Food safety ISO 22000 - from intent to implementation
ISO Management Systems (IMS), Vol. 6, No. 3, May-June 2006. ISSN 1680-8096. © ISO Management Systems, www.iso.org/ims

When Results Count. ISO Standards.
Food safety • ISO 9001 in Saudi Arabia • Consumers and ISO 9001 • S-Class and ISO/TR 14062 • ISO 9001 in the media ?
Globalization and ISO 14001 • Greenhouse gas accounting • ISO 22000 and world trade • People and quality

EDITORIAL
ISO Power
by Roger Frost

Do you want to know a secret ? When I began working for ISO, combining the roles of Editor of what was then ISO 9000 News with that of Press Officer, it was about three months before I received my first enquiry from a journalist. That was back in 1992, before e-mail and Internet had shrunk the wired world to put ISO Central Secretariat in Geneva within minutes or even seconds’ reach of journalists everywhere and when the ISO 9000 phenomenon was bubbling under, but had not quite boiled over onto the pages of the non-technical press.

Now, there are days when it is not unusual to find myself like an air traffic controller with a holding pattern of three or more journalists to serve, each with a different enquiry and different deadline. The worldwide interest in ISO, of which media enquiries and reports are one measure, has really taken off. However, while the trend has been apparent for some time, its extent was difficult to establish.

This is a consequence of the fact that ISO develops standards for just about every industrial and business sector, and for use worldwide. Therefore, almost every print or broadcast media (including Internet ones), in every country, could potentially carry an article on an aspect of ISO’s work. This has made press clipping services prohibitively expensive.

Recently, however, I’ve had the opportunity to try out a new Web-based news report tool which has produced eye-opening results. It has shown that each day, there are hundreds of references to ISO and its standards in online media, company communiqués and other sources. While ISO 9001 and ISO 14001 continue to lead the field, there are articles, reports and references to many other ISO standards, such as for information technology, health care, financial services, food safety and ISO’s new ventures into new domains like standards for nanotechnologies.

This coverage suggests that ISO, if not yet a household name, is on its way to becoming a “brand” recognized internationally. Trusted by engineers for many decades, the ISO “brand”, spearheaded by ISO’s management system standards, has over the last 15-20 years penetrated the company boardroom and government administrations. Now, recognition of ISO has moved up to another level – into the perception of marketers and top brand watchers, as the following experience illustrates.

Edwin Colyer 1), a freelance science and technology writer in the United Kingdom, recently contacted the PR department at ISO Central Secretariat for help with a story idea. He had observed that the ISO brand is now becoming increasingly meaningful to the general public – for whom it generates confidence. His ensuing article was first published online by Brandchannel.com (www.brandchannel.com) under the headline, “Standards : Who Needs Them ?” and then by BusinessWeek Online (www.businessweek.com), under the new headline, “The Power of ISO”. Here are some extracts from Edwin Colyer’s article :

“It is amazing how much three letters can convey. Most people may have never heard of the International Organization for Standardization, but when they see ISO attached to a product or company, they feel more confident. They expect things to be up to standard – nothing shoddy and no cowboy service.

“Marketers can only marvel at such ‘brand’ penetration.
Without any specific logo, colours or typeface, these three letters consistently give customers a feeling of confidence, even though most of them have no idea about the actual contents of any given standard. But standards are good, and that’s all they need to know.”

So, from a situation where not so long ago a reference to ISO in non-specialist circles would have generated the reaction “ISO ? What or who is that ?” we have moved to : ISO = Confidence + Good. That is indeed brand power !

1) E-mail : [email protected]

ISO MANAGEMENT SYSTEMS is published six times a year by the Central Secretariat of ISO (International Organization for Standardization) and is available in English, French and Spanish editions.
Publisher : ISO Central Secretariat, 1, rue de Varembé, Case postale 56, CH-1211 Geneva 20, Switzerland. Tel. + 41 22 749 01 11. Fax + 41 22 733 34 30. E-mail [email protected] Web www.iso.org
Editor in Chief : Roger Frost. Contributing Editor : Garry Lambert. Artwork : Pascal Krieger and Pierre Granier.
A one-year subscription (six issues) to ISO MANAGEMENT SYSTEMS costs 128 Swiss francs. Subscription enquiries : Sonia Rosas-Friot, ISO Central Secretariat. Tel. + 41 22 749 03 36. Fax + 41 22 749 09 47. E-mail [email protected]
Advertising enquiries : ISO Central Secretariat, Case postale 56, CH-1211 Geneva 20, Switzerland. Contact : Régis Brinster. Tel. + 41 22 749 02 44. E-mail [email protected]
© ISO, May-June 2006. The views expressed in ISO MANAGEMENT SYSTEMS are those of the authors. The advertising of products, services, events or training courses in this publication does not imply their approval by ISO.
Cover photo : © ISO

CONTENTS

VIEWPOINT 5
How standards nurture innovation in the cold light of dawn
ISO President, Professor Masami Tanaka, writes : “Many a flash of inspiration, many a hot, new idea, when examined in the cold light of dawn is found to face serious practical barriers to their implementation.” ISO’s speciality, he continues, is developing standards that provide the link between creative ideas and practical implementation as manufacturable and marketable products.

SPECIAL REPORT 7
Food safety ISO 22000 – from intent to implementation
How close is the intent of ISO 22000:2005 and its implementation by users? An expert who took part in its design and development has reviewed feedback from early users and gives some pointers to tackling the issues they raise.

ISO INSIDER 12
• Help for small businesses to implement ISO management system standards
• From farm to fork – ISO 22005 to systemize traceability of food and feed
• ISO/IEC 20000 benchmarks provision of IT service management
• ISO/IEC standard for assessing quality of e-learning
• Can you trust them ? ISO standard for sizing up personal financial planners
• ISO’s work on water services presented at World Water Forum

INTERNATIONAL 21
Do consumers really care about ISO 9001 certification ?
This article presents the results of one of the few surveys carried out by a professional market research organization to uncover just what consumers know or care about ISO 9000.

World’s biggest oil company uses ISO 9001:2000 in giant SAP roll-out
Saudi Aramco, the world’s largest oil company, placed its confidence in ISO 9001:2000 to provide a backbone for supporting the deployment of a massive SAP enterprise resource planning programme.

Globalization and ISO 14001 – trading up or trading down?
Does globalization spur a “race to the bottom”, in which countries relax their environmental regulations in pursuit of foreign trade?

ISO 14000 in China’s Green March to environmental management
By 2005, nearly 13 000 Chinese organizations had achieved ISO 14001 certification.

How to implement an ISO/IEC 27001 information security management system
Experts who developed ISO/IEC 27001 give advice on how to achieve its benefits.
STANDARDS FOR SERVICES 45
After slow start, pace picks up in Germany
The momentum to develop service standards has now built up in Germany and puts the country among the leaders in the field.

NEXT ISSUE 49

ISO 22000 for safe food supply chains. ISO 22000, Food safety management systems – Requirements for any organization in the food chain. Available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]. Looks good. But is it safe ?

VIEWPOINT
How standards nurture innovation in the cold light of dawn
by Masami Tanaka

Professor Masami Tanaka is ISO President 2005-2006. Currently Director General of the Japan Chemical Industry Association (JCIA), he has been very active – at international and national levels – in standardization both in the governmental sphere and in the private sector.

This Viewpoint first appeared in the February 2006 issue of ISO Focus www.iso.org/isofocus

Many a flash of inspiration, many a hot, new idea, when examined in the cold light of dawn is found to face serious practical barriers to their implementation. Brilliant ideas for innovative products and technologies can be so far ahead of their time that even a commonly understood terminology for communicating them may be lacking.

However, for brain-storming new ideas and bringing them to market in record time, few business areas can rival information technology. Fittingly therefore, it was Watts Humphrey, a key thinker on the management of software development, who said : “Innovation is the process of turning ideas into manufacturable and marketable form.”

A similar point was made by Theodore Levitt, the Harvard Business School professor and author who as early as 1973 made the connection between standardization and the then unfamiliar term of “globalization”, when he said : “Creativity is thinking up new things. Innovation is doing new things.”

Today, the need for creativity and innovation is being recognized not only in business and academic circles, but by the world’s political and economic leaders, as indicated by the choice of “The Creative Imperative” as the theme for this year’s World Economic Forum, which took place in January at Davos, Switzerland. The organizers stated : “It is imperative that we learn how to unleash our creative potential to tackle the world’s problems.”

Speciality

We in ISO have something to contribute. Our speciality is developing standards that provide the link between “creative potential” (great ideas) and “tackling problems” (practical implementation). Standardization begins with a creative vision : to transform valued criteria such as quality, ecology, safety, economy, reliability, compatibility, interoperability, efficiency and effectiveness into real attributes of products and services. ISO standards help great ideas to survive the contact with practical realities and support their growth to maturity as “manufacturable and marketable” products.

ISO’s track record provides numerous examples. To take one from the IT field, the MPEG series of standards for the digital coding of audio and visual signals has encouraged the growth of business sectors offering thousands of new products and services in such areas as digital television and photography, mobile telephones, music via the Web and personal audio.

Standardization ensures agreement about essential characteristics such as terminology, safety, performance, compatibility and interoperability. This creates the conditions for new markets to take root and grow, while allowing individual organizations free rein to their creativity in developing differentiated product offerings.
If standardization really stifled innovation in business and technology – as some mistakenly believe – ISO would not in recent years have welcomed new industries such as nanotechnologies, hydrogen technologies, and health and transport informatics. These sectors have turned to ISO for the International Standards they need to facilitate the dissemination of innovative technologies and to help structure markets for them.

Today’s products are increasingly the culmination of global supply chains that need to be aligned. Early standardization of basic, essential characteristics of products allows this alignment to take place efficiently and effectively. In today’s interconnected world, International Standards can provide internationally harmonized solutions to global challenges that are too large for any one company to solve on its own.

Unique

Global challenges need global solutions and ISO, through its national members and organizations in liaison, has a unique framework for bringing together the international expertise that can develop these solutions, and for disseminating them in an orderly and effective manner. ISO standards also ensure that innovative solutions can be transferred to developing countries so that the benefits are also available on a global basis.

Innovative technologies, interconnectivity and global availability raise issues related to intellectual property rights. By allowing patented technologies to be embedded and signalled in its standards, under fair and non-discriminatory conditions, ISO is ensuring the continuing inter-play between innovation and standardization, and that great ideas are brought to market.

ISO standards ensure that innovation survives the reality test.
For innovation, standardization transforms the cold light of dawn into a bright new day.

Photo : Kinkakuji, Kyoto © Pascal Krieger

SPECIAL REPORT
ISO 22000
From intent to implementation

How close is the intent of ISO 22000:2005 and its implementation by users ? An expert who took part in its design and development has reviewed feedback from early users and gives some pointers to tackling the issues they raise.

by Didier Blanc

Author
Didier Blanc is founder and director of ProCert, a provider of training and certification in ISO 9001, ISO 14001 and ISO 22000 management system standards. He is a veterinary surgeon specialized in food hygiene, and a member of Working Groups WG 8 and WG 11 of ISO Technical Committee ISO/TC 34, Food products, responsible for developing ISO 22000:2005, Food safety management systems – Requirements for any organization in the food chain, and ISO/TS 22003, Food safety management systems – Requirements for bodies providing audit and certification of food safety management systems.
Dr. Didier Blanc, Director, ProCert, CH-1015 Lausanne 15, Switzerland. Tel. + 41 79 337 51 39. Fax + 41 21 693 87 20. E-mail [email protected] Web www.procert.ch

ISO 22000:2005, Food safety management systems – Requirements for any organization in the food chain is the first management system standard on food safety to go beyond the recommendations put forward in 1993 by the Codex Alimentarius Commission. Inevitably, the arrival of this brand new standard with its updated approach is accompanied by issues of interpretation and how to meet its requirements.

The main interpretation and implementation challenges revolve around requirements that did not appear in the 12 Hazard Analysis and Critical Control Point (HACCP system) application steps described in the Codex Alimentarius, nor in any of the quality or food safety management systems standards used so far by companies in the food chain (e.g. ISO 9001, BRC, IFS, DS 3027 or others). Table 1 (overleaf) lists and interprets the key new elements.

These innovations mainly relate to the interpretation, consistency and thoroughness of the HACCP method of controlling food safety hazards. Indeed, ISO 22000 is the first standard that not only endorses the Codex Alimentarius recommendations, but also attempts to fill the gaps and inconsistencies brought to light by 13 years of accumulated experience with HACCP.

What’s new?

Figure 1 illustrates the links between ISO 22000 and the 12 HACCP steps and highlights the stages that have been added (broken outline), or significantly altered and consolidated (yellow background).

These innovations apply as much upstream – the requirement for the selection and implementation of appropriate prerequisite programmes (PRP’s) 1), before proceeding to hazard analysis – as to the core of the HACCP system itself : hazard analysis, selection, validation and monitoring of adequate control measures.

A generic requirements-based standard designed for certification purposes cannot provide examples or recommendations, so I will provide some here.

In addition, the systems approach of ISO 22000 states requirements in terms of results rather than means. Although this approach, successfully applied in ISO 9001 and ISO 14001, has been widely supported by representatives of the food industry, it can prompt questions such as the following:
• What do I have to do ?
• What are the baselines ?
• Can I have examples ?
• How will I validate my choices ?
• How can I be sure not to go too far, or not far enough ?
Table 1 – Key innovations of ISO 22000

Clause in the standard | New element

5.5 Food safety team leader | Responsibility and authority for : organizing the team’s training and work ; ensuring the implementation and updating of the system ; reporting to management ; communicating.

5.6 Communication | External communication relating to food safety hazards throughout the food chain (upstream and downstream) ; Internal communication to ensure that the HACCP team is informed in real-time of all changes (e.g. raw materials, facilities and installations, recipes, requirements, etc.) likely to affect the system.

