Most government and defense contracts require technology service providers to hold some type of ISO certificate and CMMI maturity level 3. These requirements sound very simple; however, implementation is quite complex. There are three ISO standards and two different versions of the CMMI model that apply to technology companies. This has become a challenge for small and medium-sized companies.
The three ISO standards required in government contracts are: ISO 9001 (an all-purpose quality management system), ISO 20000 (IT service management) and ISO 27001 (information security management). The two CMMI variants are CMMI (DEV) designed for software and systems development and CMMI (SVC) designed for services.
The solution to this model quagmire depends on two factors. (1) Select the CMMI model and ISO standard that are relevant to your business. If your organization is not delivering IT services, you should not try to implement ISO 20000 and CMMI (SVC). Similarly, if you are not developing systems or software, you should not try to implement CMMI (DEV). Having more certificates does not give you an edge over your competitors unless those certificates are relevant to your business. (2) Never try to maintain ISO and CMMI as two separate systems. This would create an unnecessary overload for your organization.
Let’s talk about the basic concept of integration. ISO 9001 is an excellent standard that creates the foundation of your organization’s Quality Management System (QMS), i.e. organizational policies, management commitment, management reviews, roles and responsibilities, documentation structure and main procedures. The CMMI generic goals will be satisfied by the same policies, senior management commitment and management reviews. Of course CMMI requires additional procedures, but those procedures will fit into the documentation structure created by the QMS. I recommend that you plan carefully when defining the documentation structure and process architecture if you plan to implement multiple models and standards. There are no conflicting requirements between ISO 9001 and CMMI (DEV and SVC).
I’d like to discuss more specific elements of integration in my next post. Please keep reading.
Recently, I was auditing an organization for an ISO 20000-1 registration. I was surprised to see that every individual was ITIL foundation certified. Around 40% of the staff was ITIL masters certified. I could not resist asking the CIO, “When you have already invested so much on ITIL, why do you need the ISO 20000 registration?” His response was simple –“ISO certification set a goal and we all worked towards that.”
From my experience of working in the IT service industry, I can tell you with confidence that 90% of large and medium-sized IT organizations have been implementing ITIL for the last 5+ years. How many successful ITIL implementations have we seen? I personally have not seen many. Please don’t get me wrong, I am not suggesting that ITIL is a bad choice for IT service improvement. On the contrary, I believe ITIL is the only comprehensive body of knowledge for ITSM. So, then why are we not seeing many success stories? What is the definition of success? Process owners feel completion of process deployment is a success, CIOs/CTOs expect return on investment (ROI), end users expect improved services. So, it is very difficult to get all these stakeholders to agree on a common goal for ITSM. If you can understand this, you will appreciate my CIO’s statement above.
This is human nature – we work better if we see an achievable goal with a well-defined roadmap. ISO 20000-1 provides you with a crisp roadmap for implementing IT service best practices. Where do you find the best practices? In the ITIL books. Why is certification important? That is your achievable goal, which nobody can dispute. The best part of ISO certification is continuous surveillance and recertification after three years. This is like sitting on the back of a tiger, where getting down is not an option. This external driver keeps your continuous service improvement going. Obviously there is a cost associated with ISO 20000 certification. If you compare this cost with the cost of ITSM tools, ITIL training and certifications, it is peanuts.
If you would like to write a success story about your ITIL implementation, use ISO 20000 as your road map and ISO certification as your goal.
Anyone who is keeping up with the political primaries is well aware of actions taken by politicians along the campaign trail. Every misstep is documented, scrutinized and goes viral rapidly. The same can be said about food safety missteps at the manufacturing level. Now that we have the technology to test for outbreaks rapidly and medical experts have the knowledge to identify common food-borne illnesses, it seems like we are hearing about people getting sick much more often than in previous times. Case in point: the Jensen Farms facility that has been accused of improperly processing cantaloupe, causing the death of 30 people and illness in approximately 150.
Food-borne illness is a very serious issue that affects an untold number of people each year, and it still remains poorly understood. More than half of the known outbreaks are caused by unknown sources. The reality is that our media focuses on topics such as the Listeria outbreak when there were more than five million cases of Norovirus and more than one million Salmonella cases that received significantly less attention.
Even the best-implemented HACCP plan at a manufacturer comes to an end once the product has been shipped out the door. This does not mean that food safety ends at the manufacturing site; it is just as important for basic GMPs to be followed at home, such as hand washing and avoiding cross-contamination between raw and cooked products.
