Governance, Risk and Compliance Blog

Marc Gardner


Good Distribution Practice (GDP) – How enlisting a consultant can ensure compliance

Posted by Marc Gardner on Thu, Aug 17, 2017

EU guidelines revised in 2013 set out best-practice methods for how medicines and other pharmaceutical products should be stored, transported and handled. These Good Distribution Practice (GDP) guidelines have gained real traction, and the regulator, MHRA, is putting more and more pressure on businesses to ensure they're compliant.

Qualsys recently partnered with long-standing GDP consultants PJH Logistics Solutions. PJH have years of expertise in helping a wide range of businesses – from global pharmaceutical giants to regional transport firms – to understand and adapt to GDP.

We spoke to Pelleren Hodges, PJH's owner and director, about the benefits of enlisting a consultant, and why any company required to meet GDP should consider doing so.

Vast knowledge of what GDP involves

GDP is no different to many other quality standards and guidelines in that it's complex to interpret and often difficult to implement. It might be new to you, but a GDP consultant has been down that road many times before.

"Most of what we do revolves around GDP, particularly in relation to the pharmaceutical business," Pelleren says. "Part of it is sub-contracting for other consultancy firms, and the other part is direct work with our own clients. 

"It could be a project to get a company up and running in applying for a Wholesale Distribution Authorisation (WDA). It could be a pre-inspection audit or a customer inspection. We might act as Responsible Persons for WDA licences, or set up quality management systems. Our work is extensive."

Experience of implementing quality management systems (QMS)

Complying with GDP means taking a consistent, organised, systematic approach. There's no better way to do this than by implementing a QMS throughout your business. A GDP consultant will know how that implementation process should unfold, and consider questions like:

  • What kind of product do you provide?
  • Do you store the product yourself or do you outsource it to someone else?
  • Are your suppliers complying with what you want them to do?
  • What are your premises like? What equipment do you use?

"Gathering this kind of information means we can start to form the structure of what the QMS will look like," Pelleren says. "We can then draft the documentation, fine-tune it and get it approved by the necessary people within the company. Then we can provide general and more detailed procedural GDP training with all the staff who are going to be involved in GDP activity."

Understanding of how quality management software can help

Quality management can be made simpler and much more effective with the use of software. A GDP consultant will understand the part software can play in strengthening an organisation's QMS.

"Software is crucial, particularly when it comes to maintaining an audit trail, for example," says Pelleren. "It makes the task so difficult when you have bits of paper flying around, some of it's lost and it's impossible to track.

"We work with a lot of smaller companies, some of which don't employ a quality assurance person. They might assign that responsibility to two or three different people, which can cause difficulties in terms of who's doing what, when and how. So a software package such as EQMS gives us the tools to manage that."

Experience of dealing with all levels of staff and getting leadership buy-in

Complying with any sort of regulation or standard, or implementing a quality management system, can be initially disruptive to a business that has traditionally operated with a very fixed mindset. Changing a company culture can unsettle employees and attract resistance at all levels. A GDP consultant will be familiar with this and have the skills to persuade people to buy in to the new ways of working.

"Some companies do see getting a WDA as a tick-box exercise, and once they have it, that's it," Pelleren says. "It could be that the senior managers have been told they have to do it, and even then it's only lip service. For us, it's about understanding that and tackling it.

"We'll look to provide the right metrics so that the very top manager in the business knows they're responsible for ensuring the managers below them hit their targets. They're the targets that MHRA will be looking for in their inspections.

"Other companies are more willing but pharmaceuticals might not be their core activity. So in those cases, we need to account for the staff not having that familiarity with GDP and getting that continual experience of handling it."

 

Are you a consultancy firm?

Michael Ord, New Business and Marketing Director, says: "Here at Qualsys we work to a set of core values centred around the idea of making other businesses fitter, faster and stronger. When we form partnerships we always look for organisations who share those values.

"It was clear right away that PJH Logistics Solutions believe in the same ideas, and then some, and we're delighted to partner with them to benefit both our customers and theirs."

