Climate change has become a burning issue in recent years and impacts not only individuals but businesses at various levels. Considering this, the International Organization for Standardization (ISO) has taken a big step towards integrating climate change considerations into management systems standards.

This decision, in line with the ISO London Declaration on Climate Change, recognizes the need to consider how climate change affects achieving management system goals. These changes will affect existing standards and all new ones in development.

In this article, we'll explore what these changes are, how they can be implemented into your organization’s management system and the significance of ISO's move towards a greener future.

What are the changes in the amendment?

This amendment is incorporated into various management system standards, including ISO 9001, ISO 45001, ISO 14001, and ISO 27001. The key changes introduced in this amendment impact Clauses 4.1 and 4.2 of the affected standards. Clause 4.1 now requires organizations to consider the "changes in external and internal issues" that may impact their management system, with a specific focus on the effects of climate change. Clause 4.2, on the other hand, mandates that organizations identify the "needs and expectations of interested parties" that are relevant to their management system, including those related to climate change. These changes are effective from the 23rd of February, 2024.

How to implement the new requirements?

It is crucial to understand the implications of these new requirements and how they can be effectively addressed within your organization's management system. The simplest approach will be to incorporate the discussion of climate change impacts and interested stakeholder needs as part of your regular Management Review Meetings or Strategic Planning Meetings. This will enable you to assess the potential risks and opportunities presented by climate change and determine the appropriate actions to be taken. Also note that it is not necessary that your organization will be impacted by climate change or the impact or likelihood of the risk is too low for you to take any action. In such a case, you can document this as part of your management system clearly recording in management review minutes of meetings.

When addressing the ISO Climate Change Amendment, it is essential to consider the specific context of your organization and the management system standards you have implemented.

Let’s discuss a few examples relevant to different ISO standards:

• ISO 9001 (Quality Management System)

In the context of ISO 9001 (Quality Management), your organization may need to evaluate how climate change could affect their ability to consistently provide products and services that meet customer and regulatory requirements.

An example relevant to ISO 9001 could be that climate change may lead to natural disasters which could disrupt the supply chain. Businesses may run the risk of delayed raw material supplies which may impact the delivery of the products and services to the customer. This should be identified as an external issue while determining the context of the organization. This should also be identified as a risk and adequate controls should be implemented to mitigate this risk. An example could include researching an alternative supplier and putting a contingency plan in place.

• ISO 45001 (Occupational Health and Safety Management System)

Similarly, in the case of ISO 45001 (Occupational Health and Safety), you may need to assess the impact of climate change on the health and safety of your employees, particularly in the event of extreme weather events. As climate changes, temperatures are increasing around the globe. This could become a hazardous condition for the employees who work outdoors in extreme heat or in physically demanding jobs. The employees (interested parties) would expect adequate arrangements in the workplace for managing heat-related illnesses, such as heat stroke and exhaustion. This shall be identified as a “need and expectation of the interested party” and a hazardous condition requiring risk planning. Appropriate actions shall be taken to address this risk as part of the organization’s management system. Some examples of the actions could include the provision of weather appropriate Personal Protective Equipment (PPE), access to water and cool spaces and preparedness for emergencies.

• ISO 14001 (Environmental Management System)

ISO 14001 deals with the need to adapt to any change in environmental conditions, including those resulting from climate change. Apart from risks flowing down from the context of the organization, the Environmental Management System (EMS) requires that the organizations also understand greenhouse gas emissions-related environmental aspects and compliance obligations. Risk mitigation shall be planned in these areas which could include risks of failing to meet reduction objectives, risk of interested parties' demands or risk of not meeting the regulations. The organization shall identify methods to adapt to climate change by understanding how environmental conditions affect them and what risks can be posed due to these environmental conditions. Some examples of risks include a water shortage, flooding and solid erosion. The risks could also be related to the organizations’ activities and some examples could include resource shortages or supply chain disruptions.

• ISO 27001 (Information security management System)

ISO 27001-related internal and external issues may include infrastructure vulnerability, workforce unavailability due to extreme climatic conditions or a vendor dependency who may be impacted by climate change. Some examples of risks involved include damage to the infrastructure, supply-chain disruption and power outages (which would then lead to issues with data integrity and availability). Appropriate controls should be put in place to ensure the availability of infrastructure, networks and data that may be disrupted due to climate change-related conditions.

