Consultants’ Corner A Bi-Monthly e-Journal from
Issue 89 | Pages 1– 15 August-September 2014
Quality Management System—An Overview
- Praveena K R
Key QMS Processes at MaGC
- Gopal Agarwal
Challenges in Implementing QMS
- U S Mohanty
ISO/IEC 27001— An Overview
- Ela Vijay
3 Quality Management Systems—A Bird's Eye View
An introduction to the Quality Management Systems approach.
6 Key changes in MaGC processes after introducing QMS
A snapshot of processes that will undergo a change at MaGC after the introduction of ISO 9001:2008.
8 Challenges in implementing QMS
Some of the key challenges that an organisation could face during the implementation of a QMS.
11 ISO/IEC 27001—Information Security
ISO 27001 is a specification for an information security management system (ISMS).
13 An Exclusive talk with Ela Vijay
14 Quiz Corner
14 What's up at MaGC?
All events during June & July at MaGC and up-coming birthdays of MaGCites
In this Issue
Readers’ Corner
If you have any comment/suggestion for the editors, please write to us at [email protected]. Your views and comments on articles featured here are also welcome!
From the Editors

Anyone spending some time at MaGC in the last two months could not have missed the buzz around ISO implementation. The last few months have been a methodical preparation for implementing ISO 9001:2008. As has been the MaGC tradition, we get the best out when we do it in-house. Training sessions have been happening in the Bangalore and Chennai offices. The team which worked on the QMS manual is confident that at the end of the training we will have a good quality, implementable manual. For the few of us who were fortunate to be part of the manual development process, it has been a great learning experience.

Given the buzz around ISO, the topic for this issue of CC was an easy choice for the editors. In fact, CC had already jumped into the ISO action from the last issue itself (we had a small update on ISO @MaGC). In this issue, Praveena writes about what a QMS is all about and gives an overview of ISO 9001:2008. She gives an auditor's perspective of the QMS. Make sure you read it thoroughly; it will help you breeze through the audit process! Gopal, who has been leading the ISO effort, writes about what is going to change for us post-ISO. He has already started piloting the implementation and gives us all the confidence that it is a change for the better. Mohanty writes about the typical challenges that an ISO implementation poses in any organization. We at MaGC are bound to come across some of these challenges, and this article provides some useful tips on how to handle them.

While the initial implementation in MaGC is all about ISO 9001:2008, that is not all that there is to a QMS. Vijay introduces us to ISO 27001 on Information Security. His article gives us a sneak peek into the standard, and is probably an indicator of what MaGC should be doing next.

Consultants' Corner thanks all the authors for their contribution. We hope we get more such theme-based, thought-provoking articles for upcoming issues as well. Let's wish ourselves success in the ISO implementation. After all, our profession is all about making life better for our clients, and what better place to start than at home!
1. Increased Efficiency - The QMS certification process helps organisations rethink their processes and how to maximize quality and efficiency. Once certified for QMS, the processes are established and guidelines are in place for anyone to follow easily, making training, transitions and trouble-shooting easier.
2. Increased Revenue - Studies have shown that ISO QMS certified companies experience increased productivity and improved financial performance compared to uncertified companies.
3. Employee Morale - The following aspects help improve employee motivation and satisfaction: roles and responsibilities get clearly defined, there is accountability of management, training systems get established and employees get a clear picture of how their roles affect quality.
4. International Recognition - The International Organization for Standardization (ISO) is recognized worldwide as the authority on quality management. Getting ISO certified will improve our image, make us more competitive to participate in international bids and attract clients.
5. Factual Approach to Decision Making - The standard sets out clear instructions for audits and process reviews that facilitate information gathering and decision making based on the data. Decision making becomes more objective/process-oriented, rather than employee-oriented.
6. Improves Documentation - The standard requires documentation of all processes and any changes, errors and discrepancies.
Word has been around that MaGC is going to implement a Quality Management System (QMS) and have it ISO certified. Let us try to understand what a QMS is, how it will improve MaGC and our role in this whole exercise.

What is QMS?
A Quality Management System may be defined as a collection of business processes focused on achieving an organisation's quality policy and quality objectives. It comprises the organizational structure, policies, procedures, processes and resources needed to implement quality management. A properly functioning QMS ensures that:
- procedures are carried out consistently,
- problems are identified and resolved in a timely manner, and
- the organization is continuously reviewing and improving its procedures, products and services.
It is a mechanism for maintaining and improving the quality of products or services so that they consistently meet or exceed the customer's implied or stated needs and fulfil their quality objectives.

What is ISO 9001:2008?
This is the standard that sets out the criteria for a QMS and is the only standard in the family that can be certified to (the others are primarily guidelines). It can be used by any organization, large or small, regardless of its field of activity. This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement.

Certification under this ISO standard is not mandatory. However, it has been implemented by over one million companies and organizations in over 170 countries. This is because using ISO 9001:2008 helps ensure that customers get consistent, good quality products and services. This in turn brings many business benefits.

Why QMS certification?
There are umpteen advantages of having our core business processes certified for quality by ISO. Some of the key benefits have been listed below:
Things work out best for those who make the
best of how things work out.
- John Wooden
Quality Management Systems—A Bird's Eye View
Management Review - QMS is a strategic, management-driven system. It is the responsibility of the Management to periodically review the QMS for the following:
- Adequacy – The QMS should be capable of satisfying the organisation's quality objectives and requirements. This includes those specified by the organization, its clients, and any applicable standards and/or regulations.
- Suitability – The QMS should be able to sustain the current performance levels of the organization utilizing an acceptable amount of organizational resources. Each QMS aspect should be right for the specific purpose.
- Effectiveness – The QMS should enable the organization to meet its own needs, those of its clients and other interested parties. It has to produce the expected results.
Management will use the inputs from employees, clients, the Internal Auditor and their own experience to evaluate the above. Based on this review they formulate Corrective and Preventive action plans to improve the QMS.

The role of the various components in the QMS cycle has been diagrammatically represented below:
Figure: QMS - PDCA Approach

Terminology
1. PDCA approach/model - This approach is named after the individual phases - "Plan", "Do", "Check", "Act" - and is thus also referred to as the PDCA model. Most ISO standards recommend the PDCA approach to designing management systems. Accepting that change is inevitable in business, and incorporating review cycles to embrace such changes, is recommended as a healthy management approach.

This ensures consistency across the organisation and accountability of all staff. This also guarantees that traceable records are available in case of project delays, lapses, etc.
7. Customer Satisfaction - Client confidence is gained because of the universal acceptance of the ISO standards. Also, implementing QMS improves efficiency, consistency and dedication to providing quality service.
8. Continual Improvement of Processes - Improvements are carefully planned and implemented based on facts, using a system of documentation and analysis, to ensure the best decisions are made for the organisation. Management takes the responsibility of ensuring continual improvement of the QMS.
Key QMS components
The key components of a QMS are the following:

Quality Policy and Objectives - The QMS has to define its purpose and objectives clearly. Each organisation has to construct its quality policy depending on its scope of QMS, business priorities, values, focus, etc. Also, measurable objectives consistent with the policy have to be formulated. This will form the framework of the organisation's QMS.

Quality Processes - These are the processes to be followed, pertaining to the core business, for managing quality. These processes, related procedures, documents and reports have to be documented and standardised across the organisation. Also, all employees have to be sensitised and trained to follow them.

Quality Manual - The Quality Manual is a compendium of the organisation's Quality policy, processes, procedures, document and report formats (components 1 & 2 discussed above). This document lays out the framework of the QMS operating in the said organisation. ISO requires that a Quality Manual should form part of the QMS documentation.

Internal Audit - Every certified organization must perform internal audits to check how its QMS is working. An organization may decide to invite an independent certification body to verify that it is in conformity with the standard, but there is no mandate for this. At MaGC, we have decided to have the internal audit done by one of our consultants. The Internal Auditor will be appointed in rotation.
Figure: QMS - PDCA Approach (diagram labels)
PLAN: Define Quality Policy and Objectives; Quality Manual put in place
DO: Follow Policies and Processes and support with documentation as per the Quality Manual
CHECK: Inherent internal controls in processes; Internal Audit of the QMS
ACT: Periodic Management review to take corrective/preventive action
3. QMS kills flexibility and innovation - A QMS is designed with the primary objective of improving quality. So, a system that properly balances good discipline and structure with certain flexibilities will definitely facilitate creativity rather than curb it. Also, this ISO standard provides for continual improvement. Hence, any aspects posing a barrier to innovation can be altered appropriately during management review.
4. QMS distracts an organization from its core activities - This myth will almost certainly come true for organizations that use a plug-and-play approach to implementing QMS, instead of making sure documents and practices fit their businesses. Adopting and designing procedures that form part of routine core activities helps overcome this concern.
5. QMS does not guarantee service quality - This is true to some extent, as nothing can absolutely guarantee the quality of a service/deliverable. However, a QMS can go a long way in preventing problems from occurring in the first place, thus providing dramatic improvements in results while reducing costs.

We can clearly see a pattern here: most of the misconceptions are actually concerns that can be overcome by properly designing the QMS. Hence it is essential for all personnel to actively participate in the design of the QMS and provide regular feedback for its betterment.
Conclusion
MaGC™ operates in the highly competitive service sector of Management Consultancy. This requires us to be on our toes and continually improve our competitiveness. Of the several measures to do this, improving the quality of our deliverables and the efficiency of our processes is crucial for organisational success. Also, our core values are in line with the requirements of this standard. We are an organisation with a strong client focus and commitment to meeting deadlines. Implementing and using tools such as Documan (document management software) has enabled us to standardise many aspects of our processes.

So as an organisation we have the wherewithal to implement a QMS and get it ISO certified. This will definitely provide us the competitive edge and help us grow.
2. Continual improvement - This term is often misconstrued to be the same as 'continuous improvement'. Continual improvement is broader in scope than continuous improvement. The concept of 'continual improvement' is a strategy that typically consists of both 'continuous process improvements', like regular training programs, reporting, monitoring, etc., and discontinuous function or systemic improvements like organizational "reengineering", throwing out dysfunctional methods of management, etc. An organisation that is continually improving will be, by definition, a learning organization.
3. Corrective action - may be defined as action taken to eliminate the cause of a detected non-conformity or other undesirable situation. This is to prevent the repetition of the same non-conformity/incident. For example, process changes made to address the anomalies observed by an internal audit are a corrective action. Here a non-conformity has been observed and the issue is being addressed to prevent such incidents in future.
4. Preventive action - may be defined as action taken to avoid the occurrence of any non-conformity or other undesirable situation. This is to prevent a non-conformity from occurring at all. For example, introducing a new process to periodically monitor a business activity is a preventive action. Here there is no incident; this is a precautionary introduction of an internal control by the management.
Some misconceptions
QMS and ISO certifications are not well understood and hence there are a number of misconceptions about them. We have seen these arguments as resistance to change even while implementing process re-engineering projects for clients! Let's bust some of these myths!
1. QMS requires excessive documentation and paperwork - ISO recommends documented procedures to provide transparency, structure and confidence to the organization. This will vary based on entity size, complexity and competence of employees. Hence regularly maintaining 'essential' documents will be a change to be embraced. However, this does not qualify as 'excessive' paperwork.
2. QMS is just a cost and does not add value - A QMS helps organizations avoid mistakes and save resources, time and money. Many studies show that preventing a problem is less expensive than dealing with the consequences after a problem occurs. Hence a properly implemented QMS should result in cost savings and efficiencies.
Praveena K R
can be reached at [email protected]
MaGC has a systematic process approach to understanding clients' requirements which culminates in clients' satisfaction. The Mission Statement and Quality Policy of MaGC too revolve around clients' happiness. The Quality Policy and the Quality Objectives of MaGC are given below.
1. Quality Policy: A quality policy has been defined. The policy ensures that the quality to be maintained in performing work will help MaGC to meet client expectations by providing high quality and value added consulting solutions.
2. Quality Objectives: The quality objectives such as client satisfaction, on-time delivery, and meeting ISO requirements are defined and will be practiced during project execution. This will help the employees/consultants to meet these objectives to maintain the quality of the project.
The Quality Management System (QMS) at MaGC seeks to smoothen and streamline its business processes. The QMS serves as a user guideline for all its employees and also helps in outlining the employees' responsibilities.

A Quality Manual has been prepared by MaGC which outlines the processes and procedures to be followed during the execution of all the consulting projects. This manual gives guidelines to the consultants at the time of executing their work, and this results in better delivery of projects and ensures higher client satisfaction.

After introducing QMS in MaGC there have been some noticeable changes in the execution of projects, i.e. from the proposal stage to the finalisation of the reports. The main changes in MaGC processes due to QMS are listed below:
1. For every project, a Project Plan is to be prepared containing the deliverables, task breakdown, responsibility and timelines. This is very helpful for tracking completion of the project on time.
2. Prior to QMS the records of clients' communication were limited to the extent it affected the project. But now every communication with the client is properly documented and maintained. A Meeting Minute Sheet is prepared. Details such as meeting date, persons met, discussion points, etc. are recorded and updated as and when meetings are held with the client.
3. A document for recording the details of documents collected from the client is maintained. This helps in tracking the documentation received from the client.
4. A Project Status Tracker is prepared for monitoring the project work. It contains the detailed work breakdown with team allocation and timelines. It is updated periodically or on re-allocation of the tasks to reflect the current status, any change in tasks, dates, etc.
5. The periodicity of the project review meeting is decided at the beginning of the project. Any challenges faced, major issues, time/cost savings, change in approach, project billing, etc. are discussed during the project review meeting.
6. The changes made to any documents/submittals are clearly identified, as all the documents from the commencement and execution till the completion of the project are properly maintained version-wise and revision-wise.
7. A Quality Checklist covering aspects to be checked before sending any submittal to the client is prepared and followed. The checklist is organized along the lines of the MaGC Documentation Guidelines.
Key changes in MaGC processes after introducing QMS
No one can make you feel inferior without
your consent.
- Eleanor Roosevelt
A POUND OF BUTTER

There was a farmer who sold a pound of butter to the baker. One day the baker decided to weigh the butter to see if he was getting a pound and he found that he was not. This angered him and he took the farmer to court. The judge asked the farmer if he was using any measure. The farmer replied, "Your Honor, I am primitive. I don't have a proper measure, but I do have a scale." The judge asked, "Then how do you weigh the butter?" The farmer replied, "Your Honor, long before the baker started buying butter from me, I have been buying a pound loaf of bread from him. Every day when the baker brings the bread, I put it on the scale and give him the same weight in butter. If anyone is to be blamed, it is the baker."

What is the moral of the story? We get back in life what we give to others. Whenever you take an action, ask yourself this question: Am I giving fair value for the wages or money I hope to make? Honesty and dishonesty become a habit. Some people practice dishonesty and can lie with a straight face. Others lie so much that they don't even know what the truth is anymore. But who are they deceiving? Themselves.
8. A Project Closure checklist is maintained and filled in after completion of the project to ensure that all documentation and archival formalities are completed.
9. Informal discussions have been made part of the MaGC QMS. These discussions ensure that all the team members are in the know of the projects handled by MaGC at any given point in time.
10. Periodically the QMS is reviewed to maintain the quality standard of the company, and if any changes are needed in the quality policy or objectives, they are identified and taken up for change.
11. The end-to-end processes followed in the execution of the project are verified and validated through the QMS.
12. The documents maintained are properly stored in DocuMan and are clearly identifiable. The security of documents and the rights to access them are ensured by access controls that are set in place in the software.
Don't be afraid to give up the good to go for the great.
- John D. Rockefeller
Gopal Agarwal
can be reached at [email protected]
Quality Improvement
Such attitude sayings stem from the popular notion that management is always right and therefore employees are only supposed to implement management decisions without questioning. Lethargy is further propagated through management's failure to train employees on QMS fundamentals that build better attitudes by involving them in teams that identify and solve problems. Such training can transform employees from being part of the problem to part of the solution. This will foster motivation and creativity and build productive and healthy attitudes that focus employees on basic fundamentals, such as: keep Client Happiness needs in mind, constantly look for improvements, and accept personal responsibility.

3. Lack of leadership for quality
Excess layers of management quite often lead to duplication of duty and responsibility. This has led the lower-level employees of an organization to leave quality implementation as management's job. In addition, quality has not been taken as a joint responsibility by the management and the employees. Coupled with the notion that management is infallible and therefore always right in its decisions, employees have been forced to take up a peripheral role in quality improvement. As a result, employees who are directly involved in the delivery of services are not motivated enough to incorporate quality issues that have been raised by the Clients they serve, since they do not feel part of the continuous process of quality improvement. Moreover, top management is not visibly and explicitly committed to quality in many organizations.
QMS views an organization's functions as a collection of processes. QMS is a philosophy that seeks to integrate all processes of the various functions of an organization to focus on meeting client needs and organizational objectives. QMS maintains that an organization must always strive to continuously improve these processes by incorporating the knowledge and experiences of experts within and outside.

The organization's Quality Policy translates into specific quality objectives for its various functions. As in the implementation of any system, there will be challenges in the implementation of the QMS also.

A challenge in QMS implementation may be an action or a situation that causes an obstruction. Challenges can be attitude, economic, technology or resource based.

The challenges in implementation of QMS are:

1. Lack of Management Commitment
A QMS implementation program will succeed only if top management is fully committed. Success requires devotion and highly visible and articulate champions. Lack of commitment in QMS implementation may stem from various reasons. Major obstacles include the preoccupation with short-term profits, time constraints in Project Submittals and the limited experience and training of many consultants in Quality Objectives. For example, it is observed that many Consultants have extensive experience in consultancy but not in quality improvement. Similarly, the MD does not have to be a quality expert, but the QMS implementation program may fail when the MD does not recognize the contribution that the Quality Objectives make toward profitability and customer satisfaction.

Top management should, therefore, embrace quality improvement programs no matter how far-reaching the programs may appear or what the monetary implications therein may be.

2. Lack of Employee Participation in QMS
In the competitive environment, poor management practice and a lack of higher expectations have contributed to unproductive and unhealthy attitudes. These attitudes often are expressed in popular sayings, such as "It's not my job" and "If it's not broke, don't fix it."
Challenges in Implementing QMS
If you can't explain it simply, you don't understand it well enough.
- Albert Einstein
8. Poor Planning
The absence of a sound strategy has often contributed to ineffective quality improvement. The deficiencies in the original planning cause a process to run at a high level of chronic waste. The pre-planning stage of developing the right attitude and level of awareness is crucial to achieving success in a quality improvement program.

Newell and Dale (1990) in their study observed that a large number of companies are either unable or unwilling to plan effectively for quality improvement. Although many performed careful and detailed planning prior to implementation, not one of the firms studied had identified beforehand the stages that their process must endure. Perhaps the root cause of poor plans and specifications is that many owners do not understand the impact that poor drawings have on a project's quality, cost and time. Regardless of the cause, poor plans and specifications lead to a project that costs more, takes longer to complete, and causes more frustration than it should. Companies using QMS should always strive towards impressing upon owners the need to spend money and time on planning. If management took reasonable time to plan projects thoroughly and invested in partnering to develop an effective project team, a lot could be achieved in terms of product performance, as these investments in prevention-oriented management can significantly improve the quality of the services offered by an organization.

9. Resistance of the workforce
A workforce is often unwilling to embrace QMS for a variety of reasons. Oakland (1989) explained that a lack of long-term objectives and targets will cause a quality implementation program to lose credibility. Keys (1991) warned that an adversarial relationship between management and non-management should not exist, and he emphasized that a cooperative relationship is necessary for success. A QMS project must be supported by employee trust, acceptance and understanding of management's objectives. Employees, therefore, should be recognized by the management as vital players in the decision-making processes regarding quality improvement, as involving them would have a motivating effect on the implementation of quality programs.
4. Deficiency of Cultural Dynamism
Every organization has its own unique way of doing things. This is defined in terms of the culture of the organization. The processes, the philosophy, the procedures and the traditions define how the employees and management contribute to the achievement of goals and meeting of organizational objectives. Indeed, sticking to organizational culture is integral to delivery of the mission of the organization. Inadequate cultural dynamism has made QMS implementation difficult because the top-level management of many organizations is rigid in its ways of doing things.

5. Inadequate resources for QMS
Since most companies do not involve quality in their strategic plan, little attention is paid to QMS in terms of human resources, infrastructure, technology and financial resources. Much of the attention is drawn to increasing the profit margins of the organization, with little regard as to whether their offers/supply to the client are of the expected quality. There is a paltry budgetary allocation made towards employee training and development, updating of technology and sufficient infrastructure, which are critical for QMS implementation. Employee training is often viewed as an unnecessary cost which belittles the profit margins, which are the primary objective for the existence of businesses, and as a result QMS has been neglected as its implementation "may not necessarily bring gains to the organization in the short term".

6. Lack of focus on Client Happiness
Most strategic plans of organizations are not Client Happiness driven. They tend to concentrate much on profit-oriented objectives within a given time frame. Little (if any) market research is done to ascertain the service's performance in the market relative to its quality. Such surveys are regarded by most organizations as costly, and thus little concern is shown for quality improvement for Client Happiness.

7. Lack of Effective Measurement of Quality Improvement
QMS is centered on monitoring employees and processes, and establishing objectives that anticipate the client's needs so that the client is surprised and delighted. This has posed a considerable challenge to many companies. Measurement problems are caused by goals based on past substandard performance, poor planning, lack of resources and competitor-based standards.
Life is not about finding yourself. Life is about
creating yourself.
- Lolly Daskal
Conclusion and recommendation
The advantages of QMS have been widely discussed, but the challenges of implementation have received little attention. A quality philosophy is required for the successful implementation of a quality project. This philosophy must facilitate a long-term lifestyle change for a company. Commitment of top management is essential. Substantial inflow of resources, adequate training, workforce participation and effective measurement techniques are some of the key success factors. A successful QMS program is unique, and it should motivate middle management to focus on long-term strategies rather than short-term goals. Teamwork is the key to involvement and participation. Groups should be encouraged to work closely and effectively, and should focus on quality improvement and client happiness.

All organizations should focus on the following for successful QMS implementation:
- Create consistency of purpose toward improvement of the service so as to become competitive, stay in business and provide jobs.
- Cease dependency on top management for mass revision of project submittals.
- Adopt the new philosophy. We are in a new economic age. We no longer need to live with commonly accepted levels of delay, mistakes, defective material and defective workmanship.
- Improve the quality of submittals, internal documents, articles, and notes to clients as well as internal ones.
- Rather than awarding services on the basis of price alone, adopt the practice of awarding them on price and value addition, depending on corrective measures of quality along with time and price.
- Find the problems; constantly improve the system of service. There should be a continual rise in productivity and a decrease in costs.
Source: http://ir-library.ku.ac.ke/bitstream/handle/123456789/7167/Jackline%20Atieno%20Ater.pdf?sequence=1
10. Lack of proper training/Inadequate Human Resource Development
There is evidence that lack of understanding and proper training exists at all levels of any organization, and that it is a large contributor to worker resistance. Schein (1990), for example, mentioned that business schools' failure to teach relevant process skills contributed to manager ineffectiveness. QMS requires a well-educated workforce with a solid understanding of basic math, reading, writing and communication. Although companies invest heavily in quality awareness, statistical process control, and quality circles, often the training is too narrowly focused. For a company to produce a quality service, employees need to know how to do their jobs. For QMS to be successful, organizations must commit to training employees at all levels. QMS should provide comprehensive training, including technical expertise, communication skills, small-team management, problem-solving tools, and client relations.
11. Competitive markets
A competitive market is a driving force behind many of the other obstacles to quality. One of the effects of a competitive market is to lower quality standards to a minimally acceptable level. This barrier to quality is mainly a mental barrier caused by a misunderstanding of the definition of quality. Unfortunately, too many companies equate quality with high cost. Their definition leads to the assumption that a company can't afford quality. A broader definition needs to be used, looking at quality not only in the company's service but in every function of the company. All company functions have an element of quality. If the quality of tasks performed is poor, unnecessary cost is incurred by the company and, ultimately, passed to the client or suffered by the company itself. QMS should work by inspiring employees at every level to continuously improve what they do, thus rooting out unnecessary costs. Done correctly, a company involved with QMS can dramatically reduce operating costs. The competitive advantage results from concentrating resources (the employees' brainpower) on controlling costs and improving client service.
Motivation is what gets you started. Habit is
what keeps you going.
- Jim Ryun
Consultants’ Corner 10
Uma Shankar Mohanty
can be reached at [email protected]
ISO/IEC 27001 - Information Security
What is ISO/IEC 27001?
Formally known as ISO/IEC 27001:2005 (revised in 2013 as ISO/IEC 27001:2013), ISO 27001 is a specification for an information security management system (ISMS). ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. ISO 27001 defines how to organize information security in any kind of organization, profit or non-profit, private or state-owned, small or large.
Being a formal specification, it mandates specific requirements. ISO 27001 is for information security what ISO 9001 is for quality: a standard written by international experts in the field of information security that provides a methodology for implementing information security in an organization.
It also enables an organization to get certified, which means that an independent certification body has audited the ISMS and confirmed that it conforms to the requirements of the standard. Certification attests conformance to the standard, not that every conceivable control is in place; the controls an organization must implement are the ones its own risk assessment selects. Given the importance of ISO 27001, many legislatures have taken this standard as a basis for drawing up regulations in the fields of personal data protection, protection of confidential information, protection of information systems, management of operational risks in financial institutions, and so on. Hence we could even say that this standard is the foundation of information security management.
Implementing ISO/IEC 27001:
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
Step 1: Define a security policy.
Step 2: Define the scope of the ISMS.
Step 3: Conduct a risk assessment.
Step 4: Manage identified risks.
Step 5: Select control objectives and controls to be implemented.
Step 6: Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.
The four-phase approach, the P-D-C-A cycle, is considered to be the most successful implementation methodology; its four phases make up the life of the ISMS and are described next.
Four phases of an information security management system:
ISO 27001 prescribes how to manage information security through a system of information security management. Such a management system, just like ISO 9001 or ISO 14001, consists of four phases that should be continuously implemented in order to minimize risks to the confidentiality, integrity and availability of information. (The 2005 edition of ISO 27001 named the PDCA model explicitly; the 2013 edition no longer mandates it, but the cycle remains the usual way of running an ISMS.)
The phases are:
The Plan Phase - This phase serves to plan the basic organization of information security, set objectives for information security and choose the appropriate security controls; the standard contains a catalogue of 114 possible controls (Annex A of ISO 27001:2013).
The Do Phase - This phase includes carrying out everything that was planned during the previous phase.
The Check Phase - The purpose of this phase is to monitor the functioning of the ISMS through various "channels" (for example internal audits and management review), and check whether the results meet the set objectives.
The Act Phase - The purpose of this phase is to improve everything that was identified as non-compliant in the previous phase.
The cycle of these four phases never ends, and all the activities must be implemented cyclically in order to keep the ISMS effective.
Organizations are required to apply these controls appropriately, in line with their specific risks; the statement of applicability records which controls were selected, which were excluded, and why. Third-party accredited certification is recommended for ISO 27001 conformance.
The ISO/IEC Standards Family: ISO 27002 and 27003
The ISO 27002 standard was originally published as a renumbering of the existing ISO/IEC 17799 standard, a code of practice for information security. It outlines over a hundred potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001. The standard "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
In 2013 the current version was published. ISO 27002:2013 contains 114 controls, as opposed to the 133 documented within the 2005 version. For additional granularity, these are presented in fourteen sections, rather than the original eleven. It should also be noted that over the years a number of industry-specific versions of ISO 27002 have been developed, or are under development (for example for the health sector, manufacturing, and so on). The standard itself is revised periodically, since the technology it addresses keeps changing.
ISO 27002:2013 contains the following major sections (the introductory clauses 0 to 4 cover the introduction, scope, normative references, terms and definitions, and the structure of the standard; the fourteen control clauses follow):
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance
ISO/IEC 27003
Published in 2010 under the title "Information technology - Security techniques - Information security management system implementation guidance", ISO 27003 provides help and guidance in implementing an ISMS. It focuses on the PDCA method, with respect to establishing, implementing, reviewing and improving the ISMS itself. Its structure is:
1. Scope
2. Normative references
3. Terms and definitions
4. Structure of this International Standard
5. Obtaining management approval for initiating an ISMS project
6. Defining ISMS scope, boundaries and ISMS policy
7. Conducting information security requirements analysis
8. Conducting risk assessment and planning risk treatment
9. Designing the ISMS
Advantages or benefits of implementing ISO:
Prime Benefits:
1. Best framework for complying with information security legislation.
2. Better organizational image because of the certificate issued by the certification body.
3. Lower costs because of prevented incidents. The operations in the organization are optimized because the responsibilities and business processes are clearly defined.
Extended Benefits:
Aligning Business and Technology Objectives: As the standard forces business management and technical staff to cooperate to meet certain management and information control objectives, it can dramatically improve alignment between these sometimes disjointed groups. ISO recommends this to foster continuous and sustainable improvement.
Data Protection: Applying a standard process to the selection and maintenance of existing and new security procedures that involves both management and information technology (IT) personnel helps prevent problems before they occur. It also addresses legal compliance through standardized internal and external audits.
Benchmarking: ISO 27001 provides additional opportunities for benchmarking, helping companies more readily implement best practices and reach stretch goals. Detailed, expanded comparisons with others in the same industry lead to breakthrough improvements. This standard also encourages everyone in the organization, from management to technical staff, to get on the same page regarding goals and objectives, improving communication and ultimately results.
Conclusion:
The ISO/IEC 27001 standard can be implemented successfully if the organization realizes the value of being certified; an ISO 27001 certified organization can enhance its brand image in a competitive market. Successful implementation depends on support from management, the effectiveness of the project team, and employees' awareness of the collective goal of ISMS implementation. The duration and cost of implementation are further concerns: the duration depends on planning, and the cost cannot be estimated reliably until the risk assessment has been completed and the applicable controls identified, since the selected controls drive most of the spend. On the whole, an ISO/IEC 27001 implementation that is planned and executed in a phased (P-D-C-A) approach will help the organization standardize itself against globally recognized measures.
Visit to know more: http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001&countrycode=AF#standardpick
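The six-step planning process described above ends in three artifacts that an auditor will ask for: a risk register, the treatment decision for each risk, and the statement of applicability (SoA). The following is an added example, not code from the article or from MaGC, showing how those three fit together for a small scope. It assumes a 5x5 likelihood/impact scale, a risk-acceptance criterion of "score below 8 may be accepted", a constructed risk register for a consulting firm, and an illustrative mapping from each risk to a few ISO/IEC 27001:2013 Annex A control identifiers; any real ISMS would use its own scale, criteria and mapping.

```python
"""Risk assessment -> risk treatment -> Statement of Applicability.
Added example; the scale, acceptance threshold, register and control
mapping below are all constructed for illustration."""
from dataclasses import dataclass

# Assumed 5x5 scale: risk score = likelihood * impact, range 1..25.
ACCEPT_BELOW = 8   # assumed acceptance criterion: score < 8 may be accepted

# Illustrative subset of ISO/IEC 27001:2013 Annex A control ids and titles.
ANNEX_A = {
    "A.8.1.1":  "Inventory of assets",
    "A.9.2.3":  "Management of privileged access rights",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.7": "Secure disposal or re-use of equipment",
    "A.12.3.1": "Information backup",
    "A.12.4.1": "Event logging",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.13.1.1": "Network controls",
}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    controls: tuple = ()   # Annex A ids that would treat this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    """Reject register rows outside the scale or naming unknown controls."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset}/{risk.threat}: scale is 1..5")
    for cid in risk.controls:
        if cid not in ANNEX_A:
            raise ValueError(f"unknown control id {cid}")


def treat(risks, accept_below=ACCEPT_BELOW):
    """Step 4: decide a treatment per risk. Returns [(risk, decision)].
    'accept' keeps the risk with no controls (needs management sign-off),
    'mitigate' selects the mapped controls, and 'unresolved' flags a risk
    above the threshold with nothing mapped, so it is never silently accepted."""
    decisions = []
    for r in risks:
        validate(r)
        if r.score < accept_below:
            decisions.append((r, "accept"))
        elif r.controls:
            decisions.append((r, "mitigate"))
        else:
            decisions.append((r, "unresolved"))
    return decisions


def statement_of_applicability(decisions):
    """Step 6: for every Annex A control, record whether it is applicable
    and the justification (which risks drove its selection, or why not)."""
    selected = {}
    for r, d in decisions:
        if d == "mitigate":
            for cid in r.controls:
                selected.setdefault(cid, []).append(f"{r.asset}: {r.threat}")
    soa = {}
    for cid, title in ANNEX_A.items():
        if cid in selected:
            soa[cid] = {"title": title, "applicable": True,
                        "justification": "; ".join(selected[cid])}
        else:
            soa[cid] = {"title": title, "applicable": False,
                        "justification": "no risk in scope requires this control"}
    return soa


# Constructed sample risk register (not real MaGC data).
REGISTER = [
    Risk("client file server", "ransomware via unpatched service", 4, 5,
         ("A.12.6.1", "A.12.3.1")),
    Risk("client file server", "admin account misuse", 3, 4,
         ("A.9.2.3", "A.12.4.1")),
    Risk("laptops", "loss of unencrypted laptop", 3, 4, ("A.10.1.1",)),
    Risk("office printer", "paper jam", 5, 1),                      # score 5: accepted
    Risk("archive disks", "data recovered from disposed disk", 2, 5),  # no control mapped
]


def main():
    decisions = treat(REGISTER)
    for r, d in decisions:
        print(f"{r.score:2d} {d:10s} {r.asset}: {r.threat}")
    for cid, row in statement_of_applicability(decisions).items():
        flag = "Yes" if row["applicable"] else "No "
        print(cid, flag, row["title"], "-", row["justification"])


if __name__ == "__main__":
    main()
```

The "unresolved" branch is the part worth copying: a register that quietly accepts every risk without a mapped control will pass a spreadsheet review and fail an audit, so the script refuses to classify such a row as accepted. The SoA also records a justification for excluded controls, which the standard expects alongside the justification for included ones.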
Ela Vijay
can be reached at [email protected]
An Exclusive talk with Ela Vijay
Ela Vijay
B.Sc., M.H.R.M., M.Phil., pursuing LL.B (2014-2017), MCSE – Security, MCSA – Messaging, MCTS – BDD, MCTS – Vista, MCTS – Win Server 2003
Consultant
Date of birth: 9th July 1984
Email: [email protected]; personal email: [email protected]
Phone: +91 90253 15682
CC. The meaning of your name
Vijay: Victory
CC. Nick name.
Vijay: VJ / Ela
CC. CEO, Corporate Legal Consulting Firm
Vijay: Team work made dreams work :)
CC. What personal/emotional characteristic of
yours do you want to change?
Vijay: Excessively caring for others, should
learn to ‘LET GO’
CC. Money or job satisfaction?
Vijay: Job satisfaction
CC. Your stress buster.
Vijay: Reading comics and playing with my
friend’s kids
CC. Do you have a small circle of close friends,
rather than a large number of friends?
Vijay: Small circle of trusted close friends, who
do everything before I ask for and large number
of friends to support with anything if I ask for.
CC. What do you most like about a person?
Vijay: Simple, down to earth and humble
CC. What do you most hate in a person?
Vijay: Lack of discipline, which could be observed by everyone, creating a negative impression about the person. However I believe in "Never Judge, just Accept how a person is".
CC. Team work Vs Individual work – your comments.
Vijay: Individual work = winning Wimbledon
However,
Team Work = ICC World Cup or FIFA World Cup
Thanks to Michael Jordan :) for his inspiring quote.
CC. Do you make efforts to get others to laugh
and smile?
Vijay: Certainly, sometimes my contribution happens even when I don't take any special or specific effort :)
CC. Your heart rules your head or your head
rules your heart?
Vijay: Heart rules head in personal matters, but
in profession head rules my heart
CC. Special talent.
Vijay: Tough question, is there an option to say
Pass or Phone a Friend or Audience Poll? :)
CC. Hobbies.
Vijay: Philately, reading comics, watching movies, travelling, cooking.
What's up at MaGC?
MaGC team headed by Dr. RSM attended the MacMillan Woods regional conference on 18th and 19th July 2014 at Bangalore.
Kishore enjoying an off day during his Financial Advisory project for IST Egypt in July 2014.
Ashok Rao with the Director General, Dept. of Public Accounts, Bhutan, as part of the "Peer Review of Financial Rules and Regulations" project in July 2014.
Karthik M V gave a guest lecture on 'Altman Z Score' at the Acharya Bangalore Business School, Bangalore on 17th June 2014.
Birthday wishes
Mamtha 5th Aug
Karthikeyan 1st Sept
US Mohanty 4th Sept
RS Murali 5th Sept
Bhavana 14th Sept
Roopa Kamath 22nd Sept
Quiz
1. Sydney has started installing 'reverse vending machines'. What are these?
2. Govt wants to promote the use of debit cards issued by National Payment Corp of India. What is the name of this network?
3. British Airways has introduced a 'Happiness blanket'. What does it do?
4. Modi has made yet another new coinage, B4B. What does it stand for?
5. In the Amazon logo, there are 2 subliminal messages being hinted at with the yellow arrow. What are they?
Send in your answers to the editor at [email protected]
Participants with the correct entry will be awarded a Recognition Certificate by MaGC.
Last Quiz Corner Answers: 1. Honda Activa; 2. Largest Hindi search portal; 3. IDFC and Bandhan Financial Services; 4. Google; 5. McKinsey Moms are former McKinsey employees who left McKinsey to raise a family.
Right answers for the previous issue's quiz were given by Bhavana. !!! Congratulations !!!
Editorial Board
C S Suresh, Executive Director
Ashok Rao, Executive Director
Editors
Vinod M, Consultant
Karthik M V, Consultant
Published by
MaGC Private Limited, Chennai & Bangalore
Management and Governance Consulting Pvt. Ltd.
Email to [email protected]
Our Mission is to apply our professional capabilities with a holistic approach for the happiness of clients, through values and social commitment.
Contact
Registered Office: 2nd Floor, New No. 4, Old No. 23, C P Ramasamy Road, Alwarpet, Chennai - 600 018, INDIA Ph: +91 44 2466 0955 / 2498 6850 Email: [email protected]
Branch Office: #107, 1st Floor, Railway Parallel Road, Kumarapark West, Bengaluru - 560 020, INDIA Phone/Fax: +91 80 23560265 Email: [email protected]
Website: www.magc.in
Our Business Associates
N.C.R & Co.