Hey, folks! I regularly receive questions about the steps a company would need to take to be successful in becoming ISO 9001 certified. If you have been charged with the responsibility of getting your organization registered/certified, or would be interested to find out more about what it would entail then this will be a great opportunity to ask questions and get started on planning your own project. In this one hour webinar, I'll be walking through the implementation process from beginning to end, from project initiation to accredited certification. If you have specific questions or any topics you would like covered, let me know in the comments below. I'll be announcing dates and details soon, so get your name down now by signing up with your email and I'll be sure to keep…
GDPR and ISO 27001. Is my ISMS enough?


Law and Regulation
The new European General Data Protection Regulation (GDPR) will come into full force in May 2018. Apparently, the implications are global, meaning that any company that processes the personal data of natural persons within the EU, no matter where the company resides in the world, will fall within the scope of the GDPR. A question being asked by many ISO 27001 certified organizations is, "if we already have ISO 27001, are we covered for the GDPR?". This is a good question, and if you want the short answer, it is probably "no". For a longer answer, feel free to read on.

GDPR vs. ISO 27001

The general response I am seeing from most experts when asked this question is, "no, the GDPR is much bigger and broader than that." They go on to…

Context of the Organization: External issues

Management Systems Implementation
Next up, on the subject of business context as the foundation that a management system is built upon, is the need to determine your external issues. Clause 4 "Context of the Organization" specifies this requirement and pertains to the things outside of the organization that can affect or have an impact on our goals and objectives. In this post, I will be suggesting what things should be considered when determining your external issues and giving you some ideas on how to go about it.

What should be considered?

External issues are about things outside of the company, i.e. things that you do not have direct control over. They can be anything that is relevant to the intended outcome or purpose of your management system. Here is a list of considerations to get you…
Context of the organization: Internal issues


Management Systems Implementation
In my last post, I talked in general about the meaning and intent of the management system clause 4 requirement which covers Context of the Organization. In this post, I'll be talking about one aspect of this process which requires the organization to determine its "internal issues". So what does it mean, "internal issues"? And how might we go about doing it? The word 'issues', in my book, implies a more negative connotation to the subject at hand. But this is not necessarily the literal meaning here. Issues can be thought of as being the source of both risk and opportunity, and I prefer to think about this activity as identifying current business challenges or the current situation.

What should be considered?

Internal issues are about things inside of the…


"Context of the organization" is essentially a new requirement in management system standards, introduced based on the guidance given to standards writers in Annex SL. However, it is not really a new idea in the grand scheme of things when it comes to all things ISO MSS - management system standards, that is. To get straight to the point then: through the process of establishing and implementing any management system, an organization will have instinctively addressed many, if not all, of these requirements already, and probably without having realized it. Regardless of whether you approached this in a formal or an informal way, having a good understanding of the organization's business context is critical if your time and efforts are to bear fruit. For those who are transitioning from an older…
Annex SL explained: in brief


The biggest change to come to ISO management system standards (MSS) in recent years is the so-called "Annex SL". Annex SL is a high-level structure (HLS) described in ISO/IEC Directives, Part 1, which provides direction to standards writers by setting out guidelines which include a generic structure for requirements as well as common terms and text. About time, I say!

Before Annex SL

Comparing other management system standards of the past (e.g. ISO/IEC 27001:2005 and ISO 9001:2008) you can see that the underlying concepts and approach are basically the same. They all address requirements such as scoping, policy, roles and responsibilities, competency, operations, internal audit, management review, corrective action, and others. However, they have historically each told us the same thing in different ways. For example, in ISO 9001:2008 the requirement for…
Improvement planning and objective evidence


Management Systems Auditing
During an internal audit of a client's business continuity management system, an auditee in the company's communications department who was responsible for internal communications offered up, when prompted, an improvement opportunity that he said he had identified a month or so earlier regarding the early warning procedure that they were currently following. Naturally, as an auditor, I wanted to see objective evidence of this improvement. At the time I was auditing, the procedure for notifying staff of an impending, potentially disruptive incident (an approaching sand storm, for example) involved sending out a high priority, red colour-coded alert message. These messages were being sent by email and SMS to all staff in the company, at all levels, and to all locations and offices across the entire country in which they operated…

The importance of context when writing a policy

Management Systems Implementation
For a while now, I've been intending to create and post a couple of example documents for downloading. Y'know, the usual stuff, such as policies and common management system processes. Sitting here tonight, with nothing better to do, I figured I would get to work on an example/template for an ISMS Policy. Sounds easy enough. I have no problem banging them out when I'm busy at work helping organizations to prepare theirs. But I've been sitting here for hours now and have little to show for it. I'm phrasing it this way, then phrasing it another way, then changing my mind and looking at it from a completely different angle altogether. Which statement should I put in and which should I leave out? Who am I speaking to? What's the purpose…


How much does it cost to establish and implement a management system and to get your organization certified by an accredited certification body? The simple answer is that it can cost you anywhere from nearly nothing to lots and lots. In this post, I will try to explain the options that you have so you can choose an approach that will best suit your project's budget. Bear in mind, when planning the project budget, that there will be some known costs that are reasonably predictable upfront (e.g. certification body, templates, training, consultant) and then there will be some additional costs that will likely come up as you move through each stage of the project (e.g. risk treatment and corrective actions). I will be focusing mostly on the more knowable factors here,…


PDCA, or Plan-Do-Check-Act, is also known as the Deming cycle or PDSA (S = study). It is probably the simplest and most logical of ideas and fundamental to all things ISO, in my opinion. The PDCA cycle is an iterative, 4-step approach that emphasizes the continual improvement of processes through effective change management. ISO standards often refer to the PDCA cycle, but the cycle itself is not mandated. Any method that leads to continual improvement can be used, but the PDCA cycle is probably the most commonly thought of. At a high level, management system standards such as ISO 9001, ISO 22301, and ISO/IEC 27001 outline requirements that mirror this approach. You can see this reflection initially where standards require an organization to: establish, implement, operate, monitor, review, and continually improve the management system.…