All posts by Jane Boler

ISO/IEC 27004 to Measure Information Security Effectiveness

Newly updated ISO/IEC 27004:2016, Information technology – Security techniques – Information security management – Monitoring, measurement, analysis and evaluation, provides guidance on how to assess the performance of information security management system standard ISO/IEC 27001.

ISO/IEC 27004:2016 explains how to develop and operate measurement processes, while also assessing and reporting the results of a set of information security metrics.

Replacing the 2009 edition of the standard, ISO/IEC 27004:2016 has been updated and extended to align with the revised version of ISO/IEC 27001 to provide organizations increased value and confidence.

Edward Humphreys, convenor of the working group that developed the standard, said cyber attacks are among the greatest risks an organization can face.

“This is why the much improved version of ISO/IEC 27004 provides essential and practical support to the many organizations that are implementing ISO/IEC 27001 to protect themselves from the growing diversity of security attacks that business is facing today,” Humphreys said.

ISO/IEC 27004:2016 details how to construct an information security measurement program, select what to measure, and operate the necessary measurement processes. The standard also includes examples of different types of measures, and how to assess their effectiveness.

Benefits of implementing ISO/IEC 27004 include:

  • Increased accountability
  • Improved information security performance and ISMS processes
  • Evidence of meeting the requirements of ISO/IEC 27001, applicable laws, rules, and regulations

The post ISO/IEC 27004 to Measure Information Security Effectiveness appeared first on The Auditor.

Feedback Sought on International Consumer Product Information Guide

The American National Standards Institute (ANSI) is seeking feedback on the latest revision of ISO/IEC Guide 14, Product Information for Consumers.

ISO/IEC Guide 14 provides general principles intended to make it easier for consumers to effectively compare products or services before buying them. The primary purpose of the guide is to advise those responsible for drafting national or international standards what information prospective purchasers require and expect. Additionally, the guide may assist those who write purchase information, such as suppliers, as well as enforcement authorities.

Although the draft guide doesn’t address conformity assessment, it does include the following changes from the second edition:

  • An improved scope and introduction
  • Inclusion of new purchase information labeling tools
  • Relationship with ISO/IEC Guide 37, Instructions for use of consumer products and ISO/IEC Guide 41, Consumer needs in packaging
  • Consideration of vulnerable persons’ product information needs
  • Addition of information on recycling and used goods
  • Improved treatment of risk, sustainability, and privacy issues
  • Addition of new clauses on performance and conditions of use and dependability considerations
  • Deletion of purchase information bodies and purchase information systems

Click here to view the draft of ISO/IEC Guide 14 on Product Information for Consumers.

Relevant stakeholders are invited to send comments on the draft by close of business January 6 to ANSI Senior Director of International Policy Steven Cornish at

Based on the input received, the ANSI ISO Council will be asked to approve an ANSI position and submit its comments to ISO before its April 7 deadline.

ASQ Salary Survey Reveals Modest Increase for U.S. Quality Professionals

The average salary for quality professionals in 2016 remained relatively flat, according to ASQ Quality Progress magazine’s 30th annual salary survey.

The Quality Progress Salary Survey helps to outline the health of the quality profession and breaks down salary information—submitted by ASQ members—in 26 sections and sorts the results by variables including job title, education, years of experience and geographic location. This year’s survey was completed by more than 7,200 quality professionals from a range of industries and market sectors.

According to the 2016 results, average salaries increased 0.86 percent to $91,659 for full-time professionals in the United States. However, average salaries for quality professionals in Canada decreased 2.6 percent to $86,923*. The decrease can be attributed to the smaller number of respondents.

In 2016, the titles of the highest-paid quality professionals in the United States include vice president/executive (earning an average of $169,350), statisticians ($132,468), and directors ($130,902). In Canada, the top salary belongs to Master Black Belts and educators/instructors, who earn an average of $177,230.

While salaries in the United States remained flat, the percentage of respondents dissatisfied with their salaries decreased from 35 percent in 2015 to 27 percent this year—the lowest level since Quality Progress began monitoring employee satisfaction in 2014. Respondents are most satisfied with their pay when their employers pay for quality-related training and ASQ certifications, according to the survey.

“While salaries for quality professionals remain mostly unchanged from last year, support from senior leaders and their willingness to pay for quality training and ASQ certifications play a major role in the satisfaction of their employees,” says Pat La Londe, ASQ chairman. “It’s that training and those certifications that can help employees add value to the organization and increase its quality.”

While the average salary for full-time quality professionals increased slightly, there are steps workers can take to boost their pay, such as earning ASQ certifications.

