ISO
ISO certification certifies that a management system, manufacturing process, service, or documentation procedure has all the requirements for standardization and quality assurance.
ISO (International Organization for Standardization) is an independent, non-governmental, international organization that develops standards to ensure the quality, safety, and efficiency of products, services, and systems.
ISO certifications exist in many areas of industry, from energy management and social responsibility to medical devices.
ISO standards are in place to ensure consistency. Each certification has separate standards and criteria and is classified numerically. For instance, the ISO certification we currently hold at Mead Metals is ISO 9001:2015.
ISO 9001:2015 Standard
ISO 9000 is a family of standards for quality management systems. ISO 9000 is maintained by ISO, the International Organization for Standardization, and is administered by accreditation and certification bodies.
Some of the requirements in ISO 9001 (which is one of the standards in the ISO 9000 family) include:
- A set of procedures which cover all key processes in the business;
- Monitoring processes to ensure they are effective;
- Keeping adequate records;
- Checking output for defects, with appropriate corrective action where necessary;
- Regularly reviewing individual processes and the quality system itself for effectiveness, and facilitating continual improvement.
A company or organization which has been independently audited and certified to be in conformance with ISO 9001 may publicly state that it is “ISO 9001 certified” or “ISO 9001 registered.” Certification to an ISO 9000 standard does not guarantee the compliance (and therefore the quality) of end products and services; rather, it certifies that consistent business processes are being applied.
Although the standards originated in manufacturing, they are now employed across a wide range of other types of organizations. A “product”, in ISO vocabulary, can mean a physical object, or services, or software. In fact, according to ISO in 2004, “service sectors now account by far for the highest number of ISO 9001:2000 certificates – about 31% of the total.”
ISO 9001 certification does not guarantee that the company delivers products of superior (or even decent) quality. It just certifies that the company engages internally in paperwork prescribed by the standard. Indeed, some companies enter the ISO 9001 certification as a marketing tool.
Quality Management System (QMS) certification to ISO 9001:2015 is an important opportunity: it can enable companies to acquire the label of an enterprise that cares for customer needs and improve their economic performance at the same time. A QMS gives an organization a systematic, structured, documented and effective approach to consistently maintaining product quality that meets customer requirements. We are able to use our independence to take an objective view, thus avoiding any of the internal politics that often prevail in business, whilst still being sympathetic to the values and culture of our customers.
Benefits of ISO 9001:2015
Organisations have obtained measurable benefits early in the process of deploying the standard requirements in their operations.
Some of the benefits they obtained are as follows:
- A template for the creation of a sound quality system and a foundation to develop future quality initiatives.
- Reduce Costs
- Enhance Customer Satisfaction
- Greater brand loyalty.
- An important step in the road to Total Quality Management.
- Help to identify best practice and ensure everyone in the organisation is moving in the right direction.
- A powerful management tool that complements other key management functions such as financial and strategic planning.
ISO 14000 (Environmental Management Standards) Certification
The ISO 14000 environmental management standards exist to help organizations minimize how their operations negatively affect the environment (cause adverse changes to air, water, or land) and comply with applicable laws and regulations.
ISO 14001 is the international specification for an environmental management system (EMS). It specifies requirements for establishing an environmental policy, determining environmental aspects and impacts of products/activities/services, planning environmental objectives and measurable targets, implementation and operation of programs to meet objectives and targets, checking and corrective action, and management review. ISO 14000 is similar to ISO 9000 quality management in that both pertain to the process (the comprehensive outcome of how a product is produced) rather than to the product itself. The overall idea is to establish an organized approach to systematically reduce the impact of the environmental aspects which an organization can control. Effective tools for the analysis of environmental aspects of an organization and for the generation of options for improvement are provided by the concept of Cleaner Production.
As with ISO 9000, certification is performed by third-party organizations rather than being awarded by ISO directly. The ISO 19011 audit standard applies when auditing for both 9000 and 14000 compliance at once.
Standards
The material included in this family of specifications is very broad. The major parts of ISO 14000 are:
- ISO 14001 is the standard against which organizations are assessed. ISO 14001 is generic and flexible enough to apply to any organization producing and/or manufacturing any product, or even providing a service anywhere in the world.
- ISO 14004 is a guidance document that explains the 14001 requirements in more detail. These present a structured approach to setting environmental objectives and targets and to establishing and monitoring operational controls.
These are further expanded upon by the following:
- ISO 14020 series (14020 to 14025), Environmental Labeling, covers labels and declarations.
- ISO 14030 discusses post-production environmental assessment.
- ISO 14031, Evaluation of Environmental Performance.
- ISO 14040 series (14040 to 14044), Life Cycle Assessment, LCA, discusses pre-production planning and environment goal setting.
- ISO 14050, Terms and definitions.
- ISO 14062 discusses making improvements to environmental impact goals.
- ISO 14063 is an addendum to 14020, discussing further communications on environmental impact.
- ISO 14064-1:2006 is Greenhouse gases – Part 1: Specification with guidance at the organization level for the description, quantification and reporting of greenhouse gas emissions and removals.
- ISO 14064-2:2006 is Greenhouse gases – Part 2: Specification with guidance at the project level for the description, quantification, monitoring and reporting of greenhouse gas emission reductions and removal enhancements.
- ISO 14064-3:2006 is Greenhouse gases – Part 3: Specification with guidance for the validation and verification of greenhouse gas assertion.
- ISO 19011 specifies one audit protocol for both the 14000 and 9000 series standards together. It replaces ISO 14011, the meta-evaluation standard (how to tell whether your intended regulatory tools worked); ISO 19011 is now the only recommended way to determine this.
ISO 22000 specifies requirements for a food safety management system where an organisation in the food chain needs to demonstrate its ability to control food safety hazards in order to ensure that food is safe at the time of human consumption. It is applicable to all organisations, regardless of size, which are involved in any aspect of the food chain and want to implement systems that consistently provide safe products. The means of meeting any requirements of ISO 22000 can be accomplished through the use of internal and/or external resources.
ISO 22000 specifies requirements to enable an organisation to:
- Plan, implement, operate, maintain and update a food safety management system aimed at providing products that, according to their intended use, are safe for the consumer
- Demonstrate compliance with applicable statutory and regulatory food safety requirements
- Evaluate and assess customer requirements and demonstrate conformity with those mutually agreed customer requirements that relate to food safety, in order to enhance customer satisfaction
- Effectively communicate food safety issues to their suppliers, customers and relevant interested parties in the food chain
- Ensure that the organisation conforms to its stated food safety policy
- Demonstrate such conformity to relevant interested parties
- Seek certification or registration of its food safety management system by an external organization, or make a self-assessment or self-declaration of conformity to ISO 22000
The ISO 22000 International Standard specifies the requirements for a food safety management system that involves the following elements:
- Interactive communication
- System management
- Prerequisite programs
- HACCP principles
Critical reviews of the above elements have been conducted by many scientists. Communication along the food chain is essential to ensure that all relevant food safety hazards are identified and adequately controlled at each step within the food chain. This implies communication between organizations both upstream and downstream in the food chain. Communication with customers and suppliers about identified hazards and control measures will assist in clarifying customer and supplier requirements.
ISO/IEC 27001:2013 Information Security Management Systems
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information risks.
The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts – an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government). This is clearly a very wide brief.
Structure of the Standard
ISO/IEC 27001:2013 has the following sections:
- 1 Introduction – the standard describes a process for systematically managing information risks.
- 2 Scope – it specifies generic ISMS requirements suitable for organizations of any type, size or nature.
- 3 Normative References – only ISO/IEC 27000 is considered absolutely essential to users of ’27001: the remaining ISO27k standards are optional.
- 4 Context of the Organization – understanding the organizational context, the needs and expectations of ‘interested parties’ and defining the scope of the ISMS. Section 4.4 states very plainly that “The organization shall establish, implement, maintain and continually improve” the ISMS.
- 5 Leadership – top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.
- 6 Planning – outlines the process to identify, analyze and plan to treat information risks, and clarify the objectives of information security.
- 7 Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
- 8 Operation – a bit more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
- 9 Performance Evaluation – monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
- 10 Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS.
ISMS scope and Statement of Applicability (SoA)
Whereas the standard is intended to drive the implementation of an enterprise-wide ISMS, ensuring that all parts of the organization benefit by addressing their information risks in an appropriate and systematically-managed manner, organizations can scope their ISMS as broadly or as narrowly as they wish – indeed scoping is a crucial decision for senior management (clause 4.3). A documented ISMS scope is one of the mandatory requirements for certification.
Although the “Statement of Applicability” (SoA) is not explicitly defined, it is a mandatory requirement of section 6.1.3. The SoA refers to the output from the information risk assessments and, in particular, the decisions around treating those risks. The SoA may, for instance, take the form of a matrix identifying various types of information risks on one axis and risk treatment options on the other, showing in the body of the matrix how each risk is to be treated and perhaps who is accountable for it. It usually references the relevant controls from ISO/IEC 27002, but the organization may use a completely different framework such as NIST SP800-53, the ISF standard, BMIS and/or COBIT, or a custom approach. The information security control objectives and controls from ISO/IEC 27002 are provided as a checklist at Annex A in order to avoid ‘overlooking necessary controls’: they are not required.
The ISMS scope and SoA are crucial if a third party intends to attach any reliance to an organization’s ISO/IEC 27001 compliance certificate. If an organization’s ISO/IEC 27001 scope only includes “Acme Ltd. Department X”, for example, the associated certificate says absolutely nothing about the state of information security in “Acme Ltd. Department Y” or indeed “Acme Ltd.” as a whole. Similarly, if for some reason management decides to accept malware risks without implementing conventional antivirus controls, the certification auditors may well challenge such a bold assertion but, provided the associated analyses and decisions were sound, that alone would not be justification to refuse to certify the organization since antivirus controls are not in fact mandatory.
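The two points above (the SoA as a risk-by-treatment matrix with an accountable owner, and the certificate saying nothing about units outside the documented scope) are easy to mis-handle in practice, so here is a small worked illustration. It is an added example written for this page, not code from the page, from ISO or from any certification body; the treatment option set, the unit names, the risk records and the control references are all constructed placeholders, and the checks it applies are ones an internal reviewer might run before an audit rather than anything the standard prescribes.

```python
"""SoA matrix and ISMS scope checks. Added illustration, not code from the page.
Every risk record, unit name and control reference below is a constructed placeholder."""
from dataclasses import dataclass

# Treatment options assumed for this illustration (the page does not enumerate them).
TREATMENTS = ("mitigate", "accept", "transfer", "avoid")


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    unit: str                 # organisational unit the risk belongs to
    treatment: str            # one of TREATMENTS
    owner: str = ""           # who is accountable for the treatment decision
    controls: tuple = ()      # references to controls (placeholders here, not real clause numbers)
    rationale: str = ""       # the documented analysis behind an "accept" decision


@dataclass(frozen=True)
class Soa:
    scope_units: frozenset    # units named in the documented ISMS scope (clause 4.3)
    risks: tuple


def in_scope(soa, unit):
    """A certificate only speaks for units inside the documented scope."""
    return unit in soa.scope_units


def build_matrix(soa):
    """Risks on one axis, treatment options on the other; a cell holds the
    accountable owner where that option was chosen, otherwise ''."""
    matrix = {}
    for r in soa.risks:
        if not in_scope(soa, r.unit):
            continue  # out-of-scope risks do not belong in this ISMS's SoA
        matrix[r.risk_id] = {opt: (r.owner if r.treatment == opt else "") for opt in TREATMENTS}
    return matrix


def validate(soa):
    """Return (risk_id, finding) pairs an internal reviewer would raise before
    the certification audit. An empty list means nothing to challenge."""
    findings = []
    for r in soa.risks:
        if not in_scope(soa, r.unit):
            findings.append((r.risk_id, f"unit '{r.unit}' is outside the ISMS scope; not covered"))
            continue
        if r.treatment not in TREATMENTS:
            findings.append((r.risk_id, f"unknown treatment '{r.treatment}'"))
        if not r.owner:
            findings.append((r.risk_id, "no accountable owner recorded"))
        # Accepting a risk is allowed (the page's antivirus example) only when the analysis is documented.
        if r.treatment == "accept" and not r.rationale:
            findings.append((r.risk_id, "risk accepted without a documented rationale"))
        if r.treatment == "mitigate" and not r.controls:
            findings.append((r.risk_id, "treatment is 'mitigate' but no controls referenced"))
    return findings


# Constructed sample: an ISMS scoped to "Department X" only.
SAMPLE = Soa(
    scope_units=frozenset({"Department X"}),
    risks=(
        # The page's example: malware risk accepted without antivirus, backed by a sound analysis.
        Risk("R1", "Malware on build workstations", "Department X", "accept",
             owner="IT manager", rationale="Workstations are isolated and re-imaged nightly"),
        Risk("R2", "Laptop loss discloses customer data", "Department X", "mitigate",
             owner="", controls=("control-ref-placeholder-1",)),
        Risk("R3", "Phishing of finance staff", "Department X", "ignore", owner="CFO"),
        Risk("R4", "Fire in server room", "Department Y", "mitigate",
             owner="Facilities", controls=("control-ref-placeholder-2",)),
    ),
)

if __name__ == "__main__":
    for risk_id, row in build_matrix(SAMPLE).items():
        print(risk_id, row)
    for risk_id, finding in validate(SAMPLE):
        print(f"{risk_id}: {finding}")
    print("Department Y covered by the certificate?", in_scope(SAMPLE, "Department Y"))
```

Run as a script, the matrix lists only the three Department X risks, the findings flag the missing owner on R2, the unrecognised treatment on R3 and the out-of-scope R4, and the last line answers `False` for Department Y, which is exactly the limitation a relying party needs to read off the certificate's scope statement.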
Metrics
In effect (without actually using the term “metrics”), the 2013 edition of the standard requires the use of metrics on the performance and effectiveness of the organization’s ISMS and information security controls. Section 9, “Performance evaluation”, requires the organization to determine and implement suitable security metrics … but gives only high-level requirements.
ISO/IEC 27004 offers advice on what and how to measure in order to satisfy the requirement – an approach not dissimilar to that described in PRAGMATIC Security Metrics.
Certification
Certified compliance with ISO/IEC 27001 by an accredited and respected certification body is entirely optional but is increasingly being demanded from suppliers and business partners by organizations that are (quite rightly!) concerned about the security of their information, and about information security throughout the supply chain or network.
Certification brings a number of benefits above and beyond mere compliance, in much the same way that an ISO 9000-series certificate says more than just “We are a quality organization”. Independent assessment necessarily brings some rigor and formality to the implementation process (implying improvements to information security and all the benefits that brings through risk reduction), and invariably requires senior management approval (which is an advantage in security awareness terms, at least!).
The certificate has marketing potential and demonstrates that the organization takes information security management seriously. However, as noted above, the assurance value of the certificate is highly dependent on the ISMS scope and SoA – in other words, don’t put too much faith in an organization’s ISO/IEC 27001 compliance certificate if you are highly dependent on its information security. In just the same way that certified PCI-DSS compliance does not mean “We guarantee to secure credit card data and other personal information”, certified ISO/IEC 27001 compliance is a positive sign but not a cast-iron guarantee about an organization’s information security. It says “We have a compliant ISMS in place”, not “We are secure”. That’s an important distinction.
OHSAS 18001 Occupational Health and Safety Management
BS OHSAS 18001 is a framework for an occupational health and safety (OH&S) management system and is part of the OHSAS 18000 (sometimes incorrectly identified as ISO 18000) series of standards, along with OHSAS 18002. It can help you put in place the policies, procedures and controls needed for your organization to achieve the best possible working conditions and workplace health and safety, aligned to internationally recognized best practice.
Occupational Health & Safety Management System
An occupational health & safety management system, often called an OH&SMS, is comprised of the policies, processes, plans, practices, and records that define the rules governing how your company takes care of occupational health and safety. This system needs to be tailored to your particular company, because only your company will have the exact legal requirements and occupational health & safety hazards that match your specific business processes. However, the OHSAS 18001 requirements provide a framework and guidelines for creating your occupational health & safety management system so that you do not miss important elements needed for an OH&SMS to be successful.
Why is OHSAS 18001 Important?
Taking care of occupational health and safety and preventing injuries in the workplace are among the most important challenges facing businesses today. One of the biggest benefits of implementing an OH&SMS is the recognition that comes with being among those businesses that care for their employees’ health and safety. This can bring better relationships with customers, the public, and the community at large for your company, but it also brings other benefits.
Along with the good public image, many companies can save money through the implementation of an occupational health & safety management system. This can be achieved through reducing incidents that can result in workers’ injuries, and being able to obtain insurance at a more reasonable cost. This improvement in cost control is a benefit that cannot be overlooked when making the decision to implement an occupational health & safety management system.
Why should you implement OHSAS 18001 in your organization?
The benefits of OHSAS 18001 cannot be overstated; companies large and small have used this standard to great effect, as mentioned above. Here are just a few of these benefits:
Improve your Image and Credibility – By assuring customers that you have a commitment to demonstrable management of occupational health and safety, you can enhance your image and market share through maintaining a good public image and improved community relations.
Improve Cost Control – One improvement that all companies are looking for is reduction of costs. The OH&SMS can help with this by improving your rating with insurance companies, while reducing occupational health and safety incidents that may lead to lawsuits and deterioration of the company’s image.
Use Evidence-based Decision Making – By ensuring that you are using accurate data to make your decisions on what to improve, you can greatly increase the chances that your improvements will be successful the first time, rather than having several unsuccessful attempts. By using this data to track your progress, you can correct these improvement initiatives before they go “off the rails,” which can save costs and time.
Create a Culture of Continual Improvement – With continual improvement, you can work toward better processes and reduced occupational health and safety hazards in a systematic way in order to improve your public image and potentially reduce your costs, as identified above. When a culture of improvement is created, people are always looking for ways to make their processes better, which makes maintaining the OH&SMS easier.
Engage your People – Given a choice between working for a company that shows care and concern for occupational health and safety and one that does not, most people would prefer the first company. By engaging your employees in a group effort to reduce your occupational health and safety hazards, you can increase employee focus and retention.
What are the benefits of BS OHSAS 18001?
- Create the best possible working conditions across your organization
- Identify hazards and put in place controls to manage them
- Reduce workplace accidents and illness to cut related costs and downtime
- Engage and motivate staff with better, safer working conditions
- Demonstrate compliance to customers and suppliers
And if work-related road safety is a concern, OHSAS 18001 can be combined with ISO 39001 Road Traffic Safety to make sure you address the increasing risks presented to your employees in all work related activities.
SA 8000:2014 Social Accountability Certification
Non-Governmental Organizations (NGOs) and investment analysts scrutinize organizations to assess that minimum standards are upheld in the workplace and ensure that workers are getting a fair deal.
SA 8000:2014 Social Accountability
NGOs, investment analysts and other stakeholders, including your employees, are increasingly evaluating your organization’s commitment to ensuring a fair and equitable working environment and transparent business practices.
This climate means that your organization will be called upon more and more to demonstrate its social responsibility.
The most widely recognized global standard for managing human rights in the workplace is Social Accountability International’s SA 8000:2014. It is an auditable standard, suitable for organizations of all sizes anywhere in the world, and provides a framework for assuring all of your stakeholders that social accountability is being stewarded by your management.
Benefits of SA 8000:2014 Social Accountability
- Achieve best practice in ethical employment, trading and operations
- Engage and motivate your employees with improved morale
- Introduce greater transparency to the way you run your business
- Maintain existing business and attract new customers and investors
- Gain recognition as a socially accountable organization