Tom Taormina
March 19, 2019
Historically, outsourcing has been one of the most misunderstood concepts in QMS implementation and operation. Prior to ISO 9001:2015, the requirement for outsourced processes was limited to a few sentences in clause 4.1 (find more information in the article How to control outsourced processes using ISO 9001). Using a case study, I will present my experience on how understanding outsourcing according to ISO 9001 is of key importance for a company.
ISO 9001:2008 clause 4.1 was so vague, and the subject of so many conflicting interpretations, that Technical Committee 176 of ISO had to publish a guidance document: ISO TC/176 SC 2/N 630R2, Guidance on ‘Outsourced Processes’.
The most impactful guidance from that publication was the definition that an outsourced process is one that the organization could conduct internally, but has chosen to subcontract to an outside organization. It goes on to state that the company must exhibit the same level of control over outsourced processes as it would over processes within its own QMS.
Fortunately, ISO 9001:2015 has relocated this requirement to 8.4 (Control of Externally Provided Processes, Products and Services), where it more logically belongs in the standard. Unfortunately, it again stops short of clarifying a key element that an outsourced process must be controlled to the same degree that the process is controlled within your organization.
The following case study will dramatize the importance of controlling outsourced processes and the products they deliver, and provide a practical basis for understanding its application and consequences.
A large international company developed a philosophy of outsourcing some of their manufacturing to smaller machine shops. Their noble plan was to help local businesses grow their capabilities and expand their client base. We will call this company BIG.
They identified a company that had machining capability for an entirely different market segment. We will call them Naïve.
The purchasing agent from BIG, whom we will call Mr. BIG, was eager to meet his target for qualifying new machined-parts providers when he approached Naïve. In his initial visit, Mr. BIG was impressed by the craftsmanship he saw and the quality of work they produced with modest machining equipment.
Mr. BIG enticed Naïve with an initial order for a large quantity of machined parts. He implied that they would need to purchase a larger CNC work center to handle the quantities and delivery needs. He also stated that Naïve would have to become certified to ISO 9001:2008 and undergo an audit by BIG’s quality department. Mr. BIG offered Naïve a quality manual template and instructed them to just copy the content and change the context to their organization.
Having no quality management experience, the principals at Naïve created a quality manual and attempted to implement the process controls required by the Standard. The BIG quality representative performed an initial audit, created a list of major and minor nonconformities and gave Naïve tentative approval for the first production run.
Naïve was overwhelmed with the audit report and found a QMS consultant who informed them that they were nowhere near compliant with the Standard. The QMS consultant rewrote the quality manual and trained the principals on the resources they would need. Naïve purchased the CNC work center and produced hundreds of parts.
The incoming inspector at BIG, following BIG’s own documented procedures, rejected all the parts. The raw material BIG had supplied to Naïve had not been tested and was not to specification, and BIG had a set of special gauges for inspecting the parts that had never been provided to Naïve. The entire lot was determined to be scrap.
BIG refused to pay Naïve for the order. The situation rapidly deteriorated and lawyers were retained. An expert report was written on behalf of Naïve. The requirements of ISO 9001:2008 clause 4.1 were cited, along with an expert opinion that BIG had not followed its own supplier approval requirements. BIG was found to have circumvented its own documented procedures for outsourcing within its ISO 9001:2008 QMS.
The lesson from this case for outsourcing is that the organization must virtually duplicate their QMS requirements, operational procedures, inspection and testing procedures, and go/no go criteria at the supplier’s facility. They must ensure that the subcontractor has the same competencies as those who perform those processes in house.
The other critical lesson is that BIG’s QMS was even more seriously out of control: it allowed a purchasing agent to circumvent the company’s own supplier approval procedures, which is a major nonconformity.
Clause 8.4 in ISO 9001:2015 is critical to the success of your QMS and your company. As you implement and audit its requirements, pay particular attention to how you structure the approval and monitoring of the various types of suppliers that you use. When buying off-the-shelf parts, the responsibility is on your organization to ensure that they are fit for use and that the suppliers continue to deliver conforming commodities. When outsourcing processes or services, your supplier must mirror the process controls that you have in-house. You have the obligation to ensure that their operators are competent and that their processes continue to produce acceptable products or services.
If your organization does contract services for other companies, it is your obligation to ensure that your QMS meets all of the requirements of the organization you are providing services to. As you fulfill the requirements of 8.2 (Requirements for Products and Services), it is your duty to ensure that all controls are in place before accepting an order for contract services.
The bottom line is this: if there is controversy over the product or service, the company that outsources services cannot abdicate their responsibility for conformance to a subcontractor.
Learn more about ISO 9001 implementation in this free ISO 9001:2015 Implementation diagram.