By proactively addressing the ISO Climate Change Amendment, small and medium-sized businesses can not only ensure compliance with the updated standards but also position themselves as responsible and forward-thinking organizations. This can lead to enhanced stakeholder trust, improved operational resilience, and ultimately, a stronger competitive advantage in the marketplace.

Improvement is simply an act or a process of making something better.

ISO 9001 Clause 10, which is the last clause of ISO 9001, talks about Improvement, which describes the action steps that an organization shall take to improve their processes, products and services. This clause also describes the process for addressing nonconformities and taking corrective actions to eliminate the root causes as the first step in acting to improve the system. ISO 9001 also requires that the process improvement should not be a one-time activity but should be in-built into the process so that a mechanism of continual improvement is established.

Why is it important?

Today’s world of business is highly competitive; customers have high demands, and they cannot be pleased with just their requirements being met; they want value for money. Companies must bring in differentiating factors in their business to ensure they surpass customer expectations. The differentiating factors can be built-in by delivering faster than others, selling goods of high quality, quick and easy-to-reach after-sales staff, etc. All these need process improvements, which could be bought in by removing the waste or unwanted processes to move the goods faster or by improving your supply-chain processes, ensuring good quality raw material through detailed inspections, etc. This is where your continual-improvement efforts should be focused at. Continually improving the processes is how you create excellence and become highly competitive.

How to identify improvement opportunities?

Clause 10.1 emphasizes the need for an organization to seek out and realize improvement opportunities that will enable the organization to meet customer requirements better and enhance their customers' satisfaction.
When looking to improve, organizations should review their processes, improve their products and services, correct, prevent or reduce undesired effects and improve their QMS results. This clause adds that organizations should not only improve products and services to meet known requirements but also address the “future” needs and expectations of the customer.

Improvement opportunities may be identified at various places throughout your organization's processes. Some of the inputs to improvement opportunities are:

• Risk-Based Thinking requires an organization to take actions to mitigate risks or enhance opportunities. Both of these lead to certain actions which improve the organizational systems.
• Non-Conforming product or processes, whenever encountered, requires you to identify root causes and take corrective actions. This could lead to making changes or process improvements to your QMS to ensure that nonconformities do not occur again. More details on this are given in the next section.
• Future needs of the customers can indicate a lot of areas where you can expand and grow your business.
• Customer feedback analysis and data evaluation against the goals can also point you to a number of process improvements. Measurements and review of achievement against targets are means for revision of various processes and setting of revised goals and targets for the next cycle.

Nonconformity and Corrective Action

Sub-clause 10.2 calls out requirements on how an organization should act when nonconformity is identified. Let’s define a few terms before we move forward:

• Nonconformity - non-fulfilment of a requirement
• Root cause analysis - a technique used to determine the underlying cause of a nonconformity.
• Corrective action - action to eliminate the cause of nonconformity and to prevent a recurrence

When we talk about non-conformity, there are can be many potential sources of non-conformities. These include but is not limited to:

• Internal and External Audit Findings
• Results of monitoring and measurements, for example inspection reports, testing defects, etc.
• Customer complaints
• Non-compliance with regulatory and statutory requirements
• Warranty claims
• Problems reported with external suppliers, For example, delivery issues or incoming inspection results
• Suggestions or problems identified by employees, etc.

When a non-conformity is encountered in a system, an organization needs to take the following steps:

• Take action as necessary to control and correct the nonconformity, and to deal with any resultant consequences (Correction)
• Conduct root cause analysis to identify the root cause of the problem, using appropriate problem-solving tools like 5-why, fishbone, failure mode, Pareto analysis, etc. It is not necessary that you adopt all or any of these methodologies to conduct a root cause analysis, but these methodologies give a structure to your root cause analysis and helps you identify appropriate root cause. We will see in an example below.
  • Take action to eliminate the root cause (corrective action)
  • Ensure timely closure of all corrective action
  • Conduct follow-up reviews to ensure that the action taken has been effective to eliminate the non-conformity and preventing recurrence
  • If evidence of recurrence is found, then perhaps the action or root cause identified is inadequate or incorrect. Conduct root causes analysis again to identify the additional cause and take actions against them.
  • Make corrective action records available for customers and present a summary of corrective action results for management review.
  • Also, consider if any new actions to address risks and opportunities have been identified and if so assess them in accordance with Clause 6.1.