If you're a consultancy firm, request more information about our partnership programme here:

 

Tags: Partnerships

ISO 17025 Explained – Management and Technical Requirements

Posted by Marc Gardner on Thu, Aug 03, 2017

ISO 17025 is the international standard for testing and calibration laboratories. It's a set of requirements those laboratories use to show that they operate a quality management system and that they're technically competent to do the work that they do.

The standard is set out in five clauses:

  1.    Scope
  2.    Normative references
  3.    Terms and definitions
  4.    Management requirements
  5.    Technical requirements

(However, as ISO 17025 is currently being revised – it's at the approval stage at the time of writing – the format of the standard will be changing to adopt the Annex SL structure. Read more about Annex SL here.)

The scope means a clear statement of everything the lab does for which it wants to be accredited. A testing lab will set out its specific methods for conducting its tests. A calibration lab will list the specific measurements and associated uncertainty it uses in its calibration work. Defining the scope means the lab can identify suitably skilled staff and give clients confidence in its tests and measurements.

The two main sections of ISO 17025 are clauses 4 and 5, which cover the two types of requirements.

Management requirements (clause 4)

Clause – What it covers

4.1 – Organisation
  • Legal status
  • Facilities (permanent, temporary or mobile)
  • Responsibilities of key staff
  • How confidential information is handled
  • Management – structure; deputies; appointment of quality manager; supervision of staff

4.2 – Management system
  • Establishing, implementing and maintaining a QMS appropriate to the scope
  • Issuing a quality manual and quality policy
  • Commitment to professional practice and complying with the standard
  • Staff familiarising themselves with the QMS
  • Responsibility and authority of quality manager

4.3 – Document control
Procedures for:
  • Controlling all documents (internal and external) relating to the QMS – regulations, normative reference documents, drawings, specifications, instructions, manuals etc.
  • Approving and issuing documents (including maintaining a master list)
  • Changing/correcting documents

4.4 – Reviewing requests, tenders and contracts
  • Policy and procedure for reviewing requests, tenders and contracts

4.5 – Subcontracting tests and calibrations
  • Policy and procedure for subcontracting testing and calibration work

4.6 – Purchasing services and supplies
  • Policy and procedure for choosing and buying services and supplies that, when used, may affect the quality of tests and/or calibration

4.7 – Service to the client
  • Good communication and co-operation with clients
  • Protecting clients' confidentiality

4.8 – Complaints
  • Policy and procedure for recording and resolving complaints

4.9 – Controlling non-conforming testing and/or calibration work
  • Policy and procedure for dealing with non-conforming work or problems with the QMS, testing and/or calibration

4.10 – Improvement
  • Continually improving the QMS by using the quality policy, auditing, data analysis, corrective and preventive action and management review

4.11 – Corrective action
  • Policy and procedure for taking corrective action when non-conforming work or faults in the QMS or technical operations have been identified

4.12 – Preventive action
  • Policy and procedure for identifying and taking preventive action

4.13 – Controlling records
  • Procedure for controlling records (identification, collection, indexing, access, filing, storage, maintenance and disposal of quality and technical records)

4.14 – Internal audits
  • Policy and procedure for conducting internal audits and implementing findings

4.15 – Management reviews
  • Procedure for management reviews of policies and procedures, audit findings, corrective and preventive action, customer feedback etc.


Technical requirements (clause 5)

Clause – What it covers

5.1 – General
  • Factors affecting results of testing or calibration

5.2 – Personnel
  • Ensuring all laboratory staff are properly skilled and qualified

5.3 – Accommodation and environmental conditions
  • Policy and procedure on monitoring, controlling and recording accommodation and environmental conditions so testing and calibration is done correctly

5.4 – Test and calibration methods and method validation
  • Policy and procedure for choosing methods of testing and calibration (which covers sampling, transport, storage, uncertainty, control of data etc.)

