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ISO Consultants</title>
	<atom:link href="http://www.isoconsultants.co.uk/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.isoconsultants.co.uk</link>
	<description>Making Sense of Certification</description>
	<lastBuildDate>Fri, 12 Apr 2013 10:32:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>ISO 9001 &#8211; How to Make it Work</title>
		<link>http://www.isoconsultants.co.uk/iso-9001-how-to-make-it-work/</link>
		<comments>http://www.isoconsultants.co.uk/iso-9001-how-to-make-it-work/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 14:40:52 +0000</pubDate>
		<dc:creator>rob</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[ISO 9001]]></category>
		<category><![CDATA[The Diary of an ISO Consultant]]></category>
		<category><![CDATA[Cost effective]]></category>
		<category><![CDATA[Documentation]]></category>
		<category><![CDATA[EN ISO 9001]]></category>
		<category><![CDATA[Get ISO9001 Fast]]></category>
		<category><![CDATA[ISO 9001 failure]]></category>
		<category><![CDATA[ISO 9001 Quality]]></category>
		<category><![CDATA[ISO 9001 Requirements]]></category>
		<category><![CDATA[ISO 9001 worth it]]></category>
		<category><![CDATA[ISO audit preparation]]></category>
		<category><![CDATA[ISO Certification]]></category>
		<category><![CDATA[Quality Management System]]></category>
		<category><![CDATA[Requirements]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1998</guid>
		<description><![CDATA[<p>I received a call from a prospective customer, who explained that he’d bought a business which held an ISO 9001 certificate from a reputable certification body. However, he&#8217;d identified that discipline within the business wasn’t good, and that most of the staff were unaware of their operating processes. But although the business had a “sloppy” feel, [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/iso-9001-how-to-make-it-work/">ISO 9001 &#8211; How to Make it Work</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img src="http://www.isoconsultants.co.uk/wp-content/uploads/2013/03/Toolbox-800-300x279.jpg" alt="Toolbox 800" width="300" height="279" class="alignleft size-medium wp-image-1997" /><br />
I received a call from a prospective customer, who explained that he’d bought a business which held an ISO 9001 certificate from a reputable certification body. </p>
<p>However, he&#8217;d identified that discipline within the business wasn’t good, and that most of the staff were unaware of their operating processes. But although the business had a “sloppy” feel, the product range had potential and sales were reasonable. </p>
<p>He had a discussion with the company’s Quality Manager, who  tried to quell his fears, proudly producing a set of internal audits. So everything seemed fine. The certification body visited the next week, audited through the business, gave it an all clear and left.  So all was well.  Or was it?<span id="more-1998"></span></p>
<p>“But I know the system doesn’t work and the staff don’t know what’s in their operating procedures so can’t be following them!” he said to me.</p>
<p>Yes indeed.  I often ponder why other people don’t ask this.  How do we make ISO9001 truly work?</p>
<p>ISO 9001 provides tools that ensure consistent products and services are provided to a set cost and standard. It offers a process for managing longer term business improvement, helps to change cultures and can instil disciplines and consistent processes.  However,  many ISO certified companies see their newly-acquired standard as an end, not a beginning.   Having the tools does not get the job done.  Only using them does.</p>
<p>So back to my prospective customer and his “approved” company with little sign of “Quality”.  He&#8217;d probably just managed to escape having the ISO 9001 certificate removed by the certification body if things were really as bad as he suggested. But if the system wasn&#8217;t delivering, it was because the tools had stayed in the box. </p>
<p>There is overwhelming evidence that the processes which ISO 9001 encourages WILL deliver business improvement, so if they aren&#8217;t doing it in your business then it must be something to do with the way you are using them – a saw is always a saw, it will always cut, though if you leave it hanging on your shed wall, it might as well be a blunt pen knife.</p>
<p>An ISO 9001 management system WILL,  for example, provide a certificate which should get you through many high-value tender adjudications.  Beyond that, it will also provide a framework for continual improvement, encourage the establishment of business measures and metrics, formalise internal processes and procedures and drive consistency in their output.    But you need to see the system and the principles behind it as more than a certificate that means you can tender.</p>
<p>So what happened to my gentleman? I explained how the system worked and suggested he start by aligning the Quality Policy and its objectives with his Business Plan. It’s then up to him whether he uses the tools he has or keeps the box firmly shut. </p>
<p>I hope he uses them; we need more British businesses which are strong, innovative and improvement based.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/iso-9001-how-to-make-it-work/">ISO 9001 &#8211; How to Make it Work</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/iso-9001-how-to-make-it-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Medical Device Certification. Standards, Safety, and Going to Market.</title>
		<link>http://www.isoconsultants.co.uk/medical-device-certification-standards-safety-and-going-to-market/</link>