Consistent with past results, those who hold ASQ certifications earn more than their non-credentialed colleagues. According to the survey, U.S. respondents with one ASQ certification earn more than $3,800 more than those without any certifications. Those with two certifications earn nearly $6,200 more than those with only one certification.

Specifically, quality engineers who hold ASQ manager of quality/organizational excellence certification earn nearly 21 percent more than non-certified quality engineers. Specialists with ASQ quality auditor certification earn 17 percent more than non-certified specialists.

Another way to boost pay is completing Six Sigma training. The average salary increased from $83,004 to $100,361 for U.S. quality professionals who completed one or more Six Sigma training programs. In Canada, the average salary increased from $81,759 to $94,234 for those with Six Sigma training.

While any level of training offers a boost in pay, completing higher levels of Six Sigma training offers an opportunity for larger salary increases, according to the survey.

In the U.S., the greatest disparity is between Master Black Belts, who earn an average of $130,878, and Black Belts, who earn an average of $104,974. In Canada, the greatest premium comes with Black Belts, who earn nearly $18,000 more than Green Belts.

Results from the Quality Progress Salary Survey can be found in the December issue of Quality Progress magazine.

*All Canadian figures are noted in Canadian dollars.

U.S. Representation Sought for Automation Standards Development

As a result of the rapid expansion of industries that rely on automation, the International Organization for Standardization’s Technical Committee 184, Automation systems and integration (TC 184), requires additional expertise.

As the U.S. member body to ISO, the American National Standards Institute is seeking additional U.S. participants with expertise reflecting the diverse nature of the committee to work within the ANSI-accredited U.S. Technical Advisory Group to ISO TC 184. The committee and its subcommittees work on a variety of standards related to automation, especially in areas involving manufacturing systems and integration.

Examples of the required expertise include experts who represent smart manufacturing and enterprise resource planning.

ISO TC 184 has developed a strategic business plan to highlight how its standards add value, including:

  • More efficient and effective capture, organization, and expression of the requirements for integration and operation of physical, human, and IT elements. Reduced cost of implementing the required technologies in a combined e-manufacturing and e-business environment.
  • The ability to adapt to changing business requirements by addressing the capabilities needed for enterprises to quickly respond and adapt to new supply chain demands and to flexibly configure their human, physical, and information resources to support continuous product and process improvements. TC 184 standards facilitate changes to the configuration of system elements while retaining the investment in individual elements.

Currently, stakeholders involved in ISO TC 184 standards development represent a diverse range of industries including automotive, aeronautics, space and defense, and electrical device sectors, along with leading IT companies, research institutes, trade associations, consortia, and academia. Twenty countries, including the United States, participate in the TC, which has published more than 800 standards since its creation in 1983.

What to Expect From the ISO 19011 Revision

By Elisabeth Thaller

This year the International Organization for Standardization (ISO) approved a project to revise ISO 19011:2011—Guidelines for auditing management systems. ISO Project Committee PC 302 was established with experts from numerous countries to revise the standard. The first of four plenary meetings was held during the second week of November in Orlando, Florida.

While it is too soon to say exactly what the new revision of ISO 19011 will look like, here is a brief overview of the most relevant topics that were discussed at the first meeting.

Terms and definitions: ISO 19011 isn’t a management system standard, therefore it’s not required to use the same terminology as other standards. However, it was decided that it’s in the interest of users of the standard that the terms and definitions be aligned with the high-level structure in Annex SL of the ISO directives. One example is the use of the term “documented information,” which will be integrated in ISO 19011 whenever possible.

Risk and risk-based thinking: The committee decided that it’s not necessary to include a new section about risk. However, the concepts of risk and opportunities will be included throughout the standard as applicable.

Remote auditing: The main idea and argument to justify the need to include remote auditing in the revision was that some companies only exist virtually, or that some or all information may not be stored in a physical location. The committee decided that an audit is an audit, no matter where it’s completed. Therefore, there are different tools and methods that can be used—remote auditing being one of them.

Small and medium enterprises (SME): It was determined that it’s not necessary to include a specific section regarding SMEs because the language used in the standard should be generic enough to apply to any type of organization and audit. If any specific guidance is needed for SMEs, it may be included within an annex or notes.

Audit team competence: ISO 19011 and ISO 17021 are compatible and will remain this way. There will be some changes to reflect current challenges regarding auditor and audit team competence—in particular in relation to risk, combined audits, and auditing clauses 4.1, 4.2, and 4.3 of the high-level structure, along with remote auditing.