5.5 – Equipment
  • Policy and procedure for ensuring equipment used for testing and/or calibration is available, suitable and properly maintained

5.6 – Measurement traceability
  • Procedure for choosing, using, calibrating, checking and maintaining measurement standards, reference materials used as measurement standards, and equipment used for testing and calibration

5.7 – Sampling
  • Plan and procedure for sampling

5.8 – Handling test and calibration items
  • Policy and procedure for handling test and calibration items

5.9 – Assuring the quality of test and calibration results
  • Procedure for monitoring the validity of testing and calibration

5.10 – Reporting results
  • Ensuring results of testing and calibration are reported clearly and objectively


Using EQMS for ISO 17025 

Many medical device manufacturers and life science research facilities use EQMS to meet ISO 17025. EQMS helps integrate data, processes, business systems, assets and people in an extended enterprise. The integrated modules enable you to easily maintain all procedures, sampling records and audits in a centralised, unified system. 

What you should do now

Download our case study booklet to learn how global brands like Diageo, Sodexo and BT and hundreds of SMEs across the UK use EQMS to transform the role of quality and compliance in their organisation.

Download EQMS Case Study Booklet

Tags: ISO 17025

ISO 27001:2013 – Free Gap Analysis Spreadsheet Tool

Posted by Marc Gardner on Wed, Aug 02, 2017

Time to sharpen up your information security management system? Thinking of using ISO 27001:2013 as a framework? 

Richard Green, founder of Kingsford Consultancy Services, recommends getting to grips with the standard, talking to your certification body and doing a thorough gap analysis before making any dramatic changes to your processes.

It may be that you actually already have many of the required processes in place. Or, if you've neglected your information security management practices, you may have a mammoth project ahead of you which will require fundamental changes to your operations, product or services. 

To access the Gap Analysis Tool, download the ISO 27001 Toolkit. Read on to find out how to use it.  

 

Download ISO 27001 Toolkit

 

What is a gap analysis?

Think of the gap analysis as simply looking for gaps. That's it. You're analysing the ISO 27001 standard clause by clause and determining which of those requirements you've implemented as part of your information security management system (ISMS).

Take clause 5 of the standard, which is "Leadership". There are three parts to it. The first part's about leadership and commitment – can your top management demonstrate leadership and commitment to your ISMS? It might be that you've already covered this in your information security policy (see #2 here), and so to that question you can answer 'Yes'.

Find the ISO 27001:2013 Gap Analysis Template Checklist in the ISO 27001 Toolkit

 

Gap analysis vs. risk assessment

Doing a gap analysis for the main body of the standard (clauses 4–10) isn't compulsory but very much recommended. It'll help to have first defined your ISMS's scope (see #1 here), because any ISO 27001 auditor will want to know exactly what information your ISMS intends to secure and protect. Having a clear idea of what the ISMS excludes means you can leave these parts out of your gap analysis.

A gap analysis is compulsory for the 114 security controls in Annex A that form your statement of applicability (see #4 here), as this document needs to demonstrate which of the controls you've implemented in your ISMS.

The risk assessment (see #3 here) is an essential document for ISO 27001 certification, and should come before your gap analysis. You can't identify the controls you need to apply without first knowing what risks you need to control in the first place. Once you've determined those risks and controls, you can then do the gap analysis to identify what you're missing.

Gap analysis
  • Tells you what you're missing to comply with ISO 27001.
  • Doesn't tell you which controls to apply to address the risks you've identified.

Risk assessment
  • Tells you what controls you should apply.
  • Doesn't tell you what controls you already have.

 

When to do a gap analysis 

Complete the ISO 27001 Gap Analysis Questionnaire


When you do your gap analysis depends on how far along you are with implementing your ISMS. 

  • If you have no real system to speak of, you already know you'll be missing most, if not all, of the controls your risk assessment deemed necessary. So you might want to leave your gap analysis until further into your ISMS's implementation.
  • If your implementation's underway but still in its infancy, your analysis will still show lots of gaps, but you'll have a much better understanding of how much work you have ahead of you.
  • If you have a fairly established system in place, you can use the gap analysis to determine just how strong your system is. So you might want to do it towards the end of your implementation.

After completing the ISO 27001:2013 Gap Analysis Checklist, you'll be given an ISMS Gap Analysis Report detailing where you need to make changes.