Let’s now explore with an example how when encountered with a non-conformity, what an ideal process should be and how by effectively using tools like 5-Why, you can eliminate the non-conformity and ensure that it never recurs. To explain the approach, let’s take an example of a Fast-Food Restaurant which promises burritos delivery to home within 30 minutes of the order. The restaurant received a complaint from one of their regular customers, Ms. Olivia. She was quite unhappy with the restaurant and raised her concerns to the Restaurant Manager. The Restaurant Manager called all his team members and used 5-why to understand the root cause of the customer complaint and identify a solution. Let’s see how it went:

• Why was Ms. Olivia unhappy with the delivery?
  • Because Burritos were delivered late
• Why were Burritos delivered late?
  • Her address was incorrect in the software used for orders
• Why was her address incorrect in our records?
  • Customer address changed and it was not confirmed while taking the order
• Why was the address not confirmed while the order was taken?
  • The person taking the order missed verifying the address
• Why did the person miss to confirm the address?
  • The software (used for taking orders) uses the default address in the system and places the order in the system. It does not require any verification of address.

The Restaurant Manager identified the below action to improve the process:
“Software used for taking orders shall have a step to verify the address and should give an indication to the person taking the order to confirm the address. Only after he verifies in the software, the order should be placed in the tool. This way the step would not be missed.”

This action is a full-proof solution to the problem. This will ensure that anyone who works with the software does not miss the step. The non-conformance will never occur again due to this reason. Observe how a small non-conformance of late delivery can lead to a huge process improvement that involved updating the software.

Again, it is not necessary that you will be able to implement corrective action for all non-conformities. For a small restaurant, getting the software updated may involve a huge cost. You need to evaluate the significance of nonconformities on the basis of their impact on operating costs, cost of correction or corrective action, impact on customer satisfaction or any other risks. Based on all these factors, an organization may decide if corrective action is required for the non-conformity or not. In a case where such corrective actions cannot be taken, the organization may reduce the likelihood of non-conformity to an acceptable level. In the example above, if spending a huge amount on getting the software updated is not feasible, you may opt for other methods like training the staff, creating a checklist, and pasting it at the desk of staff taking orders as a constant reminder, etc. This will definitely reduce the non-conformity to an acceptable level even if it is not eliminated from the system.

Continual Improvement

Clause 10.3 requires the organization to work continually to improve its QMS in terms of its suitability, adequacy and effectiveness.

As part of the continual improvement process, the organization is specifically required to use the outputs from analysis and evaluation (see sub-clause 9.1.3) and from management review (see clause 9.3) to determine areas of underperformance and to identify any opportunities for improvement.

Tools and methodologies should be employed as appropriate by the organization to investigate the cause of underperformance and identify actions to support continual improvement. At the time of Management Reviews, where effectiveness of various parameters is reviewed, is an excellent time to identify process improvement opportunities.

Continual Improvement is at the core of ISO 9001 and a key area with which all organizations shall comply with. This is the way businesses can constantly improve and maintain an edge over their competitors.

The new version of ISO 27002 has recently released on February 15, 2022. This new version is restructured, and changes have been done within the controls. In this article, we will discuss key changes that have been bought in the standard in terms of structure, changes in the controls and a brief summary of the new controls.

Structure of the standard

The old standard had 14 sections which have been now reorganized into only four sections.

The new ISO 27002:2022 standard has 93 controls organized in these four sections and 2 Annexures:

• Clause 5 Organizational (37 controls)
• Clause 6 People (8 controls)
• Clause 7 Physical (14 controls)
• Clause 8 Technological (34 controls)
• Annexure A – Using attributes
• Annexure B – Correspondence with ISO 27002:2013

The number of controls in the new version is reduced to 93 from the earlier version, which had 114 controls. The reason for this change may be technological developments and an increased understanding of the application of security practices.

Elements of each control

Two new elements that have been added to the structure describe the attributes and purpose of the control. These elements make it easier for a reader to sort the controls and understand the purpose behind using the control. These are:

• Attribute table: This table define the attributes for each control (refer to section Control Attributes for more details)
• Purpose: Justification for the use of the control

Also, the standard has been simplified in terms of a number of subsections. In the earlier version, there were around 3 subsections; for example: under section ‘7, Human Security’, there was a subsection ‘7.1 Prior to Employment’ and then ‘7.1.1 Screening’. In the new standard, this is now depicted as ‘6 People Control > 6.1 Screening’.