		<comments>http://www.isoconsultants.co.uk/medical-device-certification-standards-safety-and-going-to-market/#comments</comments>
		<pubDate>Tue, 12 Mar 2013 12:17:56 +0000</pubDate>
		<dc:creator>rob</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[ISO13485]]></category>
		<category><![CDATA[ISO14971]]></category>
		<category><![CDATA[Medical Device Certification]]></category>
		<category><![CDATA[Active implantable device directive]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[MDD90/386/EEC]]></category>
		<category><![CDATA[MDD93/42/EEC]]></category>
		<category><![CDATA[medical device testing and certificatiion]]></category>
		<category><![CDATA[Medical Devices Directive]]></category>
		<category><![CDATA[MHRA]]></category>
		<category><![CDATA[notified body]]></category>
		<category><![CDATA[regulation of medical devices]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1970</guid>
		<description><![CDATA[<p>I&#8217;m going to begin with what would normally be my closing comment, that is, there is much, much more to expand on in the whole area of medical device certification, compliance with The Medical Devices Directives, with ISO 13485, and ISO14971, etc, etc. What you read below is an executive summary for a very busy [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/medical-device-certification-standards-safety-and-going-to-market/">Medical Device Certification. Standards, Safety, and Going to Market.</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><img src="http://www.isoconsultants.co.uk/wp-content/uploads/2013/03/Medical-Device-Shopped3--1024x768.jpg" alt="Medical Devices" width="630" height="472" class="aligncenter size-large wp-image-1983" />I&#8217;m going to begin with what would normally be my closing comment, that is, there is much, much more to expand on in the whole area of medical device certification,  compliance with The Medical Devices Directives, with ISO 13485, and ISO14971, etc, etc.  What you read below is an executive summary for a very busy executive.  It&#8217;s an overview and outline, not an answer. But it&#8217;s a good starting point.<span id="more-1970"></span></p>
<p>Bringing a medical device to market presents a few challenges to the manufacturer.  Most new product development and launch runs simply along the lines of “design a product and find some customers”. In this situation, ISO certification is a “nice to have” for many manufacturers, (although of course, it shouldn&#8217;t be). </p>
<p>Now, in respect of medical devices, regulation tightens, and standards become mandatory for very good and obvious reasons.  If you are a producer of garden tools, faulty design and/or manufacture may result in litigation if an intrepid gardener snaps the shaft of one of your spades and falls in the mud.  For devices such as pacemakers, heart valves and the like, results of failure are, of course, far more serious.  Hence the EU framework and required standards.   </p>
<p>And, what, by definition, is a medical device?  Surprisingly, thermometers, stethoscopes and bandages are such, although given a different “risk classification” to something that keeps someone&#8217;s blood flowing.  There is a four-level ranking of hierarchy. You may have detected that it&#8217;s an area in which to proceed with due caution and plenty of qualified advice.</p>
<p>Broadly, the standards concern themselves distinctly with the design of a device, and the subsequent quality of production. &#8220;A badly-designed device made well&#8221; is just as lethal as &#8220;a well-designed device made badly&#8221;.  Product approval is the domain of a “notified body”, that is government-approved independent testing companies, charged with ensuring the product is of sound design and meets the necessary safety standards.</p>
<p>The Manufacturing approval is usually then down to a notified body approving the “management system” against ISO 9001, ISO13485, ISO14971 etc., which ensures that the appropriate steps have been put in place to consistently manufacture, and meet the mandatory elements of the Medical Device Directives MDD93/42/EEC and in certain cases MDD90/386/EEC, the Active Implantable Device Directive.  Overseeing the UK industry sits the MHRA, Medical and Healthcare Products Regulatory Agency, charged with policing the entire system.  This may seem a fairly cumbersome structure, but it ensures that what is meant to work, is designed to work properly, and is produced to a consistently high standard.</p>
<p>The good news is, once a product and company receives approval, it earns a Certificate of Conformity, gaining the right to CE mark and thus ability to sell throughout the EC.  The margin in such products, and corporate competency gained in achieving the standards, usually justifies the effort in ensuring conformity unless, like an infamous French breast implant manufacturer, you get a little greedy!</p>
<p>And if you were looking for an example of why all this is needed, consider those now infamous breast implants – the original, approved product was fine, and met design stipulations. It was only later that the profit-hungry business owner flouted that approval, “cost-reduced” the production items, substituting industrial-grade silicone for medical grade. The margin improved. The CEO was jailed.  The company closed.</p>
