What is ISO 9001

The ISO/IEC 9001 standard is the international standard for quality management. It focuses on two key aspects: meeting customer requirements and enhancing customer satisfaction. To achieve this, the ISO 9001 standard sets out a number of specific requirements.

The attached figure visually represents the impact of the relevant parts of the ISO 9001 standard on an organization. Eight components are defined, which together form the Quality Management System (QMS). The QMS is the basis for ISO 9001 implementation and ensures that services meet customer requirements and satisfy customers.

The Plan-Do-Check-Act cycle, shown in the parts highlighted in red, is central to ISO 9001 implementation: planning based on customer requirements, measuring execution, and evaluating the results in order to improve the quality of overall operations.

Implementing an effective quality management system is a solid foundation for the sustainable development of your organization and can contribute to overall performance improvement. ISO 9001 employs a process approach and risk-based thinking.

ISO 9001:2015

The revised ISO 9001 standard, ISO 9001:2015, was published in September 2015. Three key adjustments include the introduction of the High-Level Structure (HLS), increased focus on risks, and the requirement for management commitment. The HLS modularizes various components, facilitating easier integration of diverse ISO standards. These changes not only provide a quality management tool but also a framework for business improvement.

ISO 9001 Certification

To qualify for ISO 9001 certification, you must demonstrate continuous improvement of processes in your organization and emphasize communication with customers, partners, and suppliers. Your organization is aware of its role in society, collaborates with suppliers to improve processes, and, of course, serves its customers.

ISO 9001 Quality Check

Like all ISO standards, ISO 9001 undergoes a systematic review every five years to decide whether the standard remains valid or needs updating. This is necessary to ensure that the standard remains globally relevant and meets the needs of its users.

Additionally, the subcommittee responsible for the standard has undertaken a number of activities, including discussions with committee members and a survey of ISO 9001 users. The result was that no revision was necessary, and the latest version of ISO 9001 still provides as much value to those implementing the standard as when it was last updated in 2015.

A special task force within the committee will continue to evaluate and monitor any potential market or other changes that may affect the standard and propose a revision if and when necessary.

Benefits of ISO 9001

The ISO/IEC 9001 standard is the international standard for quality management. It focuses on two key aspects: meeting customer requirements and enhancing customer satisfaction. To achieve this, the ISO 9001 standard sets out a number of specific requirements. Implementing the standard brings many benefits.

  1. Increased revenue: by leveraging the reputation of ISO 9001, you can secure more tenders and contracts, while improving efficiency benefits customer satisfaction and retention.
  2. Enhancement of credibility: when organizations seek new suppliers, having a QMS based on ISO 9001 is often a requirement, especially for those in the public sector.
  3. Improved customer satisfaction: by understanding your customers’ needs and reducing errors, you increase customer confidence in your ability to deliver products and services.
  4. Higher business efficiency: by following industry best practices and focusing on quality, you can reduce costs.
  5. Improved decision-making: you can detect and signal issues promptly, enabling you to take quick steps to prevent the same mistakes in the future.
  6. Increased employee engagement: by improving internal communication, you ensure everyone works with one agenda. Involving employees in designing process improvements makes them happier and more productive.
  7. Better process integration: by examining process interactions, you can more easily find efficiency improvements, reducing errors and benefiting from cost savings.
  8. A culture of continuous improvement: this is the third principle of ISO 9001. It means embedding a systematic approach to identifying and exploiting improvement opportunities.
  9. Improved supplier relationships: using best-practice processes contributes to more efficient supply chains, and certification will signal these to your suppliers.

Dealing with Suppliers (Sub-Service Organizations) in 4 Steps.

This article provides 4 steps to better oversee the audit process and work more efficiently.

Step 1. Is there a subservice organization?

The so-called subservice organizations represent a special class of suppliers. These are defined as “a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.”

Subservice organizations may appear in an SOC 1 or SOC 2 report, and this may determine whether it is a Type 1 or a Type 2 report. The following providers are typical examples of a subservice organization:

  • Data centers
  • IT service providers
  • Software-as-a-service or platform-as-a-service providers

Step 2. Split or inclusive reporting?

Once the organization has been able to identify whether there is a subservice organization, that is actually just the tip of the iceberg. For the report, it still needs to be decided whether to use the carve-out method or the inclusive method.

Carve-out method

With this method, complementary subservice organization controls (CSOCs) come into play. The controls performed by the subservice organization are not included in the report. The report only describes what the subservice organization does for the service organization, how it interacts with the service organization’s system, and which controls the subservice organization is expected to have in place so that the control objectives or trust services criteria can be met.

Inclusive method

With this method, the relevant aspects of the subservice organization’s operations and the related internal control measures at the subservice organization are fully included in the report. The inclusive method can also be seen as a merger of separate SOC reports from two entities. What is important is that the same level of work performed for the service organization must also be performed for the subservice organization. This can be discouraging, which is why the inclusive method is rarely seen in practice. Entities of the brother/sister type, such as an operational unit supported by a separate IT department, both belonging to the same parent company, are an example of when the inclusive method could be used. Another example is when the subservice organization carries out almost all of its activities for a single unrelated service organization.

Step 3. Demonstrate how your organization manages the split subservice organizations

Now you need to ensure that, if there is a carved-out subservice organization, the organization documents well how it is managed. With subservice organizations, a typical supplier management program in which you evaluate the supplier’s services, quality, policies and procedures (e.g., IT security) and insurance coverage is not sufficient. As a service organization, you need to take steps to determine whether the types of CSOCs you expect the subservice organization to have are actually present. One of the easiest ways to do this is to obtain the subservice organization’s SOC report, assuming it has one.

If no SOC report is available, the organization should gather information from the management of the subservice organization, read other internal reports that the subservice organization may produce, and/or conduct on-site visits to assess the CSOCs you require.

Step 4. Understand and comply with complementary user entity controls

Arriving at the final step: most service organizations have expectations of their user entities, which auditors refer to as CUECs. CUEC stands for “Complementary User Entity Controls.” The subservice organization likewise expects the organization, as a user entity, to operate certain types of internal control measures. The final step is therefore to understand these expectations and determine how the organization complies with them.