By: Jill Carson, Lead Auditor
The Capability Maturity Model® Integration for Services (CMMI-SVC) is a collection of best practices for service providers. It provides a five-level maturity framework for process improvement. Service provider organizations follow this model as a road map for process improvement. This model is part of the CMMI product suite developed by the Software Engineering Institute (SEI). SEI has also provided a standard method for process appraisal known as SCAMPI (Standard CMMI Appraisal Method for Process Improvement).
ISO/IEC 20000-1 is an international standard for Information Technology Service Management. This standard provides specifications for a Service Management System. IT Service providers may adopt this standard for improving IT service management and obtain certification under the ISO certification scheme.
Given these two options, organizations may be wondering how they can benefit from the positive attributes of both. Subrata Guha, Director of IT Services at UL DQS, has developed a new white paper that outlines the similarities, differences and benefits of these two documents, as well as how organizations may choose to implement an integrated approach.
“We need ISO 20000 and ISO 27001, which one should we get first?” - I hear this question very often these days. This is a very intriguing question. In my opinion, these two standards are closely linked and should be implemented as a single management system. The new release of ISO 20000-1 has made this process easier than ever before.
To begin with, let’s look at the common management system requirements of ISO 27001 and ISO 20000-1:
- Management responsibility
- Document management
- Resource management
- Management reviews
- Internal audit
- Continuous improvement
Once an organization addresses the requirements listed above, they will have laid the foundation for ISO 20000-1 and ISO 27001. Now, let’s look at section 6.6 (Information Security Management) of ISO 20000-1. The key elements of this section are:
- Information security policy
- Risk management
- Information security controls
- Security incident management
Requirements for security policy and incident management have been defined in ISO 20000-1; however, no details are provided on risk management and security controls. Let’s discuss the critical elements of risk assessment:
- Methodology for risk assessment
- Risk analysis
- Evaluation of risks
- Risk treatment options
- Calculation of residual risks
Section 4.2.1 of ISO 27001 provides these details. Where will you find the security controls? You can define your own controls or refer to a security standard. The best available source that I have found is Annex A of ISO 27001. With a list of 133 security controls, there is no need to reinvent the wheel. Organizations can easily identify the controls applicable to their business and integrate them with their service management system.
Now you see why I think these two standards should be implemented together. Having said so, I’d like to clarify one point. It is not a prerequisite to implement these two standards together. I have worked with many organizations that have successfully implemented ISO 20000-1 without referring to ISO 27001. However, I recommend the integrated approach, which will establish an effective IT Service Management system with the robust backbone of an Information Security Management system.
In recent decades food manufacturers have started taking a more active interest in their packaging suppliers, for example through supplier audits and by including them in traceability studies. Food manufacturers quickly realized that packaging suppliers were just as important as food ingredient suppliers and therefore deserved the same attention. As a result, packaging suppliers began implementing Good Manufacturing Practices (GMPs) as well as Hazard Analysis and Critical Control Point (HACCP) plans.
Food packaging is responsible for protecting food products from outside influence and damage, for containing the food, and for providing consumers with ingredient and nutritional information. Traceability, convenience, and tamper indication are secondary functions of increasing importance. The goal of food packaging is to contain food in a cost-effective way that satisfies industry requirements and consumer desires, maintains food safety, and minimizes environmental impact.
With such an important function, food packaging should be required to meet the applicable GMP standards required of other food chain suppliers. UL DQS offers a certification audit according to the BRC/IoP standard specific to food packaging suppliers. Companies that have already achieved ISO 9001 certification may already meet many of the requirements of the BRC/IoP standard. This standard has a comprehensive scope that covers areas of quality, sanitation and safety applicable to both low-risk and high-risk food contact and non-food contact packaging.
You might be asking, "How does it help an ISO 9001 certified organization adopt ISO 20000-1?"
Let’s look at the structure of ISO 9001:2008. Management system requirements in ISO 9001 are defined in 5 sections:
- Section 4 – Quality management system
- Section 5 – Management responsibility
- Section 6 – Resource management
- Section 7 – Product realization
- Section 8 – Measurement, analysis and improvement
Only section 7 provides requirements for service design and delivery. The remaining sections provide requirements for the management system framework. Now let’s look at the structure of ISO 20000-1:2011. Section 4 (Service management system general requirements) is essentially a concise version of sections 4, 5, 6 and 8 of ISO 9001:2008. So, an ISO 9001 certified organization should have a robust foundation established for their service management system.