<p>I end where I began.  This is a large and varied topic, and one that not every ISO consultant may have a grasp of.  Please be in touch if we need to get together.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/medical-device-certification-standards-safety-and-going-to-market/">Medical Device Certification. Standards, Safety, and Going to Market.</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/medical-device-certification-standards-safety-and-going-to-market/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Horse Meat, Wine, and Breasts. – Why Standards Matter.</title>
		<link>http://www.isoconsultants.co.uk/horsemeat-wine-and-breasts-why-standards-matter/</link>
		<comments>http://www.isoconsultants.co.uk/horsemeat-wine-and-breasts-why-standards-matter/#comments</comments>
		<pubDate>Tue, 12 Mar 2013 11:51:21 +0000</pubDate>
		<dc:creator>rob</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[The Diary of an ISO Consultant]]></category>
		<category><![CDATA[ISO 9001]]></category>
		<category><![CDATA[Quality Management System]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1952</guid>
		<description><![CDATA[<p>Image copyright Steve Cole. No unauthorised use. From time to time, a scandal emerges which reminds us that although we (supposedly) live in a highly-sophisticated, carefully-controlled, global manufacturing world, things “being right” are only as good as things being “done right&#8221;. Your quality management system suddenly becomes very important. Sadly, standards such as ISO9001 are often [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/horsemeat-wine-and-breasts-why-standards-matter/">Horse Meat, Wine, and Breasts. – Why Standards Matter.</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><em>Image copyright Steve Cole. No unauthorised use.</em></p>
<p>From time to time, a scandal emerges which reminds us that although we (supposedly) live in a highly-sophisticated, carefully-controlled, global manufacturing world, things “being right” are only as good as things being “done right&#8221;. Your quality management system suddenly becomes very important. Sadly, standards such as ISO9001 are often only seen to truly &#8220;matter&#8221; when it&#8217;s far too late to change events.<span id="more-1952"></span></p>
<p>Hence, in early 2013, huge retail groups are found out to be selling meat products which are not “what they say on the tin”. Maybe we could expect occasional cross-contamination in vast meat processing plants. But then, in a similar episode, a company making breast implants turned out to have been filling them with silicone which is industrial grade, rather than medical grade. And, circa 1985, Austrian wines were found to have been “improved” with anti-freeze. Most surprising for those strict, methodical, and thorough Germanic types.</p>
<p>How on earth did the mighty fall? Simple. Standards ceased to matter, and/or were <em>not checked for compliance</em>. All this certification and checking costs money, and unlike a new headquarters building, is not a striking statement of corporate success and importance. Standards simply sit out of the way, quietly making sure that things are done properly in order to produce things which are what they purport to be. From time to time, however, something happens that shows that they matter. In fact, <span style="font-family: 'Trebuchet MS', sans-serif;"><i>really </i>matter<i>&#8230;</i></span></p>
<p>In a cost-driven, recession-battered world, employing someone who is technically knowledgeable and can verify products and processes is almost as expensive as employing those who develop new products. So, somewhere down the supply chain, someone does not bother to check certifications.</p>
<p>Worse, they don&#8217;t bother to “check the checkers” to see if, when certifications are present, they are genuine and properly authorised. Is their standard more than ink on a letterhead? Eventually, this lands organisations in the situation of not knowing the integrity of their supply chains and therefore the quality of what they deliver. Simply, your major corporation ends up with goods wearing their precious and fragile identity, but of which they know neither quality nor origin. This is probably how horse meat turned up in a major supermarket&#8217;s product via Eire, France and Romania, no-one knowing precisely how on earth it got there.</p>
<p>Now, being in the quality business, it&#8217;s in my interest to convince you that, &#8220;save on standards and checking, and you&#8217;ll pay dearly later&#8221;. I would say that, wouldn&#8217;t I? However, it&#8217;s useful to reflect on what this particular lapse in quality has cost the companies concerned.</p>
<p>This will be more than what a good quality management system, “checked by checked checkers” will cost. Think “driving without insurance” versus “being sued for causing an accident”. You may save the cost of the premium for a couple of years, but when things do finally go wrong, you&#8217;ll wish that you&#8217;d paid up for something intangible, maybe seeming a little unnecessary, but vital.</p>
<p>A few gallons of anti-freeze put the multi-million pound Austrian wine industry out of business for around ten years. Reputation and confidence are hard things to fix. Good Quality Assurance will cost. No quality assurance will cost even more.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/horsemeat-wine-and-breasts-why-standards-matter/">Horse Meat, Wine, and Breasts. – Why Standards Matter.</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/horsemeat-wine-and-breasts-why-standards-matter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>So, What is ISO 9001 Actually All About?</title>
		<link>http://www.isoconsultants.co.uk/so-what-is-iso9001-all-about/</link>
		<comments>http://www.isoconsultants.co.uk/so-what-is-iso9001-all-about/#comments</comments>
		<pubDate>Tue, 08 Jan 2013 14:34:40 +0000</pubDate>
