
24.02.2017 Whittington & Associates Newsletter


Whittington & Associates Newsletter

Sign up for our monthly email newsletter to get the latest guidance on ISO 9001, AS9100,
ISO 13485, ISO/TS 16949, TL 9000, ISO 14001, ISO 27001, ISO 20000, and related ISO standards,
as well as Six Sigma.

If you have any questions about the articles appearing in this issue, or you want to suggest topics
for future issues, please let us know.

ISO 9001:2015, Clause 5, Leadership

Feb 1, 2017 in Newsletter

Top Management is defined in ISO 9000:2015, 3.1.1, as the person or group of people who directs
and controls an organization at the highest level (within the scope of the quality management
system). Top Management has the power to delegate authority and provide resources within the
organization.

Clause 5 of ISO 9001:2015 has three sub-clauses:

5. Leadership
5.1 Leadership and Commitment
5.2 Policy
5.3 Organizational Roles, Responsibilities, and Authorities

This article summarizes the ISO 9001:2015 requirements in Clause 5 and highlights the changes
from ISO 9001:2008.

5.1 Leadership and Commitment

5.1.1 General

Top management must demonstrate leadership and commitment with respect to the quality
management system:


a) take accountability for the effectiveness of the system;
b) ensure the quality policy and quality objectives are established and are compatible with the
context and strategic direction of the organization;
c) ensure the integration of the system requirements into the organization's business processes;
d) promote awareness of the process approach and risk-based thinking;
e) ensure that the resources needed for the system are available;
f) communicate the importance of effective quality management and of conforming to system
requirements;
g) ensure that the quality management system achieves its intended results;
h) engage, direct, and support persons to contribute to the effectiveness of the system;
i) promote improvement;
j) support other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.

Note: Reference to "business" in ISO 9001 can be interpreted broadly to mean those activities
that are core to the purposes of the organization's existence, whether the organization is public,
private, for profit, or not for profit.

Changes:

Replaces old clause 5.1 on Management Commitment
Expands to demonstrate leadership and accountability
Adds that policy and objectives must be compatible with strategic direction
Includes new focus on process approach and risk-based thinking
Adds to integrate system requirements into business processes
Notice that the "ensure" requirements allow someone else to do the work
(versus "take", "promote", "communicate", "engage", and "support")
Becomes more of a hands-on role for top management

5.1.2 Customer Focus

Top management must demonstrate leadership and commitment with respect to customer focus:

a) determine, understand, and consistently meet customer requirements and applicable
statutory and regulatory requirements;
b) determine and address risks and opportunities that can affect conformity of products and
services and the ability to enhance customer satisfaction;
c) maintain focus to enhance customer satisfaction.

Changes:

Replaces old clause 5.2 on Customer Focus
Includes determining legal requirements from old clause 7.2.1
Adds the requirement to determine and address risks and opportunities that affect
conformity
Note that the primary clauses on customer requirements are 8.2.2 and 8.2.3.

5.2 Policy
5.2.1 Establishing the Quality Policy

Top management must establish, implement, and maintain a quality policy that:

a) is appropriate to purpose and context of the organization and supports its strategic direction;
b) provides a framework for setting quality objectives;
c) includes a commitment to satisfy applicable requirements;
d) includes a commitment to continually improve the system.


5.2.2 Communicating the Quality Policy

The quality policy must be:

a) available and maintained as documented information;
b) communicated, understood, and applied within the organization;
c) available to relevant interested parties, as appropriate.

Changes:

Replaces old clause 5.3 on Quality Policy
Adds for policy to support strategic direction
Includes for policy to be available and maintained
Adds for policy to be applied, not just communicated and understood
Adds to make policy available to interested parties, as appropriate

5.3 Organizational Roles, Responsibilities, and Authorities

Top management must ensure that the responsibilities and authorities for relevant roles are
assigned, communicated, and understood within the organization.

Assign the responsibility and authority to:

a) ensure that the system conforms to the ISO 9001 requirements;
b) ensure that the processes are delivering their intended outputs;
c) report on system performance and opportunities for improvement, in particular to top
management;
d) ensure the promotion of customer focus throughout the organization;
e) ensure that the integrity of the system is maintained when changes to the system are planned and
implemented.

Changes:

Replaces old clause 5.5.1 on Responsibility and Authority
Adds that responsibilities are to be assigned and understood
Identifies some specific responsibilities to be assigned
Drops requirement for management representative

The Management Representative role can be retained or the prior duties can be spread among
top management.