In summary, we can expect the revision of ISO 19011 to be better aligned with the terminology, business practices, and audit needs of current times. The revision will incorporate concepts such as risk-based thinking and remote auditing, and will also include updated terminology and auditor competence requirements. This will provide a contemporary approach to complex organizational structures and audits.

About the author

Elisabeth Thaller has provided management system consulting, auditing, and training for the past 20 years. During this time, Thaller has coached private and government organizations on the implementation of diverse management system and conformity assessment standards, including ISO 17024 and ISO 17021.

As a contracted evaluator with Exemplar Global, Thaller has performed training provider and course certification audits in the US, Europe, Mexico, and South America.

Thaller is a member of the US TAG to ISO/PC 302 Guidelines for auditing management systems and is actively involved in the current review of ISO 19011. Thaller previously participated in the ISO/TC 176 STTG (ISO 9001:2015), ISO/TC 207 STTF (ISO 14001:2015), and ISO/CASCO/STTF (ISO 17021:2015).

Awards Program to Promote ISO 50001

An awards program has been created to recognize organizations that are transforming their businesses through ISO 50001, which applies to energy management systems certification.

The Energy Management Leadership Awards program was established by The Clean Energy Ministerial (CEM)—a global forum consisting of 24 countries and the European Commission.

The awards aim to raise global awareness of the benefits of energy management and accelerate uptake of the management system to support corporate, national, and global climate goals.

Industrial, commercial, and public-sector companies or facilities that hold a valid, third-party-verified ISO 50001 certificate are eligible to enter. To enter, organizations are required to submit a case study that describes their energy management experience and the benefits of doing so. The entries will be evaluated by an independent panel of international experts.

The winning organizations will be recognized in 2017 during the Clean Energy Ministerial meeting in China, which will host energy ministers and corporate leaders from around the world.

Each organization to submit a qualifying entry will receive an Energy Management Insight Award for helping to build global insight on the benefits of energy management systems. The top-ranking submissions from each country will also be shared with the appropriate governments.

Click here to learn more about the CEM Energy Management Leadership Awards. The deadline for submissions is January 24, 2017.

New ISO Technical Specification to Improve Animal Welfare

New ISO technical specification ISO/TS 34700:2016, Animal welfare management – General requirements and guidance for organizations in the food supply chain aims to ensure the welfare of farm animals across the supply chain.

ISO/TS 34700 will help the food and feed industry develop an animal welfare plan that aligns with the principles of the World Organization of Animal Health (OIE) Terrestrial Animal Health Code (TAHC). The standard is the culmination of a joint effort between ISO and the OIE following the signing of a cooperation agreement in 2011.

The technical specification intends to support the implementation of relevant practices to ensure animal welfare in livestock production systems, and will allow business operators in the food supply chain to demonstrate their commitment to animal welfare management.

The working group in charge of developing ISO/TS 34700, ISO/TC 34 WG 16, comprised more than 130 experts representing all regions of the world. The group included strong participation from developing countries and a range of stakeholders including private sectors, competent authorities, and nongovernmental organizations.

Dr. François Gary, convenor of ISO/TC 34 WG 16, said the first beneficiaries of ISO/TS 34700 will be business operators in the animal production food chain including farmers, livestock transport companies, and slaughterhouses.

“By creating a common vocabulary and a common approach to animal welfare management, this ISO technical specification will improve the needed dialogue between suppliers and customers within the food supply chain, especially between primary production and processing operators,” Gary said. “This will be a business-to-business tool.”

ISO/TS 34700 will serve as a helpful tool for the private sector and competent authorities alike to clear up discrepancies in the regulatory framework. Retailers, consumers, and NGOs with an interest in animal welfare protection will be indirect beneficiaries of ISO/TS 34700 as business operators demonstrate their animal welfare commitment.

OIE Director General Dr. Monique Eloit said ISO/TS 34700 will provide an important framework to support the implementation of the OIE’s international standards for animal welfare around the world.

“Consistent implementation of humane and ethical rearing conditions for animals provides certainty for farmers and producers, and confidence for consumers,” Eloit said.

ISO/TS 34700 will undergo systematic review in three years.

ISO 45001 Release Could Extend to March 2018

Based on the latest information on the revision of occupational health and safety standard ISO 45001, the publication date could be extended to March 2018.

ISO/PC 283/WG1, the working group responsible for developing ISO 45001, met three weeks ago in Lithuania to work on text for DIS2 for clauses four to 10. The working group plans to reconvene in February in Vienna to complete the review of the comments received.