6.2 Human resources | The requirements of (demonstrated) competence of the HACCP team members and the staff having an impact on food safety.

7.2 Prerequisite programmes (PRP’s) | The company should itself select and implement appropriate good hygiene practices (instead of merely applying those imposed upon it).

7.4.2 Hazard identification and determination of acceptable levels | Taking into account the various stages in the food chain (primary production, processing, distribution) where hazards can occur ; Determination of acceptable levels in the finished product.

7.4.4 Selection and assessment of control measures | Selection of (combinations of) control measures associated with hazards assessed as requiring control ; Assessment of the effectiveness of control measures ; Method for assigning these (combinations of) control measures either to the HACCP plan (“conventional” CCP), or to operational PRP’s (new concept).

7.5 Establishing the operational prerequisite programmes (PRP’s) | Establishment of a monitoring system (procedures, responsibilities, corrective actions) for the (combinations of) control measures assigned to the operational PRP’s.

8.2 Validation of control measure combinations | Prior validation of the effectiveness of the (combinations of) control measures to ensure observance of the predefined acceptable level for the relevant hazard.

8.4.2 Evaluation of individual verification results | Systematic review of individual results of the plan and verification (e.g. implementation of operational PRP’s and CCP’s, compliance with acceptable levels, and analysis of products and services, etc.).

8.4.3 Analysis of results of verification activities | Analysis and overall review of the implementation, operation and efficiency of the system and of the trends in terms of hazard control, with management reporting.

1) Prerequisite programme (PRP) : basic conditions and activities that are necessary to maintain a hygienic environment throughout the food chain suitable for the production, handling and provision of safe end products and safe food for human consumption. (ISO 22000).

Investing in skills

In a nutshell, while the requirements for means often involve investment in infrastructure, the obligation to achieve results leads rather to investing in manpower, in the skills of the HACCP team and its leader, and in the staff that impact on the control of food product safety.

However, corporate culture limitations often arise as soon as the qualification and empowerment of staff are involved, while many companies do not have the resources to employ highly trained HACCP management.

In addition to the financial resources needed to fund a team of competent managers and specialists, it may prove difficult to find appropriate training and recruit experts, and develop the necessary experience and skills on the job.

Nevertheless, an organization can find a solution suited to its size and circumstances by measures such as the following :
– integrating supplier or client experts into the team, to bring in hazard control expertise from other levels in the food chain;
– exchanging or sharing HACCP team members, and functions such as internal auditing and data analysis, among several companies;
– using e-learning when the required vocational training is not available in appropriate timeframes, locations or quality 2).

2) See, for example, the HACCP and ISO 22000 courses on the I-Cube Academia platform developed by Liège University, Belgium, and Lausanne Polytechnic, Switzerland – www.i3academia.com

Some examples

One of the difficulties in complying with the requirements of a standard is to find a starting point on which to build the implementation. Examples can help set the right course and boost confidence in the implementation process. Two such examples are described hereafter.

Selection of control measures

Clause 7.4.3, Hazard assessment of ISO 22000 (see Figure 1) serves to determine which of the potential hazards identified require specific control measures. To ensure such control, the standard requires the selection of (or combination of) control measures (clause 7.4.4, Selection and assessment of control measures).

This is likely to prompt questions such as :
• Where do these control measures come from ?
• How do they differ from PRP’s ?
• Should they be selected from the PRP’s – in which case I doubt the value of this additional requirement since the HACCP measure is already in place – or elsewhere ?

The required control measures can be selected either :
– from an organization’s PRP’s (e.g. the slicing sequence of a cross-contamination hazard between cooked meat preparation and air-dried meat products, or a refrigeration chain in the case of fresh products) ;
– beyond the PRP’s, by introducing additional, more advanced technology (e.g. laminar flux, air processing, x-ray detection) ;
– outside the PRP’s relating to that specific business sector, using measures which belong to another level in the food chain (e.g. good agricultural or animal health practices, integrated farming, or EurepGAP certification required by the food industry of its suppliers).

[Figure 1 – ISO 22000 and Codex Alimentarius – What’s new ? Flow chart relating the following ISO 22000 clauses to the HACCP steps of the Codex Alimentarius : 7.2 Prerequisite programmes (PRP) or Good hygiene practices (GHP) ; 7.3.2 Food safety team ; 7.3.3 Product characteristics ; 7.3.4 Intended use ; 7.3.5.1 Flow diagrams ; 7.3.5.2 Description of process steps and control measures ; 7.4.2 Hazard identification and determination of acceptable levels ; 7.4.3 Hazard evaluation ; 7.4.4 Selection and evaluation of control measures ; 7.5 Establishment of operational PRP’s ; 7.6 Establishment of HACCP plan ; 8.2 Validation of combinations of control measures ; 7.8 Verification planning. Legend : elements added to Codex Alimentarius ; HACCP steps according to Codex Alimentarius ; significantly altered and consolidated, compared to Codex Alimentarius.]

For French speakers…

French speakers can find further help on ISO 22000 interpretation and implementation in Didier Blanc’s book ISO 22000, HACCP et sécurité des aliments – Recommandations, outils, FAQ et retours de terrain (ISO 22000, HACCP and food safety – recommendations, tools, FAQ’s and user feedback), on which this article is based. His book illustrates the principles of the new International Standard with practical examples, and is based on answers to the most frequently asked questions (FAQ’s) on food safety management systems, and on the management tools he developed in over 20 years’ food safety experience.

ISO 22000, HACCP et sécurité des aliments – Recommandations, outils, FAQ et retours de terrain (ISBN 2-12-4453114) is published in French by Association française de normalisation (AFNOR), 350 pp, price 42.65 euros, available from www.boutique.afnor.fr

Validation of control measures

Clause 8.2, Validation of control measure combinations, is basically a new requirement introduced by ISO 22000. It relates to the control measures addressing hazards that have been assessed as needing control ; these control measures must then be validated before being implemented.

This might prompt prospective users to declare, “But I have neither the human nor financial resources to perform scientific validations! Isn’t the standard designed mainly for large and wealthy companies alone, and not for the small players?”

ISO/TS 22004, Food safety management systems – Guidance on the application of ISO 22000:2005 can help allay such fears by providing a list of possible approaches. These are presented in Table 2 in the form of a systems approach to implementation based on existing validations within a small company in a specific business sector.

Table 2 – Need for, and methods of, validating control measures according to ISO/TS 22004

Product :
Hazard to be controlled :
Control measure(s) :

Validation methods | Applicable yes/no | Comments
Third-party scientific validation | |
Historical knowledge | |
Simulation of production conditions | |
Collection of data in normal production | |
Admissible in industrial practices | |
Statistical programmes | |
Mathematical modelling | |

Conclusion : internal validation needed ? If so, following which method ?

Where to start?

Once one is convinced that ISO 22000 is the best approach to controlling impacts on the safety of food products, the inevitable question arises, “Just where do I start?”

Much will depend on the company’s certification status in terms of ISO 9001, BRC, IFS, etc. Indeed, certain principles common to all management system standards will have already been assimilated – e.g. control of documents and records, policy, internal auditing, improvement measures, management review.

Sources of help

In addition to the official guidance provided by ISO in ISO/TS 22004, examples of food safety management-related frequently asked questions (FAQ’s) are available on the author’s ProCert Web site – www.procert.ch – which also welcomes new questions in English, French and German. A sample question and answer follows.

Question

I see no difference between PRP (or GMF/GHP’s) and control measures. For me, PRP’s are measures to control existing hazards, otherwise they have no purpose. Moreover, control measures associated with hazards will always be selected from among the PRP’s.

Recommendations of ISO/TS 22004:

ISO/TS 22004 provides the following clarifications in this respect :

ISO 22000 reorganizes the traditional concept of dividing control measures into two groups [prerequisites and measures applied at critical control points (CCP’s)] in a logical order for the development, implementation and control of the food safety management system.
Control measures are grouped into three groups, as follows :
• prerequisite programmes (PRP’s) that manage the basic conditions and activities ; the PRP’s are not selected for the purpose of controlling specific identified hazards but for the purpose of maintaining a hygienic production, processing and/or handling environment (see 7.2 of ISO 22000:2005) ;
• operational prerequisite programmes (operational PRP’s) that manage those control measures that the hazard analysis identifies as necessary to control identified hazards to acceptable levels, and which are not otherwise managed by the HACCP plan;
• a HACCP plan to manage those control measures that the hazard analysis identifies as necessary to control identified hazards to acceptable levels, and which are applied at critical control points (CCP’s).

Answer

In view of the clarifications provided by ISO/TS 22004, the answer seems to be twofold :
1) Yes, strictly speaking PRP’s are control measures, even though in practice it is recommended not to designate them as such in order to avoid confusion.
2) No, PRP’s are not selected to control hazards identified through hazard analysis – this will require specific control measures assigned to operational PRP’s or to the HACCP plan – but to create a suitable hygienic environment that is able to keep to a minimum the likelihood of contamination.

For further guidance, the author recommends establishing contact with an expert in another company, or a consultant or auditor, and visiting Internet forums, specialized clubs and FAQ’s.

The key is to correctly manage HACCP procedures in conjunction with the additional requirements of ISO 22000 which, while introducing consistency, nonetheless require some effort to assimilate.
Early feedback on the use of the standard indicates that one should start by investing in the HACCP skills revisited by ISO 22000 in order to reap the full benefits of the new standard. Once these skills are in place and operational, the rest should follow as a matter of course.

ISO INSIDER

Help for small businesses to implement ISO management system standards

by Roger Frost

Readers of ISO Management Systems were the first to benefit from a series of articles to help small and medium-sized enterprises (SME’s) reap the advantages of implementing quality and environmental management systems based respectively on ISO 9001:2000 and ISO 14001:2004. ISO has now posted the articles in the ISO 9000/ISO 14000 section on its Web site (www.iso.org) as a new edition especially for SME’s.

ISO Secretary-General Alan Bryden commented : “SME’s may mistakenly perceive of International Standards as being only for big business and government. In fact, SME’s too can benefit from the state-of-the-art technology and management practices disseminated by International Standards which also open the door to export markets and participation in global supply chains.

“To encourage SME’s to use International Standards and to become more involved in developing them, ISO and its partners the International Electrotechnical Commission and the International Telecommunication Union have chosen SME’s and standardization as the theme for World Standards Day 2006, on 14 October.”

As a practical measure in support of this theme, ISO has added to the frequently visited ISO 9000/ISO 14000 section on its Web site a number of articles aimed at making it easier for small businesses to implement the ISO 9001 and ISO 14001 standards that were being used by some 760 900 organizations in 154 countries at the end of 2004, according to The ISO Survey.

The articles cover the following topics of particular interest to SME’s :

• Taking the first steps towards a quality management system
Having taken the decision to implement a quality management system, SME’s in particular are often unsure just how to get started. This article takes SME managers through the first steps and is based on advice given in the ISO handbook ISO 9001 for Small Businesses 1).

• Taking the first steps in environmental management
This article explains clearly how an SME can implement an environmental management system so that the process is not a series of hurdles, but rather a set of practical steps towards raising environmental and business performance.

• Quality management consultants : instructions for use
A decision to implement a quality management system may be the organization’s first real contact with the world of ISO 9000 – especially if it is an SME – and many turn to an external consultant for help. This article gives some helpful pointers. It was written by the leader of the group of experts that developed the standard ISO 10019:2005, Guidelines for the selection of quality management system consultants and use of their services 2).

• Implementing ISO 14001: do you hire a consultant, or do-it-yourself ?
This article helps SME managers answer some essential questions. Should you hire a consultant to help with environmental management system implementation, or go it alone? What are the advantages and potential pitfalls ? How can you get best value for money if you hire a consultant, and what are the criteria you should use for choosing one ?
•

1) The English and French editions of this book each cost 48 Swiss francs and are available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]. The Spanish edition published by AENOR (www.aenor.es) may be ordered from that organization: E-mail [email protected]

2) ISO 10019:2005 costs 78 Swiss francs and is available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected].

ISO INSIDER
From farm to fork – ISO 22005 to systemize traceability of food and feed
by Paola Visintin

Paola Visintin is Secretary of Working Group WG 9, Traceability system in the agricultural food chain – General principles for design and development, of ISO Technical Committee ISO/TC 34, Food products. Since 1990, she has been Technical Officer responsible for the food sector with the Italian national standards body, UNI. She has a degree in food technology. E-mail [email protected] Web www.uni.com

The safety of feed and food at any point in the chain from producer to consumer is of worldwide concern. Outbreaks of highly contagious diseases in livestock, such as bovine spongiform encephalopathy (BSE) and foot and mouth disease, and the presence of micro-organisms like salmonella have highlighted the risks of food contamination as never before. The introduction of genetically modified organisms (GMO’s) is another issue. Now, the poultry stock is threatened by avian influenza.

Clearly, an effective system of traceability of feed and food has become crucial to the industry and consumer. In the case of meat, for example, it is essential to be able to trace a single cut of meat sold over the butcher’s counter right back to the animal that provided it.

A traceability system should be able to document the history of the product and/or locate a product in the feed and food chain. It should also contribute to the search for causes of nonconformity and to product withdrawal or recall if necessary.

New standard

The introduction of a new standard on traceability could hardly be more timely. And the good news is that Draft International Standard ISO/DIS 22005, Traceability in the feed and food chain – General principles and basic requirements for system design and implementation, the third standard in the ISO 22000:2005 family of food safety management standards, is nearing publication.

ISO 22005 is intended for organizations operating or cooperating at any stage of the feed and food chain. It does not contain any reference to certification nor combination with other standards. Instead, the choice of certification is left to the user’s discretion, although the standard requires the organization to carry out monitoring, internal audit and review to assess the effectiveness of the system.