Controls attributes

One of the most significant changes that have been done is the introduction of Control attributes. With the introduction of control attributes, a standardized way of sorting and filtering the controls is provided. This helps in easily identifying the requirements of different departments/groups in an organization.
A sample of how control attributes are depicted in the standard is given below:

Attributes options are described below:

• Control types: Preventive, Detective, and Corrective
• Information security properties: Confidentiality, Integrity, and Availability
• Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
• Operational capabilities: Asset management, Governance, Human resource security, Information protection, System and network security, Physical security, Application Security, Identity and access management, Secure configuration, Continuity, Legal and compliance, Supplier relationships security, Threat and vulnerability management, Information security event management, and Information security assurance
• Security domains: Governance and ecosystem, Protection, Defense, and Resilience

Renamed/Merged controls

23 controls have had their names changed. For example: Teleworking has been renamed “Remote working”.

57 controls have been merged into 24 controls. For example: Some of the logging and monitoring controls have been revised and combined into a new control titled “Monitoring activities”

Impact of changes to ISO 27002 on ISO 27000 series

• The ISO 27000 series is a group of standards that are based on an amalgam of best practices on overall Information security management systems (ISMS).
• ISO 27001 is one of the key standards that provide a framework for developing ISMS in organizations, and this is the standard to which the organizations get certified.
• ISO 27002 which we are discussing in this article, provides guidance on how organizations shall implement the controls given in ISO 27001 standard. ISO 27002 is key to the achievement of the ISO 27001 certification as it explains the implementation of the required controls.
• Due to the changes that have been now bought in ISO 27002, we can expect some changes to ISO 27001 as well soon.

New controls

11 new controls introduced in the standard are given below:

• Threat intelligence
• Information security for use of cloud services
• ICT readiness for business continuity
• Physical security monitoring
• Configuration management
• Information deletion
• Data masking
• Data leakage prevention
• Monitoring activities
• Web filtering
• Secure coding

We will discuss these in detail in the next section.

Threat intelligence

Threat Intelligence has gained a lot of importance in recent years and is fast becoming vital to cybersecurity efforts put in by companies. ISO framework has now introduced Threat Intelligence as a new requirement setting a precedence for other standards and regulations to follow suit.

Threat Intelligence helps cybersecurity teams proactively prepare for upcoming threats. This is an important addition to ISO standards looking at how quickly and easily even low skilled threat actors can conduct successful Malware/ransomware campaigns these days.

Threat intelligence involves gathering and analysing information on cyberattacks that are currently running or may occur in future. By meeting this requirement, organizations gain a better understanding of the techniques and processes attackers use to gain access to networks. This helps organizations proactively plan methods to defend themselves against these attacks.

Information security for the use of cloud services

Cloud services have become an integral part of most businesses these days. These services provide access to various applications and resources, which reduces the cost required for establishing internal infrastructure or hardware. Cloud services are fully managed by cloud computing vendors and service providers.

It is important that information security requirements are considered while acquiring, using, managing or exiting cloud services. Information security is a shared responsibility between a cloud service provider and a cloud service customer. ISO framework requires that the organization these responsibilities shall be defined and implemented appropriately.

A cloud service agreement should address the confidentiality, integrity, availability and information handling requirements of the organization, with appropriate cloud service level objectives and cloud service qualitative objectives.

ICT readiness for business continuity

The old version of ISO 27002 addressed business continuity which required organizations to ensure information security to an appropriate extent in the event of business interruptions.

The new control "ICT readiness for business continuity" further expands on the requirements for business continuity for information security. The control includes the availability requirements based on the results of the Business Impact Analysis (BIA).

Based on the outputs from the BIA and risk assessment involving ICT services, the organization shall identify and select ICT continuity strategies that consider options for before, during and after the disruption.

The new version requires a business impact analysis as a basis for ICT emergency planning.

7.4 Physical security monitoring

This control requires an organization to ensure that the premises are continuously monitored for any unauthorized physical access. This can be done by monitoring the physical premises through surveillance systems, which can include guards, intruder alarms, video monitoring systems such as closed-circuit television and physical security information management software either managed internally or by a monitoring service provider.

This control requires that access to the buildings that house critical systems should be monitored to detect any unauthorised access or suspicious behaviour. The monitoring systems should be kept protected from unauthorised access and the design of these systems should be kept confidential.

The standard also requires that the company takes care of any local laws or regulations including data protection and PII protection legislation, especially regarding the monitoring of personnel and recorded video retention periods. For example, This may require a company to carry out a data protection impact assessment (DPIA) for camera surveillance to comply with GDPR requirements.

