Great night at ICT Illawarra tonight featuring Ted Smillie, MD of Montrose Computer Services.
My notes from Ted's presentation - apologies for their rough state
- ISO 9001 – 20000 – 27001 – experience with AS 3563 in the 1980's (defunct, but it was extremely good – was a guidance document – now surpassed by other guidance documents)
- ISO 90003:2004 – guidance standard
- Integrated Management Systems – others aligned with ISO 14001 – AS 4801 (US 18001)
- Emergence of ICT integrated management systems aligning with ISO 20000 (aka ITIL) & 27001
- Process Models – elements – overlap with ICT – Turtle Diagram PDCA model
- Information Security Management System : ISO 27001
- ISO 9001 – why compliance is needed: to get contracts – efficiency, quality, customer satisfaction, reduced rework – costs – consistent approaches across all business units – comply with internationally accepted practice (good housekeeping – not necessarily best practice vs capability maturity model – ISO only gets you to stage 2-3)
  - QMS – framework: policies, processes, methods, controls, documentation, records – CAPA (Help Desk)
  - Management responsibility – commitment, resources, training, awareness, competence, mgmt review (ISO 27001 Mgmt Review differs from ISO 9001)
    - Resource Management – says it is HR focused – also tools, esp. EBMS – EDRMS – also workplace – aligns to a degree with OHS system
    - Mgmt System Improvement – continual improvement – CAPA
    - Customer feedback
  - Product Realization – software development / engineering lifecycle – project management – success rates are low
  - Measurement, Analysis, Improvement
- Australia has been at the forefront of standards making – made some good standards – does he know what happened to Standards Australia and its new business model?
RISK – where does it fit – why doesn't ISO 9001 mention risk? – APRA PPG 234 Operational – Security – IT Security – IT risks – Technology Risk Management
- Believes that standards should be free and has contributed to standards development
- Consultants make a meal of getting certified to these documents
- Early 1990's Bob Hawke had TQM epiphany – oversold – but benefit: risk mitigation strategy by taking on certified suppliers
ISO/IEC 20000 elements – how can I use this to cross over to ISO 9001 QMS requirements – integrated focus – get the diagram of the Service Delivery Process
Document & Records Control and Internal Audit – not done as well as QMS
ISO 27001 – mostly aligned with ISO 9001, then refer to Annex A Controls – detailed, daunting – 133 controls –
- Security policy – info security organisation – asset mgmt – HR security – physical & environmental security – communications / ops mgmt – access control – info systems acquisition, devt & maint / info security incident mgmt – business continuity mgmt (often outsourced) / compliance (legal, legislative, standards)
Risk Assessment & Treatment – try to focus on the top 8 to 10 risks that matter first
– remember folks are already fully loaded & not given time, resources or recognition to do this – believes certification needs to be done as a project plan
  - but what happens afterwards?
- Describe
- Asset Category
- Level
- Threat – info availability confidentiality integrity
- Impacts
- Likelihood
- Consequence
- Risk Level
- Controls – effectiveness
- Reason for selection – legal requirements contractual obligations – business requirements
- Owners – CEO, HR Managers, Quality Manager, IT Manager
Gap Analysis review – identify what's right
Project Stages
  - Stage 1 – Strategy & Plan – manual procedures
  - Stage 2 – complete QMS / ISMS implementation – pre-assessment audit
  - Stage 3 – Address pre-assessment findings – certification audit
You are going to keep getting re-audited – mostly nice guys, not gestapo
Recommends early contact with 3 potential Certification Bodies – looking at chemistry – does the auditor understand your business – you are going
http://www.praxiom.com/ISO-90003.htm
http://www.iso27001security.com/27001.html
Montrose covers Malaysia
Quality Enterprise Software Performance
Doing webinars ?
His consulting costs – $20-30K – certification body – $15-20K (small clients down to $10K) – could take a year – best has been done in only 6 months
Combine the processes – risk of systems implemented in silos
CMDB in ISO 20000 –
Cloud Computing – ?? – people don't trust it
Move away from waterfall model – from rigid to less rigid model – AGILE methodology, for maintenance mostly
Prof Michael Hough – govt imposing requirements – what about not-for-profit sectors – best practice – mindset – we can't afford it – MySchool & MyUniversity – opening up
Increased focus on control of outsourced processes & verification – testing tools – of software
Pink product certification approach vs process certification route, e.g. NATA – 9136, 14598 conformity assessment morphed into the ISO 25000 series of standards
How well is our existing tool set serving the business?