Based on current progress and the latest information from the working group, the expected timeline for the publication of ISO 45001 is as follows:

  • February 2017–WG1 meeting to complete a review of comments
  • March 2017–DIS2 to be edited and prepared
  • April/May 2017–DIS2 released for translation
  • June/July 2017–DIS2 ballot held
  • September 2017–PC283 and WG1 meeting to review DIS2 ballot results

If DIS2 is approved and a final draft international standard (FDIS) is not required, ISO 45001 could be published as early as October/November 2017. In the case that an FDIS is required, publication is likely to occur in March 2018.

“Given that work on ISO 45001 first began in 2013, we are now working on a four-year timeline, and the ISO Central Secretariat has approved a nine-month extension,” said Steve Williams, external liaison member of ISO/PC 283 and LRQA systems and governance manager.

“This reinforces the importance of ISO 45001 and the significance of its applicability to organizations around the world.”

Revision of Core Aerospace Standards Complete

The International Aerospace Quality Group (IAQG) has published AS9110:2016 and AS9120:2016, completing the revision of the core aerospace standards.

AS9110 Aerospace Management System for Maintenance, Repair and Overhaul Stations outlines specific requirements that are significant for the maintenance of commercial, private, and military aircraft. AS9110 certification provides an additional layer of control, but does not replace regulatory oversight or customer monitoring.

AS9120 Aerospace Management Systems for Stockist Distributors addresses the chain of custody, traceability, control, and availability of records. AS9120 is applicable to organizations that resell, distribute, and warehouse aircraft parts and other aerospace components.

To drive effective operations in increasingly complex environments, the revision of these standards incorporates the essential changes made to ISO 9001:2015 and additional aerospace, space, and defense stakeholder requirements.

Updates to the AS9100 standards are designed to:

  • Link to the latest version of ISO 9001.
  • Adapt to a changing world.
  • Enhance the ability of an organization to satisfy its customers.
  • Create a consistent foundation for the future.
  • Reflect the increasingly complex environments in which organizations operate.
  • Ensure the standards reflect the needs of all interested parties.
  • Integrate with other management systems.

Organizations currently certified to AS9100, AS9110, or AS9120 will need to successfully transition to the relevant 2016 revision by September 2018.

Auditor Profile: From Cabinet Maker to Key Influencer

Starting his career as an apprentice cabinet maker, David Solomon worked his way up to become a key influence in the construction industry. As executive officer safety and risk at the Master Builders Association of New South Wales, Solomon oversees the safety and risk exposure of the association’s assets in NSW. The Auditor Online speaks to Solomon to learn the secrets of his success.

Solomon has received numerous awards throughout his career. For the past two years, Solomon has won the International Safety Quality Environment Management Association Safety Award which recognizes his commitment to develop a safety-conscious culture in the building and construction industry.

Solomon has also developed four management systems across safety, quality, environment, and integrated management systems.

“I have received comments from people that they are the leanest management systems they had ever seen,” Solomon said. “The secret to writing a good management system is to have everything in sequential order.”

Solomon is also active in the standards development process and is Standards Australia’s representative on the SF-001 committee to develop ISO 45001, the new occupational health and safety standard. Solomon is also on the committee to review ISO 19011, which addresses management system guidelines, among others.

While Solomon has always had a strong work ethic and drive to succeed, it wasn’t until recent years that he really started to develop professionally under the direction of a mentor and a coach.

“If you have someone who has already done it—not to give you the answers—but help you trigger your mind how to arrive at those conclusions it is highly beneficial,” Solomon said.

“Often I’d put my answers forward and my mentor would say, ‘That’s right,’ but you can also do it this way, or another way. It’s good to stop you getting ahead of yourself and see there are other pathways to achieve the same result.

“If you can get someone of the same caliber or higher to check your work without affecting impartiality or confidentiality, that’s another form of mentoring. They might be able to bring to your attention things you may have missed.”

It’s approaches such as these that have led Solomon to develop an “outside the box” approach to thinking and a commitment to develop the best solution for an auditee.

“There are ways to do things that still meet the outcomes without giving a non-conformance. There are other ways of achieving results.”

To boost the public perception of the auditing profession, Solomon said awareness and education is the key—whether it be for auditing, safety, or training.

“A lot of people have the experience. We need to tie that experience, time, and effort back to something tangible.

“There is no point in delivering awareness in an authoritarian way. I often relate the delivery of my messages back to life experiences. You can’t hide behind a document that you have put together.

“We need to bring it back to grass roots—mums and dads, and small to medium enterprises—that’s how to get stakeholder engagement.

“You have to make sure they see the value. If they can’t understand the benefits of getting a third-party audit it’s worthless. The message has to be plausible and then it will grow organically.

“[I encourage people to] have a conversation with someone about auditing, safety, quality, just to get the message out there.”