8.9 Configuration management

This new control requires that an organization manage the security configuration of hardware, software, services and networks to ensure a proper level of security and to avoid any unauthorized changes. This requires that the configuration is established, documented, implemented, monitored, and reviewed.

To implement this control, organizations need to define and implement processes and tools to enforce the defined configurations including security configurations for hardware, software, services and networks, for newly installed systems as well as for operational systems over their lifetime.

The organization shall also document procedures and assign roles and responsibilities clearly so that there is no ambiguity whenever configuration changes are made. Standard templates shall be defined and reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced.

This control requires proper documentation of configurations and maintenance of logs whenever there are configuration changes. Any changes to configuration shall follow the change management process. Configurations should be monitored and reviewed on a regular basis.

8.10 Information deletion

This control requires an organization to delete information when no longer required. The purpose of this control is to prevent unnecessary exposure of sensitive information and to comply with legal, statutory, regulatory and contractual requirements for information deletion. The information could be stored in information systems, devices or in any other storage media or cloud services.

To comply with this clause, an organization need to establish a process that defines what data needs to be deleted and what are the methods of deletion and responsibilities.

You may need to use tools for secure deletion of sensitive information, which may be mandated by contractual or legal requirements, or as per internal risk assessments done by the organization.

Where cloud services are used, the organization’s processes should ensure that the deletion methods provided by cloud service providers are acceptable. Similarly, in the case of the transfer of equipment to vendors, sensitive information should be protected by removing auxiliary storage such as hard drives and memory before equipment leaves the organization's premises.

8.11 Data masking

This control requires an organization to use data masking in addition to access control to ensure sensitive data is not exposed. This new control is added because of a number of regulations that apply to managing personal data which would primarily be the sensitive data in an organization, but this could include other categories of sensitive data as well.

To comply with the requirement, an organization need to use anonymization or pseudonymization to mask data if this is required by regulations. An organization may also use other methods such as encryption, nulling or deleting characters, varying numbers and dates, replacing values with hash, etc.

8.12 Data leakage prevention

This control requires that an organization apply various data leakage methods to avoid any unauthorized disclosure or extraction of information by individuals or systems. In the event of data leakage, the organization shall have processes in place to detect these in a timely manner. These measures should be applied to systems, networks and any other devices that process, store or transmit sensitive information.

To comply with these requirements, organizations need to proactively apply measures to avoid any data leakage. Data leakage prevention tools shall be put in place to identify and monitor sensitive information, detect any disclosures of sensitive information and block user actions or network transmissions that expose sensitive information.

Measures can include the implementation of tools to prevent data leakage, for example restricting copy and paste, disabling download to removable storage devices, encryption, email quarantine, etc.

8.16 Monitoring activities

This control requires an organization to monitor its IT systems, networks, and applications to identify any unrecognized activities and take appropriate actions to evaluate potential information security incidents.

The monitoring systems could include outbound and inbound networks, system and application traffic, access to systems, servers, networking equipment, logs from security tools, event logs relating to system and network activity, etc.

An organization should define procedures to respond to positive indicators from the monitoring system in a timely manner and also to identify and address false positives. The purpose is to minimize the effect of adverse events on information security and fine-tune the monitoring software to reduce the number of future false positives.

8.23 Web filtering

This control requires an organization to manage access to certain websites to reduce exposure to malicious content. This will not only protect your systems from being compromised by malware but also prevent users from using illegal materials from the Internet.

To comply with this requirement of the standard, an organization can block access to certain IP addresses, use browsers or anti-malware software, establish rules for safe and appropriate use of online resources, etc.

Also important for compliance with this clause is that organizations create awareness among the employees on the dangers of using the Internet, provide them with the guidelines for safe use, contact points for raising security concerns, and exception process when restricted web resources need to be accessed for legitimate business reasons, etc.

8.28 Secure coding

This control requires an organization to develop secure coding principles and apply them in software development. When secure coding is inbuilt into software, you have reduced the risk of vulnerabilities.

Some of the ways this can be achieved are by separating development, test and production environments, providing guidance on the security in the software development life cycle, embedding security requirements in specification, design, security checkpoints, security testing, etc.

Management review is a regular evaluation exercise where the performance of the quality management system is reviewed to check if the systems are producing the desired results. This process requires the top management to periodically review various elements of the Quality Management System and ensure its suitability, adequacy and effectiveness. That means the top Management shall review that the Quality Management System to check if it still fits its purpose (suitable), is still sufficient (adequate) and is still able to achieve its intended purpose (effective).