Objectives

In defining the objectives of traceability, Working Group WG 9, Traceability system in the agricultural food chain – General principles for design and development, of ISO Technical Committee TC 34, Food products, responsible for the development of ISO 22005, followed the spirit of an existing related standard developed by the Italian national standards body, UNI (www.uni.com) in leaving the choice of objectives to the implementing organizations.

However, ISO/DIS 22005 gives the following examples of objectives, to:
• support food safety or quality objectives;
• document the history or origin of the product;
• facilitate the withdrawal and/or recall of products;
• identify the responsible parties in the feed and food chain;
• facilitate the verification of specific information about the product; and to
• communicate information to relevant stakeholders and consumers.

Thus, safety and compliance with, for example, the European Union’s (EU) general food law regulations are to be considered as only one of the possible applications of a traceability system. This represents the core of the standard, while it is foreseen that in designing a traceability system each element should be considered and justified on a case-by-case basis taking into account the objectives to be achieved, and the cost benefits of applying such a system.

Deadline

WG 9 approved the technical content of the draft in July 2005. It was subsequently submitted to parallel technical enquiry in ISO and the European Committee for Standardization (CEN) as prEN ISO 22005, with a deadline for completion of April 2006.

The progress of the draft is being closely watched by many interested parties and collaborators. Organizations liaising with WG 9 in this endeavour include CIAA (Confederation of Food and Drink Industries in UE), EAN International (International Article Number Association), CIES (Food Business Forum facilitating the Global Food Safety Initiative) and UNIDO (United Nations Industrial Development Organization).

In the development of ISO/DIS 22005, experts from Canada, Denmark, France, Germany, India, Italy, Japan, Poland and the USA shared their visions on traceability, to ensure that the standard would reflect the views of all participating countries, and represent an agreed approach to a system of traceability.

Work on ISO/DIS 22005 started in June 2001 with circulation of a new work item proposal on principles for the design and development of traceability systems in the agricultural food chain among ISO/TC 34 members. Attached was the English translation of the relevant UNI standard, published two months before. Indeed, UNI considers traceability a crucial matter for the food sector and a fundamental tool for the development of a food management system.

Any agricultural food chain organization was deemed to have an interest in a traceability system designed to protect hygienic and sanitary standards, and establish clear and safe marketing principles. This intent was in line with the new European Commission regulations on food safety, introduced in a White Paper in January 2000, establishment of the European Food Safety Authority (EFSA), and publication of the first Regulation (EC) N° 178/2002 on general food law. This describes traceability as an important element in the identification of any supplier of a feed and food. It also requires operators to establish systems and procedures to identify all destinations for their products, and to provide labels to facilitate traceability.

In 2002, CEN promoted its Food Strategy on European Food Standardization, in support of EU regulations and in cooperation with existing food safety and food trades institutions, to ensure consistency with the global market. This became part of a network including Codex Alimentarius, ISO/TC 34, National Standard Bodies and the EFSA.

Important tool

WG 9 members see this new International Standard as an important tool to help feed and food stakeholders achieve transparent and fruitful dialogue, and achieve compliance with an internationally recognized system of traceability – one of the most fundamental aspects of food safety management. We expect ISO 22005 to be widely applied across the feed and food chain.
Its content is at the same time sufficiently generic to accommodate cultural differences around the world, while detailed enough to convince stakeholders of the value of harmonising objectives, managing the flow of information and avoiding the misunderstandings that can lead to loss of time, money and human resources. At the same time, trade in food products will be facilitated through the worldwide use of the standard. •

ISO INSIDER
ISO/IEC 20000 benchmarks provision of IT service management
by Elizabeth Gasiorowski Denis

A new ISO/IEC standard for benchmarking the management of information technology services integrates the process-based approach of ISO’s management system standards – ISO 9001:2000 and ISO 14001:2004 – including the Plan-Do-Check-Act (PDCA) cycle and requirement for continual improvement.

With up to 80 % of information technology (IT) budgets of most organizations directly linked to service management processes, ISO/IEC 20000:2005, Information technology – Service management, is expected to result in cost savings for users, whether large or small enterprises, as well as increased productivity and improved customer service.

Developed by ISO and its partner the IEC (International Electrotechnical Commission), ISO/IEC 20000 will enable organizations to benchmark their capability in delivering managed IT services, measuring service levels and assessing performance.

Today, IT service providers are under sustained pressure to deliver high quality service at minimum cost. Concerns have been raised that IT services, whether provided by an in-house IT department or an external organization, are not aligned with the needs of the business and its customers.

Best value

ISO/IEC 20000 will reduce operational exposure to risk, meet contractual and tendering requirements, demonstrate service quality and deliver best value. The implementation of ISO/IEC 20000 will ensure proactive working practices able to deliver high levels of customer service to meet their business needs.

“Organizations will reap major business and financial benefits by ISO/IEC 20000 adoption,” says François Coallier, Chair of the ISO/IEC group that developed the standard. “These service management processes deliver the best possible service to meet a customer’s business needs within agreed resource levels, i.e. service that is professional, cost effective and with risks that are understood and fully managed.”

ISO/IEC 20000:2005, which is issued in two parts, will enable service providers to understand how to enhance the quality of service delivered to their customers, both internal and external.

Part 1: Specification, provides requirements for IT service management and is relevant to those responsible for initiating, implementing or maintaining IT service management in their organization.

Part 2: Code of practice, represents an industry consensus on guidance to auditors and assistance to service providers planning service improvements or to be audited against ISO/IEC 20000-1:2005.

Certified

Organizations that so wish can have their IT service management systems independently certified as conforming to the requirements of ISO/IEC 20000. The new standard is based on the British Standard BS 15000 and is integrated with the ISO and IEC collection of software and systems engineering standards.

ISO/IEC 20000-1:2005 costs 81 Swiss francs and ISO/IEC 20000-2:2005 costs 124 Swiss francs and is available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]. •

Elizabeth Gasiorowski Denis is a journalist in the Public Relations department of ISO Central Secretariat. E-mail [email protected] Web www.iso.org

ISO INSIDER
ISO/IEC standard for assessing quality of e-learning
by Elizabeth Gasiorowski Denis

A new International Standard aims to harmonize the various approaches used around the world for assessing the quality of e-learning initiatives.

“The standard represents the harmonized international know-how on quality for e-learning,” explains Bruce Peoples, Chair of the ISO/IEC group that developed the standard. “By having comparable and commonly understood requirements and criteria, there will be a better match between the needs of users, purchasers and providers.”

The acceptance of e-learning by the market is dependent on the quality of the related products, services and tools. A harmonized conception of e-learning quality is a prerequisite for a properly functioning market in e-learning products and services and for their overall quality to continually improve.

ISO/IEC 19796-1:2005, Information technology – Learning, education and training – Quality management, assurance and metrics – Part 1: General approach, provides an overall framework which can be used for introducing quality approaches in all provider and user organizations of e-learning.

The standard will make it easier to compare and evaluate the relative merits of different initiatives. It will provide a collection of reference methods that can be used to manage and ensure quality in different contexts. This part will further provide a collection of reference metrics and indicators that can be used to measure quality in processes, products, components, and services.
The standard harmonizes the international conception of e-learning quality by creating a coherent inventory of the diverse processes which affect the attainment and preservation of e-learning quality. These processes embrace all e-learning application scenarios, such as content and tool creation, service provision, learning and education, monitoring and evaluation, and life cycle stages – from continuous needs analysis to ongoing optimization.

Innovation

According to Bruce Peoples: “The standard will reduce the cost and complexity of adopting quality approaches and, at the same time, bring new or improved products and services to the market. This will have the effect of enhancing the level of innovation, diversity of supply and procurement intelligence in the market.”

Mr. Peoples is a systems engineer with the US company Raytheon. He currently leads research projects in the field of advanced intelligent multilingual systems. E-mail Bruce_E_Peoples@raytheon.com

ISO/IEC 19796-1 is the first part of an overall framework which is due to be developed over the next two years and that will include the following documents:

1. Part 2: Quality model, will harmonize the aspects of quality systems and their relations and will provide orientation for all stakeholders. It will not enforce any particular implementations but will, instead, focus on their intended results.
2. Part 3: Reference methods and metrics, will harmonize formats for describing methods and metrics for quality management and assurance.
3. Part 4: Best practice and implementation guide, will provide harmonized criteria for the identification of best practice, guidelines for the adaptation, implementation, and usage of this multi-part standard, and will contain a rich set of best practice examples.
ISO/IEC 19796-1 has been developed by ISO/IEC Joint technical committee JTC 1, Information technology, subcommittee SC 36, Information technology for learning, education and training.

The standard costs 212 Swiss francs and is available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]. •

Elizabeth Gasiorowski Denis is a journalist in the Public Relations department of ISO Central Secretariat. E-mail [email protected] Web www.iso.org

ISO INSIDER
Can you trust them? ISO standard for sizing up personal financial planners
by Antoinette Price

Many business managers and professionals need to plan not only for the future of their enterprise, but also for their personal finances. They will be interested in the first International Standard that will help people to decide whether or not they can be confident about the ethics and competence of professionals proposing advice on planning their personal finances.

ISO 22222:2005, Personal financial planning, is aimed at increasing client confidence by providing an internationally agreed benchmark for a high global standard of service.

Up until now, people seeking advice on how to plan their retirement or best invest their savings have been confronted with similar problems the world over. There is a vast choice of investment schemes, legal frameworks vary from country to country, and investments can go wrong. With so many financial planners to choose from, how can they know who to trust and how should they compare the different schemes on offer?

For example, according to the technical committee that developed the standard, ISO/TC 222, Personal financial planning, the number of financial planners in the United States alone ranges from 800 000 to several million, depending on the definition of “planner”.

Ethical

“An International Standard for financial planning will provide simplification for the client by setting forth requirements to assure that the client is well served by financial planners who have met the highest ethical and educational standards”, said Stuart Kessler, Chair of ISO/TC 222.

The standard defines six steps of the personal financial planning process:
• establishing client/planner relations;
• determining goals and gathering data;
• evaluating the client’s financial status;
• developing and presenting the financial plan;
• implementing recommendations; and
• monitoring the plan recommendations.

ISO 22222:2005 is built on a framework that applies to all aspects of the personal financial planner’s ethical behaviour, and requires compliance with applicable rules and regulations. It gives the requirements for competence performance and competence assessment methods, and obliges the financial planner to demonstrate continued competency by following the necessary training programmes and maintaining records of these.

The standard additionally specifies the requirements, content, and length of experience a personal financial planner must have and is applicable to all personal financial planners regardless of their employment status.

“Experts from a variety of legal, economic and cultural backgrounds from more than 17 countries have authored a unique and pioneering goal-oriented standard,” said Holger Muehlbauer, Secretary of ISO/TC 222, established in 2001 to create an internationally accepted benchmark for providers of personal financial planning.

ISO 22222:2005, Personal financial planning, costs 112 Swiss francs and is available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]. •

Antoinette Price is a journalist in the Public Relations department of ISO Central Secretariat. E-mail [email protected] Web www.iso.org

ISO INSIDER
ISO’s work on water services presented at World Water Forum
by Elizabeth Gasiorowski Denis

Expected to be issued in 2007, the suite of ISO standards (ISO 24510, ISO 24511 and ISO 24512) is being developed to serve as a tool to assess organizations involved in the provision of water services (water supply and wastewater utilities).

Designed for maximum flexibility, the standards are applicable in industrialized as well as in developing countries, in big cities or small towns, irrespective of whether the responsible body or utility operator is private or public.

The suite of future ISO standards for the assessment of water and wastewater services was featured in the programme of side events to the 4th World Water Forum, which was held on 16-22 March 2006 in Mexico City, Mexico.

The implementation of the standards will help water authorities and their operators to achieve a level of quality that best meets the expectations of consumers and the principles of sustainable development.

ISO Secretary-General Alan Bryden commented: “Water is a worldwide challenge for the 21st century and many countries are still not on track to reach the water-related targets of the Millennium Development Goals. ISO is providing internationally-recognized guidance documents for improving governance, quality and efficiency of water services.

‘Shining example’

“Without sustainable water management to ensure that there are sufficient supplies of clean, safe water, the health of ecosystems and those who depend on them will suffer.
These ISO standards are a shining example of what standardization can achieve for a sustainable world.”

The World Water Forum was an initiative of the World Water Council, which aims to raise awareness of water issues all over the world. As the main international event on water, its aim was to facilitate multistakeholder participation and dialogue to influence water policy-making at a global level, thus assuring better living standards for people worldwide and a more responsible social behaviour towards water issues, in line with the pursuit of sustainable development.

The future ISO standards on water services are being developed by ISO technical committee ISO/TC 224, which was established in 2001 following a proposal from ISO’s French member, Association française de normalisation (AFNOR – www.afnor.fr). Many different stakeholders participate in its work, including representatives from national and local water authorities, public and private water operators, consumer organizations and NGO’s, as well as numerous international organizations.

These ISO standards were presented in Mexico together with presentations of local projects on water and wastewater management from Latin America, Africa, Asia, and Europe. A panel of representatives from the Inter-American Association of Sanitary and Environmental Engineering (AIDIS), African Water Association, United Nations – Department of Economic and Social Affairs, World Health Organization, and the Argentinian standards body IRAM (www.iram.com.ar) discussed the implementation of the ISO standards in developing countries. •

Elizabeth Gasiorowski Denis is a journalist in the Public Relations department of ISO Central Secretariat. E-mail [email protected] Web www.iso.org

ISO/IEC 17025:2005. The international accreditation standard for competent laboratories.
Confidence in the competence of laboratories is frequently needed
• by businesses when testing new products, or ensuring that finished products are fit for sale
• by government regulators and trade officials who require assurance about domestic or imported products before they can be placed on the market
• by consumers and users of products who need assurance about the quality and reliability of testing and analysis relating to environmental, health or safety hazards.