		<dc:creator>rob</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[ISO 9001]]></category>
		<category><![CDATA[BS 5750]]></category>
		<category><![CDATA[Certification ISO 9001]]></category>
		<category><![CDATA[Cost effective]]></category>
		<category><![CDATA[Documentation]]></category>
		<category><![CDATA[EN ISO 9001]]></category>
		<category><![CDATA[Get ISO9001 Fast]]></category>
		<category><![CDATA[ISO 14001]]></category>
		<category><![CDATA[ISO 9000]]></category>
		<category><![CDATA[ISO 9001 Quality]]></category>
		<category><![CDATA[ISO 9001 Requirements]]></category>
		<category><![CDATA[ISO Certification]]></category>
		<category><![CDATA[ISO Consultant]]></category>
		<category><![CDATA[Quality Management System]]></category>
		<category><![CDATA[What is ISO]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1928</guid>
		<description><![CDATA[<p>ISO 9001 is the International Standard for Quality Management Systems. It encourages a business to establish internal processes and disciplines to ensure that products and services it delivers satisfy the needs of its customers. The standard focuses on requirements which are generic to all businesses so can be used across all industries and types of [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/so-what-is-iso9001-all-about/">So, What is ISO 9001 Actually All About?</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>ISO 9001 is the International Standard for Quality Management Systems. It encourages a business to establish internal processes and disciplines to ensure that products and services it delivers satisfy the needs of its customers. The standard focuses on requirements which are generic to all businesses so can be used across all industries and types of business.</p>
<p><strong>And What is ISO9001 Certification? What Are The Requirements?</strong><span id="more-1928"></span></p>
<p>ISO 9001 Certification follows assessment by independent certification bodies who should be accredited in the UK by a government body, UKAS, the United Kingdom Accreditation Service. The certification process is a competitive commercial activity and hence there are around 120 certification bodies in the UK, the largest being significant International Businesses such as British Standards, Lloyd’s Register, SGS, Bureau Veritas etc.</p>
<p>To gain certification against ISO 9001 a company must establish a “documented management system”, a systematic approach to the management of the company composed of sufficient documented procedures to ensure that critical activities are completed successfully, and which address a small number of (6 in total) mandatory requirements given in the ISO standard itself.  ISO 9001 also introduces the concept of &#8220;process management&#8221;, where &#8220;the process&#8221; is the set of activities which are necessary to ensure that customers consistently receive satisfactory products or services. It also encourages the continual improvement of these processes to ensure that business performance continues to develop, and for instance, costs or wastage are gradually removed to improve business efficiency.</p>
<p><strong>So If My Company Adopts ISO 9001, What Do I Gain?</strong></p>
<p>In many markets, a company simply can’t trade unless they hold a certificate. The independent certification scheme is now well established and has been running for over 30 years. There are well over 500,000 individual ISO 9001 management system approvals worldwide. It&#8217;s a common standard.</p>
<p>So, to have received such worldwide acceptance, the process must be giving some advantages to those who adopt it! The numbers speak for themselves. Modern businesses have a whole raft of legislation and requirements they have to meet, so they are unlikely to voluntarily adopt further requirements unless it gives them some clear business advantages. Here are some:-</p>
<p>1) Gaining ISO 9001 certification works as a market differentiator. However, as it is now so well adopted, its value as a differentiator may have diminished a little, but, nevertheless, it is now seen as a basic requirement to enter many markets. Indeed, it is an essential for many procurement processes.</p>
<p>2) For newer businesses, certification against ISO 9001 gives credibility, and confirms the maturity of the organisation. Gaining certification without the basic controls a company needs is very unlikely. The “system” cannot be beaten nor compliance faked! Procurement organisations and potential customers know that if a company holds an accredited ISO 9001 certificate, certain requirements are in place. This reduces the risk they accept when introducing a new supplier into their supply chain, and hence gives additional confidence to potential customers.</p>
<p>3) In some businesses, independent third party certification of a company’s management system can be a valuable tool in addressing the concerns of stakeholders such as directors and shareholders who don’t have day to day operational involvement in the company. It can also help to provide the additional transparency needed to be certain of correct corporate governance.</p>
<p>4) The standard encourages the development of effective internal processes, a requirement for all business. But the external independent certification drives the disciplines necessary to make sure that such processes are not only clearly defined, but they are also regularly reviewed, effectively controlled, and clearly communicated throughout the areas concerned. Having staff that all know what they are supposed to be doing, and who are doing it consistently has to be of assistance to any company.</p>