 

What you should do now

There's no prescribed method for doing your gap analysis, but we've made it really easy with our free Gap Analysis Checklist. Download the Gap Analysis Tool from the ISO 27001 Toolkit.

Download ISO 27001 Toolkit

Tags: ISO 27001

ISO 27001:2013 – Why is information security important?

Posted by Marc Gardner on Mon, Jul 31, 2017

Information in this day and age has become currency, driving business and commerce across the world. It could be your organisation's most important and valuable asset, and so it demands to be properly protected.

Protecting information means managing risk, just as you'd manage the risk of any other type of hazard occurring. Yet the risks around information security are all too often overlooked or brushed off, the mindset being that only the huge multinational corporations suffer data breaches and "it'll never happen to us".

But it can happen to any business – and does.

More than 1,500 UK businesses took part in the UK Government's Cyber Security Breaches Survey 2017 and virtually all were found to have been exposed to cyber security risks in some way. Once you have a website and social media, use cloud services, or hold electronic data on your customers, you become a potential target, regardless of size, wealth or reputation.

Yes, larger organisations are routinely hit, for various reasons. It might be that their security measures aren't integrated but operating in isolation, creating vulnerabilities for calculating hackers to exploit. Or perhaps their systems are outdated, unfit for purpose in staving off sophisticated cyber threats.

Nearly 70% of all medium (50 to 249 staff) to large (250+) businesses surveyed by the UK Government said they'd suffered some kind of cyber breach or attack in the previous year. For micro (2 to 9 staff) and small (10 to 49) businesses, it was a not-insignificant 45%.



With technology only becoming more commonplace in business and industry, information security simply can't be ignored. Still, micro/small businesses are less likely than medium and large firms to have implemented cyber security measures (formal policies or staff training, for example) or sought advice on how to do it. 35% of micro/small businesses that had identified a breach still considered security a low priority. Some businesses thought themselves too small or insignificant to consider security measures at all.

While the big firms are hit with the highest costs in monetary terms, the financial impact of cyber attacks is disproportionately high for firms with fewer than 100 employees, as a report commissioned by insurance provider Hiscox found.


However, not all data breaches are hacks, and information security involves more than your company's website and IT network. The physical security of your buildings; your employees' use of electronic devices like laptops, smartphones and tablets; your handling of confidential documents – these are considerations that affect all businesses, regardless of size.

So organisations need to be heeding the warnings about data security, and recognising that it's vital to their reputation, brand and the continuity of their business. An increasing number of companies are adopting international standards like ISO 27001 and 27002 to demonstrate their commitment in this area. And many firms are devoting more budget and manpower to keeping their information secure.

Consider your own organisation. How committed to information security are you? Is there more you can be doing to protect yourself? 

If you're doing it right, you'll have built information security into everything you do – it'll be reflected in your corporate strategy and objectives, your company culture. You'll have planned and implemented an information security management system (ISMS). And every employee, from top-level management down, will know what's required and what they need to do to achieve it.

 

What you should do now

For more information about ISO 27001, download our toolkit.


Tags: ISO 27001

ISO 27001:2013 – How EQMS can help with certification

Posted by Marc Gardner on Fri, Jul 21, 2017

Many organisations find themselves in a digital storm of relentless and continuous change, often brought on by rapidly evolving technology. For this reason, information security can no longer be a once-in-a-while project – it must be central to all your projects and processes.

ISO 27001 provides a framework for managing information security. Based on regular risk assessments that consider ever-changing scenarios, it's at its most effective with a robust and flexible electronic management system working alongside it.

And so to EQMS, Qualsys's solution for managing ISO 27001 documentation, audits, risk and suppliers simply, securely and efficiently.

EQMS Document Manager

Planning an information security management system (ISMS) is a crucial requirement of ISO 27001 accreditation.

ISO 27001 sets out a nine-stage process for doing so. The documentation you generate through this process will define your system's scope (i.e. what information it intends to protect), your organisation's context, and your detailed approach to keeping your information secure. This process needs to be embedded throughout your entire organisation.

