May 19, 2010

Can there be Quality in an ICT World - ICT Illawarra answers that question

Great night at ICT Illawarra tonight featuring Ted Smillie, MD Montrose Computer Services.

My notes from Ted's presentation - apologies for their rough state

- ISO 9001, 20000, 27001 – experience with AS 3563 in the 1980s (defunct; was extremely good – was a guidance document – now surpassed by other guidance documents)

- ISO 90003:2004 – guidance standard

- Integrated Management Systems – others aligned with ISO 14001, AS 4801 (US 18001)

- Emergence of ICT integrated management systems aligning with ISO 20000 (aka ITIL) & 27001

- Process Models – elements – overlap with ICT – Turtle Diagram, PDCA model

- Information Security Management System: ISO 27001

- ISO 9001 – why comply: needed to get contracts – efficiency, quality, customer satisfaction, reduced rework – costs – consistent approaches across all business units – comply with internationally accepted practice (good housekeeping – not necessarily best practice vs capability maturity model – ISO only gets you to stage 2-3)

  - QMS – framework: policies, processes, methods, controls, documentation, records – CAPA (Help Desk)

  - Management responsibility – commitment, resources, training, awareness, competence, management review (management review differs between ISO 27001 and ISO 9001)

    - Resource Management – says it is HR focused – also tools, esp. EBMS, EDRMS – also workplace – aligns to a degree with OHS system

    - Management System Improvement – continual improvement – CAPA

    - Customer feedback

  - Product Realization – software development / engineering lifecycle – project management – success rates are low

  - Measurement, Analysis, Improvement

- Australia has been at the forefront of standards making – made some good standards – does he know what happened to Standards Australia and its new business model?

RISK – where does it fit – why doesn't ISO 9001 mention risk? – APRA PPG 234 Operational – Security – IT Security – IT risks – Technology Risk Management

- Believes that standards should be free and has contributed to standards development

- Consultants make a meal of getting certified to these documents

- Early 1990s Bob Hawke had a TQM epiphany – oversold – but the benefit: risk mitigation strategy by taking on certified suppliers

ISO/IEC 20000 elements – how can I use this to cross over to ISO 9001 QMS requirements – integrated focus – get the diagram of the Service Delivery Process

Document & Records Control and Internal Audit – not done as well as in a QMS

ISO 27001 – mostly aligned with ISO 9001, then refer to Annex A controls – detailed, daunting – 133 controls:

- Security policy – information security organisation – asset management – HR security – physical & environmental security – communications / operations management – access control – information systems acquisition, development & maintenance / information security incident management – business continuity management (often outsourced) / compliance (legal, legislative, standards)

Risk Assessment & Treatment – try to focus on the top 8 to 10 risks that matter first – remember folks are already fully loaded and not given the time, resources or recognition to do this – believes certification needs to be done as a project plan

  - but what happens afterwards?

- Describe

- Asset Category

- Level

- Threat – information availability, confidentiality, integrity

- Impacts

- Likelihood

- Consequence

- Risk Level

- Controls – effectiveness

- Reason for selection – legal requirements, contractual obligations, business requirements

- Owners – CEO, HR Managers, Quality Manager, IT Manager
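A worked example of the risk register just listed, added here and not part of Ted's talk: each field above becomes an attribute, the risk level is derived from an assumed 5x5 likelihood x consequence matrix, control effectiveness discounts it to a residual score, and the register is ranked so the top 8 to 10 risks can be treated first. The scales, thresholds and sample entries are my assumptions, not the speaker's.

```python
from dataclasses import dataclass

# Assumed 5-point scales; the talk lists the register fields but not a scoring scheme.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    describe: str
    asset_category: str           # e.g. information, software, physical, people
    level: str                    # asset classification level
    threat: str                   # availability / confidentiality / integrity
    impacts: str
    likelihood: str               # key of LIKELIHOOD
    consequence: str              # key of CONSEQUENCE
    control_effectiveness: float  # assumed 0.0 (no control) .. 1.0 (fully effective)
    reason_for_selection: str     # legal / contractual / business requirement
    owner: str                    # e.g. CEO, HR Manager, Quality Manager, IT Manager

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_score(self) -> float:
        # Assumption: effective controls reduce the inherent score proportionally.
        return round(self.inherent_score() * (1 - self.control_effectiveness), 1)

    def risk_level(self) -> str:
        s = self.residual_score()  # assumed thresholds on the 1..25 matrix
        return "high" if s >= 15 else "medium" if s >= 8 else "low"

def top_risks(register, n=10):
    """Rank by residual score so treatment starts with the risks that matter most."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)[:n]

# Constructed sample register (not from the talk).
SAMPLE_REGISTER = [
    Risk("Backup tapes held on site only", "information", "internal", "availability",
         "loss of all records after a fire", "possible", "severe", 0.0, "business", "IT Manager"),
    Risk("Internet-facing server not patched", "software", "internal", "integrity",
         "defacement, data tampering", "likely", "major", 0.25, "contractual", "IT Manager"),
    Risk("Shared admin password on help desk tool", "software", "confidential", "confidentiality",
         "unaccountable access to client data", "almost certain", "moderate", 0.5, "legal", "Quality Manager"),
]

if __name__ == "__main__":
    for r in top_risks(SAMPLE_REGISTER, n=10):
        print(f"{r.risk_level():6} {r.residual_score():5} {r.describe} (owner: {r.owner})")
```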

Gap Analysis review – identify what's right

Project Stages

- Stage 1 – Strategy & Plan – manual procedures

- Stage 2 – complete QMS/ISMS implementation – pre-assessment audit

- Stage 3 – address pre-assessment findings – certification audit

You are going to keep getting re-audited – mostly nice guys, not gestapo

Recommends early contact with 3 potential certification bodies – looking at chemistry – does the auditor understand your business – you are going

http://www.praxiom.com/ISO-90003.htm

http://www.iso27001security.com/27001.html

Montrose covers Malaysia

Quality Enterprise Software Performance

Doing webinars ?

His Consulting Costs - $20-30K – certification body - $15-20k (small clients down to $10k) – could take a year – best has been done in only 6 months

Combine the processes – risk of systems implemented in silos

CMDB in ISO 20000 –

Cloud Computing - ?? – people don’t trust it

Move away from waterfall model – rigid to less rigid model – AGILE methodology for maintenance mostly

Prof Michael Hough – govt imposing requirements – what about not for profit sectors – best practice – mindset – we can’t afford it – MySchool & MyUniversity – opening up

Increased focus on control of outsourced processes & verification – testing tools – of software

Pink product certification approach vs process certification route eg NATA – 9136 14598  conformity assessment morphed ISO 25000 series of standards

How well is our existing tool set serving the business?

Posted via web from kerrieannesfridgemagnets's posterous
