Consultants Corner August-September 2014


Consultants’ Corner A Bi-Monthly e-Journal from

August-September 2014

Issue 89 | Pages 1– 15

Quality Management System—An Overview - Praveena K R

Key QMS Processes at MaGC - Gopal Agarwal

Challenges in Implementing QMS - U S Mohanty

ISO/IEC 27001— An Overview - Ela Vijay



From the Editors

Anyone spending some time at MaGC in the last two months could not have missed the buzz around ISO implementation. The last few months have been a methodical preparation for implementing ISO 9001:2008. As has been the MaGC tradition, we get the best out when we do it in-house. Training sessions have been happening in the Bangalore and Chennai offices. The team which worked on the QMS manual is confident that at the end of the training we will have a good quality, implementable manual. For the few of us who were fortunate to be part of the manual development process, it has been a great learning experience. Given the buzz around ISO, the topic for this issue of CC was an easy choice for the editors. In fact, CC had already jumped into the ISO action from the last issue itself (we had a small update on ISO @MaGC). In this issue, Praveena writes about what a QMS is all about and gives an overview of ISO 9001:2008. She gives an auditor's perspective of the QMS. Make sure you read it thoroughly; it will help you breeze through the audit process! Gopal, who has been leading the ISO effort, writes about what is going to change for us post-ISO. He has already started piloting the implementation and gives us all the confidence that it is change for the better. Mohanty writes about the typical challenges that an ISO implementation poses in any organization. We at MaGC are bound to come across some of these challenges and this article provides some useful tips on how to handle them. While the initial implementation in MaGC is all about ISO 9001:2008, that is not all that there is to a QMS. Vijay introduces us to ISO 27001 on Information Security. His article gives us a sneak peek into the standard, probably an indicator of what MaGC should be doing next. Consultants' Corner thanks all the authors for their contribution. We hope we get more such theme based, thought provoking articles for upcoming issues as well. Let's wish ourselves success in the ISO implementation.

After all, our profession is all about making life better for our clients and what better place to start than at home!!

In this Issue

3 - Quality Management Systems—A Bird's Eye View: An introduction to the Quality Management Systems approach.

6 - Key changes in MaGC processes after introducing QMS: A snapshot of processes that will undergo a change at MaGC after the introduction of ISO 9001:2008.

8 - Challenges in implementing QMS: Some of the key challenges that an organisation could face during the implementation of a QMS.

11 - ISO/IEC 27001— Information Security: ISO 27001 is a specification for an information security management system (ISMS).

13 - An Exclusive talk with Ela Vijay

14 - Quiz Corner

14 - What's up at MaGC? All events during June & July at MaGC and upcoming birthdays of MaGCites

Readers’ Corner If you have any comment/suggestion for the editors, please write to us at cc@magc.in. Your views and comments on articles featured here are also welcome!



Quality Management Systems—A Bird’s Eye View

Word has been around that MaGC is going to implement a Quality Management System (QMS) and have it ISO certified. Let us try to understand what QMS is, how it will improve MaGC and our role in this whole exercise.

What is QMS?

A Quality Management System may be defined as a collection of business processes focused on achieving an organisation's quality policy and quality objectives. It comprises the organizational structure, policies, procedures, processes and resources needed to implement quality management. A properly functioning QMS ensures that procedures are carried out consistently, problems are identified and resolved in a timely manner, and the organization is continuously reviewing and improving its procedures, products and services. It is a mechanism for maintaining and improving the quality of products or services so that they consistently meet or exceed the customer's implied or stated needs and fulfil their quality objectives.

What is ISO 9001:2008?

This is the standard that sets out the criteria for a QMS and is the only standard in the family that can be certified to (others are primarily guidelines). It can be used by any organization, large or small, regardless of its field of activity. This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. Certification under this ISO standard is not mandatory. However, it has been implemented by over one million companies and organizations in over 170 countries. This is because using ISO 9001:2008 helps ensure that customers get consistent, good quality products and services. This in turn brings many business benefits.

Why QMS certification?

There are umpteen advantages of having our core business processes certified for quality by ISO. Some of the key benefits are listed below:

1. Increased Efficiency - The QMS certification process helps organisations rethink their processes and how to maximize quality and efficiency. Once certified for QMS, the processes are established and guidelines are in place for anyone to follow easily, making training, transitions and trouble-shooting easier.

2. Increased Revenue - Studies have shown that ISO QMS certified companies experience increased productivity and improved financial performance compared to uncertified companies.

3. Employee Morale - The following aspects help improve employee motivation and satisfaction: roles and responsibilities get clearly defined, there is accountability of management, training systems get established and employees get a clear picture of how their roles affect quality.

4. International Recognition - The International Organization for Standardization (ISO) is recognized worldwide as the authority on quality management. Getting ISO certified will improve our image, make us more competitive to participate in international bids and attract clients.

5. Factual Approach to Decision Making - The standard sets out clear instructions for audits and process reviews that facilitate information gathering and decision making based on the data. Decision making becomes more objective/process-oriented, rather than employee-oriented.

6. Improves Documentation - The standard requires documentation of all processes and any changes, errors and discrepancies. This ensures consistency across the organisation and accountability of all staff. This also guarantees traceable records are available in case of project delays, lapses, etc.

7. Customer Satisfaction - Client confidence is gained because of the universal acceptance of the ISO standards. Also, implementing QMS improves efficiency, consistency and dedication to providing quality service.

8. Continual Improvement of Processes - Improvements are carefully planned and implemented based on facts, using a system of documentation and analysis, to ensure the best decisions are made for the organisation. Management takes the responsibility of ensuring continual improvement of the QMS.

Things work out best for those who make the best of how things work out. - John Wooden

Key QMS components

The key components of QMS are the following:

1. Quality Policy and Objectives - QMS has to define its purpose and objectives clearly. Each organisation has to construct its quality policy depending on its scope of QMS, business priorities, values, focus, etc. Also, measurable objectives consistent with the policy have to be formulated. This will form the framework of the organisation's QMS.

2. Quality Processes - These are processes to be followed pertaining to core business for managing quality. These processes, related procedures, documents and reports have to be documented and standardised across the organisation. Also, all employees have to be sensitised and trained to follow them.

3. Quality Manual - The Quality Manual is a compendium of the organisation's Quality policy, processes, procedures, document and report formats (components 1 & 2 discussed above). This document lays out the framework of the QMS operating in the said organisation. ISO requires that a Quality Manual should form part of the QMS documentation.

4. Internal Audit - Every certified organization must perform internal audits to check how its QMS is working. An organization may decide to invite an independent certification body to verify that it is in conformity to the standard, but there is no mandate for this. At MaGC, we have decided to have the internal audit done by one of our consultants. The Internal Auditor will be appointed in rotation.

5. Management Review - QMS is a strategic, management-driven system. It is the responsibility of the Management to periodically review the QMS for the following:

- Adequacy – QMS should be capable of satisfying the organisation's quality objectives and requirements. This includes those specified by the organization, its clients, and any applicable standards and/or regulations.

- Suitability – QMS should be able to sustain the current performance levels of the organization utilizing an acceptable amount of organizational resources. Each QMS aspect should be right for the specific purpose.

- Effectiveness – QMS should enable the organization to meet its own needs, those of its clients and other interested parties. It has to produce the expected results.

Management will use the inputs from employees, Clients, the Internal Auditor and their own experience to evaluate the above. Based on this review they formulate Corrective and Preventive action plans to improve the QMS. The role of the various components in the QMS cycle is diagrammatically represented below:

PLAN - Define Quality Policy and Objectives; Quality Manual put in place

DO - Follow Policies and Processes and support with documentation as per the Quality Manual

CHECK - Inherent internal controls in processes; Internal Audit of QMS

ACT - Periodic Management review to take corrective/preventive action

Figure: QMS - PDCA Approach

Terminology

1. PDCA approach/model - This approach is named after the individual phases "Plan", "Do", "Check", "Act" and is thus also referred to as the PDCA model. Most ISO standards recommend the PDCA approach to designing management systems. Accepting that change is inevitable in business, and incorporating review cycles to embrace such changes, is recommended as a healthy management approach.

2. Continual improvement - This term is often misconstrued to be the same as 'continuous improvement'. Continual improvement is broader in scope than continuous improvement. The concept of 'continual improvement' is a strategy that typically consists of both 'continuous process improvements', like regular training programs, reporting, monitoring, etc., and discontinuous function or systemic improvements like organizational "reengineering", throwing out dysfunctional methods of management, etc. An organisation that is continually improving will be, by definition, a learning organization.

3. Corrective action - may be defined as action taken to eliminate the cause of a detected non-conformity or other undesirable situation. This is to prevent the repetition of the same non-conformity/incident. For example, process changes made to address the anomalies observed by an internal audit are a corrective action. Here a non-conformity has been observed and the issue is being addressed to prevent such incidents in future.

4. Preventive action - may be defined as action taken to avoid the occurrence of any non-conformity or other undesirable situation. This is to prevent the occurrence of a non-conformity. For example, introducing a new process to periodically monitor a business activity is a preventive action. Here there is no incident; this is a precautionary introduction of an internal control by the management.

Some misconceptions

QMS and ISO certifications are not well understood and hence there are a number of misconceptions about them. We have seen these arguments as resistance to change even while implementing process re-engineering projects for clients! Let's bust some of these myths!

1. QMS requires excessive documentation and paperwork - ISO recommends documented procedures to provide transparency, structure, and confidence to the organization. The extent of documentation will vary based on entity size, complexity and competence of employees. Hence regularly maintaining 'essential' documents will be a change to be embraced. However, this does not qualify as 'excessive' paperwork.

2. QMS is just a cost and does not add value - QMS helps organizations avoid mistakes and save resources, time, and money. Many studies show that preventing a problem is less expensive than dealing with the consequences after a problem occurs. Hence a properly implemented QMS should result in cost savings and efficiencies.

3. QMS kills flexibility and innovation - QMS is designed with the primary objective of improving quality. So, a system that properly balances good discipline and structure with certain flexibilities will definitely facilitate creativity rather than curb it. Also, this ISO standard provides for continual improvement. Hence, any aspects posing as a barrier to innovation can be altered appropriately during management review.

4. QMS distracts an organization from its core activities - This myth will almost certainly come true for organizations that use a plug-and-play approach to implementing QMS, instead of making sure documents and practices fit their businesses. Adopting and designing procedures that form part of routine core activities helps overcome this concern.

5. QMS does not guarantee service quality - This is true to some extent, as nothing can absolutely guarantee the quality of a service/deliverable. However, QMS can go a long way in preventing problems from occurring in the first place, thus providing dramatic improvements in results while reducing costs.

We can clearly see a pattern here; most of the misconceptions are actually concerns that can be overcome by properly designing the QMS. Hence it is essential for all personnel to actively participate in the design of the QMS and provide regular feedback for its betterment.

Conclusion

MaGC™ operates in the highly competitive service sector of Management Consultancy. This requires us to be on our toes and continually improve our competitiveness. Of the several measures to do this, improving the quality of our deliverables and the efficiency of our processes are crucial for organisational success. Also, our core values are in line with the requirements of this standard. We are an organisation with strong client focus and commitment to meet deadlines. Implementing and using tools such as Documan (document management software) has enabled us to standardise many aspects of our processes. So as an organisation we have the wherewithal to implement a QMS and get it ISO certified. This will definitely provide us the competitive edge and help us grow.

Praveena K R can be reached at praveena@magc.in



Key changes in MaGC processes after introducing QMS

MaGC has a systematic process approach in understanding clients' requirements which culminates in clients' satisfaction. The Mission Statement and Quality Policy of MaGC too revolve around clients' happiness. The Quality Policy and the Quality Objectives of MaGC are given below.

1. Quality Policy: A quality policy has been defined. The policy ensures that the quality to be maintained in performing work will help MaGC to meet client expectations by providing high quality and value added consulting solutions.

2. Quality Objectives: The quality objectives such as client satisfaction, on time delivery, and meeting ISO requirements are defined and will be practiced during project execution. This will help the employees/consultants to meet these objectives to maintain the quality of the project.

The Quality Management System (QMS) at MaGC seeks to smoothen and streamline its business processes. The QMS serves as a user guideline for all its employees and also helps in outlining the employees' responsibilities.

A Quality Manual has been prepared by MaGC which outlines the processes and procedures to be followed during the execution of all the consulting projects. This manual gives guidelines to the consultants at the time of executing their work, and this results in better delivery of projects and ensures higher client satisfaction.

After introducing QMS in MaGC there have been some noticeable changes in the execution of projects, i.e. from the proposal stage to the finalisation of the reports. The main changes in MaGC processes due to QMS are listed below:

1. For every project, a Project Plan is to be prepared containing the deliverables, task breakdown, responsibility and timelines. This is very helpful for tracking completion of the project on time.

2. Prior to QMS, the records of clients' communication were limited to the extent they affected the project. But now every communication with the client is properly documented and maintained. A Meeting Minute Sheet is prepared. Details such as meeting date, persons met, discussion points, etc. are recorded and updated as and when meetings are held with the client.

3. A document for recording the details of documents collected from the client is maintained. This helps in tracking the documentation received from the client.

4. A Project Status Tracker is prepared for monitoring the project work. It contains the detailed work breakdown with team allocation and timelines. It is updated periodically or on re-allocation of the tasks to reflect the current status, any change in tasks, dates, etc.

5. Periodicity of the project review meeting is decided at the beginning of the project. Any challenges faced, major issues, time/cost savings, change in approach, project billing etc. are discussed during the project review meeting.

6. The changes made to any documents/submittals are clearly identified, as all the documents from the commencement and execution till the completion of the project are properly maintained version wise and revision wise.

7. A Quality Checklist covering aspects to be checked before sending any submittal to the client is prepared and followed. The checklist is organized along the lines of the MaGC Documentation Guidelines.

8. A Project Closure checklist is maintained and filled after completion of the project to ensure that all documentation and archival formalities are completed.

9. Informal discussions have been made part of the MaGC QMS. These discussions ensure that all the team members are in the know of the projects handled by MaGC at any given point in time.

10. Periodically the QMS is reviewed to maintain the quality standard of the company, and if any changes are needed in the quality policy or objectives, they are identified and taken up for change.

11. The end-to-end processes followed in the execution of the project are verified and validated through the QMS.

12. The documents maintained are properly stored in DocuMan and are clearly identifiable. Security and rights to access documents are ensured by access controls that are set in place in the software.

No one can make you feel inferior without your consent. - Eleanor Roosevelt

Gopal Agarwal can be reached at gopal@magc.in

Quality Improvement

A POUND OF BUTTER

There was a farmer who sold a pound of butter to the baker. One day the baker decided to weigh the butter to see if he was getting a pound and he found that he was not. This angered him and he took the farmer to court. The judge asked the farmer if he was using any measure. The farmer replied, "Your Honor, I am primitive. I don't have a proper measure, but I do have a scale." The judge asked, "Then how do you weigh the butter?" The farmer replied, "Your Honor, long before the baker started buying butter from me, I have been buying a pound loaf of bread from him. Every day when the baker brings the bread, I put it on the scale and give him the same weight in butter. If anyone is to be blamed, it is the baker." What is the moral of the story? We get back in life what we give to others. Whenever you take an action, ask yourself this question: Am I giving fair value for the wages or money I hope to make? Honesty and dishonesty become a habit. Some people practice dishonesty and can lie with a straight face. Others lie so much that they don't even know what the truth is anymore. But who are they deceiving? Themselves.

Don't be afraid to give up the good to go for the great. - John D. Rockefeller



Challenges in Implementing QMS

QMS views an organization's functions as a collection of processes. QMS is a philosophy that seeks to integrate all processes of the various functions of an organization to focus on meeting client needs and organizational objectives. QMS maintains that an organization must always strive to continuously improve these processes by incorporating the knowledge and experiences of experts within and outside. The organization's Quality Policy translates into the specific quality objectives for its various functions. As in the implementation of any system, there will be challenges in the implementation of the QMS also. A challenge in QMS implementation may be an action or a situation that causes an obstruction. Challenges can be attitude, economic, technology or resource based. The challenges in implementation of QMS are:

1. Lack of Management Commitment

A QMS implementation program will succeed only if top management is fully committed. Success requires devotion and highly visible and articulate champions. Lack of commitment in QMS implementation may stem from various reasons. Major obstacles include pre-occupation with short-term profits, time constraints in project submittals and the limited experience and training of many consultants in Quality Objectives. For example, it is observed that many consultants have extensive experience in consultancy but not in quality improvement. Similarly, the MD does not have to be a quality expert; the QMS implementation program may fail when the MD does not recognize the contribution that the Quality Objectives make toward profitability and customer satisfaction. Top management should, therefore, embrace quality improvement programs no matter how far reaching the programs may appear and whatever the monetary implications therein.

2. Lack of Employee Participation in QMS

In the competitive environment, poor management practice and a lack of higher expectations have contributed to unproductive and unhealthy attitudes. These attitudes are often expressed in popular sayings, such as "It's not my job" and "If it is not broke, don't fix it." Such attitude sayings stem from the popular notion that management is always right and therefore employees are only supposed to implement management decisions without questioning. Lethargy is further propagated through management's failure to train employees on QMS fundamentals that build better attitudes by involving them in teams that identify and solve problems. Such training can transform employees from being part of the problem to part of the solution. This will foster motivation and creativity and build productive and healthy attitudes that focus employees on basic fundamentals, such as: keep Client Happiness needs in mind, constantly look for improvements, and accept personal responsibility.

3. Lack of leadership for quality

Excess layers of management quite often lead to duplication of duty and responsibility. This has led the lower-level employees of an organization to leave quality implementation as a management job. In addition, quality has not been taken as a joint responsibility by the management and the employees. Coupled with the notion that management is infallible and therefore always right in its decisions, employees have been forced to take up a peripheral role in quality improvement. As a result, employees who are directly involved in the delivery of services are not motivated enough to incorporate quality issues that have been raised by the Clients they serve, since they do not feel part of the continuous process of quality improvement. Moreover, top management is not visibly and explicitly committed to quality in many organizations.

If you can't explain it simply, you don't understand it well enough. - Albert Einstein


4. Deficiency of Cultural Dynamism

Every organization has its own unique way of doing things. This is defined in terms of the culture of the organization. The processes, the philosophy, the procedures and the traditions define how the employees and management contribute to the achievement of goals and meeting of organizational objectives. Indeed, sticking to organizational culture is integral in delivery of the mission of the organization. Inadequate cultural dynamism has made QMS implementation difficult because the top level management of many organizations is rigid in its ways of doing things.

5. Inadequate resources for QMS

Since most companies do not include quality in their strategic plan, little attention is paid to QMS in terms of human resources, infrastructure, technology and financial resources. Much of the attention is drawn to increasing the profit margins of the organization with little regard as to whether their offers/supply to the client are of the expected quality. There is a paltry budgetary allocation made towards employee training and development, updating of technology and sufficient infrastructure, which are critical for QMS implementation. Employee training is often viewed as an unnecessary cost which belittles the profit margins which are the primary objective for the existence of businesses, and as a result QMS has been neglected as its implementation "may not necessarily bring gains to the organization in the short term".

6. Lack of focus on Client Happiness

Most strategic plans of organizations are not Client Happiness driven. They tend to concentrate much on profit-oriented objectives within a given time frame. Little (if any) market research is done to ascertain the service performance in the market relative to its quality. Such surveys are regarded by most organizations as costly and thus little concern is shown to quality improvement for Client Happiness.

7. Lack of Effective Measurement of Quality Improvement

QMS is centered on monitoring employees and processes, and establishing objectives that anticipate the client's needs so that the client is surprised and delighted. This has posed a considerable challenge to many companies. Measurement problems are caused by goals based on past substandard performance, poor planning, lack of resources and competitor-based standards.

8. Poor Planning

The absence of a sound strategy has often contributed to ineffective quality improvement. The deficiencies in the original planning cause a process to run at a high level of chronic waste. The pre-planning stage of developing the right attitude and level of awareness is crucial to achieving success in a quality improvement program. Newell and Dale (1990) in their study observed that a large number of companies are either unable or unwilling to plan effectively for quality improvement. Although many performed careful and detailed planning prior to implementation, not one of the firms studied had identified beforehand the stages that their process must endure. Perhaps the root cause of poor plans and specifications is that many owners do not understand the impact that poor drawings have on a project's quality, cost, and time. Regardless of the cause, poor plans and specifications lead to a project that costs more, takes longer to complete, and causes more frustration than it should. Companies using QMS should always strive towards impressing upon owners the need to spend money and time on planning. If management took reasonable time to plan projects thoroughly and invested in partnering to develop an effective project team, a lot could be achieved in terms of product performance, as these investments in prevention-oriented management can significantly improve the quality of the services offered by an organization.

9. Resistance of the workforce

A workforce is often unwilling to embrace QMS for a variety of reasons. Oakland (1989) explained that a lack of long-term objectives and targets will cause a quality implementation program to lose credibility. Keys (1991) warned that an adversarial relationship between management and non-management should not exist, and he emphasized that a cooperative relationship is necessary for success. A QMS project must be supported by employee trust, acceptance and understanding of management's objectives. Employees, therefore, should be recognized by the management as vital players in the decision making processes regarding quality improvement, as involving them would have a motivating effect on the implementation of quality programs.

Life is not about finding yourself. Life is about creating yourself. - Lolly Daskal


10. Lack of proper training/Inadequate Human Resource Development

There is evidence that lack of understanding and proper training exists at all levels of any organization, and that it is a large contributor to worker resistance. Schein (1990), for example, mentioned that business schools' failure to teach relevant process skills contributed to manager ineffectiveness. QMS requires a well-educated workforce with a solid understanding of basic math, reading, writing and communication. Although companies invest heavily in quality awareness, statistical process control, and quality circles, often the training is too narrowly focused. For a company to produce a quality service, employees need to know how to do their jobs. For QMS to be successful, organizations must commit to training employees at all levels. QMS should provide comprehensive training, including technical expertise, communication skills, small-team management, problem-solving tools, and client relations.

11. Competitive markets

A competitive market is a driving force behind many of the other obstacles to quality. One of the effects of a competitive market is to lower quality standards to a minimally acceptable level. This barrier to quality is mainly a mental barrier caused by a misunderstanding of the definition of quality. Unfortunately, too many companies equate quality with high cost. Their definition leads to the assumption that a company can't afford quality. A broader definition needs to be used to look at quality, not only in the company's service, but in every function of the company. All company functions have an element of quality. If the quality of tasks performed is poor, unnecessary cost is incurred by the company and, ultimately, passed to the client or suffered by the company itself. QMS should work by inspiring employees at every level to continuously improve what they do, thus rooting out unnecessary costs. Done correctly, a company involved with QMS can dramatically reduce operating costs. The competitive advantage results from concentrating resources (the employees' brainpower) on controlling costs and improving client service.

Conclusion and recommendation

The advantages of QMS have been widely discussed, but the challenges of implementation have received little attention. A quality philosophy is required for the successful implementation of a quality project. This philosophy must facilitate a long-term lifestyle change for a company. Commitment of top management is essential. Substantial inflow of resources, adequate training, workforce participation and effective measurement techniques are some of the key success factors. A successful QMS program is unique, and it should motivate middle management to focus on long-term strategies rather than short-term goals. Teamwork is the key to involvement and participation. Groups should be encouraged to work closely and effectively, and should focus on quality improvement and client happiness. All organizations should focus on the following for successful QMS implementation:

- Create consistency of purpose toward improvement of the service so as to become competitive, stay in business and provide jobs.

- Cease dependency on top management for mass revision of project submittals.

- Adopt the new philosophy. We are in a new economic age. We no longer need to live with commonly accepted levels of delay, mistakes, defective material and defective workmanship.

- Improve the quality of submittals, internal documents, articles, and notes to clients as well as internal ones.

- Adopt the practice of awarding services on the basis of price and value addition; instead, depend on corrective measures of quality, along with time and price.

- Find the problems; constantly improve the system of service. There should be a continual rise in productivity and a decrease in costs.

Source: http://ir-library.ku.ac.ke/bitstream/handle/123456789/7167/Jackline%20Atieno%20Ater.pdf?sequence=1

Uma Shankar Mohanty can be reached at mohanty@magc.in

"Motivation is what gets you started. Habit is what keeps you going." - Jim Ryun



ISO/IEC 27001 - Information Security

What is ISO/IEC 27001? ISO/IEC 27001, first published as ISO/IEC 27001:2005 and revised as ISO/IEC 27001:2013, is a specification for an information security management system (ISMS). It was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." An ISMS is a framework of policies and procedures that includes all the legal, physical and technical controls involved in an organization's information risk management processes. ISO 27001 defines how to organize information security in any kind of organization: profit or non-profit, private or state-owned, small or large. Because it is a formal specification, it mandates specific requirements that can be audited. ISO 27001 is to information security what ISO 9001 is to quality: a standard written by experts in the field that provides a methodology for implementing information security in an organization.

It also enables an organization to get certified, which means that an independent certification body has confirmed that the organization's ISMS conforms to the requirements of the standard. Given the importance of ISO 27001, many legislatures have used it as a basis for regulations on personal data protection, protection of confidential information, protection of information systems, management of operational risk in financial institutions, and so on. In that sense the standard can be called the foundation of information security management.

Four phases of an information security management system: ISO 27001 prescribes how to manage information security through a management system which, like ISO 9001 or ISO 14001, runs as a cycle of four phases repeated continuously in order to keep the risks to the confidentiality, integrity and availability of information at an acceptable level. (The 2013 edition no longer names the Plan-Do-Check-Act cycle explicitly, but it remains the usual way to run an ISMS.) The phases are:

The Plan Phase: plan the basic organization of information security, set information security objectives and choose the appropriate security controls; Annex A of the 2013 edition contains a catalogue of 114 possible controls.

The Do Phase: carry out everything that was planned during the previous phase.

The Check Phase: monitor the functioning of the ISMS through various channels (monitoring and measurement, internal audits, management review) and check whether the results meet the set objectives.

The Act Phase: correct and improve everything that was identified as non-conformant in the previous phase. The cycle of these four phases never ends, and all the activities must be repeated cyclically in order to keep the ISMS effective.

Implementing ISO/IEC 27001: ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
Step 1: Define a security policy.
Step 2: Define the scope of the ISMS.
Step 3: Conduct a risk assessment.
Step 4: Manage (treat) the identified risks.
Step 5: Select control objectives and controls to be implemented.
Step 6: Prepare a Statement of Applicability.

Organizations are required to apply the selected controls in line with their specific risks, and to justify in the Statement of Applicability any Annex A control they leave out. Third-party accredited certification is recommended for demonstrating ISO 27001 conformance.

The specification also includes requirements for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization. The four-phase approach, the PDCA (Plan-Do-Check-Act) cycle, is considered the most successful implementation methodology.
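Steps 3 to 6 of the six-part planning process (risk assessment, risk treatment, control selection and the Statement of Applicability) are easier to see on a concrete register. The following is an added worked example in Python, not code from this article or from ISO; the 1-5 scoring scales, the acceptance threshold of 8, the asset names and the small Annex A control subset are all assumptions made for the illustration. It also shows the check an auditor will make on the Statement of Applicability: every Annex A control must be either selected or excluded with a written reason.

```python
"""Risk assessment, risk treatment, control selection and Statement of
Applicability (SoA) for a small ISMS scope. Added worked example, not code
from the article or from ISO; the 1-5 scales, the acceptance threshold, the
sample asset register and the Annex A subset are all assumptions."""

from dataclasses import dataclass

# Assumed ordinal scales: likelihood and impact are each rated 1-5, so the
# risk score is their product (1-25). Scores at or below the threshold are
# accepted without further treatment; the threshold itself is a policy choice.
RISK_ACCEPTANCE_THRESHOLD = 8

# Illustrative subset of ISO/IEC 27001:2013 Annex A controls (identifier ->
# short title), assumed for the example; check against your copy of the standard.
ANNEX_A = {
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.1.1": "Physical security perimeter",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.13.1.1": "Network controls",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: tuple   # Annex A identifiers that would reduce this risk


def risk_score(likelihood: int, impact: int) -> int:
    """Step 3, risk assessment: likelihood x impact on the assumed 1-5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def treat_risks(risks, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Step 4, risk treatment: map each (asset, threat) to (score, decision),
    where the decision is 'accept' or 'modify' (reduce the risk with controls)."""
    decisions = {}
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        decisions[(r.asset, r.threat)] = (score, "accept" if score <= threshold else "modify")
    return decisions


def select_controls(risks, decisions):
    """Step 5, control selection: every control named by a risk being modified."""
    selected = set()
    for r in risks:
        if decisions[(r.asset, r.threat)][1] == "modify":
            selected.update(r.controls)
    return selected


def statement_of_applicability(risks, exclusion_reasons, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Step 6: one SoA row per Annex A control, either applicable (justified by
    the risks it treats) or excluded (justified by a written reason). Also
    returns the controls that are neither selected nor justified; an auditor
    treats such silent omissions as a finding."""
    decisions = treat_risks(risks, threshold)
    selected = select_controls(risks, decisions)
    soa, unjustified = {}, []
    for cid, title in ANNEX_A.items():
        if cid in selected:
            treats = [f"{r.asset}/{r.threat}" for r in risks
                      if cid in r.controls and decisions[(r.asset, r.threat)][1] == "modify"]
            soa[cid] = {"title": title, "applicable": True, "justification": "; ".join(treats)}
        else:
            reason = exclusion_reasons.get(cid, "")
            soa[cid] = {"title": title, "applicable": False, "justification": reason}
            if not reason:
                unjustified.append(cid)
    return soa, unjustified


# Constructed sample risk register for a small consulting firm (assumed values).
SAMPLE_RISKS = (
    Risk("client-files", "laptop theft", 3, 4, ("A.10.1.1", "A.11.1.1")),
    Risk("client-files", "ransomware", 2, 5, ("A.12.3.1", "A.12.4.1")),
    Risk("webmail", "password guessing", 4, 3, ("A.9.4.2", "A.12.4.1")),
    Risk("office-wifi", "guest misuse", 2, 2, ("A.13.1.1",)),
)


if __name__ == "__main__":
    soa, gaps = statement_of_applicability(SAMPLE_RISKS, exclusion_reasons={})
    for cid, row in soa.items():
        state = "applicable" if row["applicable"] else "excluded"
        print(f"{cid:<9} {row['title']:<45} {state:<10} {row['justification']}")
    # A.13.1.1 is neither selected nor justified, because the only risk naming
    # it was accepted; the SoA needs a written exclusion reason before audit.
    print("unjustified exclusions:", gaps)
```

Run as a script it prints the six SoA rows and reports A.13.1.1 as an unjustified exclusion; passing an exclusion reason for it (for example, that the guest-wifi risk was formally accepted) clears the finding. The point to carry over to a real ISMS is that the SoA is derived from the risk treatment decisions rather than written independently of them, so every row can be traced back to a risk.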

The ISO/IEC standards family: ISO 27002 and ISO 27003

ISO 27002 was originally published as a renumbering of the existing ISO 17799 standard, a code of practice for information security. It outlines hundreds of potential controls and control mechanisms which may be implemented, subject to the guidance provided in ISO 27001. The standard "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The controls listed in it are intended to address the specific requirements identified through a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

The current version was published in 2013. ISO 27002:2013 contains 114 controls, as opposed to the 133 documented in the 2005 version; for additional granularity they are presented in fourteen sections rather than the original eleven. Over the years a number of industry-specific versions of ISO 27002 have also been developed or are under development (for example for the health sector, manufacturing, and so on), and the catalogue keeps being refined as technology changes.

ISO 27002:2013 is structured as follows. Clauses 0 to 4 are introductory (0 Introduction; 1 Scope; 2 Normative references; 3 Terms and definitions; 4 Structure of this standard) and clauses 5 to 18 are the fourteen control sections:
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

ISO 27003 (ISO/IEC 27003:2010), "Information technology - Security techniques - Information security management system implementation guidance", provides help and guidance in implementing an ISMS, with a focus on the PDCA method for establishing, implementing, reviewing and improving the ISMS itself. Its structure is:
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this International Standard
5. Obtaining management approval for initiating an ISMS project
6. Defining ISMS scope, boundaries and ISMS policy
7. Conducting information security requirements analysis
8. Conducting risk assessment and planning risk treatment
9. Designing the ISMS

Advantages or benefits of implementing ISO 27001

Prime benefits:
1. A recognized framework for complying with information security legislation.
2. A better organizational image because of the certificate issued by the certification body.
3. Lower costs because of the incidents prevented.
4. Optimized operations, because responsibilities and business processes are clearly defined.

Extended benefits:

Aligning business and technology objectives: the standard forces business management and technical staff to cooperate to meet certain management and information-control objectives, so it can dramatically improve alignment between these sometimes disjointed groups and foster continuous and sustainable improvement.

Benchmarking: ISO 27001 provides additional opportunities for benchmarking, helping companies implement good practices and reach stretch goals more readily. Detailed comparison with others in the same industry can lead to breakthrough improvements. The standard also encourages everyone in the organization, from management to technical staff, to get on the same page about goals and objectives, improving communication and ultimately results.

Data protection: applying a standard process to the selection and maintenance of existing and new security procedures, involving both management and information technology (IT) personnel, helps prevent problems before they occur. It also addresses legal compliance through standardized internal and external audits.

Conclusion: ISO/IEC 27001 can be implemented successfully if the organization recognizes the value of certification: an ISO 27001 certificate strengthens its brand image in a competitive market. Successful implementation depends on the support of management, the effectiveness of the project team and the awareness of employees of the collective goal of implementing the ISMS. Duration and cost are further concerns: the duration depends on planning, and the cost cannot be estimated reliably until the risk assessment is complete and the applicable controls have been identified. On the whole, an ISO/IEC 27001 implementation that is planned and executed in phases (Plan-Do-Check-Act) helps the organization align itself with a globally recognized standard. Visit the ISO Survey of certifications to know more: http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001&countrycode=AF#standardpick

Ela Vijay can be reached at elavijay@magc.in



An Exclusive talk with Ela Vijay

Ela Vijay, B.Sc., M.H.R.M., M.Phil., pursuing LL.B (2014-2017); MCSE – Security, MCSA – Messaging, MCTS – BDD, MCTS – Vista, MCTS – Win Server 2003
Consultant
9th July 1984
elavijay@magc.in; personal email: elavijay84@gmail.com; +91 90253 15682

CC. The meaning of your name.
Vijay: Victory.

CC. Nick name.
Vijay: VJ / Ela.

CC. Team work vs individual work – your comments.
Vijay: Individual work = winning Wimbledon. However, team work = ICC World Cup or FIFA World Cup. Team work made dreams work :) Thanks to Michael Jordan :) for his inspiring quote.

CC. CEO, Corporate Legal Consulting Firm

CC. What personal/emotional characteristic of yours do you want to change?
Vijay: Excessively caring for others; should learn to 'LET GO'.

CC. Money or job satisfaction?
Vijay: Job satisfaction.

CC. Do you make efforts to get others to laugh and smile?
Vijay: Certainly; sometimes my contribution happens even when I don't take any special or specific effort :)

CC. Your heart rules your head or your head rules your heart?
Vijay: Heart rules head in personal matters, but in profession head rules my heart.

CC. Your stress buster.
Vijay: Reading comics and playing with my friend's kids.

CC. Do you have a small circle of close friends, rather than a large number of friends?
Vijay: Small circle of trusted close friends, who do everything before I ask for, and a large number of friends to support with anything if I ask for.

CC. Special talent.
Vijay: Tough question; is there an option to say Pass or Phone a Friend or Audience Poll? :)

CC. Hobbies.
Vijay: Philately, reading comics, watching movies, travelling, cooking.

CC. What do you most like about a person?
Vijay: Simple, down to earth and humble.

CC. What do you most hate in a person?
Vijay: Lack of discipline, which could be observed by everyone, creating a negative impression about the person. However, I believe in "Never judge, just accept how a person is".



What’s up at MaGC?

Ashok Rao with the Director General, Dept. of Public Accounts, Bhutan, as part of the "Peer Review of Financial Rules and Regulations" project in July 2014

MaGC team headed by Dr. RSM attended the MacMillan Woods regional conference on 18th and 19th July 2014 at Bangalore

Kishore enjoying an off day during his Financial Advisory project for IST Egypt in July 2014

Karthik M V gave a guest lecture on 'Altman Z Score' at the Acharya Bangalore Business School, Bangalore on 17th June 2014

Quiz Corner

1. Sydney has started installing 'reverse vending machines'. What are these?
2. The Govt wants to promote the use of debit cards issued by the National Payments Corporation of India. What is the name of this network?
3. British Airways has introduced a 'Happiness blanket'. What does it do?
4. Modi has made yet another new coinage: B4B. What does it stand for?
5. In the Amazon logo, there are two subliminal messages hinted at by the yellow arrow. What are they?

Send in your answers to the editor at cc@magc.in. Participants with correct entries will be awarded a Recognition Certificate by MaGC.

Last Quiz Corner answers: 1. Honda Activa; 2. Largest Hindi search portal; 3. IDFC and Bandhan Financial Services; 4. Google; 5. McKinsey Moms are former McKinsey employees who left McKinsey to raise a family.

The right answers for the previous issue's quiz were given by Bhavana!!! Congratulations!!!

Birthday wishes

Mamtha – 5th Aug
Karthikeyan – 1st Sept
US Mohanty – 4th Sept
RS Murali – 5th Sept
Bhavana – 14th Sept
Roopa Kamath – 22nd Sept


Our Mission is to apply our professional capabilities with a holistic approach for the happiness of clients, through values and social commitment.

Editorial Board: C S Suresh, Executive Director; Ashok Rao, Executive Director
Editors: Vinod M, Consultant; Karthik M V, Consultant
Contact: email cc@magc.in
Published by MaGC Private Limited, Chennai & Bangalore

Management and Governance Consulting Pvt. Ltd.

Registered Office: 2nd Floor, New No. 4, Old No. 23, C P Ramasamy Road, Alwarpet, Chennai - 600 018, INDIA. Ph: +91 44 2466 0955 / 2498 6850. Email: chennai@magc.in
Branch Office: #107, 1st Floor, Railway Parallel Road, Kumarapark West, Bengaluru - 560 020, INDIA. Phone/Fax: +91 80 2356 0265. Email: bengaluru@magc.in

Website: www.magc.in

Our Business Associates

N.C.R & Co.