With EQMS Document Manager, you can easily share compulsory documents (such as your information security policy, risk assessment methodology and statement of applicability) with the relevant members of your team. EQMS ensures only the most recent version of the documents will be seen and read.

Disseminating information too widely can expose your company to unnecessary risk. With EQMS, you can really lock down your data by reducing to the barest minimum the number of roles that have higher access privileges or levels of authorisation.

And EQMS uses electronic signatures to ensure that your employees confirm they've read and understood your latest operating procedures. This limits the risk of your company being liable for data breaches.

Download the EQMS Document Manager datasheet here

EQMS Risk Manager

Risk assessment is a complex part of ISO 27001 implementation – and the most important step.

EQMS Risk Manager is configured to your risk assessment methodology. How you treat those risks you've identified in your assessment can be managed through a workflow which is traceable at every stage. You'll be able to view real-time risk assessment reports in the KPI Dashboard, allowing you to proactively manage risk from a central system.

Download the EQMS Risk Manager datasheet here

EQMS Audit Manager

EQMS Audit Manager can be configured for both systematic and closed-loop auditing. And you can associate your audits with whatever regulations or standards (such as ISO 27001) might apply to your business.

iEQMS Auditor is an iPad application for mobile auditing. The application works without an internet connection and gives your top-level management complete visibility of how well your information security processes are working.

Download the EQMS Audit and Inspection Manager datasheet here

Request a demo of iEQMS Auditor here

 

What you should do now

For more information about ISO 27001, download our toolkit.


 

Tags: ISO 27001

ISO 27001:2013: Context of the organisation

Posted by Marc Gardner on Thu, Jul 20, 2017

When it was revised back in 2013, ISO 27001 adopted the Annex SL format, a generic framework for ISO standards that uses several identical sections of wording and a lot of similar terminology.

One of the core Annex SL clauses is clause 4, which concerns the context of the organisation. It's an important part of the standard, and it requires you to consider the internal and external issues that can impact on your strategic objectives and how you plan your information security management system (ISMS).

Your organisation should focus particularly on factors and conditions that can affect your products, services, investments and on your interested parties. Context becomes an important consideration and helps to ensure that your ISMS is designed and adapted for your organisation rather than taking a 'one size fits all' approach.

Determining the context (step by step)

There's no prescribed method for determining the context of your organisation in relation to ISO 27001, but you could take this simple and pragmatic four-step approach:

  1. Identify the internal issues that can affect your organisation's products, services, investments and interested parties.
  2. Identify the external issues that can affect your organisation's products, services, investments and interested parties.
  3. Identify who are the interested parties and what are their requirements.
  4. Regularly review and monitor those internal issues, external issues and interested parties you have identified.

1 – Internal issues

Your organisation's internal context is the environment in which you aim to achieve your objectives. Internal context can include your approach to governance, your contractual relationships with customers, and your interested parties.

Internal issues can include your:

  • regulatory requirements
  • strategies to conform to your policies and achieve your objectives
  • relationship with your staff and stakeholders, including partners and suppliers
  • resources and knowledge (e.g. capital, people, processes and technologies)
  • risk appetite
  • assets
  • product or service
  • standards, guidelines and models adopted by the organisation
  • information systems

2 – External issues

To understand your external context, consider issues that arise from your social, technological, environmental, ethical, political, legal and economic environment.

External issues may include:

  • government regulations and changes in the law
  • economic shifts in your market
  • your competition
  • events that may affect your corporate image
  • changes in technology

3 – Interested parties

Your interested parties include your customers, partners, employees and suppliers. When developing your ISMS, you only need to consider interested parties that can affect your:

  • ability to consistently provide a product or service that meets your customers' needs and any statutory requirements and regulations
  • continual improvement process
  • ability to enhance customer satisfaction through effectively applying your system
  • process for ensuring you conform to your customers' requirements and any statutes or regulations that apply

4 – Regular reviews and monitoring

You must regularly review and monitor those internal or external issues you've identified. Understanding your internal context means your management can carry out a 'PEST' (political, economic, social and technological) analysis to determine which factors will affect how you operate.