Competent laboratories operate to International Standards. Competent laboratories operate to ISO/IEC 17025:2005.

Available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected].

Definitely, one good ISO standard could change your business – for the better. ISO has more than 16 000 great standards for you to choose from!

INTERNATIONAL
Do consumers really care about ISO 9001 certification?
by James Tannock and Henry Brown

James Tannock (left) is a Reader in Quality and Operations Management at the Nottingham University Business School, Nottingham, United Kingdom. E-mail James. [email protected] Web www.nottingham.ac.uk/business/ Web www.nottingham.ac.uk/cqgsc/index.phtml

Henry Brown (right) was an undergraduate at the Nottingham University Business School when the survey on which this article is based was carried out. He now works as a consultant at Computer Futures Solutions.

This article is a rarity. It presents the results of one of the few surveys carried out by a professional market research organization to uncover just what consumers know or care about ISO 9000. The findings are of vital interest to the thousands of organizations worldwide that invest in ISO 9001:2000.
Wouldn’t it be useful for companies that invest in ISO 9001:2000 implementation and certification to have some hard data on whether this improves how consumers perceive their organization, its products and services?

Many surveys on the impacts and benefits of the ISO 9000 quality management standards have been carried out, but most have dealt with business-to-business relationships and issues. This article breaks new ground in presenting the main findings of a survey to discover the knowledge, perceptions and attitudes of consumers towards ISO 9000.

Little evidence

Previous to this survey, which was carried out in the United Kingdom, there has been little direct evidence that the ISO 9000 standards have had a significant impact on consumers, either in terms of knowledge and attitudes, or by improving their perception of product or service quality.

A frequently advanced argument for certification to an ISO 9000 series standard is the fact that customers require it, or prefer suppliers to be certified to the standard. A number of studies and surveys support this view.

Results reported by Buttle (1997) suggest that marketing advantages are the third most important motivation for companies to obtain certification and also that their customers were generally more satisfied. In a survey reported by Corbett et al. (2003), in which more than 5 000 companies from 15 countries responded, increased customer satisfaction was the fourth most important benefit.

It should be noted, however, that such reports are often in the context of business-to-business transactions and relationships, or do not specify the type of customer (Casadesús & Giménez, 2000).

There is some anecdotal evidence of benefits to the consumer.
Certification bodies claim that ISO 9001:2000 certification increases consumer confidence, but evidence concerning the extent to which consumers know about the standards, or perceive them to be beneficial in their interactions with businesses, is very scarce (Ferguson, 2004).

British research

This article reports on research carried out to investigate the knowledge, perceptions and attitudes of British consumers towards ISO 9000. The ISO 9000 series standards have had widespread diffusion in Britain and were preceded by very similar national standards – the BS 5750 series. Hence the situation as regards consumer knowledge and attitudes should reflect the mature nature of ISO 9000 adoption in the country.

The research questions were as follows:
• How many consumers are aware of ISO 9000?
• Do those who are aware of it, perceive it to be an indicator of superior quality?
• Do consumers have more trust in companies with ISO 9000?
• Are they more likely to purchase goods and services from such companies?

The answers to such questions are significant to businesses that may be considering ISO 9001:2000 certification.

Survey methodology

The study was carried out by “omnibus survey”, undertaken by a professional market research organization. This is a well-established technique for investigating the views of populations and is popular due to its relative cheapness, speed and representative nature. An omnibus is so called because various customers pay to “get on the bus” by having questions included in the survey, hence sharing the fixed costs.

The ISO 9000 study used an in-home face-to-face technique, the Capibus service carried out by Ipsos, a leading survey organization, which interviewed 1 012 British adults during March 2004, representing a weighted base of 984 adults.

The survey used random location design with pre-set quotas within each gender for age and working status. Respondents were interviewed using a standard set of questions, developed by the authors, the questions being displayed by the interviewer in a specified sequence using a portable computer, which can also display illustrations to the respondent. The interviewer’s computer recorded the answers and automatically routed to the appropriate follow-up question for the answer given.

Initial questions established the awareness level of respondents, either spontaneous or prompted, to the standards and typical certification symbols. Later survey results could then distinguish between attitudes expressed by respondents who were already aware of ISO 9000 series standards, and those who were previously unaware.

The next questions followed up for those who were already aware of ISO 9000, enquiring about the origin of such awareness, whether the respondent had knowingly purchased products or services from a certified company, and the nature of the purchase(s).

The interview then moved on to present eight propositions to the respondents, to which they indicated the extent of their agreement. The direction of propositions was deliberately varied, some being positive in tone towards ISO 9000, whilst others were negative.

Consumers possess greater levels of trust and confidence in ‘ISO 9000’ products and services

Finally, two questions explored the importance that consumers might attach to “ISO 9000 certification” for various types of purchase, compared with other factors.

All questions used simple wording, to make them understandable to the general consumer. For example, questions referred to “ISO 9000”, instead of “ISO 9001:2000” – which is the only certification standard in the ISO 9000 series – to
For example, questions referred to “ISO 9000”, instead of “ISO 9001:2000” – which is the only certification standard in the ISO 9000 series – to avoid confusing the respondents, although in many cases the strictly correct wording would have referred to ISO 9001:2000. Phrases such as “products with ISO 9000” were also used, rather than a more accurate phrase such as “products manufactured by companies holding certification to ISO 9001:2000”.

Survey results

Awareness of quality management standards

The first question attempted to uncover spontaneous awareness of quality management-type standards. Of unprompted respondents, 84 % could not name any quality standard. However, of the 16 % who did, over half (8 %) named ISO 9000. The next most commonly named “standard” were various answers referring to the generic “Kitemark” logo for British Standards Institution (BSI) product standards. This was mentioned by 2 % of respondents.

Respondents who had not spontaneously mentioned ISO 9000 were then asked if they had heard of ISO 9000. From this base, 19 % were aware of the standards. Combining results from these questions using a weighted base, total awareness of ISO 9000 was 26 %.

Awareness of ISO 9000 logos

All the respondents were shown two logos – or symbols – of the type used by companies to indicate ISO 9000 certification 1). One was typical of the superseded ISO 9002 standard; the other represented an ISO 9001:2000 certification. 17 % of the respondents had seen such symbols before. In a follow-up question, respondents who had responded positively were asked, “Where have you seen this symbol?” Answers included “at work” (43 %) or “in shops/when buying goods” (25 %). The large proportion of respondents that had seen the symbol at work reflects the considerable number of organizations in the United Kingdom with ISO 9001:2000 certification. Other respondents had seen the symbol in business directories (15 %), magazines (9 %) or newspapers (7 %).

A further follow-up question asked previously aware respondents if they had ever purchased a product or service from a company displaying this symbol. 46 % of people had done so. When asked what type of product/service had been purchased, the responses were not very informative: 65 % of answers were categorized as “other” or “don’t know”. Other responses mentioned food products (9 %) and electrical goods (26 %).

Attitudes to and perceptions of ISO 9000

Two questions were used to assess consumer attitudes and perceptions to ISO 9000. In each, four propositions were made to respondents who then stated the extent of their agreement. A Likert scale was used, where “strongly agree” scored five points and “strongly disagree” scored one point. All respondents were asked these questions and typically, approximately 60 % of them “did not know”, reflecting the high level of interviewees who were unaware of ISO 9000.

Tables 1 and 2 summarize the responses, showing the mean score for various categories of respondent. The results shown in these tables give a clear message: awareness of ISO 9000 improves positive attitudes towards the standard and also towards companies which have adopted it and use an ISO 9000 logo or symbol. In every case, prior awareness and (especially) having bought a product or service “with ISO 9000” results in more positive attitudes.

Proposition | Overall base of respondents | Those who spontaneously mentioned ISO 9000 | Total respondents aware of ISO 9000 | Respondents who had bought product/service “with ISO 9000”
“Products with ISO 9000 are better quality than those without” | 3.41 | 3.79 | 3.79 | 4.04
“Companies only belong to ISO 9000 to try and sell more products” | 3.16 | 3.06 | 3.16 | 2.91
“Products with ISO 9000 are more expensive than those without” | 3.06 | 2.78 | 2.94 | 2.98
“ISO 9000 is just another meaningless symbol” | 3.05 | 2.17 | 2.55 | 2.03
Table 1 – Consumer opinions of ISO 9000 – on scale of one (strongly disagree) to five (strongly agree).

Proposition | Overall base of respondents | Those who spontaneously mentioned ISO 9000 | Total respondents aware of ISO 9000 | Respondents who had bought product/service “with ISO 9000”
“I would be more confident buying a product with the ISO 9000 symbol than one without” | 3.37 | 4.06 | 3.86 | 4.23
“The ISO 9000 symbol would make no difference to my choice of product/service” | 3.25 | 2.84 | 2.94 | 2.77
“I would be more likely to contact a company using ISO 9000 in its adverts than one without” | 3.12 | 3.70 | 3.52 | 3.77
“I would trust a company using ISO 9000 in its adverts more than one without” | 3.35 | 4.05 | 3.83 | 4.08
Table 2 – Attitudes to and perceptions of ISO 9000 – on scale of one (strongly disagree) to five (strongly agree).

1) There is no ISO 9000 or ISO 9001:2000 logo or symbol available from or approved by ISO for use in connection with certification. The reason is that ISO itself does not carry out certification and does not approve certifications, which are carried out independently of ISO by certification bodies. In addition, ISO does not allow the ISO organizational logo to be used in connection with certification. Guidelines with more information on these and related issues are available on the ISO Web site at www.iso.org, and in the brochure Publicizing your ISO 9001:2000 or ISO 14001:2004 certification. Certified companies may apply to use the logo or symbol of their certification bodies, or design their own logo or symbol.
These results indicate that it would be beneficial for companies having certification to promote increased public awareness of ISO 9000, because increased levels of consumer awareness should improve levels of confidence and trust in their products and services.

Importance of ISO 9000 in purchasing decisions

The final survey questions attempted to discover more about the importance of ISO 9000 certification in consumer purchasing decisions. A list of products and services was offered and respondents were asked if they had purchased each product/service for their home over the previous year. The products/services offered to the respondents, together with percentages who had purchased them, are shown in Table 3 (38 % reported that they had not purchased any of these products/services).

Respondents who had purchased products or services were asked which factors most affected their purchasing decision, being offered the following options:
a) Conformity to a quality standard such as ISO 9000
b) Brand/company’s reputation
c) Cost
d) After sales service
e) Knowing the product will last

The table shows that conformity to a quality standard (column a) is less important as a factor in purchase decisions than most other factors, but still an issue, with more than 10 % of respondents ranking it the most important factor. The mean percentage of all respondents ranking it first for the six services offered was 13 %, whilst for the four products listed, the average ranking was 6.25 %. Considering only respondents previously aware of ISO 9000 (Table 4), 18.3 % considered ISO 9000 certification the most important factor. For services, 23 % and for products, 11.25 % rated it the most important factor.

Product/service | % purchased | a | b | c | d | e
Kitchen/bathroom fitter | 7 | 12 | 31 | 32 | 1 | 13
Double glazing fitter | 7 | 13 | 36 | 37 | 1 | 13
Heating engineer | 12 | 12 | 41 | 28 | 9 | 10
Plumber | 14 | 9 | 46 | 25 | 7 | 12
Electrician | 8 | 19 | 38 | 32 | 4 | 7
Builder | 7 | 13 | 54 | 20 | 7 | 6
Domestic appliance | 22 | 9 | 27 | 40 | 4 | 20
Furniture | 19 | 4 | 20 | 46 | 3 | 28
Home electrical goods (e.g. TV, stereo) | 29 | 7 | 36 | 39 | 4 | 13
Garden machinery | 6 | 5 | 24 | 50 | 6 | 15
Mean % ranking most important | | 10.3 | 35.3 | 34.9 | 4.6 | 13.7
Table 3 – Ranking of purchasing factors for products and services (all respondents). Columns a to e give the % ranking each factor as the most important purchasing decision factor.

Product/service | All respondents | Respondents aware of ISO 9000
Kitchen/bathroom fitter | 12 | 28
Double glazing fitter | 13 | 33
Heating engineer | 12 | 10
Plumber | 9 | 14
Electrician | 19 | 42
Builder | 13 | 11
Domestic appliance | 9 | 15
Furniture | 4 | 8
Home electrical goods (e.g. TV, stereo) | 7 | 8
Garden machinery | 5 | 14
Mean % of respondents | 10.3 | 18.3
Table 4 – Percentage of “previously aware” respondents ranking conformity to a quality standard such as ISO 9000 the most important purchasing factor.

Conclusions

The United Kingdom has perhaps the most mature usage of the ISO 9000 series standards, worldwide. Nevertheless, the authors were surprised to find that more than one quarter (26 %) of the general adult population was already aware of the standards. Less surprisingly, awareness was concentrated among working people, was higher among males, in higher income groups, in higher-status social grades and aged between 35 and 54. This probably reflects the higher probability that such people will be influenced by working in a business environment, in which ISO 9000 is well known.

The results also suggest positive attitudes towards ISO 9000 and companies certified to the standard. People tend to perceive products and services associated with ISO 9000 as being of higher quality. In particular:
• Consumers are more likely to contact a company if it uses “ISO 9000” in the labelling and marking of its products/services 2).
• Consumers possess greater levels of trust and confidence in “ISO 9000” products and services.
• The labelling of products/services with a logo denoting “ISO 9000” is likely to cause consumers to prefer them.

More economically active consumers are more likely to have a positive view of ISO 9000. Again, positive attitudes tended to peak in ages 35-44, to be higher among men, among working people and to be associated with higher-status social groups and higher incomes.