While assessing the suitability and adequacy of the Quality Management System this clause requires management additionally consider any changes to the context of the organization and also alignment between the QMS and the strategic direction of the organization. The intent is not only to review the performance of the Quality Management System but to also evaluate the need for any changes in the quality policy, objectives and other elements of the Quality Management System. Management review is an important process that helps in identifying continuous improvement initiatives which are at the core of the ISO 9001 standard.

Why is it important?

Management review is an additional performance evaluation check apart from internal audits and monitoring and analysis which helps in ensuring the effectiveness of the quality management system.

Management oversight is important for any management system or a continuous improvement initiative to succeed. It is, therefore, crucial that management remains committed to holding these meetings on a regular basis to keep themselves abreast with the performance of the management system. Management reviewing the management system at regular intervals helps in understanding changes in the context which is important to ensure that the Quality Management System always remains in sync with changing business scenarios. A key output of the management review meetings is the identification of process improvements which in turn helps in improving quality and customer satisfaction which are key to the success of any company and business growth.

Frequency of Management Reviews

Management review should be conducted at planned intervals; this could be daily, weekly, monthly, quarterly, semi-annually or annually. The frequency should be decided by the Management based on the size and nature of the organization.

It is a common misconception among companies implementing ISO 9001 requirements that management review is a separate exercise that should be done by the top management at a fixed frequency. While this approach is fine but there can be various ways of making the management review more effective, less time consuming and fused with existing processes in place. The goal should be to meet all the requirements of ISO 9001. Top management can look at different aspects of the management system and decide which of the elements can be discussed or is already being discussed in existing ongoing meetings. For example, if top management has a meeting already in place where they review the customer satisfaction survey results; this is one element of the management system that should be reviewed. So, Instead of having this agenda again in the management review, the management team shall continue the existing practice and ensure that the records of the meeting are being maintained.

In a larger organization, where multiple layers of management are there, a more suitable approach would be to have management meetings at different levels to capture data which then can serve as an input to the strategic planning meetings of the Executive Team.

To conclude, an organization may conduct management reviews as a standalone activity or in a combination of related activities (e.g. meetings, reports, etc.) and the frequency at which it needs to be conducted should be based on the business environment, size of the organization and complexity of the work being done.

Preparing Management Review Inputs

ISO 9001 requires that the top management review various elements of the quality management system which include:

• status of actions from previous management reviews
• changes in external and internal issues relevant to QMS
• adequacy of resources
• opportunities for improvement
• effectiveness of actions taken to address risks and opportunities as explained in clause 6.1.
• information on quality performance and effectiveness including trends in:
  • non-conformities and corrective actions
  • customer satisfaction and feedback from relevant interested parties
  • monitoring and measurement results
  • audit results
  • the extent to which quality objectives have been met
  • process performance
  • conformity of product and services
  • the performance of external providers

Data related to all these elements should be gathered as inputs for the management review. Preparation for the meeting may require you to gather data on various quality parameters, risks and opportunities and their status, changes to the context of the organization, non-conformities and their status, customer satisfaction results, audit results, trend analysis, supplier performance, resource requirements, opportunities for improvement, etc. The inputs should be used to determine trends in order to make decisions and take actions related to the quality management system.

An organization can include additional items in management review (such as new product outline, financial outcomes, new business opportunities, issues or opportunities from the business market, etc.) to determine if the organization is achieving its intended results and would be able to do so in future.

Who should attend Management Review?

Top Management or the Executive Team of an organization is required to attend the Management Review. The Management could decide based on the inputs of the management review on other members who could be required to attend the management review. In a larger organization, with multiple layers of management, decisions should be taken on the basis of the relevant stakeholders that are required for the topics being discussed.

Outputs of the management review

Sub-clause 9.3.2 of ISO 9001 specifies certain requirements for the outputs from management reviews.

These must include decisions as to whether there is a need to change any aspect of the QMS including, but not limited to, resources required to support the operation of the QMS, as well as any decisions relating to continual improvement opportunities. The organization must retain documented information to provide evidence of the results of management reviews. Management review records must include minutes of meetings, decisions taken, responsibilities for corrective or improvement actions and related timelines and follow-up actions from previous management reviews. Examples of documented information include presentations, meeting minutes and reports.

