
ISO 9001:2015 How to apply Risk-based Thinking to Quality Processes [Part I]

Why taking a risk-based approach is a requirement of ISO 9001
Risk-based thinking is a sore point among many Quality professionals. Even so,
identifying risk, analyzing the consequences, probability and level of risk (i.e. risk
analysis) and risk evaluation using formal techniques are becoming increasingly
important tasks in the global business world.
ISO 9001:2015 incorporates what the draft version of the International Standard has
termed "Risk-based Thinking" in its requirements for the establishment,
implementation, maintenance and continual improvement of the quality management
system. If you are already familiar with the DIS or have read the many discussions on
the subject that have appeared on LinkedIn groups and elsewhere, you will already be
aware that formal risk management is not mandated. However, organizations can, in
the words of the TC 176 Committee's draft standard (May 2014), choose to "develop
a more extensive risk-based approach than is required by this International Standard,
and ISO 31000 provides guidelines on formal risk management which can be
appropriate in certain organizational contexts".
I am sceptical about the subject of demonstrating risk-based thinking to a certification
auditor when they assess your quality management system. Of course, it's possible that
you won't be subject to an intensive grilling if the Standard does not require you to
produce the outputs from your risk assessment processes or evidence of a formal risk
management system. However, if risk-based thinking is required by ISO 9001:2015 to
plan and control the quality management system (QMS) and its component processes and
activities, it is unlikely to be ignored in the certification audit process.
Which begs the question:

How do you show risk-based thinking during a certification audit?
Assessing risk-based thinking is likely to form a sizeable section of the ISO 9000
guidance documents that, along with the ISO 9001:2015 Standard, are yet to be
published. And since waiting until September may not be an option for those of you
looking to transition from the 2008 Standard as rapidly as possible in 2015-2016, I
thought that it would be a fun idea to look at how you might go about this interesting
thinking task so as to produce (a) evidence that you could show to an assessor [HEALTH
WARNING: nobody yet knows exactly what they will be asking for, and they don't know
themselves either, unless they are the ones writing the guidelines!], and (b) a useful way
of identifying, evaluating and treating the kind of risks that apply to the processes used
in Quality Management.

Starting point for a risk-based approach applied to quality processes

In my post "ISO 9001:2015 The likely impact (Part II)", February 4, 2015, I suggested the
following basic checklist of tasks.

Analyse and prioritize the risks and opportunities in your organisation:
- What is acceptable?
- What is unacceptable?

Then plan actions to address the risks. Ask yourself:
- How can I avoid or eliminate the risk?
- How can I mitigate the risk?

Then:
- Implement the plan: take action
- Check the effectiveness of the actions: does it work?
- Learn from experience: continual improvement

However, this list presupposes that you have identified risks and opportunities.
So if you haven't yet, how do you approach risk identification in your context?
Read on.

Will ISO 31000:2009 help in taking a risk-based approach to the quality management
system, component processes and activities?

Short answer: it can do, depending [entirely?] on your organization's context.

The ISO 9001 DIS says that "ISO 31000 provides guidelines on formal risk management
which can be appropriate in certain organizational contexts".
This fact will be well understood by those working for large, indeed global entities that
have long since adopted risk management methodologies and have risk managers on
their team who are familiar with ISO 31000.
But what is ISO 31000 attempting to achieve, and is it relevant to the majority of
organizations that are trying to gain or transition to ISO 9001?
ISO 31000 describes an overall approach to risk management, not just risk analysis or
risk assessment. It deals with the links between the risk management process and both
strategic direction and day to day actions and treatments [1]. On the face of it, this
sounds an ideal recipe for risk-based thinking. Pick up the Standard and read it, and this
thought is quickly dispelled, since ISO 31000 takes a generic approach that has to be
developed in considerable detail to be useful in a given context.
Great for the Strategic aims of the senior management, but not of any great value to the
poor bloody infantry of quality managers out there.
Perhaps the first (and most frustrating) conclusion that you will come to, having spent
£120 ($180 USD) on your personal copy, is that you next need to buy ISO/IEC 31010:2009
Risk management - Risk assessment techniques. A slightly steeper £226 from BSI, or
$337 USD, on 24/03/15.
So your boss says, "OK, buy the one that you actually need, but don't come back to me
asking for any more. We've got by without risk-based thinking in the past [insert
number of years or decades]; surely we will do so this time?" And you thank her or him
for authorizing the purchase.
The pdf arrives on your machine. You open it. There are 92 pages, 6 of which, in Annex A,
are a comparison of risk assessment techniques (some useful tables here) before you
arrive at Annex B, consisting of 61 pages describing the 31 risk assessment techniques;
all for the kind of people who enjoyed Mathematics (statistics especially) at school but
who may not be that interested in helping you to design effective quality processes.
Yes, there's a worthy (absorbing even?) preamble about risk assessment concepts and
processes. There is also a Clause describing how techniques for risk assessment may be
selected, which starts with the valid advice:
"Risk assessment may be undertaken in varying degrees of depth and detail and using
one or many methods ranging from simple to complex. The form of assessment and its
output should be consistent with the risk criteria developed as part of establishing the
context." [Clause 6.2]

There is no point in making life more complicated than it needs to be; thus:
"In general terms, suitable techniques should exhibit the following characteristics:
- it should be justifiable and appropriate to the situation or organization under consideration;
- it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated;
- it should be capable of use in a manner that is traceable, repeatable and verifiable." [Ibid]

Great!
By now, you're probably fired up with the possibility of finding a suitable risk
assessment technique that fits the context of your organization and its quality
management system. You can't wait to get started on the job.
(Come on, humour me!)
You turn to Annex A (informative), Comparison of risk assessment techniques,
and quickly realize that there are more risk assessment techniques than you thought
existed, and even a cursory reading suggests that some are complex. Notably those
that are strongly applicable to each step of the full risk assessment process; specifically:
- risk identification;
- risk analysis: consequence analysis;
- risk analysis: qualitative, semi-quantitative or quantitative probability estimation;
- risk analysis: assessing the effectiveness of any existing controls;
- risk analysis: estimating the level of risk;
- risk evaluation.

Below is the list of the 31 tools. Depending on the industry you are working in, you will
almost certainly recognise at least some of them, even if you haven't actually used any
of the techniques to assess risk.
Table A.1 Tools used for risk assessment

1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Primary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard Analysis and Critical Control Points (HACCP)
8. Environmental risk assessment
9. Structured What if? (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode effect analysis
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centred maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)


Not everybody, of course, will have the resources and capabilities within the organization
to attempt some of these, e.g. fault tree analysis, cause/consequence analysis,
Monte Carlo simulation, Bayesian analysis.
Quality managers working for smaller enterprises (SMEs) may only dream of conducting
analysis at the level required by some techniques in the list. The sheer complexity of
some types of risk assessment will render the tool useless in most organizations
employing between 1 and 250 people. However, that doesn't mean to say that ISO
31010 isn't a valuable reference should you ever be required to think about risk in these
terms.
Bear with me, though, because in the next few posts, I am going to show you a method
to assess risk by turning Complexity into Simplicity!
[1] Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale F Cooper
et al, Wiley, 2014.

ISO 9001:2015 How to apply Risk-based Thinking to Quality Processes [Part II]

ISO 31000 Risk management techniques: A selection of risk assessment tools you
might like to consider
Although risks and opportunities have to be determined and addressed, there is no
requirement in ISO 9001:2015 for formal risk management or a documented risk
management process. Even so, the concept of preventive action is expressed in the
2015 wording through the risk-based approach to formulating quality management
system requirements. It follows that we will most probably want to show our reasoning
in this respect. In other words, how did our thinking about risk lead to these actions?

In my view, this doesn't have to be an onerous task, even at the high-risk end of the
context spectrum. However, to completely ignore the risks and opportunities aspect of
planning your QMS [see 6.1], regardless of the degree of risk involved, would surely be
to risk a major non-conformity?
ISO 9001 Risk-based thinking could (and I am not saying that it should) be
demonstrated by showing the outputs from one or more of the risk assessment tools in
ISO 31010 in your documented information.
To give you a flavour of what these tools are intended to achieve and how they work, I
intend to describe a selection of the 31 listed in ISO 31010. At the same time and over
the next two posts, I will attempt to link these tools to QMS processes in a meaningful
way; however, I do not anticipate my work in this respect to be in any way definitive as a
reliable reference. There is no common consensus on how best to employ risk
assessment techniques in quality management at least none that I am aware of yet!
[That said, I am studying with interest the ICH guideline Q9 on quality risk management,
which provides principles and examples of tools for quality risk management applied to
different aspects of pharmaceutical quality. If you have experience of this guideline, I'd
welcome your input!]
Note: the text is based on the contents of Table A.2 Attributes of a selection of
risk assessment tools [Source: IEC/FDIS 31010:2009].

LOOK UP METHODS
Check-lists
A simple form of risk identification. A technique which provides a listing of typical
uncertainties which need to be considered. Users refer to a previously developed list,
codes or standards.
Check-lists and reviews of historical data are, naturally enough, a sensible step if you are
serious about identifying the risks and opportunities in accordance with the
requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the
appropriate actions to address them. You could, however, enhance the quality of the
output by following a systematic process to identify risks by means of a structured set of
prompts or questions for the experts; see Structured interview below.
Personally, I would start by making a check-list of the known issues in the environment
that can (a) affect conformity of products and services [risk] and (b) have the ability to
enhance customer satisfaction [opportunity].
No ISO 9001 assessor is likely to fault you for making this much effort; whether or not
you have addressed these risks and opportunities in the design of your quality
management system and its associated processes.
However, it is also worth remembering that check-lists are most useful when applied to
check that everything has been covered after a more imaginative technique that
identifies new problems has been applied.

Preliminary hazard analysis
A simple inductive method of analysis whose objective is to identify the hazards and
hazardous situations and events that can cause harm for a given activity, facility or
system.
Note: the term hazard is always used in the context of physical harm.
At first sight, not a very promising tool but it does have advantages; namely: it is able to
be used when there is limited information; and it also allows risks to be considered very
early in the system lifecycle. In some organizational contexts, preliminary hazard
analysis could be appropriate as a risk assessment tool for quality when its use helps
prevent Critical Non-conformities; which could, for example, result in hazardous or
unsafe conditions for individuals using, maintaining or depending on the product.

SUPPORTING METHODS
Structured interview and brainstorming
A means of collecting a broad set of ideas and evaluation, ranking them by a team.
Brainstorming may be stimulated by prompts or by one-on-one and one-on-many
interview techniques.

So what should we plan to collect in terms of ideas and evaluation?
Let's remind ourselves first of what ISO 9001:2015 says we should do.
When planning for the quality management system, ISO 9001:2015 requires
organizations to consider the issues referred to in 4.1 [Understanding the organization
and its context] and the requirements referred to in 4.2 [Understanding the needs and
expectations of interested parties] and determine the risks and opportunities that need
to be addressed, in order to:
a) give assurance that the quality management system can achieve its intended
result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.
We should integrate and implement the actions into the organization's quality
management system processes (see clause 4.4) and evaluate their effectiveness.

Brainstorming as a technique could be particularly useful when, for example, identifying
risks of new technology where there is no data, or where novel solutions to problems
are needed. To quote ISO 31010, "it encourages imagination which helps identify new
risks and novel solutions". However, it is not applicable to the risk analysis tasks of
estimating consequence, probability or level of risk. It therefore has its limitations and,
along with the Look-Up Methods (Check-lists and Primary hazard analysis) and most of
the Supporting Methods (Structured interviews, the Delphi technique and SWIFT
(Structured what if)), it does not provide any quantitative output; although this is not a
requirement of ISO 9001.
[Note: in the section Supporting Methods, Human reliability analysis (HRA), which deals
with the impact of humans on system performance and can be used to evaluate human
error influences on the system, is able to provide quantitative output and is strongly
applicable to risk analysis and applicable to risk evaluation; see Table A.1 in ISO
31010.]
However, before we get bogged down in too much detail with regard to the other
Supporting Methods (Scenario Analysis, Function Analysis, Controls Assessment and
Statistical Methods), we should ask what we are trying to achieve here, and how any
of these assessment tools will help.
Let's take a step back.
If I were considering risks in relation to a quality management system and its associated
processes, I would be asking the following questions:
1. What are the risks associated with the organization's context and objectives, and why
does each risk occur? [identifying the risk and the reason for its occurrence]
2. What would be the likely negative consequences of process, product, service or
system nonconformities? [consequences if the risk occurs]
3. How likely is it that the organization will deliver nonconforming products and services
in relation to the risks we have identified? [probability of the risk occurring]
There are other possible questions worth considering at this stage, for example "How
effective are our existing controls?", in order to identify factors that reduce the
consequences or probability of the risk; however, in terms of what we actually need to
know, these will make a good start.
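The three questions above, plus the question about existing controls, are exactly the inputs to the simplest quantitative tool in the ISO 31010 list, the consequence/probability matrix (tool 29). The following is an added example written for this post, not code from the original article or from ISO: it scores a small risk register on hypothetical five-step scales, credits existing controls against either the consequence or the probability scale, and evaluates the inherent and residual level of risk against hypothetical risk criteria. The scales, thresholds and register entries are constructed for the demonstration; your own criteria are set when you establish the context.

```python
"""Risk register scored with a consequence/probability matrix.

Added example for this post; it is not code from the original article or from
ISO. The scales, thresholds and register entries are hypothetical and would be
replaced by the risk criteria your organization sets when establishing context.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List

# Ordinal scales (hypothetical). 1 is the lowest step on each scale.
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


def rating(level: int) -> str:
    """Risk evaluation: compare the level of risk against hypothetical risk criteria."""
    if level >= 15:
        return "unacceptable"   # must be treated before the process runs
    if level >= 8:
        return "tolerable"      # treat if reasonably practicable; keep under review
    return "acceptable"


@dataclass
class Control:
    """An existing control and the scale it acts on ('consequence' or 'probability')."""
    description: str
    reduces: str
    steps: int                  # how many scale steps the control is credited with

    def __post_init__(self) -> None:
        if self.reduces not in ("consequence", "probability") or self.steps < 0:
            raise ValueError(f"invalid control: {self.description!r}")


@dataclass
class Risk:
    ident: str
    event: str                  # what can happen (risk identification)
    cause: str                  # and why
    consequence: str            # what are the consequences
    probability: str            # what is the probability of occurrence
    controls: List[Control] = field(default_factory=list)   # factors that mitigate

    def __post_init__(self) -> None:
        # Reject values that are not on the agreed scales rather than scoring garbage.
        if self.consequence not in CONSEQUENCE:
            raise ValueError(f"{self.ident}: unknown consequence {self.consequence!r}")
        if self.probability not in PROBABILITY:
            raise ValueError(f"{self.ident}: unknown probability {self.probability!r}")

    def inherent(self) -> int:
        """Level of risk before any credit for existing controls."""
        return CONSEQUENCE[self.consequence] * PROBABILITY[self.probability]

    def residual(self) -> int:
        """Level of risk after existing controls; never credited below step 1."""
        c = CONSEQUENCE[self.consequence]
        p = PROBABILITY[self.probability]
        for ctl in self.controls:
            if ctl.reduces == "consequence":
                c = max(1, c - ctl.steps)
            else:
                p = max(1, p - ctl.steps)
        return c * p


def assess(register: List[Risk]) -> List[dict]:
    """Analyse and evaluate every entry; highest residual risk first (ties by id)."""
    rows = [
        {
            "id": r.ident,
            "inherent": r.inherent(),
            "inherent_rating": rating(r.inherent()),
            "residual": r.residual(),
            "residual_rating": rating(r.residual()),
        }
        for r in register
    ]
    return sorted(rows, key=lambda row: (-row["residual"], row["id"]))


def valid_scales(consequence: str, probability: str) -> bool:
    """True if both values are on the agreed scales (shows that bad input is refused)."""
    try:
        Risk("check", "", "", consequence, probability)
    except ValueError:
        return False
    return True


def build_register() -> List[Risk]:
    """Constructed sample entries for the demonstration, not real audit data."""
    return [
        Risk("R1", "Nonconforming product shipped to a customer",
             "Final inspection skipped under delivery pressure", "major", "likely",
             [Control("Dispatch blocked until inspection sign-off", "probability", 2)]),
        Risk("R2", "Obsolete work instruction used on the shop floor",
             "Paper copies not withdrawn after a revision", "moderate", "possible",
             [Control("Controlled copies listed and recalled at each revision", "probability", 1)]),
        Risk("R3", "Supplier substitutes an unapproved component",
             "No change-notification clause in the supply agreement", "critical", "unlikely",
             [Control("Goods-inwards check against the approved parts list", "consequence", 2)]),
    ]


if __name__ == "__main__":
    for row in assess(build_register()):
        print(f"{row['id']}: inherent {row['inherent']:>2} ({row['inherent_rating']}), "
              f"residual {row['residual']:>2} ({row['residual_rating']})")
```

The point of separating inherent from residual risk is that the register then records both the reason a control exists and what happens if it fails, which is the evidence an assessor is likely to ask for. The sort order gives you the prioritised list the earlier checklist asks for, and refusing values that are not on the agreed scales keeps the output traceable and repeatable, two of the characteristics ISO 31010 asks of a technique.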

What can we learn from ISO 31000 risk assessment processes?

ISO 31000 states that risk assessment attempts to answer the following fundamental
questions:
- what can happen and why (by risk identification)?
- what are the consequences?
- what is the probability of their future occurrence?
- are there any factors that mitigate the consequence of the risk or that reduce the
probability of the risk?
Providing that you adhere to this basic structure, you are following the framework that
is set out in the International Standard ISO 31000:2009.
Rather than spending several days reading the Standard and having long meetings with
colleagues to see how it might be applicable, why not look for methods that would help
you to meet the requirements of ISO 9001?
For me, a good start would be:
Documenting the results of any "consideration of risks and opportunities" exercise as
evidence of your management team's risk-based thinking.
Even if it is clear from the design of your processes that you have taken account of
Clause 6.1 and determined the risks and opportunities that need to be addressed,
having a record of your risk assessment processes might prove useful, if only as a
reminder to keep matters under review!
Then, evaluate the risk assessment tools (numbering 31 in total) in ISO 31010 to see if
they are applicable to your organizational context.
It's probably not the time to use them in anger yet (see below), but at least you will know
they exist, and that some tools could help to identify risks and opportunities and be
useful in carrying out risk analysis (if you consider consequences, probability and level
of risk) and risk evaluation.

Are structured interviews and brainstorming 9001 requirements?

No, of course not. Although if you don't currently use risk assessment tools to identify
the typical uncertainties that need to be considered, and there is no previously
developed list available of hazards, risks or control failures, either resulting from a
previous risk assessment or past failures, where do you begin? This is likely to be an
especially vexing question for organizations that are new to ISO 9001 quality
management and have to develop appropriate documented information for their
quality processes.
However: a cautionary note:
Before you despair and start writing out check-lists based on your own observations in
an effort to tick the box, remember that your colleagues in other departments and
business units may already be using some of the formal techniques of risk assessment
and risk management process (in a silo-centric way of course), without you even
knowing about this.
To quote from the Introduction to ISO 31000:2009:
"The current management practices and processes of many organizations include
components of risk management, and many organizations have already adopted
a formal risk management process for particular types of risk or circumstances." [1]
It follows therefore that it is worth interviewing them (in a structured or unstructured
way) or bringing them together for a brainstorming session if only to find out what
qualitative and quantitative risk assessments have been made that could help you to
address the requirements of ISO 9001!
Whether or not though anyone is carrying out risk assessments, with or without the use
of the tools in ISO 31010, ISO 9001:2015 expects the organization to understand its
context (see clause 4.1) and determine the risks and opportunities that need to be
addressed (see clause 6.1).
For example: ISO assumes that one of the key purposes of a quality management
system is to act as a preventive tool, taking account of identified risks. Consequently, ISO
9001:2015 does not have a separate clause or sub-clause titled "Preventive action".
Rather, the wording states unequivocally:
"The concept of preventive action is expressed through a risk-based approach to
formulating quality management system requirements." [2]
Although there are undoubtedly a number of quality professionals who feel
uncomfortable talking about risk in relation to preventive actions, assessing risk is
something that managers in most (all?) organizations do already in one form or another.
They may not always use the term "risk" to describe their activities, which could include,
for example, conducting a sensitivity analysis of a financial projection, scenario
planning for a project appraisal, assessing the contingency allowance in a cost estimate,
negotiating contract conditions, or developing contingency plans; but even so,
thinking about risks and opportunities is central to their work [3].
IF it can reasonably be argued that managing risk is an integral part of good
management (and I think that it can) and that risk-based thinking is fundamental to
achieving good business and project outcomes and the effective procurement of goods
and services, THEN identifying, analysing and evaluating risk should be processes
familiar to all quality managers?
Not everyone agrees with this statement of course, but understanding the context (see
clause 4.1) and determining the risks and opportunities that need to be addressed
(clause 6.1) are requirements of ISO 9001:2015. Therefore, before you reject the idea of
using risk assessment tools on the grounds that they are too complicated and not part
of your job, it's worth pondering this quote from the Introduction to ISO
31000:2009:
"The generic approach described in this International Standard provides the principles
and guidelines for managing any form of risk in a systematic, transparent and credible
manner and within any scope and context." [4]
Notes:
[1] ISO 31000:2009 Principles and Guidelines on Implementation
[2] Draft BS EN ISO 9001 Quality Management Systems Requirements, Date: 14 May
2014, A.4 Risk-based approach
[3] Project risk management guidelines: managing risk with ISO 31000 and IEC 62198, Dale
F Cooper et al, Wiley, 2014.
[4] ISO 31000:2009 Principles and Guidelines on Implementation, Introduction, p.V

Next time: More risk assessment tools described in ISO 31010 How useful could
they be to quality professionals in different contexts?

ISO 9001:2015 The likely impact (Part III)
February 17, 2015

What documented information is required by ISO 9001:2015?
An Executive Summary could read as follows:
ISO 9001:2015 will probably merge documents and records under the term
"documented information" and there will be no mandatory quality manual,
procedures or quality records. These significant changes may lead to much
greater flexibility in how information is managed within the quality management
system, but some envisage a potential downside; i.e. newcomers to ISO 9001:2015 may be
confused about where to start documenting their system; also, exactly what they
need to record and document in relation to the requirements of the standard; and
hence, when their organisation's documented information is ready for audit.

What does the 2014 draft of ISO 9001 actually say?

The Draft BS EN ISO 9001 Quality Management Systems Requirements
published in 2014 (the DIS) defines documented information as that which is
required to be controlled and maintained by the organization.
The Notes make it clear that this documented information can be in any format
and media and from any source. It can refer to the quality management system
(3.33), including related processes (3.12), or it can be information (3.50) created
for the organization (3.01) to operate (i.e. documentation). It can also be
evidence of results achieved (records).
The source for the above references is ISO DIS 9000:2014, 3.8.1.1.1.

ISO 9001:2008 was designed to allow an organization greater flexibility in the
way it chooses to document its quality management system (QMS).
Clause 4.2.1. General provided an explanation of what quality management
system documentation and records were required; specifically:
a) documented statements of a quality policy and quality objectives;
b) a quality manual
c) documented procedures required by this International Standard
d) documents needed by the organization to ensure the effective planning,
operation and control of its processes, and
e) records required by this International Standard;
In 2012, the ISO Document ISO/TC 176/SC 2/N 525R2, titled: ISO 9000
Introduction and Support Package: Guidance on the Documentation
Requirements of ISO 9001:2008, asked the question What is a document? and
defined at least some of the main objectives of an organizations documentation.
These were:
a) Communication of Information
b) Evidence of conformity
c) Knowledge sharing
In terms of category a), both the type and extent of documentation depended on
the nature of the organization's products and processes, the degree of
formality of communication systems and the level of communication skills within
the organization, and the organizational culture. [Ibid, page 1].

Out with the old, in with the new: ISO 9001 terms and definitions

Which terms and definitions are going to be defined and used when ISO
9001:2015 is published?
And does it matter?

For a start, due to the introduction of Annex SL, the requirements for
documents and records (documented information) are now contained within each
of the clauses numbered 4 through 10 in the new structure. See further down.
At the same time, familiar document references will be erased from the standard.
As mentioned, one of the most notable deletions is "Quality Manual". This might
be a shocker for those whose QM careers date all the way back to the
introduction of ISO 9001 in 1987. Yet this is only one among a number of changes
that set ISO 9001:2015 apart as a major revision of the QMS Standard.
"Documented information" now means both documents and records.
A.6 Documented information explains that [due to the introduction of the Annex SL
common management system framework] "a common clause on Documented
Information has been adopted without significant change or addition. This
means that the terms documented procedure and record have been replaced in
ISO 9001 with documented information."
I counted the text "documented information" appearing a total of 34 times in the
draft (DIS) of ISO 9001 between Clauses 4 to 10.
From that figure alone, you can appreciate that ISO 9001:2015 will require the
creation/maintenance of a sizeable number of documents!

How should you manage your required documented information?

The wording in the DIS sets out requirements for creating and updating:
- identification and description (e.g. a title, date, author, or reference number);
- format (e.g. language, software version, graphics) and media (e.g. paper, electronic);
- review and approval for suitability and adequacy.

Documented information should also be controlled to ensure:
a) it is available and suitable for use, where and when it is needed;
b) it is adequately protected (e.g. from loss of confidentiality, improper use,
or loss of integrity).

To address these requirements, the following activities are necessary:
a) distribution, access, retrieval and use;
b) storage and preservation, including preservation of legibility;
c) control of changes (e.g. version control);
d) retention and disposition.
You should also identify and control documented information of external origin
which is necessary for the planning and operation of your QMS.
It is, and will continue to be, necessary to regularly review documents to make
sure they are up-to-date, suitable and reflect your practices. Review processes
should also check for changes in relevant standards, regulations, specifications
and other external documented information.
Documented information will be used to support the operation of processes and
be retained to the extent necessary to have confidence that the processes are
being carried out as planned [4.4 Quality management system and its
processes]. Audit criteria will include a set of policies (3.07), documented
information (3.11) or requirements used as a reference against which audit
evidence (3.61) is compared.
What are the questions that you need to ask to ensure that your documented
information meets the requirements? Here are just a few suggestions:

- Who in your organisation approves documented information for release?
- How do you know that the documented information has been approved?
- What are the steps in your process for reviewing, updating and reapproving documented information? Does it include a regular review of changes and who is responsible for the different parts of this process?
- How do you identify changes?
- How do you manage your documented information so that you know which version you are looking at, and whether it is the current version?
- Who has access to the documented information and is the current version available where it is needed, for example by teams operating in the field?
- What means are used to provide access (e.g. document management system on the organisation's server, cloud application, paper documents)?
- Who is responsible for distributing documented information to where it is needed, both electronically (e.g. via intranet access, document attachments, download links, etc) and in paper form?
- Is documented information from external sources, such as relevant standards, current legislation, product specifications from your suppliers, being reviewed, updated and made available via controlled processes?
- Are you deleting, destroying, or obsoleting old documented information so that only the current version is in use? And who is responsible for checking that end users only have access to the current version?
- How will you archive and segregate obsolete documented information that you want to retain?
- Which items of documented information contain confidential data?
- What information security measures are you taking to protect data?

Once again here, this is not an exhaustive list, but it does highlight the
complexity of the task of managing the documented information.
You can find a further discussion of this topic on an earlier CogniDox blog; see:
Document Control, ISO 9001 and CogniDox DMS
Mark Hammar's post on the excellent ISO 9001 Blog (dated May 20, 2014) has
some helpful tips and advice on ISO 9001 document control:
Some Tips to make Document Control more useful for your QMS
Given the sheer number of new documents that are likely to be required, a
document management system (DMS) hosted on your server or in the cloud is
worth considering before you transition.
In our earlier post (see above) on the subject of using a DMS versus other
approaches, we showed how CogniDox maps to the list in Mark Hammar's post to
give you much greater control over your documented information.
Mark's useful tips will help to make your controls better suited to your
organisation's needs. He lists them under the following seven categories:
1. Approve for Adequacy (who is responsible for approving this)
2. Review/Update and Re-Approve
3. Changes and Revision Status identified
4. Relevant Versions at point of use
5. Legible and identifiable
6. Control of External Documents
7. Prevent use of Obsolete Documents

As we said on May 28, 2014: To rattle through a quick mapping of tips to
CogniDox features, we would find that the ability to create workflows with
mandatory approvers delivers #1. The review and notification process takes care
of #2. Version history and the event log provide #3. A clear link to latest and
approved-latest versions solves #4 (as does the ability to hide any version other
than the approved-latest one). Tip #5 is supported by embedded metadata in the
documents, so readers can see what they are using. We'd look to limited
partner access and/or the extranet portal functionality for #6. Finally, tip #7 can
be achieved by marking the document as obsolete.
Increased flexibility in terms of the documented information required by ISO
9001:2015 will not lessen the daunting challenge of controlling the large amount
of data contained within your quality management system. A DMS can greatly
improve the efficiency and effectiveness of your QMS.
But regardless of how you manage documented information, it will soon be time
to say a heartfelt Hasta la vista! to your trusty Quality Manual.

Sources referenced plus recommended reading
The following sources are useful in understanding the development process that
has led to the publication of the ISO 9001 Committee Draft (the DIS), including
the much debated topic of risk-based thinking.
Firstly, the Draft International Standard (DIS) issued for public comment:
Draft BS EN ISO 9001 Quality Management Systems Requirements,
Date: 14 May 2014, which is available from the ISO Store, BSI Shop, IT
Governance Ltd, and other distributors worldwide.
Even though the FDIS (final draft international standard) is expected soon (possibly
later this month?), the ISO/DIS 9001 draft issued in May 2014 makes for
interesting and necessary reading, especially Clause 0.5 Risk-based
thinking and the schematic (Figure 2 on page 9) with the box labelled Plan the
Process (Extent of planning depends on RISK)!

For those looking for straightforward answers to the simple questions regarding
the 2015 version and transition process, I recommend BSI's FAQ on ISO
9001:2015 in the ISO Revisions series; see reference below:
ISO 9001:2015 Revision, Frequently Asked Questions Approaching change, BSI
Group, July 2014 [PDF]
For a more detailed discussion about the importance of risk in quality
management and why this idea is not new, BSI's white paper is useful:
ISO 9001 Whitepaper, The importance of risk in quality management
Approaching change, BSI Group, December 2014 [PDF]
The BSI White Paper ISO 9001: Understanding the changes from ISO Revisions is
also useful in explaining the likely impact of ISO 9001:2015:
ISO 9001 Whitepaper, Understanding the changes, Approaching change, BSI
Group, July 2014 [PDF]
I also recommend an earlier white paper by Evgeny Avanesov, D.B.A., Prof. at
TEST-St.-Petersburg, and (as stated on the document in 2009) a member of the
Russian delegation in ISO/TC 176 and ISO/TC 207; see the link:
Risk Management in ISO 9000 Series Standards [PDF]
Although this document was published in 2009, it is interesting to revisit because
it came out when the common concepts and ideas for future activities of ISO/TC
176 on the revision of ISO 9001 were being formulated.
The author provides Examples of the requirements of ISO 9001:2008, indirectly
associated with the risk management. The table on page 6 of 11 is worth
reading whether you believe that risk-based thinking is a new idea or
something that you do already (see the Conclusion of BSI's 2014 white paper
and ISO's white paper titled ISO 9001 and Risk).
For ISO's own (easily digested) explanation of Risk-based Thinking, view their
slideshare presentation at:
http://www.slideshare.net/timdwill/iso9001-risk-basedthinking
Note slide 4 of 12, What is risk-based thinking?, which features a version of the
statement found in the DIS, Clause 0.5, Risk-based thinking; i.e. the concept
of risk has always been implicit in ISO 9001; this revision makes it more explicit
and builds it into the whole management system.
The ISO white paper on the same subject of ISO 9001 and Risk can be
downloaded from Public information on the ISO TC/176/SC2 Home Page:
http://isotc.iso.org/livelink/livelink/open/tc176SC2public
Note the frequently quoted line: Risk-based thinking has always been in ISO
9001 - this revision builds it into the whole management system. [Source: ISO
Document N1222, July 2014, page 2], which appears, in a longer and more
detailed form, in the committee draft of the standard.

What does the Chair of the ISO 9001 subcommittee have to say?
Watch the video of the Google hangout where Nigel Croft, Chair of the ISO
subcommittee responsible for ISO 9001, talks to us about how the revision is
progressing: www.youtube.com/watch?v=BrP94_ogRSY
This addresses the thorny subject of risk-based thinking, which as he points out,
does not necessarily mean using formal risk management.
In small, low-risk organisations, the risk-based thinking may simply be
intuitive; in others, a full risk management process may be appropriate

Cyber Essentials: Why your organisation should Get Badged! Part IV

Requirement 2. Secure configuration, and 3. User access control
The second Cyber Essentials Requirement references secure configuration. At this
point, I am reminded of The Security Configuration Benchmarks that are distributed free
of charge to propagate their worldwide use and adoption as user-originated, de facto
standards.

The CIS Benchmarks are described as consensus-based, best-practice security
configuration guides both developed and accepted by government, business, industry,
and academia. The Benchmarks are recommended technical control rules/values for
hardening operating systems, middleware and software applications, and network devices.
They are used by thousands of enterprises as the basis for security configuration
policies and the de facto standard for IT configuration best practices. Download
here: https://benchmarks.cisecurity.org/about/
How does the CES Requirement 2 compare with the CIS Benchmarks?
2. Secure configuration
Objectives: Computers and network devices should be configured to reduce the
level of inherent vulnerabilities and provide only the services required to fulfil
their role.
Computers and network devices cannot be considered secure upon default
installation. A standard, out-of-the-box configuration can often include an
administrative account with a predetermined, publicly known default password,
one or more unnecessary user accounts enabled (sometimes with special access
privileges) and pre-installed but unnecessary applications (or services).
Default installations of computers and network devices can provide cyber
attackers with a variety of opportunities to gain unauthorised access to an
organisation's sensitive information, often with ease. By applying some simple
security controls when installing computers and network devices (a technique
typically referred to as system hardening), inherent weaknesses can be
minimised, providing increased protection against commodity cyber attacks.
Basic technical cyber protection for secure configuration
Computers and network devices (including wireless access points) should be
securely configured. As a minimum:
1. Unnecessary user accounts (e.g. Guest accounts and unnecessary
administrative accounts) should be removed or disabled.
2. Any default password for a user account should be changed to an
alternative, strong password.
3. Unnecessary software (including application, system utilities and network
services) should be removed or disabled.
4. The auto-run feature should be disabled (to prevent software programs
running automatically when removable storage media is connected to a
computer or when network folders are accessed).
5. A personal firewall (or equivalent) should be enabled on desktop PCs and
laptops, and configured to disable (block) unapproved connections by default.

Commentary:
For SME organisations employing <50 people, among the first things that I would
definitely recommend checking are the default configurations of routers, including
converged wireless routers with access points (AP) and often an Ethernet switch, which
offer little security in their default setting.
Wireless routers are very common in micro-businesses and home office set-ups in
particular; hence I would have named these devices by saying:
Computers and network devices (including wireless routers/wireless access
points) should be securely configured
It is good practice to begin hardening your configuration by ensuring that your router is
secure, as this is one of the best initial lines of defence. Consult the user's guide, which
will direct you to a predefined URL or IP address where you can do the following:

Configure the wireless network to use WPA2-AES encryption for data
confidentiality.

Change the default login username, if permitted (refer to the user's
guide), and password. (The default passwords are published in
manufacturers' publications and are readily accessible.)

Conduct MAC address filtering (a form of whitelisting, or identifying
wireless-connected computers you trust).

Change the default wireless SSID.

I would also have stressed that many wired networks base their security on physical
access control, trusting all the users on the local network, but if wireless access points
are connected to the network, anybody within range of the AP (which typically extends
farther than the intended area) can attach to the network. Your security stance will be
compromised if it is easy to attack your network using unencrypted wireless access
points.
Control in management means setting standards, measuring actual performance
and taking corrective action. Control is a continuous process.
I would have added to the Cyber Essentials Requirements that you should remove
unnecessary software and disable nonessential services, and modify unnecessary
default features to eliminate opportunities for attack, on a continuous basis. Your
system technology is constantly evolving and new software/software upgrades can
introduce security vulnerabilities (see below). Only through system hardening measures
can you hope to maintain an optimum level of protection when connected to the
internet; and even then unmitigated vulnerabilities will be exploited by the hackers.
From the initial installation onwards, review the features that came enabled by default
on your computer and disable or customise those you don't need or plan on using. As
with nonessential services, be sure to research these features before disabling or
modifying them. Recent operating systems are configured more securely by default and
are preferred. However, all systems should be continuously hardened. Besides the
operating system, some user-installed applications provide network services to
communicate with other devices. In many cases these services are required for the
intended operation of the device, and are therefore permitted. However, some
applications install gratuitous network services that are either not required or are
configured to provide network access when only local access is required. Hence, it will
not be enough to apply this requirement once a year or every 6 months and still be
confident that you have these issues under control. Cyber security is not a steady state.
Next up: access control. In computer security, general access control
includes authorisation, authentication, access approval, and audit.
Cyber Essentials Control 3, User access control, adopts elements of this definition in
the Requirements, including a regular review of special access privileges. It stops short,
though, of calling the process an audit.

3. User access control
Objectives: User accounts, particularly those with special access privileges (e.g.
administrative accounts) should be assigned only to authorised individuals,
managed effectively and provide the minimum level of access to applications,
computers and networks.
User accounts with special access privileges (e.g. administrative accounts) typically
have the greatest level of access to information, applications and computers.
When privileged accounts are compromised their level of access can be exploited
resulting in large scale corruption of information, affected business processes and
unauthorised access to other computers across an organisation.
To protect against misuse of special access privileges, the principle of least
privilege should be applied to user accounts by limiting the privileges granted and
restricting access.
Basic technical cyber protection for secure configuration
User accounts should be managed through robust access control. As a minimum:
1. All user account creation should be subject to a provisioning and approval
process.
2. Special access privileges should be restricted to a limited number of
authorised individuals.
3. Details about special access privileges (e.g. the individual and purpose)
should be documented, kept in a secure location and reviewed on a regular basis
(e.g. quarterly).
4. Administrative accounts should only be used to perform legitimate
administrative activities, and should not be granted access to email or the
internet.
5. Administrative accounts should be configured to require a password
change on a regular basis (e.g. at least every 60 days).
6. Each user should authenticate using a unique username and strong
password before being granted access to applications, computers and network
devices.
7. User accounts and special access privileges should be removed or
disabled when no longer required (e.g. when an individual changes role or leaves
the organisation) or after a pre-defined period of inactivity (e.g. 3 months).
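
The seven minimums above lend themselves to a scripted quarterly review. The following Python is an added example, not code from Cyber Essentials or the original post: it applies items 2 to 7 to a constructed account inventory, using the standard's own 60-day and 3-month figures; the limit of three administrative accounts and the field names are assumptions.

```python
"""Account review against the 'User access control' minimums quoted above.

Added example, not part of Cyber Essentials or the original post. The
inventory is constructed; in practice it would be exported from the
directory service (Active Directory, LDAP, local accounts).
"""
from datetime import date, timedelta
from typing import NamedTuple, Optional, Tuple


class Account(NamedTuple):
    username: str
    owners: Tuple[str, ...]   # named individuals; more than one means a shared login
    admin: bool               # holds special access privileges
    purpose: Optional[str]    # item 3: why the privilege exists
    last_login: Optional[date]
    password_changed: date
    mail_or_internet: bool    # item 4: account can reach email or the internet


ADMIN_PASSWORD_MAX_AGE = timedelta(days=60)   # item 5
INACTIVITY_LIMIT = timedelta(days=90)         # item 7 ("e.g. 3 months")
MAX_ADMIN_ACCOUNTS = 3                        # item 2; this limit is an assumption


def review_accounts(accounts, today, max_admins=MAX_ADMIN_ACCOUNTS):
    """Return (username, issue) pairs; an empty list means nothing to action."""
    findings = []
    admins = [a for a in accounts if a.admin]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} accounts hold special access "
                              f"privileges (limit {max_admins})"))
    for a in accounts:
        if len(a.owners) != 1:                                   # item 6
            findings.append((a.username, "not tied to a single named individual"))
        # An account that has never logged in is measured from its password date.
        idle = today - (a.last_login or a.password_changed)
        if idle > INACTIVITY_LIMIT:                              # item 7
            findings.append((a.username, f"inactive for {idle.days} days; disable"))
        if a.admin:
            if not a.purpose:                                    # item 3
                findings.append((a.username, "special access privileges not documented"))
            if today - a.password_changed > ADMIN_PASSWORD_MAX_AGE:   # item 5
                findings.append((a.username, "administrative password older than 60 days"))
            if a.mail_or_internet:                               # item 4
                findings.append((a.username, "administrative account has email/internet access"))
    return findings


# Constructed inventory for a fictional small business, reviewed on 31 March 2015.
REVIEW_DATE = date(2015, 3, 31)
INVENTORY = [
    Account("jsmith", ("J. Smith",), False, None, date(2015, 3, 30), date(2015, 1, 15), True),
    Account("jsmith-adm", ("J. Smith",), True, "Server administration",
            date(2015, 3, 28), date(2015, 3, 1), False),
    Account("backupsvc", ("IT team",), True, None, date(2014, 11, 2), date(2014, 6, 1), False),
    Account("contractor1", ("A. Contractor",), False, None, date(2014, 12, 1), date(2014, 9, 1), True),
    Account("admin", ("J. Smith", "P. Jones"), True, "Built-in vendor account",
            None, date(2014, 1, 10), True),
]

if __name__ == "__main__":
    for user, issue in review_accounts(INVENTORY, REVIEW_DATE):
        print(f"{user:12} {issue}")
```

Only the two accounts belonging to a single named person with current credentials pass; the shared built-in account collects four findings on its own.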
The first step towards securing a small business network, or indeed any other kind of
computer network, is to understand what vulnerabilities an attacker is likely to exploit.
You put yourself in the position of an attacker. What is your primary task once you have
infiltrated (i.e. got into) a network? It's not really a brain-teaser question: just ask
yourself what you would do in the real world to gain access to valuable data assets.
Your job the moment you are in the system is to initiate escalation of privileges, which is
how an attacker attempts to gain more access from the established foothold that they
have created. After an escalation of privileges has occurred, there is little left in the
system's defences to stop an intruder from whatever intent that attacker has. Attackers
employ many different mechanisms to achieve an escalation of privileges (too many for
this post!), but primarily they involve compromising existing accounts, especially those
with administrator-equivalent privileges.
In most cases the bad guys need hours to compromise (>75% of the cases) where the
good guys rarely get their job done in less than months (incredibly, only about 25% of
the breaches are detected in days or less). [Source: The 2014 Verizon DBIR Report:
Time-to-Compromise vs. Time-to-Discovery]
After an attacker has compromised a network to the point where a critical account with
high privileges is compromised, the entire network can never be considered as
completely trustworthy again unless it is flattened and completely recreated. Therefore
the level of security for all manner of accounts is a very important aspect of any network
security initiative.
In the words of Microsoft Developer Network: The matter of managing the security
for all account types in a network is very important to managing risk for a midsize
business network. Internal and external threats must be taken into account, and the
solution to these threats must balance the need for security with the functionality a
midsize business demands from their network resources. As a small business grows,
the number of all types of accounts increases, and so too do the number of exploitable
vulnerabilities. However, this is often forgotten in the priorities set by management in
the commercial pressure to expand.
Personally, I consider the control themes in this Requirement to be one of the most
useful aspects of Cyber Essentials. Administrative accounts should only be used to
perform legitimate administrative activities, and should not be granted access to email
or the internet. SMEs and quite a few large organisations need to understand the cyber
risks associated with administrative, service, application-related, and default accounts.
At this point it is worth remembering that the National Security Agency (NSA) is the font
of information security wisdom for the US defence and intelligence communities. Yet,
despite this obvious reason for cyber security, the NSA's network security was apparently so
weak that a single administrator was able to hijack the credentials of a number of NSA
employees with high-level security clearances and use them to download data from the
agency's internal networks, so the problem really exists.
The administrator referred to here was, allegedly, Edward Snowden!
[Source: Sysadmin security fail: NSA finds Snowden hijacked officials' logins, Ars
Technica, Sean Gallagher, Aug 29 2013, 10:40pm GMTDT].
Perhaps it isn't just the smaller enterprises that need Cyber Essentials?

Cyber Essentials: Why your organisation should Get Badged! Part V
Part V: Requirements 4. Malware protection, and 5. Patch management
Malware protection software is a necessary cyber security requirement. We all have
knowledge of malware threats in one form or another and experience teaches us to be
wary of certain links and email attachments.
Cyber Essentials starts with the assumption that computers connected to the internet
are vulnerable to attack from malware, and therefore malware protection is seen as a
key feature of basic cyber hygiene requirements.
4. Malware protection
Objectives: Computers that are exposed to the internet should be protected
against malware infection through the use of malware protection software.
Malware, such as computer viruses, worms and spyware, is software that has
been written and distributed deliberately to perform unauthorised functions on
one or more computers.
Computers are often vulnerable to malicious software, particularly those that are
exposed to the internet (e.g. desktop PCs, laptops and mobile devices, where
available). When available, dedicated software is required that will monitor for,
detect and disable malware.
Computers can be infected with malware through various means often involving a
user who opens an affected email, browses a compromised website or opens an
unknown file on a removable storage media.
Basic technical cyber protection for malware
The organisation should implement robust malware protection on exposed
computers. As a minimum:
1. Malware protection software should be installed on all computers that are
connected to or capable of connecting to the internet.
2. Malware protection software (including program code and malware
signature files) should be kept up-to-date (e.g. at least daily, either by
configuring it to update automatically or through the use of centrally managed
deployment).
3. Malware protection software should be configured to scan files
automatically upon access (including when downloading and opening files,
accessing files on removable storage media or a network folder) and scan web
pages when being accessed (via a web browser).
4. Malware protection software should be configured to perform regular
scans of all files (e.g. daily).
5. Malware protection software should prevent connections to malicious
websites on the internet (e.g. by using website blacklisting).
The scope of malware protection in this document covers desktop PCs, laptops
and servers that have access to or are accessible from the internet. Other
computers used in the organisation, while out of scope are likely to need
protection against malware as will some forms of tablets and smartphones.
Website blacklisting is a technique used to help prevent web browsers connecting
to unauthorised websites. The blacklist effectively contains a list of malicious or
suspicious websites that is checked each time the web browser attempts a
connection.
Commentary:
Cyber Essentials assumes that robust malware protection will help to protect your
system. That protection comes from malware protection software (the Objectives
section avoids the outdated term antivirus).
The aim of course is to protect against human nature and the inevitable introduction of
commonly found types of malicious software to a system. There's no mention here of
highly sophisticated, targeted, zero-day and persistent advanced malware threats that
Advanced Malware Protection (AMP) for Networks is designed to counter, at a price few
could afford.
Malware is commonly spread by people clicking on an email attachment or a link that
launches the malware. Therefore, the best general advice to any organisation is: tell
your staff about the risks before you get infected!
Don't open attachments or click on links unless you're certain they're safe, even if they
come from a person you know. Some malware sends itself through an infected
computer. While the email may appear to come from someone you know, it really came
from a compromised computer.
Relying purely on your malware protection software is not a good idea. You should take
steps to raise staff awareness of the external threats, and what steps they can take as
individuals to avoid malware infection.
Personally, I would like to have seen a reference to training employees in cyber security
awareness and incident reporting rather than total reliance on software tools: both are
important in reducing the risk of data breach.
Likewise, there should be a health warning about advanced persistent threats to dispel
the notion that Cyber Essentials controls are effective against 100% of the malware
attacks perpetrated by determined hackers.
However, what Control 4 attempts to do is probably a realistic goal for essential
security given the limited aims of Cyber Essentials certification.
And so, finally, we arrive at the fifth and final Cyber Essentials Control:
5. Patch management
Objectives: Software running on computers and network devices should be kept
up-to-date and have the latest security patches installed.
Any computer and network device that runs software can contain weaknesses or
flaws, typically referred to as technical vulnerabilities. Vulnerabilities are common
in many types of popular software, are frequently being discovered (e.g. daily),
and once known can quickly be deliberately misused (exploited) by malicious
individuals or groups to attack an organisations computers and networks.
Vendors of software will typically try to provide fixes for identified vulnerabilities
as soon as possible, in the form of software updates known as patches, and
release them to their customers (sometimes using a formal release schedule such
as weekly). To help avoid becoming a victim of cyber attacks that exploit software
vulnerabilities, an organisation needs to manage patches and the update of
software effectively.
Basic technical cyber protection for patch management
Software should be kept up-to-date. As a minimum:
1. Software running on computers and network devices that are connected to
or capable of connecting to the internet should be licensed and supported (by the
software vendor or supplier of the software) to ensure security patches for known
vulnerabilities are made available.
2. Updates to software (including operating system software and firmware)
running on computers and network devices that are connected to or capable of
connecting to the internet should be installed in a timely manner (e.g. within 30
days of release or automatically when they become available from vendors).
3. Out-of-date software (i.e. software that is no longer supported) should be
removed from computer and network devices that are connected to or capable of
connecting to the internet.
4. All security patches for software running on computers and network
devices that are connected to or capable of connecting to the internet should be
installed in a timely manner (e.g. within 14 days of release or automatically when
they become available from vendors).
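
The four minimums above give concrete timescales that can be checked mechanically. The Python below is an added example, not code from Cyber Essentials or the original post: it measures a constructed software inventory against the 14-day window for security patches, the 30-day window for other updates, and the requirement to remove unsupported software; the hosts, patch identifiers and dates are all constructed.

```python
"""Patch-status check against the 'Patch management' minimums quoted above:
security patches within 14 days of release (item 4), other updates within
30 days (item 2), and unsupported software removed (items 1 and 3).

Added example, not part of Cyber Essentials or the original post. The
inventory, patch identifiers and dates are constructed; in practice they
come from vendor release notes and the endpoint management tool.
"""
from datetime import date, timedelta
from typing import NamedTuple, Optional

SECURITY_PATCH_WINDOW = timedelta(days=14)   # item 4
GENERAL_UPDATE_WINDOW = timedelta(days=30)   # item 2


class Software(NamedTuple):
    host: str
    name: str
    supported: bool     # vendor still issues security patches (items 1 and 3)


class Update(NamedTuple):
    host: str
    name: str
    version: str        # constructed identifier for the patch or release
    released: date
    security: bool      # security patch (14 days) or other update (30 days)
    installed_on: Optional[date]   # None = not yet installed


def patch_status(inventory, updates, today):
    """Return (host, software, issue) findings; fully compliant items produce none."""
    findings = []
    for s in inventory:
        if not s.supported:
            findings.append((s.host, s.name, "unsupported: remove or replace"))
    for u in updates:
        window = SECURITY_PATCH_WINDOW if u.security else GENERAL_UPDATE_WINDOW
        deadline = u.released + window
        kind = "security patch" if u.security else "update"
        if u.installed_on is None:
            if today > deadline:
                late = (today - deadline).days
                findings.append((u.host, u.name, f"{kind} {u.version} overdue by {late} days"))
            else:
                findings.append((u.host, u.name,
                                 f"{kind} {u.version} due by {deadline.isoformat()}"))
        elif u.installed_on > deadline:
            # Installed, but outside the window: worth recording for the next review.
            late = (u.installed_on - deadline).days
            findings.append((u.host, u.name,
                             f"{kind} {u.version} installed {late} days past its deadline"))
    return findings


# Constructed data for two devices, checked on 1 April 2015.
TODAY = date(2015, 4, 1)
INVENTORY = [
    Software("ws01", "Windows 7", True),
    Software("ws01", "Legacy reporting tool", False),   # vendor support ended: item 3
    Software("fw01", "Router firmware", True),
]
UPDATES = [
    Update("ws01", "Windows 7", "patch-A", date(2015, 3, 10), True, date(2015, 3, 12)),
    Update("ws01", "Windows 7", "patch-B", date(2015, 3, 10), True, None),
    Update("ws01", "Office", "15.0.1", date(2015, 3, 20), False, None),
    Update("fw01", "Router firmware", "2.1", date(2015, 2, 1), True, date(2015, 3, 1)),
]

if __name__ == "__main__":
    for host, name, issue in patch_status(INVENTORY, UPDATES, TODAY):
        print(f"{host:6} {name:22} {issue}")
```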
Commentary:
Reasonable steps in a sensible approach. I particularly like the reference to removal of
out-of-date software. If you don't need it, get rid of it fast! There's no point in leaving
redundant, unpatched application software on a system to help the hacker in their job.
De-cluttering improves security.
Defining time limits for applying software updates (i.e. within 30 days of release, or
automatically when they become available from the vendor, and, for security patches,
14 days or automatically) for software running on computers or network devices is, I
think, a useful security benchmark.
Less helpfully, there are no specific remarks about patching and updating firewalls, IDS
and NIDS (Network Intrusion Detection Systems), which often get a low priority in relation
to applying OS patches but are in constant need of attention and monitoring. The
alternatives to doing this yourself or building a dedicated in-house team are: (a)
outsourcing to a systems security or networking company experienced at dealing with
installations and on-going configurations of devices on a daily basis; or (b) using cloud
services from public cloud providers like Google Inc. and Amazon Inc. to host services
and applications, thereby side-stepping the need for a complex, time-consuming
and expensively-owned network architecture.
But how then do you provide assurance that external service providers, especially for
cloud services, comply with Cyber Essentials requirements?

How does Cyber Essentials deal with cloud service provision?
As the Cyber Essentials Scheme Assurance Framework document states:
Many organisations use cloud services or other externally provided IT services.
Cloud services of course vary considerably. Cyber Essentials applies in different ways
depending on whether the applicant retains responsibility for implementation of the
relevant set of controls, or whether the cloud service provider has the responsibility. If
externally provided IT services are included within the scope of a Cyber Essentials
assessment, then:
For Cyber Essentials, the organisation will need to attest that its service
provider's system delivering that service meets the Cyber Essentials requirements
for which the service provider is responsible. Existing evidence (such as that
provided through PCI certification of a cloud service and appropriately scoped ISO
27001 certifications) may be considered as part of this process.
For Cyber Essentials Plus, the organisation will need to ensure that its service
provider's system delivering that service is tested as meeting the Cyber Essentials
requirements for which the service provider is responsible.
[Source: Cyber Essentials: Assurance Framework, [PDF] June 2014, section on
Cloud Services, p. 10].

Who will test cloud services for compliance with Cyber Essentials?
Penetration testers and ethical hackers are increasingly being called upon to evaluate
the security of cloud-based applications, services, and infrastructures. In my view, the
popularity of penetration testing will increase as public cloud services change the world
of physical server-based IT into a virtual one. The type of cloud will dictate, though,
whether pen testing is possible. For the most part, Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS) clouds will permit pen testing. However, Software as a
Service (SaaS) providers are not likely to allow customers to pen test their applications
and infrastructure, even if they are applying for Cyber Essentials, with the exception
of third parties performing the cloud provider's own pen tests for compliance or
security.