While you have no control over external issues, you can adapt to them. PEST factors can be classified as 'risks' and 'opportunities' in a SWOT (strengths, weaknesses, opportunities, threats) analysis or by other methods.

 


Tags: ISO 27001

ISO 27001 and information security – An introduction

Posted by Marc Gardner on Thu, Jul 20, 2017

Simply put, ISO 27001 is about information security, and how you manage it in an ever-changing world. You're not only having to contend with the effects of digitisation, big data and the Internet of Things, but the growing demands of globalisation, regulation, and protection against cyber threats.

What ISO 27001 gives you is a best-practice method of implementing an information security management system (ISMS). Having this system in place, and achieving ISO certification, means you can demonstrate to your customers and partners that you're committed to information security. And you'll have an advantage when it comes to winning tenders with government clients or large corporate clients, who often demand that their suppliers comply with the standard.

Already in 2017, several large organisations – the NHS, Wonga and Three, to name a few – have fallen victim to serious security breaches. The Government's Cyber Security Breaches Survey revealed that 7 out of 10 large businesses had suffered some form of breach or attack, costing them, on average, around £20,000, and in many cases much, much more.

So how exactly does ISO 27001 help you to more effectively manage your information security? And what does implementing an ISMS actually entail?

Managing information security means preserving the confidentiality, integrity and availability of your information and the facilities you use to process it. That could be your IT systems, infrastructure, or the actual buildings in which your organisation is based.

  • Confidentiality – Ensuring information isn't made available to people or organisations who don't have authorisation to see it
  • Integrity – Ensuring the information is both accurate and complete
  • Availability – Ensuring the information can be made available and used when an authorised person or organisation demands it


It might be that you've been so focused on keeping information confidential that you've overlooked integrity and availability. You're not alone! But now that IT and digital data are – or are likely to become – such vital elements of your business, you need to be mindful of all three aspects.

And this is where an ISMS comes in.

It's a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your information security. With an ISMS you can manage all your security practices consistently and cost-effectively.

But it's important not to see information security as solely your IT team's responsibility – 'information' isn't just confined to your computer files and IT networks. Information security must be a concern of your entire organisation, embedded in all practices, policies and procedures and communicated clearly to every employee.

And as is the case with all quality management systems, without buy-in from top management and the people who'll implement and maintain the system, you'll likely struggle to reach the level of diligence you need to achieve certification to the ISO standard.

Bear in mind that it's neither a quick nor temporary process. Embedding ISO 27001 practices into your organisation is complicated, and involves making often substantial changes to your strategy, operations and company culture. If you're a small business, you may need 4–5 months to prepare for an audit; larger organisations might need more than a year. And don't rest on your laurels: you're operating in a rapidly changing business environment, and your ISMS must continually evolve and improve to remain effective.

 

What you should do now

For more information about ISO 27001, download our toolkit.


 

Tags: ISO 27001

ISO 9004 Overview

Posted by Marc Gardner on Thu, Jul 06, 2017

ISO 9004 is currently under revision and the draft international standard is now available for public comment. In this article, we spoke to Richard Green, founder of Kingsford Consultancy Services Ltd and former Technical Director at IRCA, who shared what the standard is about and how you can get involved. 

Background

First published in 1994, ISO 9004 was updated in 2000 and more recently in 2009. It stands apart from ISO 9001 but is aligned to it where it makes sense to do so.

Because ISO 9004 wasn't revised alongside ISO 9001 in 2015, it needed to be updated to meet the new requirements of that standard. A project to revise ISO 9004 was approved in December 2015 and a technical committee is currently developing a working draft.

The title and scope of ISO 9004 have changed, and there's now a self-assessment tool to evaluate how best to implement the standard's recommendations. For example:

  • The standard now explains the difference between 'Mission', 'Vision', 'Objectives' and 'Policy', and it applies to all organisations, no matter what their size or sector.
  • The title of ISO 9004 was previously "Managing for the sustained success of an organization – A quality management approach." It'll now be titled "Quality of an organization – Guidance to achieve sustained success."