More positive attitudes are also associated with greater awareness, the most positive being among consumers who were spontaneously aware of ISO 9000 and those who had purchased a product or service “with ISO 9000”. These results suggest that businesses could benefit by increasing the general awareness levels of ISO 9000 in their consumer market.

The results of the questions asking about the importance of ISO 9000 certification in making purchasing decisions also suggest potential business advantage from wider consumer knowledge about the standard, especially for services provided directly to the consumer. This is a business area where British companies’ advertising material more frequently mentions “ISO 9000 certification”, or displays an ISO 9000 logo. Consumers who were already aware of ISO 9000 were more likely to choose this factor as the most important issue in purchasing decisions.

Overall, the survey results suggest that “ISO 9000 certification” – in actual fact, ISO 9001:2000 certification – presents potential business and marketing advantages for a company when dealing directly with the consumer. In the authors’ view, these results probably reflect an improved consumer experience when dealing with an ISO 9001:2000 certified organization.

2) ISO’s brochure Publicizing your ISO 9001:2000 or ISO 14001:2004 certification (available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]) states: “…ISO 9001:2000… certification marks of conformity should not appear on products, product labels or product packaging, or in any way that might be interpreted as denoting product conformity.”

Acknowledgement

The authors would like to thank the United Kingdom consumer organization Which? (www.which.net), a member of Consumers International (www.consumersinternational.org) and the Which? staff, in particular Malcolm Basset, for promoting and supporting the research which led to this article.

References

Buttle, F. 1997, “ISO 9000: marketing motivations and benefits”, International Journal of Quality and Reliability Management, Vol. 14, No. 9, pp. 936-947.
Casadesús, M. and Giménez, G. 2000, “The benefits of the implementation of the ISO 9000 standard: empirical research in 288 Spanish companies”, The TQM Magazine, Vol. 12, No. 6, pp. 432-441.
Corbett, C.J., Luca, A.M., and Pan, J.-N. 2003, “Global perspectives on global standards: a 15-economy survey of ISO 9000 and ISO 14000”, ISO Management Systems, January-February 2003.
Ferguson, A. 2004, “Do management standards benefit consumers?”, Consumer Policy Review, Vol. 14, No. 2.
World’s biggest oil company uses ISO 9001:2000 in giant SAP roll-out

Saudi Aramco, the world’s largest oil company, placed its confidence in ISO 9001:2000 to provide a backbone for supporting the deployment of a massive SAP enterprise resource planning programme that has already seen SAP training for more than 144 600 employees since 2000.

by Tom Bartridge

As the world’s largest oil and gas producer, Saudi Aramco does things in a big way, including when it comes to striving for excellence in everything it does by following three key company attributes: performance, reliability and innovation. And this drive for excellence motivated the company’s choice of ISO 9001:2000 as a key tool for the deployment of a major training and change management process.

Like all organizations with vision and mission statements, Saudi Aramco faced the challenge of translating its ideals of performance, reliability and innovation into reality. To begin, the company decided to implement SAP across the organization to streamline performance and improve reliability of day-to-day operations.

But what exactly is SAP? SAP AG, one of the world’s leading enterprise resource planning (ERP) software providers, has captured 33 % of the worldwide market. “SAP” is an abbreviation for Systems, Applications and Products in Data Processing – a software programme used by 80 % of Fortune Global 100 companies. The software is highly flexible and can be customized to meet the unique needs of individual industries and companies.

Wide-ranging

In fact, SAP solutions within Saudi Aramco make up one of the largest and most wide-ranging ERP system installations in the world. Saudi Aramco’s SAP solutions cover an amazing range of business functions including the core areas of drilling, hydrocarbon management, plant maintenance, supply chain management, materials management, warehouse management and generally all information that aids in strategic business planning. SAP solutions also cover human resources, payroll and benefits, performance management, finance, quality management, strategic enterprise management, projects and capital planning, aviation, medical, transportation and fleet management, e-training and professional certification.

This widespread and remarkable undertaking was promoted by Ibrahim Al-Mishari, then Saudi Aramco Corporate Information Technology (IT) Vice-President and Ahmed Al-Zayyat, the SAP Computer Center General Manager. Both strongly encourage the “drive for excellence” and an innovative atmosphere. In addition, one of the strongest champions of innovation is Fouzi Bubshait, Director of the SAP Training & Change Management Department whose philosophy is “the best way to see the future is to design it yourself.”

The main focus of the SAP Training & Change Management Department is to ensure the success of the numerous SAP applications within Saudi Aramco by providing communications support, expertise in change management, training material development and delivering training to ensure user needs are met. By focusing on these primary functions, the department has developed specific criteria and processes that provide world-class services to their customers.

Ensuring quality standards are adopted is challenging in any environment and due to the size of Saudi Aramco’s SAP project the task seemed overwhelming. But what exactly does “overwhelming” mean in this context?

Training

As one example, let’s look at developing and delivering training. More than 144 600 employees have attended SAP training since 2000 with the main training campaigns taking place to support major implementations at the end of 2001 and 2004. Although many users received training in more than one function, there is no denying that the number of participants has been enormous (see Figure 1) and the programme is still continuing.

Figure 1 – Number of Saudi Aramco employees in receipt of SAP training 2000-2005.

Making sure each SAP application is implemented successfully is critical to Saudi Aramco’s strategic business objectives since SAP solutions are expected to be operating within Saudi Aramco for years to come.

“Establishing an atmosphere of continual improvement in the SAP Computer Center was one of the best ways of providing value-added services,” noted Ahmed Al-Zayyat.

One way of adding value was to align SAP Training & Change Management responsibilities with the requirements needed to support SAP deployment throughout the company. A business transformation team was put together and it developed an on-line methodology that defined the functions, activities, tasks and roles required. In addition, the on-line process was also used to identify the specific competencies needed to support the SAP deployment activities. The results of this endeavor were noteworthy for two reasons. First of all, the organizational realignment that took place laid the groundwork for ISO 9001:2000 certification and secondly, the process was so unique that a provisional patent was received on the methodology developed by Saudi Aramco personnel.

Primary focus

This is where Saudi Aramco’s ISO 9001:2000 certification enters the picture. ISO establishes standards that are consistently applied to materials, products, systems, testing, analysis, manufacturing and services. In this way, certification of conformity to an ISO standard provides benefits to business, consumers and, of course, to society as a whole.

Within the Training & Change Management Department, the primary focus of the ISO 9001:2000 certification involves services provided by SAP training services, communication, change management, end-user learning, administration and quality functions.

Acquiring ISO 9001:2000 certification was no easy task so Fouzi Bubshait and his team laid out a comprehensive plan to ensure the department’s success. The first step involved training the entire department’s staff on the quality management principles on which the ISO 9000:2000 series is based and on the certification process. This was followed by two ISO 9001:2000 auditor training workshops where 23 individuals, including division heads and managers, learned how to conduct conformity audits. The ISO 9001:2000 task force was also responsible for developing a quality plan and establishing the department’s quality system.

Once the auditor training was completed, the team focused its attention on analyzing existing processes, reviewing and redesigning standards and finally developing a quality manual. This approach recognized the importance of understanding and meeting customer requirements, as well as ensuring that all departmental processes add value to the business.

What made this accomplishment unique was that the entire process, from procedures to process flow diagrams, was completed on-line through a dedicated Web site instead of relying on a paper-based system.

Next, internal audits were conducted throughout the Training & Change Management Department. The internal auditors completed 28 formal audits during a five-day inspection period and identified 81 nonconformities that had to be addressed before the final certification audit could be conducted.

In mid-December 2005, the certification body auditors completed their audit of the Training & Change Management Department’s quality management system and recommended ISO 9001:2000 certification. This achievement was remarkable because the entire implementation and certification process was completed in only 16 weeks, compared to the average 24 weeks most companies require to achieve certification.

Management commitment

What made Saudi Aramco so successful at tackling the implementation and certification process? The most important factor was having management commitment during every phase of the process. Management team members were deeply and visibly involved in all aspects of the programme and were trained to conduct internal audits.

Next, a concentrated effort was made to get everyone involved from the start and, as mentioned earlier, the entire department received training on the quality management principles and on the certification process. This approach ensured that both managers and employees supported the programme.

Another critical factor was determining manpower requirements since the SAP Computer Center wanted to drive the entire process through an on-line Web site. A dedicated technical team was appointed to support the programme and the final results speak for themselves.

Although Saudi Aramco’s certification process was noteworthy, the real achievement was the acknowledgement that the Training & Change Management Department is recognized worldwide as a professional entity for information technology training. And that brings us full circle, because pursuing excellence in everything we do is one of Saudi Aramco’s corporate values.

After the hard work – the reward (left to right): the new Saudi Aramco Vice President of Information Technology, Abdulrahman Al-Wuhaib, and Saudi Aramco Director SAP Training & Change Management Department, Fouzi Bubshait, are presented the ISO 9001:2000 certificate by the Vice-President of the TÜV Cert certification body, Dr. Vougioukas.

About the author

Tom Bartridge has over 15 years of human resource (HR) management and consulting experience with the last 12 years focusing on the oil and gas industries within the Middle East. He is currently on a consulting assignment with Saudi Aramco. He was awarded the HR Professional of the Year at the Human Resource Summit held during September 2005 in Dubai, United Arab Emirates. Tom Bartridge has a column in Human Assets magazine (www.humanassets-me.com) and frequently publishes HR and leadership articles on-line at AME Info (www.ameinfo.com/news/HR_and_Training) and Emiratisation.org (www.emiratisation.org/content/view/858/43).

Tom Bartridge, Change Management Consultant, Change Management & Communication Division, SAP Computer Center, C-B1001 North Park 3, Dhahran, Saudi Arabia. Tel. + 966 3 874 2358. E-mail [email protected]

Globalization and ISO 14001 - trading up or trading down?

by Aseem Prakash and Matthew Potoski

Does globalization spur a “race to the bottom”, in which countries relax their environmental regulations in pursuit of foreign trade? The authors use the results of a study of 108 countries to suggest the opposite – that international trade actually encourages progressive environmental practices like ISO 14001 implementation, particularly in developing countries.

Critics of globalization argue that international trade spurs a “race to the bottom” 1), in which countries weaken their environmental regulations in pursuit of foreign investment and trade. Our research suggests the opposite can occur – international trade can help spread progressive environmental practices, such as those specified in ISO 14001, if a country’s major export markets have adopted the international environmental management system (EMS) standard.

This is good news for the environment because developed countries, which absorb most of the world’s exports, also have high levels of ISO 14001 adoption. Europe, Canada, Japan and the United States account for about three quarters of all ISO 14001 registrations while absorbing about two-thirds of the world’s exports 2).