Internal audit is an objective assurance exercise carried out by independent and trained auditors. The purpose of this exercise is to add value and improve the organizational processes. With the help of an internal audit which is a systematic and disciplined approach to evaluate the effectiveness of the Quality Management System, an organization can achieve the objectives set for its Quality Management System. ISO 9001 provides guidance on how these internal audits can be conducted in a systematic and efficient manner to evaluate if the organization is meeting the requirement of its own quality management system, ISO 9001, customer and regulatory requirements.

Why is it important?

Having Internal Audits helps to find non-conformities and prevent them so that they do not lead to non-conforming products in future. To understand this better let's take an example of a Builder. During an audit on builder operations, the auditor could not locate review records of building design and raised a non-conformity on that. When the management came to know of the issue, they analysed the situation and found that the design review was done without following the complete process. The design records were not in place which raised doubts on how efficiently the review was done. As a correction, the review was done again with the help of proper documents and a number of design faults were found and corrected. Such issues when found on time, can help management take corrective actions so that they do not appear in future. A casual approach to a critical process could have led to many faults in the building design and the organization will bear the cost later when customer complaints start pouring in. A simple lapse in the process can lead to bad product quality and can fetch you a bad reputation.

Establishing an audit program

ISO 9001 requires that an organization establishes an audit program with some key elements included. These are:

Methods: Methods include the techniques that you will use to gather objective audit evidence. These will form the basis of determining non-conformities in the system. Examples of audit methods may include an interview with auditees, review of documents, and observation of activities. Some organizations also develop checklists against their Quality Management Systems and tools to plan and conduct audits.

Frequency: ISO 9001 does not prescribe any frequency for the internal audit. But since this is a mandatory requirement, many companies opt for keeping the frequency just once a year. While this is acceptable from an ISO 9001 compliance point of view, this should not be the criteria for determining the frequency. A more logical frequency that suits the needs of your organization and helps you identify issues at the right time should be criteria for determining the frequency of the audits. This decision should be based on factors such as:

• Importance of the processes;
• Managerial priorities;
• Performance of the processes;
• Changes affecting the organisation
• Results from previous audits
• Trends in customer complaints
• Statutory and regulatory issues.
• Health of the Quality Management system
• Complexity of the products and services delivered
• Organization Size

Responsibilities: An organization needs to define the responsibilities of auditors and auditees. Auditors will conduct audits and report audit findings and auditees will take the corrective action in a timely manner.

Planning requirements: You need to establish how audits will be planned, this may include an annual audit calendar, audit plan or schedule.

Reporting: You need to define the level of reporting of audit findings to the management.

Conducting Audits

Once the audit program is established, the next step is to conduct audits. You need to take the below steps to conduct effective audits in your organization:

Establish audit criteria:

Audit criteria is the criteria against which the audit will be conducted. The auditor may evaluate the current implementation of processes against Quality Management System policy and procedures, ISO 9001 requirements, regulatory or customer requirements, etc. This needs to be established for each audit or whole audit program.

Select Auditor:

While selecting auditors for conducting audits, you should establish the minimum qualification required for internal auditors. Internal auditors need to be trained in the ISO 9001 standard as they also audit for conformity to ISO 9001 requirements. They should also have a good understanding of your quality management system processes and their interaction, customer or regulatory requirements, audit process and techniques established in your audit program.

Another important requirement of the standard is to conduct impartial and objective audits. To ensure this is done, the independence of the auditor is important. The auditor should not be from the same work area or department being audited.

Conduct audits and report findings:

During the audit, auditors should look at objective evidence, interview auditees and review the evidence obtained against the audit criteria established for the audit. In case the auditor finds that the actual process is not implemented appropriately, the auditor should raise a non-conformity in that area. All audit findings should be reported to the auditees/process owners in the formats provided by the organization.

Take correction and corrective actions:

On all the non-conformities raised by the auditor, auditees must take immediate corrections and plan corrective actions. A correction is taken to correct the problem immediately while corrective action is taken on the root cause identified for the non-conformity. Appropriate action taken against these root causes should be tracked to closure and follow-up needs to be done to ensure that the root cause has been eliminated.

Audit Reporting to Management:

Audit results should be reported to appropriate levels of management. The results of each audit and overall annual audit program may be analyzed to determine opportunities of improvement in Quality Management System processes, their interactions, products, Services etc.

Retain evidence of audit:

ISO 9001 requires you to retain records of Audit, these include annual audit calendar, records of audit planning containing audit criteria, Audit scope, methods used, auditor assigned, etc. Other records may include auditor training records, audit checklists, audit notes, nonconformity details, corrective actions, analysis of non-conformities and overall audit program.