The ISO 9001:2015 Requirements and Transition Guidance course can be taught at your location by
contacting Larry Whittington at larry@whittingtonassociates.com or 770-862-1766.

RASCI Diagram

Feb 1, 2017 in Newsletter

The RASCI Diagram can be used to clarify the roles and responsibilities for cross-functional
processes. It helps determine who is Responsible, Accountable, Supporting, Consulted, and
Informed.

The RASCI Diagram splits activities into five types of roles that make up the acronym RASCI:

R = Responsible: the person(s) who performs the activity
A = Accountable: the person held accountable for completion of the activity
S = Supporting: the person(s) that provides support for the work
C = Consulted: the person(s) consulted before performing the activity
I = Informed: the person(s) informed after performing the activity

The Responsible person(s) performs the activity. The individual(s) assigned the R in the
diagram is responsible for implementation and action. The degree of responsibility is defined by
the Accountable person. Responsibility can be shared and delegated.

TheAccountableperson is answerable for the correct and thorough completion of the activity.
Each activity can have only one person with ultimate accountability and authority. Therefore, only
one A is listed for each activity in the diagram. The A is assigned to the lowest level of
accountability and is implied at the higher levels. Accountability cannot be delegated. The A
approves the work that R provides.

The Supporting person(s) is a resource allocated to the Responsible person(s). Unlike Consulted,
who may aid in the activity, Supporting may be tasked with work.

The opinion and advice of the Consulted person(s) is sought before a final decision or action is
taken, both before and during the activity. Two-way communication is involved.

The Informed person(s) is kept up-to-date on progress, decisions, and actions. One-way
communication is involved.

The RASCI Diagram identifies activities within a process as the rows of a table. The columns
identify the involved individuals. Each row identifies one A and one or more of R, S, C, and I.

The RASCI Diagram is especially useful when everyone thinks they are responsible and
accountable, resulting in duplicate effort and in-fighting. Its use is also helpful in the reverse
situation, when no one seems to be responsible and some activities are not owned.

In some cases, people may think they need to be consulted, when they just need to be told after
the fact, i.e., kept informed. Or, some people really do need to be consulted, and are not. Without
clear roles, there will be poor communication and unsatisfactory results.

ISO 27004:2016 on Security Measurements

Feb 1, 2017 in Newsletter

ISO 27004:2016, Information technology - Security techniques - Information security
management - Monitoring, measurement, analysis and evaluation, is available.

ISO 27004:2016 provides guidelines to assist organizations in evaluating the information security
performance and the effectiveness of an information security management system to meet the
requirements of ISO 27001:2013, clause 9.1.

It establishes:

a) the monitoring and measurement of information security performance;
b) the monitoring and measurement of the effectiveness of an information security management
system (ISMS) including its processes and controls;
c) the analysis and evaluation of the results of monitoring and measurement.

The results of monitoring and measurement of an information security management system
(ISMS) can be supportive of decisions relating to ISMS governance, management, operational
effectiveness, and continual improvement.

The 58-page ISO 27004:2016 standard can be purchased at this ISO web page for about $180.

ISO 27004:2016 Outline:

1. Scope
2. Normative references
3. Terms and definitions
4. Structure and overview
5. Rationale
6. Characteristics
7. Types of measures
8. Processes
Annex A: An information security measurement model
Annex B: Measurement construct examples (37)
Annex C: An example of free-text form measurement construction

Please view our 1.5 day ISO 27001:2013 Requirements course description at this web page.

ISO 27011:2016 for Telecommunications Organizations

Feb 1, 2017 in Newsletter

ISO 27011:2016, Information technology - Security techniques - Code of practice for information
security controls based on ISO 27002 for telecommunications organizations, is available.

The revised standard defines guidelines for supporting the implementation of information
security controls in telecommunications organizations.

It will allow telecommunications organizations to meet baseline information security
management requirements of confidentiality, integrity, availability, and any other relevant
security properties.

The 31-page ISO 27011:2016 standard can be purchased at this ISO web page for about $140.

ISO 27011:2016 Outline:

1. Scope
2. Normative references
3. Terms and definitions
4. Overview
5. Information security practices
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development, and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity
18. Compliance

Please view our 1.5 day ISO 27001:2013 Requirements course description at this web page.