1) This article is an abridged version of “Racing to the Bottom? Trade, Environmental Governance, and ISO 14001”, American Journal of Political Science, 2006, 50(2), pp. 347-361. The authors gratefully acknowledge the permission of Blackwell Publishing. For the unabridged version, including a description of the methodology used by the authors in their research, see: http://faculty.washington.edu/aseem/iso-ajps.pdf
2) The ISO Survey of Certifications – 2004, http://www.iso.org/iso/en/prods-services/otherpubs/pdf/survey2004.pdf
ISO 14001 is an example of a process standard because it governs how firms manufacture products rather than the products themselves. Interestingly, the World Trade Organi z a t i o n ( W TO ) d i s a l l o w s member governments from © ISO Management Systems, www.iso.org/ims INTERNATIONAL imposing process standards on imports. Environmentalists argue that the WTO undermines domestic regulations because imports from countries with laws based on lax process standards (and therefore lower production costs) can flood countries with more stringent standards. The WTO, however, does not prevent private sector organ- izations or industry groups from requiring their international trading partners to adopt process standards. Th u s, f i r m s c a n , a n d d o, require their foreign suppliers to implement ISO 14001. For example, the US auto industry requires first and second tier suppliers, many of which are located abroad, to adopt ISO 14001. The use of the EMS standard as a business requirement is an important development because more than half of the world’s trade occurs between companies and their suppliers 3). networks should have lower levels of ISO 14001 certification. Resolving the debate production and management costs, thereby raising the price of exports. Their argument is that trade may create disincentives for firms to adopt ISO 14001 voluntarily because it may increase About the authors Aseem Prakash is Associate Professor of Political Science at the University of WashingtonSeattle, USA. He is the author of Greening the Firm (Cambridge University Press, 2000, ISBN 052166487X), co-author with Matthew Potoski of The Voluntary Environmentalists (Cambridge University Press, 2006, ISBN 0521677726), and co-editor of Globalization and Governance (Routledge, 1999, ISBN 0415242495), Coping with Globalization (Routledge, 2000, ISBN 0415228638) and Responding to Globalization (Routledge, 2000, ISBN 0415228654). 
E-mail [email protected] Matthew Potoski is Associate Professor of Political Science at Iowa State University, USA. He is co-editor of International Public Management Journal. He has published in journals including The American Journal of Political Science, Journal of Politics, Journal of Policy Analysis and Management, Public Administration Review, and Journal of Public Administration Research and Theory. E-mail [email protected] Our hunch is that because most multinational corporations are headquartered in and closely tied to countries with high ISO 14001 adoption rates, they are more likely to encourage their suppliers to become ISO 14001 certified. Since such countries also absorb the bulk of world exports, then trade could be a vehicle for encouraging ISO 14001 adoption around the world, particularly in developing countries. There is a plausible counter argument to this optimistic scenario. If critics of trade and globalization are correct, countries that are more integrated with global trading Our research sought to resolve these debates empirically through an analysis of ISO 14001 adoption across 108 countries between 1996 and 2002. The key hypotheses we tested were the following : 1. ISO 14001 adoption rates are lower in countries that are more dependent on exports ; 2. ISO 14001 adoption rates are higher in countries whose major trading partners have high levels of ISO 14001 certification. 3) UNCTAD 1996. World Investment Report. Geneva : UNCTAD. ISO Management Systems – May-June 2006 33 © ISO Management Systems, www.iso.org/ims INTERNATIONAL critics fear that developed countries are likely to dilute their environmental laws to remain competitive with exports from developing countries that have weaker regulations themselves. 
Influences on ISO 14001 adoption Although trade is the primary variable, our analysis considered the following additional political, economic and social factors that might influence varying levels of ISO 14001 adoption across countries. Foreign direct investment (FDI), may influence ISO 14001 certification. Globalization critics suggest that FDI assists environmental races to the bottom, while international business scholars counter that such races are rare because multinational corporations seldom base their FDI location decisions on environmental costs alone. Critics of globalization argue that international trade spurs a ‘ race to the bottom ’ Companies may be more likely to implement ISO 14001 if they are located in countries that are more embedded in international intergovernmental organizations (IGO’s) and international non-governmental organizations (INGO’s) and in cultural networks that transmit such the international standards to which these organizations adhere. Thus, awareness of the responsibility of business towards the natural environment is likely to be more pronounced in those culturally similar countries with common language or countries in geographical 34 ISO Management Systems – May-June 2006 proximity. After all, managers are likely to take cues on appropriate corporate behaviour by observing other managers with whom they have cultural affinities. Companies view the value of ISO 14001 certification in terms of its fit with their domestic context. Competitive market economies can compel firms to differentiate themselves on a variety of counts, including environmental stewardship. ISO 14001 adoption rates may be higher in countries with more open economic systems. Likewise, if the demand for environmental amenities rises with personal wealth, ISO 14001 adoption rates should be higher in wealthier countries, where EMS implementation would signal an organization’s commitment to safeguarding the environment. 
In addition, public perception of environmental quality may be influenced by the level of polluting emissions in a coun- try. When levels are high, citizens are likely to demand that governments and firms adopt policies to curb pollution 4). Results International trade influences ISO 14001 adoption through bilateral trade linkages only. Countries whose export destinations have higher levels of ISO 14001 certifications have higher certification levels themselves (Hypothesis 2). Thus, overall dependence on trade per se does not affect a company’s incentive to adopt ISO 14001 (Hypothesis 1). Our study, therefore, strongly supports Vogel’s “California Effect” 5) – if export destinations support ISO 14001, then firms in exporting countries are more likely to implement the EMS standard. What matters in terms of the level of ISO 14001 adoption is not how much you export but who receives your exports. This finding has important policy implications. Trade Given that the bulk of developing country exports are absorbed by developed countries that have relatively stringent environmental laws and high levels of ISO 14001 adoption, our analysis suggested that trade creates at least some incentive for firms in developing countries to adopt systems in compliance with domestic environmental policies. The use of the EMS standard as a business requirement is an important development Thus, trade can be an instrument for ratcheting up the environmental practices of firms in developing countries – specifically those that export to developed countries whose domestic industry has adopted progressive environmental policies. 
The analyses also indicated that pressures to adopt ISO 14001 flow not just through 4) On the question of whether ISO 14001 encourages organizations to pollute less and demonstrate superior compliance with domestic environmental law, see Aseem Prakash and Matthew Potoski, 2006, The Voluntary Environmentalists: Green Clubs, Environmental Governance and ISO 14001, Cambridge University Press. 5) Vogel, D. 1995. Trading Up. Harvard University Press, Cambridge, MA. © ISO Management Systems, www.iso.org/ims INTERNATIONAL trade linkages, but cultural and sociological ones as well. The statistical significance of the international sociological network variables (IGO’s and INGO’s) is mixed. While the INGO variable is significant and is positively associated with ISO 14001 adoption, the IGO variable is not significant, perhaps because ISO 14001 is a nongovernmental standard. Thus, the analysis suggests that international non-governmental networks are important conduits for the ideas and norms embodied in ISO 14001. Countries with high numbers of ISO 9001 certifications also have high numbers of ISO 14001 certifications, most likely because these standards share a common management system approach. Managers are likely to take cues on appropriate corporate behaviour by observing other managers We also found that the relationship between wealth (per capita GDP) and ISO 14001 certifications was non-linear. Th u s, w h i l e I S O 1 4 0 0 1 ’ s attractiveness increases with a country’s wealth, its appeal for the wealthiest countries, such as the United States and France, tends to decline. Our findings showed that other domestic variables – governm e n t c o n s u m p t i o n , G D P, manufacturing, regulation, and pollution levels – were not significant. We also examined whether our results reflected the special case of the European Union (EU) – a leader in environmental policies. 
Given that the EU countries have been in the forefront of ISO 14001 adoption and are highly integrated via trade, our results could be driven by an “EU effect.” Re-running the analysis without the EU countries showed essentially the same result, suggesting that our conclusions regarding the effect of trade on ISO 14001 were not driven by a dominant “EU effect.”

We adopted the same logic to check for a “Japan effect” given that Japan leads in ISO 14001 adoption and is highly integrated in the world economy, with essentially similar results.

Conclusion

Environmental groups argue that international trade leads to a race to the bottom as developing country exporters exploit allegedly less stringent domestic environmental standards to capture markets in developed countries. They also argue that governments in developed countries are likely to come under pressure from their constituents to level the playing field by diluting domestic environmental laws.

Our analysis suggested that while high levels of trade may not significantly affect a company’s decision to implement ISO 14001, trade can be a vehicle to promote ISO 14001 if key export markets have widely adopted it. Thus, importing countries are influencing organizational practices in the exporting countries, not vice-versa. From this perspective, international trade has significant implications for public policy and business strategy. Access to international markets can serve as an important instrument to encourage the diffusion of preferred governance models and organizational practices.

One lesson from this study for environmental NGO’s is that international government and non-governmental institutions that lower trade barriers do not deserve opposition. Instead, environmental groups should help promote non-governmental voluntary systems, such as ISO 14001, as they also push for stringent governmental regulations.

In this way, at least, the WTO’s pro-trade agenda is not an enemy of the environment. Given that developed countries with stringent environmental standards absorb the bulk of developing country exports, free trade can lead to a ratcheting up of environmental product and process standards in developing countries. The forestry sector and the clothing industry – where NGO’s have used market power at home to encourage suppliers in developing countries to adopt progressive policies – are good examples. NGO’s can therefore leverage international trade to serve their progressive environmental goals.

ISO 14000 in China’s Green March to environmental management

It is not only ISO 9000 that is on the march in China (see ISO Management Systems, March-April 2006, “ISO 9000 in China’s Great March to quality”). ISO 14000 also arrived early and gave the country something of a head start in EMS implementation. By 2005, nearly 13 000 organizations had achieved ISO 14001 certification. Many are now reporting significant benefits.

by Yuhua Fan

The author, Yuhua Fan, is Senior Engineer of the Secretariat to SAC/TC 207, Sub-Institute of Resource and Environment Standardization, at the China National Institute of Standardization (CNIS). E-mail [email protected] Web www.cnis.gov.cn

ISO 14000 arrived early in China. In 1995, a year ahead of publication by ISO, drafts of the first five of the environmental management system (EMS) standards were translated into Chinese and circulated for discussion among a committee of governmental agencies, industrial administrators, scientific research bodies and universities.

The Chinese Government attached great importance to the emerging EMS standards.
The former China State Bureau of Quality and Technical Supervision (CSBTS), the predecessor of today’s national standards body, the Standardization Administration of China (SAC – www.sac.gov.cn), established CSBTS/TS 207 — the Chinese mirror committee to ISO/TC 207, Environmental management, responsible for the ISO 14000 family.

Since systematic environmental management was totally new to Chinese organizations, the CSBTS invited foreign experts to China to help the would-be professionals gain a better understanding of ISO 14000. Nationwide dissemination of the EMS standards began at Draft International Standard (DIS) stage, and the final versions were swiftly nationalized and implemented soon after publication by ISO in 1996.

Photo caption: EMS certification staff working for the environmental department of the Organizing Committee for the 2008 Beijing Olympic Games meet with external auditors in preparation for ISO 14001 certification. (© TSR)

Launching ISO 14001

To facilitate ISO 14001 implementation and certification throughout China, the relevant governmental agencies (then five) – the Environmental Protection Agency (EPA), CSBTS, the State Commission of Planning, the State Commission of Economy and Trade, and the State Entry-Exit Inspection and Quarantine Bureau (CIQ) – jointly formed the Steering Committee for Environmental Management System Certification (CSCEC) in 1997, together with 28 interested governmental agencies and institutions.

The mechanisms and procedures for EMS certification, including the China National Accreditation Board for Certifiers (CNAB – www.cnab.org.cn) and China National Auditor and Training Accreditation Board (CNAT – www.cnat.org.cn), were also established. With this framework, the implementation of ISO 14001 in China was well and truly launched.

In 2001, the State Council formed the General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ – www.aqsiq.gov.cn), under which two sub-ministerial administrations, i.e. SAC and the Certification and Accreditation Administration (CNCA – www.cnca.gov.cn) were founded, responsible respectively for supervising standardization and certification/accreditation work throughout the country (see Figure 1).

Figure 1 – Standardization and accreditation infrastructure in China. (Organization chart; boxes shown: General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ); Certification and Accreditation Administration (CNCA); Standardization Administration (SAC); China National Institute of Standardization (CNIS); Sub-Institute of R and E Standardization; Secretariat of SAC/TC 207; SAC TCs; CNAL, CNAT, CNAB, (CNAS); certificates; auditors and consultants; other subordinate bodies.)

Remarkable development

Thanks to the Chinese Government’s determined efforts and growing public environmental awareness, ISO 14001 implementation in the country has shown remarkable development. It was triggered in 1997 by pioneering ISO 14001 implementation and certification programmes in four companies and 11 cities, conducted by the EPA.

Following these initial successes, the programme was rolled out nationally. Growth in certifications since then has been dramatic (see Figure 2).

Figure 2 – Growth of ISO 14001 certification in China 1996-2005. (Bar chart; values labelled on the chart, in ascending order: 9, 22, 94, 222, 510, 1 085, 2 803, 5 064, 8 862 and 12 683.)

EMS certifiers accredited by CNAB now total 63. From a standing start in 1996, some 12 683 organizations had achieved ISO 14001 certification by the end of 2005.

At first, organizations seeking ISO 14001 certification were almost exclusively large companies with advanced manufacturing plants and relatively low environmental impact. Most were from the electronics, household appliance, chemicals and automotive sectors, and many were Sino-foreign joint ventures.
Now ISO 14001 certification has expanded rapidly across industry and into the services, tourism and municipal administration sectors.

Reporting the benefits

Not only is ISO 14001 adoption proving instrumental in enhancing environmental protection, but it is also bringing many social/economic benefits to China, including greater public environmental awareness, improved resource conservation, reduction of environmental impacts, an increased sense of environmental responsibility among managers and employees, sharpened competitive edge of Chinese enterprises and better business cooperation.

Many certified organizations report significant benefits from the implementation. Here are some examples :

• Zhejiang Qianjiang Brewery
Following certification in 2001, the company has implemented 27 cost-cutting programmes via its EMS, resulting in savings of 1 377.5 kilowatt-hour of electricity, 2 390 m³ of water, 1 000 tons of steam, 4 400 tons of coal, 32 tons of grain and 2.5 tons of glue to date. It has also cut alkali solution use by 30 % (210 tons), reduced CO2 emissions by 250 tons, and lowered the pH of waste water from 10.5 to 8.

• Yanjing Brewery
The company achieved ISO 14001 certification in 2002. Since then, it has made significant savings in waste recycling and in energy and materials consumption. In 2004, Yanjing saved 7 616 tons of coal from waste methane reuse, recycled 600 tons of yeast, extracted 17.5 tons of ribonucleic acid from waste, and reclaimed 11 594.5 tons of CO2. In the first half of 2005, the company reduced consumption of water used in beer production by 6.79 tons/kilolitre, and saved 20 829 tons of coal and 6 880 kilowatt-hour of electricity.

Photo caption: Yanjing Brewery in China has reported significant savings in waste recycling and energy and materials consumption since achieving ISO 14001 certification in 2002.
• Panasonic Home Appliances Air-Conditioning (Guangzhou) Co. Ltd.
Since certification in 1999, Panasonic has made major savings in materials. For example, it has reduced iron plate consumption by 30 %, and aluminum foil and copper tube by 17 %.

• Tianjing Environmental Protection Bureau
In 2000, the TEPB became the first ISO 14001-certified government agency in China. Its objective in doing so was to promote environmental protection in the city by strengthening and refining regulations, streamlining its administration, promoting ISO 14001 implementation among local organizations, and “greening” the bureau’s office work. Priorities have been set according to its environmental policy, objectives and targets, responsibilities and accountabilities have been rationalized and clarified, and PDCA (Plan-Do-Check-Act) processes adopted in policy making, enforcement and fulfillment. By 2004, 250 organizations in Tianjing had achieved ISO 14001 certification.

• 2008 Beijing Olympic Games
One of the themes of the 29th Olympic Games to be held in Beijing in 2008 is “The Green Olympics”. The Beijing Organizing Committee for the Games of the XXIX Olympiad (BOCOG – www.beijing2008.org) achieved ISO 14001 certification in 2005 and is implementing an EMS for the preparatory phase and the Olympiad itself.

BOCOG has committed to integrating a policy of sustainable development into every aspect of the Games, including engineering and construction, marketing, procurement, logistics, accommodation and catering. BOCOG also commits to support the Beijing government in developing an environmental protection infrastructure to improve the local environment, and raise public awareness of the environment through the inspiration of the Olympic Games.
The scope of the ISO 14001 certification covers implementation of the Committee’s green office guidelines, planning of event routes and venues, selection of partners and contracted hotels, communication and environmental management.