Data forms a crucial part of any business today. In our article on Clause 9.1.1 - ISO 9001, we discussed how an organization need to establish monitoring and measurement methods which will lead to a lot of data and information gathered and collected within the organization. Clause 9.1.3 - Analysis and Evaluation requires that the organization should analyse and evaluate appropriate data and information arising from monitoring and measurement. These results of the analysis should be used to evaluate:

Methods to analyse data can include statistical techniques.

Why is this important?

Monitoring and measurements established within the organization will generate a lot of data and information. To fully utilize this information, analysis and evaluation of data is required to help the management in decision making. Just gathering and looking at numbers without any analysis and evaluation will just be a futile exercise that will take a lot of effort without any real value derived out of it.

Let’s take an example to understand this better. If you are just tracking the number of returned pieces of your product and not analysing the trends over a period of time, you cannot improve your products or services to your customers. Benchmarking or setting up goals on the achievement of your objectives is a useful method that can be used to identify any red flags beforehand. If your goal (looking at your previous performance) indicates that you do not have more than 2 returns in a month, but suddenly in a month you get 4 return requests, it is an alarm for you to look into the issue and find out the root causes behind it. This will help you in taking timely action before the issue goes out of control and fetch you some bad reputation.

It is, therefore, important that data is analysed, a conclusion drawn out of it, and plans and actions made whenever an unfavourable trend or condition is observed. That is why analysis and evaluation of data is important for any organization. This will help you seize all opportunities of improvement that exist.

Analysis and Evaluation

ISO 9001 requires that an organization collects, analyses and evaluates Quality Management System data. Both analysis, as well as evaluation of data, is important; that means data analysis through statistical techniques, trend analysis, etc. and interpretation of the analysed data so that it can be used in an appropriate manner, for example- for decision making and action planning.

The data may be analysed and evaluated for the below areas:

• Conformity of products and services

Data collected may include defect rates, on-time delivery, number of returns, product or service related complaints, etc. This will help you identify issues in the processes involving the delivery of products /services through the analysis of such data.

• Degree of customer satisfaction

Customer satisfaction data analysis will help you determine key areas where improvement is required. With improvement in processes and addressing all customer concerns, you will be able to enhance customer satisfaction further.

• Performance and effectiveness of the quality management system.

Performance and effectiveness of quality management system may be derived through analysis of data like Cost reduction improvement (including the cost of poor quality), number of internal audit issues, etc. This will give a good indication of the health and effectiveness of the Quality Management System.

• Effective implementation of planning elements

Typically schedule, effort, cost and risks are the elements that may be measured to evaluate the effective implementation of planning. The metrics where you track on-time deliveries, your cost on service against the parameters planned can provide you with a good indication of how planning was effective.

• Effectiveness of actions taken to address risks and opportunities

You can derive how effective was the implementation of mitigation actions planned against the risks by evaluating the reduction in the probability or impact of risks.

• Performance of external providers

ISO 9001 doesn’t just focus on your internal processes but also requires that you evaluate the performance of external providers based on the targets given to them. For example, if you have a vendor who supplies a critical material used in your product, you can set a target for them to provide you with the right and good quality material within a specified time period and then evaluate their performance on basis of targets met or not. This could also be done based on the number of issues found at your end during the inspection when the material is delivered to you.

• Improvements within the quality management system

You can measure these by the number of process improvements suggestions given on the quality management system or on the basis of non-conformities found during internal/ external audits, etc.

Data Analysis and Evaluation Process

Statistical techniques are referenced in the ISO 9001 requirements for data analysis, but these are not mandatory and may not apply in every company’s scenario. Simple trends may be used to monitor progress and identify opportunities for improvement.

Such trends and data should be presented in management review meetings where they should be evaluated further and used for decision making. The exercise becomes meaningful when analysis of data is used as an input to identify opportunities for continual process improvements and corrective actions are taken to address all negative trends.

When developing a process for measurement and metrics collection, analysis and evaluation, it should address the following:

To conclude, ISO 9001 defines a detailed process for monitoring, measurement, data collection, analysis and evaluation. This clause provides you with all the guidance to establish an effective management system whose performance is monitored and measured, analysed and evaluated over a period of time. The objective is to help the organization identify continual improvement opportunities which will further lead to higher customer satisfaction and business growth for your organization.