<p>5) ISO 9001, and the equivalents covering other aspects such as Information Security, Environmental Management etc are moving toward a “specific risk”-based approach, which gives additional confidence to a company and its stakeholders, assuring them that their significant common risks have been addressed. Certification majoring on key risk factors increases the overall value of the standard to the company.</p>
<p><strong>And The Bottom Line &#8211; What Does ISO9001 Cost?</strong></p>
<p>The costs of adopting ISO 9001 vary according to the size of the organisation, the number and complexity of its internal processes, quantity of locations and number of employees. Systems can be generated internally, but most companies will choose to employ an external consultant to establish the original system, allowing them to gain expert level assistance without taking precious management time needed to climb a very steep learning curve alone.</p>
<p>A typical 20 person, office based organisation operating from a single location shouldn’t need more than 10 days of a consultant’s time to define and document a suitable system.</p>
<p>When it comes to certification, the duration of a certification visit depends on guidelines defined by the government body, UKAS. The certification process is usually composed of two phases, the first which looks mostly at how the company have addressed the standard’s documented requirements, and the second that focuses on its implementation.</p>
<p>Our typical 20 person, office-based activity would probably require one or two days of audit time for the stage 1 visit and two to three days for the stage 2. Each certification body has its own pricing policies, but typically costs are around £750 per day, so certification of our 20 person office based business would probably cost between £2250 and £3750 (plus VAT and expenses, 2012/13 prices).</p>
<p><strong>So, What Can We Do For Your Business?</strong></p>
<p>We have over twenty years’ experience of writing management systems and assisting companies to gain independent third party certification. We are recognised, associate consultants to two of the world’s largest certification bodies, BSi and LRQA and have worked with many of the others who are active in the UK. We have written systems and documents for some of the UK’s largest companies, and we’ve written systems for companies with only one employee working from a single room.</p>
<p>If we had to describe ourselves in one word it would be<em> “Pragmatic”</em>. We seek to make the complexities of certification simple, and the systems businesses have to follow practical. Business is about satisfying customers and making money, not reading lengthy documents and complex process diagrams. We aim to give you concise documentation, and systems with sufficient controls to manage your business, not strangle it. And we understand certification, so will guide you through the process and help you get a good deal on the costs.</p>
<p>We&#8217;re always happy to talk, whatever stage you&#8217;re at.  0115 932 3770, or via our contact page.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/so-what-is-iso9001-all-about/">So, What is ISO 9001 Actually All About?</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/so-what-is-iso9001-all-about/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BYOD Policy, Security Threats, and Eight Ways That ISO27001 Certification Can Help</title>
		<link>http://www.isoconsultants.co.uk/byod-security-threats-and-eight-ways-that-iso27001-can-help/</link>
		<comments>http://www.isoconsultants.co.uk/byod-security-threats-and-eight-ways-that-iso27001-can-help/#comments</comments>
		<pubDate>Mon, 26 Nov 2012 12:03:02 +0000</pubDate>
		<dc:creator>rob</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[BYOD Dangers]]></category>
		<category><![CDATA[BYOD Policy]]></category>
		<category><![CDATA[BYOD Threats]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[Documentation]]></category>
		<category><![CDATA[ISO27001]]></category>
		<category><![CDATA[ISO9001 Quality]]></category>
		<category><![CDATA[Quality Management System]]></category>
		<category><![CDATA[Requirements]]></category>
		<category><![CDATA[security audit]]></category>
		<category><![CDATA[What is ISO27001]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1889</guid>
		<description><![CDATA[<p>The whole Bring Your Own Device trend seems to be “the perfect storm”. A quick Google reveals some interesting and disturbing statistics. 75% of IT directors see BYOD as their major threat. 60% (or more) of all employees are using their own devices at work. 33% see absolutely no problem with doing this in respect [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/byod-security-threats-and-eight-ways-that-iso27001-can-help/">BYOD Policy, Security Threats, and Eight Ways That ISO27001 Certification Can Help</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>The whole Bring Your Own Device trend seems to be “the perfect storm”. A quick Google reveals some interesting and disturbing statistics.</p>
<p>75% of IT directors see BYOD as their major threat.</p>
<p>60% (or more) of all employees are using their own devices at work.</p>
<p>33% see absolutely no problem with doing this in respect of security risks.</p>
<p>Occasionally I wake up in the morning and thank God that I&#8217;m not a head of IT. The implications of a breach of security in terms of damage to corporate image, customer relations, and ultimately revenue don&#8217;t bear consideration. Or do they?<span id="more-1889"></span></p>