Photo caption: Since becoming ISO 14001-certified in 1999, the Panasonic Home Appliances Air-Conditioning Company of Guangzhou, China, has made up to 30 % savings in production materials.

Photo caption: The official emblem of the Beijing 2008 Olympic Games. The running figure embracing triumph resembles the Chinese character ‘Jing’, meaning ‘the Capital’, i.e. the second ideogram of the name of the host city (the first one being ‘Bei’, meaning ‘the North’). ISO 14001 certification was awarded to the “Beijing Organizing Committee for the Games of the XXIX Olympiad” on 29 September, 2005. It covers implementation of the Committee’s green office guidelines, planning of event routes and venues, selection of partners and contracted hotels, communication and environmental management.

Photo caption: Tianjing Environmental Protection Bureau is using its ISO 14001 certification to green and streamline its own activities, and promote EMS implementation to local organizations.

Environmental labelling

In addition to ISO 14001, other standards in the environmental management series have also been adopted nationally. For example, the ISO 14020 series of environmental labelling standards are being applied progressively.

An environmental label compliant with ISO 14024:1999, Environmental labels and declarations – Type I environmental labelling – Principles and procedures, was launched in China by the former China Certification Committee for Environmental Labelling Products (CCEL), predecessor of China Environmental United Certification Center Co., Ltd (CEC). By 2005, some 22 000 products belonging to 57 categories had been so labelled.

In 2005, the CEC developed rules and procedures for ISO 14021:1999 Type II environmental labelling.
About 50 companies have participated in the scheme to date.

How to implement an ISO/IEC 27001 information security management system

The March-April issue of ISO Management Systems reported positive user feedback on the new ISO/IEC 27001:2005 standard for information security management systems. This follow-up article provides advice from experts who developed the standard on how to achieve its benefits.

by Ted Humphreys

Ted Humphreys is Convenor of the Joint Technical Committee, ISO/IEC JTC 1, Information Technology, Subcommittee 27, IT Security techniques, Working Group 1, Requirements, services and guidelines. He is also Director of XiSEC, a company specializing in information security management systems. Tel. + 44 1473 626615. E-mail [email protected] Web www.xisec.com

The recently published ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, provides a foundation for designing and deploying a management system for information security to prevent a variety of business-threatening risks such as the following :
• financial losses and damages ;
• loss of the organization’s intellectual capital and intellectual property rights ;
• loss of market share ;
• poor productivity and performance ratings ;
• ineffective operations ;
• inability to comply with laws and regulations ; and even
• loss of image and reputation.

This ISO/IEC standard is already showing signs of becoming even more of a winner than its predecessor – the hugely successful previous British standard BS 7799 Part 2:2002.

My previous article, in the March-April 2006 issue of ISO Management Systems, provided some feedback from those thousands of businesses that have already been using an Information Security Management System (ISMS) to manage and protect this critical and important asset. This article provides some ideas on how to get started with implementing the standard, as well as going for certification if so desired.

The ISMS model

ISO/IEC 27001:2005 specifies the requirements and processes for enabling a business to establish, implement, review and monitor, manage and maintain effective information security. Like ISO 9001:2000, it is built on the Plan-Do-Check-Act (PDCA) process cycle model (see Figure 1 for the ISMS version of this model), as well as on the requirement for continual improvement.

Figure 1 – The ISMS version of the PDCA model. (Cycle diagram; stages shown: Design ISMS; Implement and deploy ISMS; Monitor and review ISMS; Maintain and improve ISMS.)

Here is advice on implementing ISO/IEC 27001 gleaned from a question-and-answer session with John Snare (Fujitsu, Australia) one of the coeditors of the standard.

• What are the three key things an organization needs to consider when designing and developing an ISMS based on ISO/IEC 27001:2005 ?

John Snare : “Firstly, an organization needs to have a very clear understanding of why information security is important and what it wants an ISMS to help it achieve. This means understanding how information security relates to its specific business objectives, taking into account the expectations of its customers, the financial objectives of the organization, and any relevant regulatory or legal requirements.

“Secondly, an organization’s senior management needs to be actively involved in the decision-making processes concerning objectives, priorities and implementation timeframes.

“Senior management needs to determine how they are going to demonstrate that they are actively involved in the leadership of ISMS activities, have provided the necessary resources, and have ensured that sufficient trained personnel are available for implementation and ongoing operation and improvement of the ISMS.

“Thirdly, organizations need to consider how the ISMS processes will be imbedded as part of business as usual operational processes. This is important to ensure that the ISMS is effectively used as a means to achieve the desired outcomes on an ongoing and sustainable basis. If this is not done, the ISMS is destined to become shelf-ware, ineffective, and a waste of money.”

• What are the main areas that an organization needs to consider in order to achieve a successful ISMS implementation and operational deployment ?

John Snare : “Selection of a suitable risk assessment approach and tools are critical to the ongoing effectiveness of an ISMS. The approach taken must be consistent with the culture of the organization concerning the management of other types of risk, and staff must be trained in the methodology and use of the tools.

“A successful ISMS implementation also requires follow through from planning to operation. It is very easy to become distracted following an intensive initial implementation phase and neglect ongoing operational and improvement activities.”

• As ISO/IEC 27001 is based on the PDCA model, its approach is targeted towards continual monitoring, review and improvement of the ISMS. Do you have any useful tips on how to go about these tasks ?

John Snare : “It is inevitable that security incidents will occur and that, from time to time, management reviews or audits will detect nonconformities with ISMS standards, policies and procedures.

“When such circumstances arise, don’t just take a tactical approach to solve the problem on an ad hoc basis. Instead, use the ISMS. If procedures and processes are found wanting, then improve them. For example, if they do not support rapid response to a crisis, update them so that they will in future.”

Risk management

One of the key aspects of ISO/IEC 27001:2005 is that of risk management and the reduction of risks based on ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management. The following advice is based on recent interviews with Angelika Plate (AEXIS, Germany) co-editor of ISO/IEC 17799.

• What are the three key things an organization needs to consider when doing a risk assessment ?

Angelika Plate : “Carrying out a risk assessment is a requirement of ISO/IEC 27001, but this should not be the only driver for doing so. A risk assessment should be seen as an enabler for organizations to tailor the amount of information security and the extent of controls exactly to what their business needs.

“Therefore, organizations should take this opportunity seriously and identify all their individual legal and regulatory, contractual and business requirements.

“Next, an organization should think about what it wants to protect (its assets), the utility the assets have for the business and what could damage the assets (threats and vulnerabilities).

“Following on from this, the impact of a damaging event and the likelihood that such an event takes place need to be assessed. The combination of these two factors creates the risk. The result of the risk assessment should be a list of identified risks, ranked in order of their severity and the need to take action.”

• After carrying out the risk assessment, what does a user need to do next ?

Angelika Plate : “An organization needs to decide how it wants to deal with the risks. There will be an initial threshold, a level of risk that has been identified as acceptable, and all risks below or at this level will not require further treatment. For all other risks, there are different options (as described in ISO/IEC 27001) that an organization can take :
− Reduce the risk by implementing controls ;
− Knowingly and objectively accept the risk (even though it is above the threshold of acceptance; for example, if no other feasible solution exists) ;
− Avoid the risk ; for example, by not getting involved in the business activity that causes the risk ;
− Transfer the risk ; for example to an insurance company.

“Whichever of these alternatives – or a combination of them – is to be taken is entirely up to the organization doing the risk assessment. These decisions are to be made by the management of the organization, and the business objectives and requirements should be taken into account when making these decisions.”

ISMS controls

• Do you have any useful tips on how to go about the selection of controls from ISO/IEC 17799:2005 ?

Angelika Plate : “There are different objectives that controls might fulfil when they are selected to reduce risks :
− limiting the damage if a risk occurs ; an example is information back-up that can limit the damage due to information loss, irrespective of the risk that causes the information loss ;
− reducing the likelihood that a damaging event, i.e. a particular threat/vulnerability combination, occurs.

“Let’s look at these in more detail.

Limiting the impact

“In addition to information back-up, incident management, which ensures a controlled, orderly response, can again limit the impact regardless of the problem that might have caused the incident.

Dealing with the vulnerability

“If the organization’s Internet-connected systems have been compromised due to a software vulnerability, then this weakness needs to be dealt with. For example, the problem might be caused by lack of software patch management and so the latest software updates need to be obtained and installed.

“Perhaps the access to the organization’s information systems is based on a standard password mechanism and this has been recently compromised. This may be due to lack of awareness or diligence by the staff in the need to apply good password management for their own passwords.

“Is the weakness in fact a lack of awareness, a lack of clear procedures or both? Again, this weakness needs to be investigated and dealt with to avoid a recurrence of the compromised systems.

Reducing the risk of exposure

“A control might also aim at reducing the likelihood that a threat is able to exploit a vulnerability, i.e. a particular combination of threat and vulnerability occurs.

“The threat is not removed, or, as is generally the case, it is not possible to influence or remove the threats. Internet attacks and hackers exist, and always will do. However, it is possible to reduce the vulnerabilities by improving the protection that is applied, thereby making it more difficult for a threat to take place.

“If the policies and procedures are well written, understood and applied, if the technical controls work as intended and if this system of controls is also regularly updated with the latest developments and changes, the organization is far less likely to be subject to successful attacks than otherwise.
“Very often, a combination of both effects (reducing the damage and the likelihood that it takes place) is most effective and in all cases it is worth while considering alternatives to achieve protection.

“It is not always necessary to use expensive, sophisticated technical solutions – sometimes a simple change or improvement of procedures might achieve the same effect.

“In addition, it is recommended to only select a control if it is possible to consistently and completely implement it, including all needed expertise and resources – otherwise the controls might only create a false sense of security.

“For example, implementing a control such as a firewall only makes sense if this firewall is configured to the particular needs of the organization, and if this configuration is well managed, monitored and regularly updated.”

User awareness

There is no doubting the importance that user training and awareness plays in information security. Most of the problems that occur can be traced back to a people problem. Here is some advice provided by Eva Kuiper (HP, USA and Canada) one of the co-editors of ISO/IEC 27001:2005.

Eva Kuiper : “The long term effectiveness of an information security programme depends on buy-in from the entire organizational community, not just those in the security staff.

“Communicating the value of the programme and the responsibilities of the people involved is a requirement for the success of any security programme. This makes security awareness and training indispensable as a key deliverable of any information security management system.

“Policies and standards, no matter how clearly written, become a lot more personal when familiar examples are presented to employees, explaining their roles in implementing the policies.

“Security awareness and training programmes are also identified as key controls in ISO/IEC 17799:2005, and they are a mandatory deliverable in demonstrating both competence and understanding of security responsibilities in ISO/IEC 27001:2005.

“When putting such a programme in place, the following elements should be considered :

• Security awareness sponsorship must start at the top.

“Security needs to be sold as an enabler to keeping an organization healthy, changing the perception of security as a barrier to getting one’s job done. Upper management needs to be involved in communicating why they want to enhance the security posture of their organization and what the advantages will be to the organization.

“These advantages can be around customer loyalty, brand image or other business benefits, and should not focus merely on the technical benefits.

• Job skills and certification programs required for information security staff should be clearly identified.

“Job skills in areas that impact information security effectiveness should be evaluated and recommendations for training put in place. This may include areas such as software development, project management, and operation delivery where process improvement may improve overall effectiveness of security.

• Basic mandatory training of user responsibilities and accountability for maintaining a secure organization should be in place for all employees.

“This training should be kept timely, coordinated with any changes in policies and standards, and repeated at a reasonable time interval. The consequences of employee actions should be clearly communicated.

“An organization that uses contractors or outsourced services should not ignore the security impact of communicating security requirements for storage and transmission of sensitive information.

“Training should be tracked and reviewed to determine its value and impact on improving the effectiveness of the information security programme.

• Business partners, contractors, and outsourcers should not be forgotten in any training and awareness programme.

• Education on policies and standards is not sufficient without the tools to enable employees to meet what's being asked of them.

“A Web site consisting of ‘how to’ tutorials, security tips and tricks, how to report security events, links to policies and standards, and other articles of interest, such as home network security, is indispensable for enhancing the sometimes terse language of policies and standards.

“This Web site should include e-mail contacts, and answers to frequently asked questions (FAQ’s) can also be provided. The FAQ’s can also be used during policy reviews to identify gaps and areas of further clarification.

“Ultimately, the goal of any security training and awareness programme is to distribute the responsibility of meeting security requirements across the entire organization and not just something that’s the job of the information security staff.

“A strong feedback loop between information security and the rest of the organization can become an effective tool for improving security throughout the organization.”

Maintaining the state of the art

After designing, implementing and deploying the ISMS it is extremely important to have a regular review programme to check whether any changes that are made to the organization’s business environment have an impact on the ISMS.

It may be that over the following 6 to 9 months, the threats to the organization’s information resources have increased and diversified.
It may be that the business processes or ways of doing business have changed, or that new technology has been introduced, or there is a new company structure, or new legislation has been introduced, or the size of the company has changed. All these factors could have an impact on the ISMS.

The ISMS PDCA model defines monitoring, review and improvement processes as part of the ISMS life cycle to ensure that the business’s security posture is effective and is kept up to date through continual improvement. Hence, delivering effective ISMS protection is an on-going activity.

The certification option

Certification of ISMS in conformity to BS 7799 Part 2 has been in place for several years. Certification is not a requirement of ISO/IEC 27001:2005 (nor was it of BS 7799 Part 2) – it is the decision of the organization whether it wishes to take the certification route. However, more than 2 000 organizations from over 50 countries have been certified and the growth in this area is increasing at a rate – see The International Register of Accredited Certifications at www.ISO27001certificates.com.

Now that ISO/IEC 27001 has been published, BS 7799 Part 2 has been withdrawn and all current certificates are being migrated to ISO/IEC 27001 during a formal transition period of about 18 months as defined by the national accreditation bodies that approve certification bodies as competent.