Top Three IT Concerns

Feb 1, 2017 in Newsletter

A Forbes blog says the trends analysis report by the Society for Information Management (SIM)
has identified the CIOs' top three concerns for 2017 as being business alignment, security, and
skills shortages.

The SIM 2017 report reflects the continuing evolution by which business trends become information
technology trends. Moreover, IT has increasingly become a priority for most businesses. SIM
notes that IT budgets increased in 2016 by an average of 4.15%, short of last year's increase of
4.6%, but positive nevertheless.

The report also notes that IT professionals' salaries have risen by 3.5%, and IT staff hiring has
also increased. The shift of budgets to cloud computing from hardware and software continues,
and is likely to increase again in the year ahead.

IT executives highlighted these top three concerns:

Business Alignment

This has been the top priority for four years running. It was listed as the top priority for IT leaders
among 41.7% of those executives polled.

Security

36% of IT leaders noted security as their top concern. Just four years ago, security was listed as
the ninth area of concern. Higher profile security breaches and increased emphasis on the topic
by the executive teams and boards of companies will mean that this concern is likely to remain
high for IT executives.

IT Skill Shortages

24% of IT leaders indicated that skills shortages were the top concern. The concerns center
around technical skills like analytics, software development, cybersecurity, and cloud-centric skills,
but increasingly, there is concern regarding the paucity of soft skills.

IT leaders are increasingly taking on more strategic responsibilities. This is aided by the fact that
46.3% of CIOs now report to the CEO according to the SIM report. This is compared to 28.6% who
report to CFOs and 16.8% who report to COOs. CIOs now meet with various members of the C-
suite on a weekly basis. This represents great progress for the function.

SIM concludes that other than the CEO, the CIO has the most complex, broad, and diverse set of
responsibilities. This is demonstrated by the need to think to the future in aiding the strategies of
every division of the company.

CIOs must also help drive the innovation agenda for the company while also focusing on risk
mitigation associated with security investments. The simultaneous focus on risk taking (a
necessity with innovation activities) and risk mitigation is but one demonstration of the
complexity of the role.

The SIM report is a free download for SIM members. Otherwise, the price is $995.

AS9120B Requirements and Transition Guidance

Feb 1, 2017 in Newsletter

The new AS9120B:2016 standard replaces the AS9120A:2009 standard. Organizations certified to
AS9120A:2009 must transition to AS9120B:2016 by September 2018, the date that AS9120A:2009
will be withdrawn.

Our new 2.5 day AS9120B Requirements and Transition Guidance course explains the
underlying requirements based on ISO 9001:2015 and the additional requirements unique to
AS9120B.

To help with the transition, the course highlights all the requirement changes from those in the
ISO 9001:2008 and AS9120A:2009 standards. The course also includes transition guidance.

To view the full course description, go to this web page.

Gap Analysis Checklists

Feb 1, 2017 in Newsletter

Larry Whittington has developed ISO 9001:2015 and ISO 14001:2015 checklists for the purpose of
conducting a gap analysis of your current system against the new and changed requirements of
the new standards.

ISO 9001:2015 Gap Analysis Checklist

The 27-page ISO 9001:2015 Gap Analysis Checklist contains 313 questions for organizations new
to ISO 9001, and 119 delta questions for ISO 9001:2008 certified organizations.

To read a description of the ISO 9001:2015 Gap Analysis Checklist, and see a sample page, go to
this web page. You can buy the checklist for $95.

ISO 14001:2015 Gap Analysis Checklist

The 17-page ISO 14001:2015 Gap Analysis Checklist contains 213 questions for organizations new
to ISO 14001, and 96 delta questions for ISO 14001:2004 certified organizations.

To read a description of the ISO 14001:2015 Gap Analysis Checklist, and see a sample page, go to
this web page. You can buy the checklist for $95.

Payment

When you click the Buy Now button at the checklist description, you will be taken to PayPal. You
do not need a PayPal account to make a credit card purchase. After payment, you will be directed
to a checklist download page. The file is supplied in Word format for ease of editing.



Whittington & Associates provides training, consulting, and auditing services for management
systems based on ISO 9001, ISO 14001, ISO 45001, AS9100, AS9110, AS9120, IATF 16949, ISO
27001, ISO 13485, and ISO 20000-1.

Copyright 2000 - 2017 Whittington & Associates, LLC. All Rights Reserved.
P.O. Box 1905, Windermere, FL 34786 | 770-862-1766