<p>Now, I&#8217;m in the quality standards business, so you may be slightly ahead of me here in thinking that I&#8217;m matching this threat with something I offer as a service, and this piece is simply a long advertisement. Well, actually, you&#8217;d be quite right. Implementation of the ISO27001 standard can be a significant weapon against the very real threat.</p>
<p>Some Suggestions:-</p>
<p>1/ Face The Problem. It&#8217;s going to happen anyway, driven by the device market. I&#8217;m regularly amazed that many corporates believe that BYOD is a social media-driven fad. The whole business of implementing standards, including ISO27001 is based around application of agreed standards of honesty and (occasionally painful) reality.</p>
<p>2/ Face The Opportunity. A lot fewer PCs to buy, software upgrades to tackle, and productivity benefits of mobile working across the enterprise. And the chance to spring-clean your IT security policies at the same time.</p>
<p>3/ Have a Strategy. It&#8217;s not hard, but it is necessary. BYOD needs fair policing across the business, otherwise inequalities develop and cyber-anarchy may follow. Remarkably, many do not have a plan. See below.</p>
<p>4/ Have an Overall IT Strategy. If you&#8217;re sorting this particular challenge out, you might as well set policies, standards and procedures across the whole of your IT activity.</p>
<p>5/ Have a Holistic Vision of The IT Function. ISO27001 isn&#8217;t actually about IT, but systematic management, which embraces many functions and areas of responsibility. Specifically for BYOD, there are (or need to be) HR, security and legal implications, which will have organisation-wide implications.</p>
<p>6/ Make Policies and Procedures Simple. Less fuss and hassle means buy-in from employees is more likely. A well-written and researched overall ISO27001 policy should serve the business, not the other way around. Willing cooperation and adoption comes easily when the rules are easy and everyone knows them. Nothing breeds non-compliance faster than complexity.</p>
<p>7/ Review and Amend. The 27001 standard should include a process to monitor, evaluate and alter, otherwise it becomes static and irrelevant. It&#8217;s a start, not an end. The IT function is likely to be the most dynamic in the company, and hence a regular audit should be made part of the overall procedure. Reviews should seek to simplify rather than supplement and complicate.</p>
<p>8/ It&#8217;s Not Just a Security Issue. As the BYOD “challenge” becomes more of a major issue, potential customers are likely to expect it before they release their commercially-sensitive data to you. There are key commercial benefits of holding ISO27001.</p>
<p>So, it&#8217;s not difficult to be ready for the issues that are rapidly emerging, neither is it expensive. And it may just benefit many other areas of your business&#8230;.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/byod-security-threats-and-eight-ways-that-iso27001-can-help/">BYOD Policy, Security Threats, and Eight Ways That ISO27001 Certification Can Help</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/byod-security-threats-and-eight-ways-that-iso27001-can-help/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cost Effective ISO 27001 Certification and Why Most Companies Pay Too Much&#8230;</title>
		<link>http://www.isoconsultants.co.uk/cost-effective-iso-27001-certification-and-why-most-companies-pay-too-much/</link>
		<comments>http://www.isoconsultants.co.uk/cost-effective-iso-27001-certification-and-why-most-companies-pay-too-much/#comments</comments>
		<pubDate>Tue, 11 Sep 2012 10:53:01 +0000</pubDate>
		<dc:creator>colin</dc:creator>
				<category><![CDATA[general]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[BYOD Dangers]]></category>
		<category><![CDATA[BYOD Threats]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[Requirements]]></category>
		<category><![CDATA[What is ISO27001]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1770</guid>
		<description><![CDATA[<p>Occasionally, I&#8217;m shocked at what companies spend. An MD recently told me he had been quoted £1500 a day for implementing an ISO 27001 Information Security system, with a minimum of 14 days consultancy required, a total cost of £21000. Nice work if you can get it. In contrast, I recently implemented such a system [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/cost-effective-iso-27001-certification-and-why-most-companies-pay-too-much/">Cost Effective ISO 27001 Certification and Why Most Companies Pay Too Much&#8230;</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;">Occasionally, I&#8217;m shocked at what companies spend. An MD recently told me he had been quoted £1500 a day for implementing an ISO 27001 Information Security system, with a minimum of 14 days consultancy required, a total cost of £21000. Nice work if you can get it.</p>
<p>In contrast, I recently implemented such a system for a local business for less than £6000, including certification by one of the World’s leading independent bodies. Was it the same? Yes. Did I leave anything out? No. So why the difference?</p>
<p>And, just one more time, what is ISO 27001?  It&#8217;s an International Standard intended to establish an IT and Information Security System in a business.<span id="more-1770"></span></p>
<p>And &#8220;Why ISO 27001?&#8221; Hacking, spoofing, virus attacks, and all kinds of cybercrime are a hot topic. Threats to your business are no longer from local criminals, but may come from another continent, and a burglar alarm won&#8217;t keep them out. Certain organisations will insist on it as a minimum requirement before even contemplating doing business with your company.</p>