How does the ISMS certification market look since the arrival of ISO/IEC 27001?

Malcolm Marshall, Director, Certification Services, KPMG Audit Plc, provided his perspective : “Having been involved in some of the very first BS 7799 certification assessments in 1999, it is very pleasing to welcome the internationalisation of the standard in the form of ISO/IEC 27001.

“We are already seeing an increase in demand for services and expect to see a more aggressive take-up in the Americas and in Europe, the Middle East and Africa during 2006 and beyond as more organizations seek to implement ISMS on a global scale.

“If you decide to embark on the certification route you need to think through four key questions:

1. Do you need it ? Perform a needs analysis to determine the impacts of becoming certified – it is easy to underestimate the effort in moving from adherence with the concepts of ISO/IEC 27001 and implementing a certifiable ISMS.

2. Can you do it ? You need to make sure that you have the right senior support and sufficient in-house capability to achieve and maintain certification. Think about external help to coach you through your preparations.

3. Do you understand it ? Recognize that there are two components to the standard – management system (governance) and security controls.

4. Have you got the risk and control balance right ? A key to achieving certification is demonstrating that the balance between risks and controls is appropriate – make sure there is rigour behind your risk assessment so that the processes and controls mitigate the risks to the business.

5. Can you maintain it ? Do not underestimate the need to maintain and improve – this should, in fact, be an integral part of business-as-usual activities.”

Common language

ISO/IEC 27001:2005 is already providing many benefits for businesses world-wide. It is ensuring their well-being and allowing them to be successful in today’s risk-pervasive business environments. ISO/IEC 27001 promises to be even more successful than its predecessor, BS 7799 Part 2.
The new standard is rapidly becoming the common international language for information security management systems across the whole spectrum of business markets and sectors.

STANDARDS FOR SERVICES

After slow start, pace picks up in Germany

Germany’s national standards institute, DIN, was one of the first to foresee the need for standards for services. Getting service providers to recognize the need took longer than anticipated. However, the momentum to develop service standards has now built up and puts Germany among the leaders in the field.

by Peter Anthony

Peter Anthony is Communications Manager at DIN German Institute for Standardization, which he joined in 1985. His article is based on information supplied by his colleagues at DIN, Dr. Holger Mühlbauer of the Performance Capability and Services Standards Committee (NAGD), and Hermann Behrens of the R&D Phase Standardization Section (EBN). E-mail [email protected] Web www.din.de

Some things take more time than others. “In its standardization activities, DIN will need to give greater attention to the services sector and greatly increase the participation of banks, insurance companies, commerce and the trades in the development and implementation of its standards.” The above affirmation, under the heading “Short-term goals”, appeared in DIN’s Annual Report for 1975.

The recognition by DIN (www.din.de), the national standards institute of Germany, of the growing importance of the services sector – and of a growing need for standards – was clearly ahead of its time. It was not matched by a corresponding recognition on the part of the service providers that voluntary standardization could be of benefit to their form of economic activity.

The main perceived benefits of technical standardization – increased efficiency and productivity, reduced consumption of resources and lower costs – do not seem to apply to services with their generally intangible outputs, dependence on the individuals providing them and hence more or less irreducible personnel costs.

Services such as laundering, hotel-keeping, transport, car-servicing, telecommunications, insurance, banking, trading, that in a note to the definition of “service standard” in EN 45020 are listed as examples of fields in which standards may be prepared, were apparently not yet ready for standardization. Indeed, at first sight, the set of functions offered by a laundry and that offered by a bank may well seem too disparate to respond to the same type of approach.

DIN Director Torsten Bahke welcomes experts of ISO/TC 222, which has developed the first International Standard for providers of personal financial planning services. (Photo: Stefan Zeitz)

Services are in many respects as responsive to standardization as products

And yet, here too, appearances are deceiving. “X shall be hardened, tempered, toothed, straightened, tensioned, ground, set and sharpened.” “Y shall be open, honest, responsive, accountable and committed to acting competently, responsibly, reliably, fairly and with respect in all professional relationships.” X is a blade of a woodworking saw as specified in DIN 5134-2; Y is a personal financial planner, as described under the heading “Integrity” in ISO 22222.

Not only is the presentation of the range of characteristics required for compliance with the standard in both cases similar in style, but both standards also share the underlying principle of trust. Services are, then, in many respects equally as responsive to the standardization process as products.
In particular, terminological exactitude, which is a strong point in any standardization activity, is now seen by service providers as offering major benefits. In a survey conducted in Germany a few years ago in the context of a research project, “Service standards for global markets”, 82 % of the respondents indicated terminology as important or highly important as a subject of standardization, followed by 76 % for the evaluation and 73 % for the classification of services. Other aspects of services which can usefully be clarified in standards relate to the qualification of those providing them, the resources and facilities on which proper performance depends, the organizational procedures and processes underpinning performance and methods enabling performance and/or required minimum levels of quality to be measured and thus compared.

Fitness for purpose

Anyone purchasing saw blades to DIN 5134-2 expects a certain quality of design and manufacture; anyone employing the services of a personal financial planner claiming conformity with ISO 22222 may expect a defined level of professional expertise, experience and integrity. In both cases, the customer gains confidence in the “fitness for purpose” of the product/service concerned because it is backed up by a standard from a trustworthy source.

Like standards for products, standards for services such as personal financial planners need to ensure ‘fitness for purpose’. (Photo: Stefan Zeitz)

In many industrialized countries, the services sector accounts for more than 60 % of Gross Domestic Product (GDP) and well over 50 % of all economic activity. Therefore, its relative lack of structure, its generally unsystematic, if not haphazard development, as also indicated by the low level of standardization, would be puzzling, if we did not allow for the services sector’s flexibility towards meeting new needs, for its innovative capacity and its generation of new business – whether that be personal financial planners or personal fitness trainers.

The lack of standards in the new markets thus created is one explanation for services still being largely limited to the domestic economy. Compared with the cross-border exchange of manufactured goods, the export quota for services is still minimal. Thus, in the case of Germany, the “world export champion”, services only amount to 12 % of all exports.

In the case of Germany, services only amount to 12 % of all exports

Yet things are changing. As each innovative branch grows, its degree of self-organization increases and the desire to differentiate – by means of appropriate standards and conformity assessment schemes – between those who are within the pale and the “black sheep” beyond it, becomes correspondingly stronger.

Service input

Government and other public authorities, both as providers and purchasers of services, are becoming increasingly interested in service standardization as an instrument for addressing issues such as quality, interoperability, conformity and comparability.

Goods production now also requires a growing element of service input. As this production becomes increasingly advanced and international, more services – research and development (R&D), marketing, transportation etc. – are needed to ensure the smooth functioning of the production and sales systems.

Thus, from various quarters, there is growing pressure to internationalize the market for services. Services, it is said, are going to be a crucial factor in international competition for markets and locations. Commissions for services are not to be restricted by national frontiers. In the context of the European Union, the European Commission has declared that it aims to achieve for services an equivalent level of inter-market penetration as has already been achieved for products.
The successful realization of the single market for products within a comparatively short period is not least to be attributed to the effect of European Standards. It is thus expected that the potential of standardization in terms of removing barriers to trade and fostering competitiveness can be similarly exploited for services.

Private security is one of the service sectors for which standards have been developed first at national level, then European. (Photo: BDWS)

There is growing pressure to internationalize the market for services

How are these developments being reflected in the work of DIN? Standardization in the services sector started to pick up speed in the mid 1990’s. In 1996, the Performance Capability Standards Committee, which defined requirements on the fitness for purpose of consumer goods, became the Performance Capability and Services Standards Committee (NAGD), its scope extended to specifying similar requirements for services at national, European and international level. The guiding principle in its activities has been that the demand for standardization should come from the interested parties themselves, as a true reflection of market needs.

Currently work is being undertaken at all three levels, although national standardization activities are increasingly viewed as preliminary to corresponding initiatives in supranational forums. Thus, the national standard DIN 77500, Services in market and social research was an important element in the preparation of ISO 20252, Market, opinion and social research – Service requirements. Ongoing projects at national level include services provided in connection with income tax returns and assisted living services for the elderly.

Besides national standards, NAGD has also assisted in the preparation of a number of Publicly Available Specifications (PAS, i.e. limited consensus specifications) on topics relating to services, e.g. PAS 1055, Life insurance customer information, and PAS 1037, Requirements relating to quality management systems for business-related education and training establishments: QM stage model.

Pioneering standard

The standard ISO 22222, Personal financial planning, published under the secretaryship of NAGD in December 2005, was a pioneering standard, the first non-technical standard for financial services. All the more remarkable, then, that those involved in the creation of such a global benchmark for a highly complex professional service – representatives of financial planners, banks, consumer protection bodies and research organizations from 16 countries – should in fact have been able to “do it right, do it once and do it internationally”.

More common has been the development of standards at European level, some of which – such as those for tourism services, transportation services, funeral services and private security services – were originally prepared as national standards. Others – such as the series of European Standards on leisure diving – have later served as a basis for ISO standards. Further initiatives of NAGD at the supranational level presently concern cleaning services, print media analyses, educational services, aptitude assessment, access panels in market research, brand valuation and rating services.

Another iron in the fire of service standardization at DIN is its R&D Phase Standardization Section (EBN). The remit of this section is to promote the development and use of standards – both full consensus and limited consensus standards – in areas of rapid innovation as instruments of technological transfer. Accordingly, innovative, mainly information technology-driven business models (eCommerce, eLearning) play a large part in the work programme. The work is generally carried out in connection with specific projects that are financed by the Ministry of Economics and Technology or, more frequently, by the Ministry for Education and Research (BMBF).

DIN was one of the leading participants in the series of European standards on leisure diving that have since surfaced at the international level. (Photo: bigfoto.com)

Government

Both the present government and its predecessor have identified innovation as a motor for economic growth and job creation, the services sector as being particularly innovative and standards as being important catalysts in market development. Thus, not only are funds made available for appropriate research, but the inclusion of standardization in the project specifications as a means of technological transfer has become the norm.

The results of the work are published mainly as PAS (nine to date connected with services), but also as DIN Standards, Technical Reports or in book form. As examples of the subjects covered, two of the most recent documents published are PAS 1047, Reference model for the delivery of industrial services – Corrective maintenance and PAS 1052, Competence requirements of trainers in learning, education and training with a focus on e-learning.

In most cases, DIN participates as a partner in a consortium, but has also served as project leader. One of the projects in which DIN, through the EBN section, is now acting as lead manager, is “Standard: IS” (the IS in the title referring to “internationalization strategies”), which brings DIN together with two industry partners and seven research partners. The project, funded as part of the BMBF research programme on export potential and internationalization of services, kicked off in August 2005 and is scheduled to run for three years. As a first step, aimed at establishing priorities for later phases in the project, DIN has commissioned six of the research partners to carry out secondary analyses or collect data via case studies, interviews, etc. The object is to examine motivation and approach of businesses of different sizes and sectors with regard to services standardization under the aspect of internationalization with a view to establishing recommendations for further action.

Target

All in all, then, it is safe to say that the target DIN set in 1975 has indeed been achieved. The stakeholders in many areas of the services sector are now much more aware of the role standards can play in the development of their particular market at home and abroad. The growing body of service standards and specifications will, if not create a snowball effect, certainly generate an increasing volume of, and wider basis for, service standardization, particularly at the international level. Given all these positive indicators, we would have no reservations about formulating another set of short-term goals for this area of our work and realistically expect to see them reached in the near future.

NEXT ISSUE

VIEWPOINT

Call for public sector worldwide to share ISO 9001 best practice

ISO Management Systems makes a third visit to the Phoenix Police Department (PPD), Arizona, USA, which has become a centre of excellence for ISO 9001:2000 implementation and freely revealed its improvement methods to various levels of government in North America, Asia and Europe. The PPD’s Quality Management System Coordinator, David Amari, argues in favour of governmental ISO 9001:2000 users everywhere sharing their knowhow to raise the quality of public service on a worldwide basis.

SPECIAL REPORT
Management systems and government

First implemented in manufacturing, ISO 9000 and ISO 14000 are now massively present in the service sector, which accounts for some 30 % of all certifications. The “third wave” is take-up by public administrations and government organizations.

• Italy – rich in municipalities and management systems

Aalborg Town Hall, Denmark, seat of the Aalborg Charter of European Cities and Towns Towards Sustainability, and heart of the town’s ISO 14001-certified environmental management system.

The growth of ISO 14001 in the public sector: a worldwide phenomenon

This article may become a landmark. It provides the most extensive international overview yet of ISO 14001 implementation in the public sector by national and local governments, municipal authorities, city administrations, the European Commission, Olympic committees, as well as by armed forces and defence ministries.

STANDARDS FOR SERVICES

INTERNATIONAL

Zimbabwean security firm increases productivity with ISO 9001

Securico is the first security firm in Zimbabwe to achieve ISO 9001:2000 certification.

Management systems and Indian competitiveness

ISO’s management system standards are playing a significant role in enhancing Indian enterprises for competing on global markets.

More than 30 New Zealand standards and associated documents cover a range of health services delivered through the public and private sector every day.

Focus on New Zealand

In recent years, Standards New Zealand has increased its work in the health and disability sector, developing standards to improve the provision of complex services that require consistent delivery of care.

Lose weight. Gain power.

ISO Management Systems magazine is essential reading for doing business on today’s global markets. You’d have a job carrying the collected works with you – so we’ve put 28 issues on a CD-ROM. Less weight – but concentrated ISO Power!

ISO Management Systems Magazine Database on CD-ROM

Available from ISO national member institutes (listed with contact details on the ISO Web site at www.iso.org) and ISO Central Secretariat Web store at www.iso.org or by e-mail to [email protected]