ISO 9001:2015 and Risk Assessment
7/24/2019 ISO 9001 2015 and Risk Assesment
ISO 9001:2015 – How to apply Risk-based Thinking to Quality Processes (Part I)
Why taking a risk-based approach is a requirement of ISO 9001
Risk-based thinking is a sore point among many Quality professionals. Even so, identifying risk, analyzing the consequences, probability and level of risk (i.e. risk analysis) and risk evaluation using formal techniques are becoming increasingly important tasks in the global business world.

ISO 9001:2015 incorporates what the draft version of the International Standard has termed "Risk-based Thinking" in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. If you are already familiar with the IS or have read the many discussions on the subject that have appeared on LinkedIn groups and elsewhere, you will already be aware that formal risk management is not mandated. However, organizations can, in
the words of the TC 176 Committee's draft standard (May 2014) "…choose to develop a more extensive risk-based approach than is required by this International Standard, and ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts."

I am sceptical about the subject of demonstrating risk-based thinking to a certification auditor when they assess your quality management system. Of course, it's possible that you won't be subject to an intensive grilling if the Standard does not require you to produce the outputs from your risk assessment processes or evidence of a formal risk management system. […] guidance documents that, along with the ISO 9001:2015 Standard, are yet to be published. […] nobody yet knows exactly what they will be asking for – and they don't know themselves either, unless they are the ones writing the guidelines!), and (b) a useful way of identifying, evaluating and treating the kind of risks that apply to the processes used in Quality Management.
Starting point for a risk-based approach applied to quality processes

In my post ISO 9001:2015 – The likely impact (Part II), February 4, 2015, I suggested the following basic checklist of tasks:
• Analyse and prioritise the risks and opportunities in your organisation
• What is acceptable?
• What is unacceptable?
• Then plan actions to address the risks.
The ISO 9001 IS says that ISO 31000 provides guidelines on formal risk management which can be appropriate in certain organizational contexts.

This fact will be well understood by those working for large, indeed global, entities that have long since adopted risk management methodologies and have risk managers on their team who are familiar with ISO 31000.

But what is ISO 31000 attempting to achieve, and is it relevant to the majority of organizations that are trying to gain or transition to ISO 9001?

ISO 31000 describes an "overall approach to risk management, not just risk analysis or risk assessment. It deals with the links between risk management process and both strategic direction and day to day actions and treatments"1. Which on the face of it sounds an ideal recipe for risk-based thinking. Pick up the Standard and read it, and this thought is quickly dispelled, since ISO 31000 takes a generic approach that has to be developed – in considerable detail – to be useful in a given context.

Great for the strategic aims of the senior management, but not of any great value to the 'poor bloody infantry' of quality managers out there.

Perhaps the first (and most frustrating) conclusion that you will come to, having spent £120 ($180 US) on your personal copy, is that you next need to buy ISO/IEC 31010:2009 – Risk management – Risk assessment techniques. A slightly steeper £226 from BSI, or $337 US, on 24/03/15.

So your boss says, "OK, buy the one that you actually need, but don't come back to me asking for any more. We've got by without 'risk-based thinking' in the past [insert number of years or decades]; surely we will do so this time?"
There is no point in making life more complicated than it needs to be; thus:

In general terms, suitable techniques should exhibit the following characteristics:
• it should be justifiable and appropriate to the situation or organization under consideration
• it should provide results in a form which enhances understanding of the nature of the risk and how it can be treated
• it should be capable of use in a manner that is traceable, repeatable and verifiable. [Ibid]

Great!

By now, you're probably fired up with the possibility of finding a suitable risk assessment technique that fits the context of your organization and its quality management system? You can't wait to get started on the job.

(Come on … humour me!)

You turn to:

Annex A (informative)
Comparison of risk assessment techniques
1. Brainstorming
2. Structured or semi-structured interviews
3. Delphi
4. Check-lists
5. Primary hazard analysis
6. Hazard and operability studies (HAZOP)
7. Hazard analysis and critical control points (HACCP)
8. Environmental risk assessment
9. Structured "what if" (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode effect analysis
14. Fault tree analysis
15. Event tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centred maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)

Not everybody of course will have the resources and capabilities within the organization to attempt some of these – e.g., Fault tree analysis, Cause/consequence analysis, Monte-Carlo analysis, Bayesian analysis.

Quality managers working for smaller enterprises (SMEs) may only dream of conducting analysis at the level required by some techniques in the list. The sheer complexity of some types of risk assessment will render the tool useless in most organizations
employing between 1 and 250 people. However, that doesn't mean to say that ISO 31010 isn't a valuable reference should you ever be required to think about risk in these terms.

Bear with me, though, because in the next few posts, I am going to show you a method to assess risk by turning Complexity into Simplicity!

1 Project risk management guidelines: managing risk with ISO 31000 and IEC 62198. Dale F Cooper, et al. Wiley, 2014.

ISO 9001:2015 – How to apply Risk-based Thinking to Quality Processes (Part II)
ISO 31000 Risk management techniques: A selection of risk assessment tools you might like to consider
In my view, this doesn't have to be an onerous task even at the high-risk end of the context spectrum. However, to completely ignore the risks and opportunities aspect of planning your QMS [see 6.1], regardless of the degree of risk involved, would surely be to risk a major non-conformity?

ISO 9001 Risk-based thinking could (and I am not saying that it should) be demonstrated by showing the outputs from one or more of the risk assessment tools in ISO 31010 in your "documented information".

To give you a flavour of what these tools are intended to achieve and how they work, I intend to describe a selection of the 31 listed in ISO 31010.
LOOK-UP METHODS: Check-lists

A simple form of risk identification. A technique which provides a listing of typical uncertainties which need to be considered. Users refer to a previously developed list, codes or standards.

Check-lists and reviews of historical data are, naturally enough, a sensible step if you are serious about identifying the risks and opportunities in accordance with the requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the appropriate actions to address them.
SUPPORTING METHODS: Structured interview and brainstorming

A means of collecting a broad set of ideas and evaluation, ranking them by a team. Brainstorming may be stimulated by prompts or by one-on-one and one-on-many interview techniques.

So what should we plan to collect in terms of ideas and evaluation?

Let's remind ourselves first of what ISO 9001:2015 says we should do.

When planning for the quality management system, ISO 9001:2015 requires organizations to consider the issues referred to in 4.1 [Understanding the organization and its context] and the requirements referred to in 4.2 [Understanding the needs and expectations of interested parties] and determine the risks and opportunities that need to be addressed, in order to
a) give assurance that the quality management system can achieve its intended result(s);
b) prevent, or reduce, undesired effects;
c) achieve continual improvement.

We should integrate and implement the actions into the organization's quality management system processes (see clause 4.4) and evaluate their effectiveness.
Brainstorming as a technique could be particularly useful when, for example, identifying risks of new technology where there is no data or where novel solutions to problems are needed. To quote ISO 31010: "…it encourages imagination which helps identify new risks and novel solutions". However, it is not applicable to risk analysis tasks of consequence, probability or level of risk. It therefore has its limitations and, along with the 'Look-Up Methods' of Check-lists and Primary hazard analysis, and most of the 'Supporting Methods' of Structured interviews, Delphi technique, SWIFT (Structured "what if") and […], it does not provide any quantitative output – although this is not a requirement of ISO 9001.

[Note in the section 'Supporting Methods', Human reliability analysis (HRA) […]
What can we learn from ISO 31000 risk assessment processes?

ISO 31000 states that risk assessment attempts to answer the following fundamental questions:
• what can happen and why (by risk identification)?
• what are the consequences?
• what is the probability of their future occurrence?
• are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?

Providing that you adhere to this basic structure, you are following the framework that is set out in the International Standard ISO 31000:2009.
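As an added example (not from the original post), the four questions above can be answered in a small risk register scored with the consequence/probability matrix technique, item 29 of the ISO 31010 Annex A list. The 5×5 scales, the acceptability thresholds and the four sample risks are assumptions chosen for illustration; ISO 31000 leaves the scales and criteria to the organization. Controls are recorded as the "factors that mitigate the consequence or reduce the probability" of the fourth question, and each output record keeps every input that produced its verdict, so the evaluation is traceable, repeatable and verifiable.

```python
"""Consequence/probability matrix over a small quality-process risk register.

Added example, not part of the original article. Scales, thresholds and the
sample risks are assumptions; replace them with your organization's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales (assumed); higher is worse.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Acceptability criteria (assumed) on score = likelihood x consequence.
UNACCEPTABLE_FROM = 15  # must be treated before the process is relied on
TOLERABLE_FROM = 8      # treat if reasonably practicable; keep under review


@dataclass
class Control:
    """A factor that reduces probability or mitigates consequence (question 4)."""
    description: str
    likelihood_reduction: int = 0   # steps down the likelihood scale
    consequence_reduction: int = 0  # steps down the consequence scale


@dataclass
class Risk:
    ref: str
    event: str         # what can happen ...
    cause: str         # ... and why (question 1)
    likelihood: str    # probability of future occurrence (question 3)
    consequence: str   # consequences (question 2)
    controls: list[Control] = field(default_factory=list)

    def scores(self, with_controls: bool) -> tuple[int, int]:
        like = LIKELIHOOD[self.likelihood]
        cons = CONSEQUENCE[self.consequence]
        if with_controls:
            for c in self.controls:
                like -= c.likelihood_reduction
                cons -= c.consequence_reduction
        # A control can never push a risk off the bottom of the scale.
        return max(1, min(5, like)), max(1, min(5, cons))

    def inherent_score(self) -> int:
        like, cons = self.scores(with_controls=False)
        return like * cons

    def residual_score(self) -> int:
        like, cons = self.scores(with_controls=True)
        return like * cons


def evaluate(score: int) -> str:
    """Risk evaluation: compare the analysed level against the acceptability criteria."""
    if score >= UNACCEPTABLE_FROM:
        return "unacceptable"
    if score >= TOLERABLE_FROM:
        return "tolerable"
    return "acceptable"


def assess(register: list[Risk]) -> list[dict]:
    """Analyse and prioritise the register; worst residual risk first.

    Every input that produced the verdict is copied into the record, so the
    result can be reproduced and checked by an auditor.
    """
    rows = []
    for r in register:
        residual = r.residual_score()
        rows.append({
            "ref": r.ref,
            "event": r.event,
            "cause": r.cause,
            "likelihood": r.likelihood,
            "consequence": r.consequence,
            "controls": [c.description for c in r.controls],
            "inherent": r.inherent_score(),
            "residual": residual,
            "level": evaluate(residual),
            "action_required": evaluate(residual) != "acceptable",
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"], row["ref"]))
    return rows


# Constructed sample register for a supplier-evaluation process (assumed data).
SAMPLE_REGISTER = [
    Risk("R1", "Non-conforming parts reach production",
         "single-source supplier, no incoming inspection", "likely", "major",
         [Control("Incoming inspection sampling plan", likelihood_reduction=2)]),
    Risk("R2", "Calibration records lost",
         "records held only on one laptop", "possible", "moderate",
         [Control("Nightly backup of QMS records", consequence_reduction=2)]),
    Risk("R3", "Customer complaint not logged",
         "complaints e-mail goes to a leaver's mailbox", "unlikely", "minor"),
    Risk("R4", "Audit evidence cannot be produced",
         "no retention rule for documented information", "possible", "severe"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['ref']} inherent={row['inherent']:2d} residual={row['residual']:2d} "
              f"{row['level']:12s} {row['event']}")
```

Running it ranks R4 (possible × severe = 15, unacceptable) above R1, whose inherent score of 16 falls to a tolerable 8 once the inspection sampling plan is credited; R2 and R3 come out acceptable. The point to notice is that the existing control is recorded against the risk rather than silently folded into the likelihood rating, which is what makes the register auditable.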
Rather than spending several days reading the Standard and having long meetings with colleagues to see how it might be applicable, why not look for methods that would help you to meet the requirements of ISO 9001?

For me, a good start would be:

Documenting the results of any 'consideration of risks and opportunities' exercise as evidence of your management team's "risk-based thinking".

Even if it is clear from the design of your processes that you have taken account of Clause 6.1 and determined the risks and opportunities that need to be addressed, having a record of your risk assessment processes might prove useful, if only as a reminder to keep matters under review!

Then, evaluate the risk assessment tools (numbering 31 in total) in ISO 31010 to see if they are applicable to your organizational context.

It's probably not the time to use them in anger yet (see below), but at least you will know they exist and that some tools could help to identify risks and opportunities and be useful in carrying out risk analysis (if you consider consequences, probability and level of risk) and risk evaluation?
[…] developed list available of hazards, risks or control failures, either resulting from a previous risk assessment or past failures, where do you begin? This is likely to be an especially vexing question for organizations that are new to ISO 9001 quality management and have to develop appropriate documented information for their quality processes.

However, a cautionary note:

Before you despair and start writing out check-lists based on your own observations in an effort to tick the box, remember that your colleagues in other departments and business units may already be using some of the formal techniques of risk assessment and risk management process (in a 'silo-centric' way, of course), without you even knowing about this.

To quote from the Introduction to ISO 31000:2009:

"The current management practices and processes of many organizations include components of risk management, and many organizations have already adopted a formal risk management process for particular types of risk or circumstances"1.

It follows therefore that it is worth interviewing them (in a structured or unstructured way) or bringing them together for a brainstorming session – if only to find out what qualitative and quantitative risk assessments have been made that could help you to address the requirements of ISO 9001!

Whether or not, though, anyone is carrying out risk assessments, with or without the use of the tools in ISO 31010, ISO 9001:2015 expects the organization to understand its context (see clause 4.1) and determine the risks and opportunities that need to be addressed (see clause 6.1).

For example: the ISO assume that one of the key purposes of a quality management system is to act as a preventive tool, taking account of identified risks. Consequently, ISO 9001:2015 does not have a separate clause or sub-clause titled 'Preventive action'. Rather, the wording states unequivocally:

"The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements."
[…] negotiating contract conditions, or developing contingency plans – ] but even so, thinking about risks and opportunities is central to their work2.

IF it can reasonably be argued that managing risk is an integral part of good management (and I think that it can) and that risk-based thinking is fundamental to achieving good business and project outcomes and the effective procurement of goods and services, THEN identifying, analysing and evaluating risk should be processes familiar to all quality managers?

Not everyone agrees with this statement of course, but understanding the context (see clause 4.1) and determining the risks and opportunities that need to be addressed (clause 6.1) are requirements of ISO 9001:2015. Therefore, before you reject the idea of using risk assessment tools on the grounds that they are too complicated and "not part of your job", it's worth pondering this quote from the Introduction to ISO 31000:2009:

"The generic approach described in this International Standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context."4

Notes
1 ISO 31000:2009 – Principles and Guidelines on Implementation
Draft BS EN ISO 9001 Quality Management Systems – Requirements, Date 14 May 2014; February 17, 2015
What 'documented information' is required by ISO 9001:2015?

[…] defines documented information as that which is "required to be controlled and maintained by the organization".

The Notes make it clear that this documented information can be in any format and media and from any source. It can refer to the quality management system (3.33), including related processes (3.12), or it can be information (3.50) created for the organization (3.01) to operate (i.e. documentation). It can also be evidence of results achieved (records).

The source for the above references is ISO DIS 9000:2014, 3.8.1.1.1.
ISO 9001:2008 was designed to allow an organization greater flexibility in the way it chooses to document its quality management system (QMS).

Clause 4.2.1 General provided an explanation of what quality management system documentation and records were required, specifically:
a) documented statements of a quality policy and quality objectives
b) a quality manual
c) documented procedures required by this International Standard
d) documents needed by the organization to ensure the effective planning, operation and control of its processes, and
e) records required by this International Standard

In 2012, the ISO document ISO/TC 176/SC 2 N525R2, titled ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2008, answered the question 'What is a "document"?' and defined at least some of the main objectives of an organization's documentation. These were:
a) Communication of Information
b) Evidence of conformity
c) Knowledge sharing

In terms of category a), both the type and extent of documentation depended on the nature of the organization's products and processes, the degree of formality of communication systems and the level of communication skills within the organization, and the organizational culture. [Ibid, page 14]

Out with the old; in with the new: ISO 9001 terms and definitions
Which terms and definitions are going to be defined and used when ISO 9001:2015 is published?
For a start, due to the introduction of […]

[…] format (e.g. language, software version, graphics) and media (e.g. paper, electronic)
review and approval for suitability and adequacy.

Documented information should also be controlled to ensure:
a) it is available and suitable for use, where and when it is needed
b) it is adequately protected (e.g. from loss of confidentiality, improper use, or loss of integrity).
To address these requirements, the following activities are necessary:
a) distribution, access, retrieval and use
b) storage and preservation, including preservation of legibility
c) control of changes (e.g. version control)
d) retention and disposition.

You should also identify and control documented information of "external origin" which is necessary for the planning and operation of your QMS.

It is – and will continue to be – necessary to regularly review documents to make sure they are up-to-date, suitable and reflect your practices. Review processes should also check for changes in relevant standards, regulations, specifications and other external documented information.

Documented information will be used to support the operation of processes and be retained "to the extent necessary to have confidence that the processes are being carried out as planned" [4.4 Quality management system and its processes].
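One way to implement activities c) and d) above, together with the "loss of integrity" protection the previous clause asks for, is a small register of controlled documents held electronically. The following is an added example, not code from the original post or from any document management product it mentions: each approved version is fixed by a SHA-256 digest, a new release marks the previous version obsolete instead of deleting it, copies in circulation are verified against the current digest, and obsolete versions are disposed of only after an assumed retention period. Document identifiers, contents and dates are constructed.

```python
"""Controlled-document register: version control, integrity check, retention.

Added example, not part of the original article. It shows one way to meet
'control of changes', 'retention and disposition' and protection of
documented information from loss of integrity, for documents held
electronically. Identifiers, contents, dates and the retention period are
constructed assumptions; dates are ISO 8601 strings as an export would hold them.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class Version:
    number: int
    content: bytes
    digest: str               # SHA-256 of content, fixed at approval time
    approved_by: str
    approved_on: date
    status: str = "current"   # "current" or "obsolete"
    obsoleted_on: date | None = None


class DocumentRegister:
    """Master list of controlled documents and every version ever approved."""

    def __init__(self, retention_days: int) -> None:
        # How long an obsolete version is kept as a record before disposition.
        self.retention_days = retention_days
        self._docs: dict[str, list[Version]] = {}

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def release(self, doc_id: str, content: bytes, approved_by: str, approved_on_iso: str) -> Version:
        """Approve a new version. The previous current version is marked
        obsolete (not deleted) so the change history stays traceable."""
        approved_on = date.fromisoformat(approved_on_iso)
        versions = self._docs.setdefault(doc_id, [])
        for v in versions:
            if v.status == "current":
                v.status = "obsolete"
                v.obsoleted_on = approved_on
        new = Version(len(versions) + 1, content, self.digest(content), approved_by, approved_on)
        versions.append(new)
        return new

    def current(self, doc_id: str) -> Version | None:
        return next((v for v in self._docs.get(doc_id, []) if v.status == "current"), None)

    def retrieve(self, doc_id: str, number: int) -> Version | None:
        return next((v for v in self._docs.get(doc_id, []) if v.number == number), None)

    def verify(self, doc_id: str, content: bytes) -> bool:
        """Integrity check for a copy in circulation: valid only if it is
        byte-for-byte the approved current version. A stale (obsolete) copy
        and an edited copy both fail."""
        cur = self.current(doc_id)
        return cur is not None and self.digest(content) == cur.digest

    def dispose(self, as_of_iso: str) -> list[tuple[str, int]]:
        """Disposition: drop obsolete versions whose retention period has
        expired. Current versions are never disposed of."""
        as_of = date.fromisoformat(as_of_iso)
        removed: list[tuple[str, int]] = []
        for doc_id, versions in self._docs.items():
            kept = []
            for v in versions:
                expired = (v.status == "obsolete"
                           and (as_of - v.obsoleted_on).days > self.retention_days)
                if expired:
                    removed.append((doc_id, v.number))
                else:
                    kept.append(v)
            versions[:] = kept
        return removed


if __name__ == "__main__":
    reg = DocumentRegister(retention_days=365)
    reg.release("QP-07", b"Supplier evaluation procedure, issue A", "Quality Manager", "2015-01-05")
    reg.release("QP-07", b"Supplier evaluation procedure, issue B", "Quality Manager", "2015-06-01")
    print("current issue:", reg.current("QP-07").number)
    print("stale copy accepted?", reg.verify("QP-07", b"Supplier evaluation procedure, issue A"))
    print("disposed:", reg.dispose("2016-07-01"))
```

The digest is what turns "adequately protected from loss of integrity" into something checkable: anyone holding a printed or e-mailed copy can be told whether it is the approved issue, and a copy that has been edited outside the approval route fails the check even if its title and issue letter look right.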
Who is responsible for distributing documented information to where it is needed – both electronically (e.g. via intranet access, document attachments, download links, etc.) and in paper form?
Is documented information from external sources, such as relevant standards, current legislation, product specifications from your suppliers, being reviewed, updated and made available via controlled processes?

[…] hosted on your server or in the cloud is worth considering before you transition.

In our earlier post (see above) on the subject of using a DMS versus other approaches, we showed how CogniDox maps to the list in Mark Hammar's post to give you much greater control over your documented information.

Mark's useful tips will help to make your controls better suited to your organisation's needs. He lists them under the following seven categories:
1. […]
[…]. Tip 5 is supported by embedded metadata in the documents, so readers can see what they are using. We'd look to limited partner access and/or the extranet portal functionality for 6. Finally, tip 7 can be achieved by marking the document as obsolete.

Increased flexibility in terms of the documented information required by ISO 9001:2015 will not lessen the daunting challenge of controlling the large amount of data contained within your quality management system. A DMS can greatly improve the efficiency and effectiveness of your QMS.

But regardless of how you manage documented information, it will soon be time to say a heartfelt 'Hasta la vista' to your trusty Quality Manual.

Sources referenced plus recommended reading

The following sources are useful in understanding the development process that has led to the publication of the ISO 9001 Committee Draft (the 'DIS'), including the much debated topic of 'risk-based thinking'.

Firstly, the Draft International Standard (DIS) issued for public comment:

Draft BS EN ISO 9001 Quality Management Systems – Requirements. Date: 14 May 2014, which is available from the ISO Store (http://www.iso.org/iso/home/store.htm), BSI Shop (http://shop.bsigroup.com/), IT Governance Ltd (http://www.itgovernance.co.uk/?gclid=CJP-uuTuz8MCFazKtAodFhsAKg), and other distributors worldwide.

Even though the FDIS (final draft international standard) is expected soon – possibly later this month? – the ISO/DIS 9001 draft issued in May 2014 makes for interesting and necessary reading, especially Clause 0.5 'Risk-based thinking' and the schematic (Figure 2 on page 9) with the box labelled 'Plan the Process (Extent of planning depends on RISK)'.
7/24/2019 ISO 9001 2015 and Risk Assesment
21/33
For those looking for straightforward answers to the simple questions regarding the 2015 version and transition process, I recommend BSI's FAQ explanation of Risk-based Thinking; view their slideshare presentation at:
http://www.slideshare.net/timdwill/iso9001-risk-basedthinking

Related BSI material:
http://www.bsigroup.com/LocalFiles/en-CA/ISO%209001-%20FAQ%20fact%20sheet%20July%202014.pdf
http://www.bsigroup.com/LocalFiles/en-IN/Resources/ISO%209001/ISO-9001-Whitepaper-Risk-in-quality-management.pdf
http://www.bsigroup.com/LocalFiles/en-IN/Resources/ISO%209001%20Whitepaper%20-%20Understanding%20the%20changes%20July%202014.pdf
http://www.fr.com/files/Uploads/attachments/RISC/Report_Avanesov.pdf

Note slide 4 of 12: What is "risk-based thinking"?, which features a version of the statement found in the DIS, Clause 0.5, "Risk-based thinking", i.e. "the concept
7/24/2019 ISO 9001 2015 and Risk Assesment
22/33
of risk has always been implicit in ISO 9001 – this revision makes it more explicit and builds it into the whole management system".

The ISO white paper on the same subject of ISO 9001 and Risk can be downloaded from 'Public information' on the ISO TC176/SC2 Home Page:
http://isotc.iso.org/livelink/livelink/open/tc176SC2public

Note the frequently quoted line: "Risk-based thinking has always been in ISO 9001 - this revision builds it into the whole management system." [Source: ISO Document 1222, July 2014, page 2] – which appears, in a longer and more detailed form, in the committee draft of the standard.

What does the Chair of the ISO 9001 subcommittee have to say?

Watch the video of the Google hangout where Nigel Croft, Chair of the ISO subcommittee responsible for ISO 9001, talks to us about how the revision is progressing:
https://www.youtube.com/watch?v=BrP94_ogRSY

This addresses the thorny subject of risk-based thinking, which, as he points out, does not necessarily mean using formal risk management.

In small, low-risk organisations, the 'risk-based thinking' may simply be "intuitive"; in others, a full risk management process may be appropriate.

Cyber Essentials: Why your organisation should 'Get Badged' – Part IV
7/24/2019 ISO 9001 2015 and Risk Assesment
23/33
Requirements 2. Secure configuration, and 3. User access control

The second Cyber Essentials Requirement references 'secure configuration'.
Default installations of computers and network devices can provide cyber attackers with a variety of opportunities to gain unauthorised access to an organisation's sensitive information, often with ease. By applying some simple security controls when installing computers and network devices (a technique typically referred to as system hardening), inherent weaknesses can be minimised, providing increased protection against commodity cyber attacks.

Basic technical cyber protection for secure configuration

Computers and network devices (including wireless access points) should be securely configured.
1. […] should be removed or disabled.
2. […] should be removed or disabled.
4. The auto-run feature should be disabled (to prevent software programs running automatically when removable storage media is connected to a computer or when network folders are accessed).
5. A personal firewall (or equivalent) should be enabled on desktop PCs and laptops, and configured to disable (block) unapproved connections by default.

Commentary:

For SME organisations employing <50 people, among the first things that I would definitely recommend checking are the default configurations of routers, including converged wireless routers with access points ([…]
Change the default login username, if permitted (refer to the user's guide), and password. (The default passwords are published in manufacturers' publications and are readily accessible.)
Conduct M[…]
3. User access control

Objectives: User accounts, particularly those with special access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.

User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When privileged accounts are compromised their level of access can be exploited, resulting in large scale corruption of information, affected business processes and unauthorised access to other computers across an organisation.

To protect against misuse of special access privileges, the principle of least privilege should be applied to user accounts by limiting the privileges granted and restricting access.

Basic technical cyber protection for user access control

User accounts should be managed through robust access control.
You put yourself in the position of an attacker. What is your primary task once you have 'infiltrated' (i.e. got into) a network? It's not really a brain teaser question: just ask yourself what you would do in the real world to gain access to valuable data assets.

Your job the moment you are in the system is to initiate escalation of privileges, which is how an attacker attempts to gain more access from the established foothold that they have created.
The administrator referred to here was, allegedly, Edward Snowden!
[Source: Sysadmin security fail: NSA finds Snowden hijacked officials' logins, Gallagher – M[…]]

Perhaps it isn't just the smaller enterprises that need Cyber Essentials?

Cyber Essentials: Why your organisation should 'Get Badged' – Part V
Part V: Requirements 4. Malware protection, and 5. Patch management

Malware protection software is a necessary cyber security requirement. We all have knowledge of malware threats in one form or another, and experience teaches us to be wary of certain links and email attachments.
Cyber Essentials starts with the assumption that computers connected to the internet are vulnerable to attack from malware, and therefore malware protection is seen as a key feature of basic cyber hygiene requirements.

4. Malware protection

Objectives: Computers that are exposed to the internet should be protected against malware infection through the use of malware protection software.

Malware, such as computer viruses, worms and spyware, is software that has been written and distributed deliberately to perform unauthorised functions on one or more computers.

Computers are often vulnerable to malicious software, particularly those that are exposed to the internet (e.g. desktop PCs, laptops and mobile devices, where available). When available, dedicated software is required that will monitor for, detect and disable malware.

Computers can be infected with malware through various means, often involving a user who opens an affected email, browses a compromised website or opens an unknown file on removable storage media.

Basic technical cyber protection for malware

The organisation should implement robust malware protection on exposed computers.
1. Malware protection software should be installed on all computers that are connected to or capable of connecting to the internet.
2. Malware protection software (including program code and malware signature files) should be kept up-to-date (e.g. at least daily, either by configuring it to update automatically or through the use of centrally managed deployment).
3. Malware protection software should be configured to scan files automatically upon access (including when downloading and opening files, accessing files on removable storage media or a network folder) and scan web pages when being accessed (via a web browser).
4. Malware protection software should be configured to perform regular scans of all files (e.g. daily).
5. Malware protection software should prevent connections to malicious websites on the internet (e.g. by using website blacklisting).

The scope of malware protection in this document covers desktop PCs, laptops and servers that have access to or are acc essible from the internet. Other computers used in the organisation, while out of scope, are likely to need protection against malware, as will some forms of tablets and smartphones.

Website blacklisting is a technique used to help prevent web browsers connecting to unauthorised websites. The blacklist effectively contains a list of malicious or suspicious websites that is checked each time the web browser attempts a connection.

Commentary

Cyber Essentials assumes that 'robust malware protection' will help to protect your system. That protection comes from 'malware protection software' (the Objectives section avoids the outdated term 'antivirus').

The aim of course is to protect against human nature and the inevitable introduction of commonly found types of malicious software to a system. There's no mention here of highly sophisticated, targeted, zero-day and persistent advanced malware threats that
[…] computer. While the email may appear to come from someone you know, it really came from a compromised computer.

Relying purely on your malware protection software is not a good idea. You should take steps to raise staff awareness of the external threats, and what steps they can take as individuals to avoid malware infection.

Personally, I would like to have seen a reference to training employees in cyber security awareness and incident reporting rather than total reliance on software tools; both are important in reducing the risk of data breach.

Likewise, there should be a 'health warning' about advanced persistent threats to dispel the notion that Cyber Essentials controls are effective against 100% of the malware attacks perpetrated by determined hackers.

However, what Control 4 attempts to do is probably a realistic goal for 'essential security' given the limited aims of Cyber Essentials certification.
[…] software vendor or supplier of the software) to ensure security patches for known vulnerabilities are made available.
2. Updates to software (including operating system software and firmware) running on computers and network devices that are connected to or capable of connecting to the internet should be installed in a timely manner (e.g. within 30 days of release or automatically when they become available from vendors).
3. Out-of-date software (i.e. software that is no longer supported) should be removed from computer and network devices that are connected to or capable of connecting to the internet.
4. […]

Commentary

Reasonable steps in a sensible approach. I particularly like the reference to removal of out-of-date software. If you don't need it, get rid of it – fast! There's no point in leaving redundant, unpatched application software on a system to help the hacker in their job. De-cluttering improves security.

Defining time limits for applying software updates – i.e. within 30 days of release or automatically when they become available from the vendor – and, for security patches, 14 days or automatically, for software running on computers or network devices, is, I think, a useful security benchmark.
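The time limits above are only useful if something actually measures against them. The following is an added example, not code from the original post or from the Cyber Essentials scheme: it audits a constructed inventory export against the 30-day update limit, the 14-day security-patch limit and the "remove unsupported software" requirement, restricted as requirement 3 is to devices connected to or capable of connecting to the internet. Products, hosts, dates and the as-of date are assumptions.

```python
"""Patch-timeliness and unsupported-software audit over a software inventory.

Added example, not from the original article or the Cyber Essentials scheme.
It applies the limits the commentary cites (30 days for updates, 14 days for
security patches, removal of unsupported software on internet-connected
devices) to a constructed inventory export; products, dates and the as-of
date are assumptions.
"""
from __future__ import annotations

from datetime import date

UPDATE_LIMIT_DAYS = 30     # ordinary updates
SECURITY_LIMIT_DAYS = 14   # security patches

# Constructed inventory export (assumed format): one record per installed
# product with the latest vendor release for it. Dates are ISO 8601 strings.
SAMPLE_INVENTORY = [
    {"host": "laptop-01", "product": "Desktop OS", "internet": True, "supported": True,
     "latest_release": "2015-03-01", "security": True, "installed_on": "2015-03-10"},
    {"host": "laptop-01", "product": "Java runtime", "internet": True, "supported": True,
     "latest_release": "2015-03-03", "security": True, "installed_on": None},
    {"host": "laptop-01", "product": "Office suite", "internet": True, "supported": True,
     "latest_release": "2015-02-10", "security": False, "installed_on": "2015-03-20"},
    {"host": "laptop-01", "product": "Web browser", "internet": True, "supported": True,
     "latest_release": "2015-03-06", "security": False, "installed_on": None},
    {"host": "kiosk-02", "product": "Legacy OS", "internet": True, "supported": False,
     "latest_release": "2014-04-08", "security": True, "installed_on": "2014-04-09"},
    {"host": "plc-07", "product": "Line controller firmware", "internet": False, "supported": False,
     "latest_release": "2012-01-15", "security": False, "installed_on": "2012-02-01"},
]

SEVERITY = {"remove": 0, "overdue": 1, "late": 2}   # report ordering, worst first


def limit_days(record: dict) -> int:
    return SECURITY_LIMIT_DAYS if record["security"] else UPDATE_LIMIT_DAYS


def update_status(record: dict, as_of: date) -> str:
    """'ok': installed within the limit; 'late': installed after it;
    'overdue': still missing and past the limit; 'pending': missing, in time."""
    released = date.fromisoformat(record["latest_release"])
    limit = limit_days(record)
    if record["installed_on"] is not None:
        installed = date.fromisoformat(record["installed_on"])
        return "ok" if (installed - released).days <= limit else "late"
    return "overdue" if (as_of - released).days > limit else "pending"


def audit(inventory: list[dict], as_of_iso: str) -> list[dict]:
    """Findings, most serious first. Devices that cannot connect to the
    internet are out of scope, matching the wording of requirements 2 and 3."""
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for rec in inventory:
        if not rec["internet"]:
            continue
        if not rec["supported"]:
            findings.append({"kind": "remove", "host": rec["host"], "product": rec["product"],
                             "detail": "vendor no longer supports this software"})
            continue
        status = update_status(rec, as_of)
        if status in ("overdue", "late"):
            what = "security patch" if rec["security"] else "update"
            findings.append({"kind": status, "host": rec["host"], "product": rec["product"],
                             "detail": f"{what} released {rec['latest_release']}, "
                                       f"limit {limit_days(rec)} days"})
    findings.sort(key=lambda f: (SEVERITY[f["kind"]], f["host"], f["product"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, "2015-03-24"):
        print(f"{f['kind'].upper():8s} {f['host']:10s} {f['product']}: {f['detail']}")
```

With the sample data and an as-of date of 24 March 2015 the report lists the unsupported operating system on the kiosk first, then the security patch for the runtime that has been waiting 21 days, then the office update that was applied 38 days after release; the browser update is still inside its 30-day window and the isolated line controller is out of scope. The distinction between "late" and "overdue" matters in practice: the first is a process failure to raise at management review, the second is an open exposure to fix today.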
Less helpful, there are no specific remarks about patching and updating Firewalls, IDS and NIDS (Network Intrusion Detection Systems) that often get a low priority in relation to applying OS patches but are in constant need of attention and monitoring. The alternatives to doing this yourself or building a dedicated in-house team are (a) outsourcing to a systems security or networking company experienced at dealing with installations and on-going configurations of devices on a daily basis; or (b) using cloud services from public cloud providers like Google Inc. and […]
How does Cyber Essentials deal with cloud service provision?