<p>So, why such a difference in cost for an identical service?</p>
<p>First, I deliver the system myself, so nobody is taking large commissions for passing it on to people with the right skills. No brokers, middle-men, agencies. I am the actual person with the skills and experience, a strong background in telecommunications and IT, and promise to deliver a fully compliant system first time. Full stop. I’ll even offer you a guarantee that if you don’t pass first time I’ll work for you for free until you do. I don’t have a large expensive office or employ an army of expensive sales and marketing staff.</p>
<p>I&#8217;m based in The East Midlands, close to Derby, Nottingham, and Leicester, rather than Central London, so I&#8217;m not paying big city overheads, yet can reach all the major business centres of the UK within a few hours. All this means I can bring you an excellent service with the minimum of overheads, the essence of effective consulting but without the superfluous corporate trappings.</p>
<p>But is this “low cost ISO certification”, that is, “approval-lite”? Not at all. I used to be an auditor with a world leading certification body, which gives both you and me some significant advantages – I understand ISO systems and certification requirements intimately, sometimes better than those who audit them. I&#8217;ve worked for a number of major corporate bodies as head of quality, which involved high levels of security clearance, so I bring experience gained in some of the UK&#8217;s most prestigious corporates, but without those associated costs. It also means I have read systems by many world leading companies including those which feature heavily documented procedures and systems which appear to be generated by consultants paid per word.</p>
<p>I&#8217;ve had to endure them, and I don&#8217;t want my customers to do so. They waste time, and hence money. I write concise, easy to understand documents where they are truly necessary, and educate and train your staff where the requirement is simply one of competence.</p>
<p>This means I can be quicker and more relevant than many, with simpler systems and hence with fewer areas of potential failure. Now, if you are a World Leading Bank or Insurance Company and have lots of other people’s money to spend, you are welcome to engage someone from a world famous consultancy with a double-barrelled name and pay them £1500 a day.</p>
<p>On the other hand, if you need a working Information Security System your staff can easily use, certified to the same standard by the same independent certifiers but for a fraction of the cost, I&#8217;d love to hear from you.</p>
<p>Colin Brown</p>
<p>IAIS Ltd</p>
<p><a title="Contact" href="http://www.isoconsultants.co.uk/contact/">Contact me now</a></p>
<p>The post <a href="http://www.isoconsultants.co.uk/cost-effective-iso-27001-certification-and-why-most-companies-pay-too-much/">Cost Effective ISO 27001 Certification and Why Most Companies Pay Too Much&#8230;</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/cost-effective-iso-27001-certification-and-why-most-companies-pay-too-much/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Chaos and Order in Business</title>
		<link>http://www.isoconsultants.co.uk/chaos-and-order-in-business/</link>
		<comments>http://www.isoconsultants.co.uk/chaos-and-order-in-business/#comments</comments>
		<pubDate>Tue, 19 Jun 2012 08:33:26 +0000</pubDate>
		<dc:creator>iscadmin</dc:creator>
				<category><![CDATA[general]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1751</guid>
		<description><![CDATA[<p>Is a lack of structure stopping the growth of your business? Is every day a story of fire fighting and battling to get things done while the company seems to fight against you? Everyone likes freedom, and work takes so much of our lives we need freedom at work. But freedom to one person can be chaos to another. [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/chaos-and-order-in-business/">Chaos and Order in Business</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Is a lack of structure stopping the growth of your business? Is every day a story of fire fighting and battling to get things done while the company seems to fight against you? Everyone likes freedom, and work takes so much of our lives we need freedom at work. But freedom to one person can be chaos to another. We also have to meet customer needs to become successful, we need to know we are using the correct materials in our goods, that our deliveries are going to the right places and arriving on time. So we need discipline, we need to know that things are being done correctly.<span id="more-1751"></span></p>
<p>But business needs creativity too, heavy discipline and overly enforced rules stifle creativity, and without creativity in our business we go stale and competitors can overtake us quickly.</p>
<p>The ISO standards PROPERLY interpreted should set a minimum set of guidelines to give your business the structure it needs to keep it on the road and functioning correctly, while also leaving room for flexibility and creativity.</p>
<p>ISO 9001, once renowned for demanding reams of paperwork and stacks of forms, now has a mandatory list of only six documented procedures, and whatever you need to control any unique products or processes your business relies on. The experience of putting such systems into around 40 companies has shown me that most businesses with fewer than 30 employees rarely need more than 2 additional procedures, and most of those procedures only need a single sheet of A4.</p>