Now, an organization could simply revisit the implementation of the section 7 (ISO 9001) requirements with the help of ISO 20000-1. This is essentially an elaboration of “Product realization” using IT service specific processes. So, just replace section 7 of ISO 9001 with sections 5, 6, 7, 8 and 9 of ISO 20000-1, and your Quality Management System (QMS) will become a Service Management System (SMS). It makes good business sense to align these two standards.
The industry’s reaction to the Jensen Farm cantaloupe issue seems reminiscent of a scene from the Keystone Cops. It is an example of our ability to “capture the cow” and indiscriminately blame someone instead of focusing on how to “keep the barn door shut”.
The FDA stated a need for the cantaloupe industry to align its practices with its "Guide to Minimize Microbial Food Safety Hazards for Fresh Fruits and Vegetables" and the corresponding guide for "Fresh-cut Fruits and Vegetables." The Western Growers and United Fresh Produce Association reviewed existing research on cantaloupe safety to determine the most effective measures for preventing contamination. These possible solutions, in my opinion, do not address one of the core issues.
No mention is made of the immediate need to develop an on-site training plan for growers in applying systems that can minimize the risk of these dramatic occurrences, no matter the size of the operation. They need help. These growers, whether they have two or two hundred employees, should be looked at as manufacturers of food supplying a global marketplace. This requires disciplined adherence to global good agricultural practices and food safety standards. This is how members of the supply chain can work to "keep the barn door shut" with a plan that prevents the "cow" from escaping in the first place!
Submitted by Michael Pearsall, Director of Food Safety Services, UL DQS Inc.

ISO released a new version of ISO IEC 20000-1 in June 2011. I have never been so happy to see a new release of an ISO standard. This version has solved some major issues of the 2005 version of the standard. Let me highlight the improvements in the new standard which I am so excited about.
Improvement #1 Redefinition of section 5: How many times have you stumbled on the question, "Why do we need this section: 'Planning and implementing new or changed services'?" Regardless of whether a service is new or has been changed, its implementation has to follow Change Management and then Release Management. This question is quite logical. The actual intent of section 5 was to define service design and transition. The 2011 version has redefined section 5 as “Service Design and Transition.”
Improvement #2 Alignment with ISO 9001: There are only 3 clauses for management system requirements in the 2005 version. Honestly, you can’t establish a management system by fulfilling only those three requirements. Perhaps it was assumed that organizations would follow ISO 9001 anyway. Actually, IT service organizations should not require ISO 9001 when ISO 20000 is available. The new release of ISO 20000-1 has added more comprehensive requirements from ISO 9001. If you are a start-up, ISO 20000-1 is adequate for a management system. If you already have ISO 9001, just add on the service-related requirements from ISO 20000-1.
Improvement #3 Alignment with ISO 27001: The information security related requirements of the 2005 version were so inadequate that it was almost imperative to refer to ISO 27001 to understand what was required for information security. If you are looking for a minimum requirement, ISO 27001 will easily overwhelm you. The new version of ISO 20000-1 has adopted a synopsis of ISO 27001. It is adequate to establish a rudimentary information security system, which can be easily migrated to a full-blown ISMS following ISO 27001.
Improvement #4 Application in complex sourcing scenarios: In the era of outsourcing, very rarely do you have a straightforward sourcing deal where one service provider delivers end-to-end IT services, supported by a few suppliers. Sourcing scenarios are often far more complicated than envisioned in the 2005 version. What if a client is managing part of the process, or a shared services organization is involved in the service delivery? There was no clear guidance. The new version added a section on “Governance of processes operated by other parties.”
With these improvements, the new standard is better aligned to the real world.
Written by:
Subrata Guha, Director of IT Services, UL DQS Inc.


The Listeria outbreak at Jensen Farms in Colorado is being called by the CDC the worst outbreak in a decade. These incidents revolving around contaminated cantaloupe are an unfortunate indication that farms should be considered production sites, much like a facility that processes foods. Growing a fruit or vegetable is, after all, a process. Enforced rules and regulations must be in place to protect consumers from injury. Now, I realize that I am stating the obvious, so what is the solution? I will only offer the first step.
We in the United States must come to realize that we participate not only in an intrastate market but in a global one as well. Our food products are sold all over the world, and it is time that we Americans are more open to global models surrounding food safety and their application to our farms and processing plants, no matter how small.
If you don’t want to consider it from a safety standpoint, look at it from an economic one. Our supply of food outside of our borders is the best negotiating tool that we have as a country. We don’t want to make it undesirable and lose that advantage.
Michael Pearsall, Director of Food Safety, UL DQS Inc.