<p>So the whole system should take little more than a dozen sheets of paper, but it will install a business model or template into your company which will enable and control its growth, delivering repeatable products and services which meet the requirements of your customers.</p>
<p>And on top of installing repeatable processes and improved structure into your business, gaining certification against the ISO standard suitable for your business will also get you access to greater tender opportunities and larger markets – big customers need to select suppliers they can rely on, and sooner or later they use certification against an ISO standard as a way by which they select their suppliers. For a small investment, and a short project taking around three months, you can hold ISO 9001 Quality Management, ISO 14001 Environmental Management or OHSAS 18001 Health and Safety Management Certification, and own a business qualification which will enhance your position in the market as well as forming order out of chaos and structure where it’s needed.</p>
<p>Want to build a better business? Get yourself an ISO9001 system, see the change it brings, then add more standards as your markets dictate them.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/chaos-and-order-in-business/">Chaos and Order in Business</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/chaos-and-order-in-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five Ways to Get an External Auditor on Your Side</title>
		<link>http://www.isoconsultants.co.uk/five-ways-to-get-an-external-auditor-on-tour-side/</link>
		<comments>http://www.isoconsultants.co.uk/five-ways-to-get-an-external-auditor-on-tour-side/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 20:51:50 +0000</pubDate>
		<dc:creator>colin</dc:creator>
				<category><![CDATA[general]]></category>

		<guid isPermaLink="false">http://www.isoconsultants.co.uk/?p=1309</guid>
		<description><![CDATA[<p>Auditing can be a strange pastime, while working you have no colleagues, nobody to discuss last night’s telly with or moan about your partner’s latest failing. You can of course discuss these with your client, a great way of wasting time for both of you and one greatly abused by clients who don’t really want [...]</p><p>The post <a href="http://www.isoconsultants.co.uk/five-ways-to-get-an-external-auditor-on-tour-side/">Five Ways to Get an External Auditor on Your Side</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Auditing can be a strange pastime, while working you have no colleagues, nobody to discuss last night’s telly with or moan about your partner’s latest failing. You can of course discuss these with your client, a great way of wasting time for both of you and one greatly abused by clients who don’t really want you probing too deeply. But if you genuinely want to get an auditor to be constructive and help your business here are a few tips to get them onto your side.<span id="more-1309"></span></p>
<p><strong>Welcome</strong> – find somewhere reasonably quiet and provide a warm drink. He has to complete an opening meeting and gather/confirm some basic data. Having somewhere with a power point for a laptop, something to put it on and a warm drink is always welcome.</p>
<p><strong>Who</strong> – Make sure those to be audited know what their job title is, what their main role is and where they fit in the organisation. If Directors are to be involved remind them what objectives they’ve set, and where the evidence of their performance against those objectives can be found.</p>
<p><strong>What</strong> – Ensure auditees know where their operating procedures are to be found and what it is they are supposed to do. Encourage them to be able to describe their processes without throwing in additional information and wherever possible, without making things up. Lies are very easy to identify, and most auditors respond very badly to being lied to. Auditors follow leads, they rarely have those leads before they speak to you. So be careful how you respond to them, unless you want something to be followed up of course. Don’t throw in additional, unrequested information, even if you think it’s harmless. You never know where it will lead.</p>
<p><strong>Where</strong> – Any auditor worth his non-compliance pad is going to want to see where you do whatever it is you do, your shopfloor, warehouse, manufacturing plant. A quick tidy up the night before is always worthwhile in creating the correct impression. If more than a quick tidy up is required then your ISO system isn’t working properly so perhaps it’s worth risking leaving it as it is and getting the auditor to help you find ways of motivating your team to improve it!</p>
<p><strong>When</strong> – Try and plan suitable time slots to see those on the auditor’s programme. The auditor should have left you with a list of what processes he was planning to review, so have a look at it and try and plan out who he needs to see. This is also a good time to weed out the people you don’t want him to see. Unfortunately not everyone makes a good auditee and personally I can’t see any problem with avoiding those who represent your business badly if you possibly can.</p>
<p>The post <a href="http://www.isoconsultants.co.uk/five-ways-to-get-an-external-auditor-on-tour-side/">Five Ways to Get an External Auditor on Your Side</a> appeared first on <a href="http://www.isoconsultants.co.uk">ISO Consultants</a>.</p>]]></content:encoded>
			<wfw:commentRss>http://www.isoconsultants.co.uk/five-ways-to-get-an-external-auditor-on-tour-side/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