What does it mean by 'sustained success'? 

Richard Green explains: "There are still questions as to what constitutes sustained success. There haven't been any studies in this area since Jim Collins's "Good to Great" 30 years ago, but overall the feeling is that ISO 9004 is going in the right direction.

"ISO 9004 offers guidance as to how organisations can enhance their overall quality by improving their maturity level, and provides a framework for strategy, leadership, resources and processes."


http://www.jimcollins.com/article_topics/articles/good-to-great.html#articletop 

Should our organisation work to ISO 9004? 

ISO 9004 is recommended as a guide for organisations to extend the benefits of ISO 9001 and develop their performance through continual improvement.

Richard says: "Should you go for 9004 if you already have 9001? I'd say that depends on your motives for going for 9001. If you went for 9001 simply to get onto tender lists and you've no aspirations for seeking to operate an efficient and effective business, then no. If you genuinely want to develop yourselves, then yes."

Is ISO 9004 taken up less than ISO 9001? 

Low awareness, and competition with other methodologies, might go some way to explaining why there seems to be less talk about ISO 9004 than its bigger sister ISO 9001.

"I think lack of take-up is partly down to people not appreciating it exists," Richard says. "Or if they have heard of it, not understanding what it sets out to achieve. Also there's stiff competition out there in terms of improvement methodologies, most of which are sexier – lean, six sigma, Kanban and so on." 


ISO 9004 is currently being reviewed, and the draft is now available for public comment. Download a copy of the standard here: https://www.iso.org/standard/70397.html

Alternatively, subscribe to the Qualsys newsletter for regular updates on standards, regulations and quality career development. 


Tags: ISO 9004

Quality Professionals: Sign Up for Free Events to Share, Learn & Network

Posted by Marc Gardner on Thu, Jun 29, 2017

A lot of quality professionals tell us that they sometimes feel they're ploughing a lonely furrow, and it's networking events and meetings that give them the inspiration they need to drive their projects forward.

In response to this, Qualsys Ltd, Kingsford Consultancy Services and Blackmores have set up a Meetup community you can join for free to share, learn and network. 

What are the events? Will you benefit? And how can you get involved? Read on below!


What are Meetups? 

We've created the Meetup community as a way of making life easier for you, the quality professional. By providing a forum for people in governance, risk and compliance roles to come together and simply talk, we hope we can give you positive, useful ideas to take back to your organisations to put into practice.

Whether it's methods for improving health and safety, tactics for getting senior management to buy in to quality management, or suggestions for how best to comply with certain ISO standards and regulations, we want you to get as much as you can from our Meetups. 

How can I get involved? 

There are lots of ways: 

Do I have to be an EQMS customer to attend?

Not at all. We welcome quality professionals from all sectors and industries and want to involve as many people as we can. 


Where will the events be held?

They'll initially be based near the sponsors' locations – South Yorkshire, the West Country and Hertfordshire. However, if you'd like to host an event at your office, email hello@qualsys.co.uk for more information.

Can my company become a sponsor? 

Absolutely. Just email hello@qualsys.co.uk and we'll tell you how. 

How can I join the community?

Sign up here! 

Tags: Events

BRC 7: Food Labelling Control with EQMS

Posted by Marc Gardner on Tue, Jun 06, 2017

Every week, food brands across the UK are forced to recall their products due to labelling errors. Whether it's providing incorrect use-by dates, making invalid claims about a product's shelf life, or overlooking allergens, food manufacturing processes are failing to protect brands and consumers.  


Why so many labelling issues?

Standards require more controls than ever before. The British Retail Consortium (BRC) Global Standard for Food Safety, which specifies what criteria food manufacturers must meet to obey the law and protect consumers, was last updated in January 2015 to provide a new section on product labelling. 

Organisations must now review their labels whenever there are changes to the raw materials they use or the ingredients that go into making a product. If product labelling is the responsibility of the customer or a third party, the organisation must make sure they have the most accurate and up-to-date information. 


Atheal Alwash, Account Manager at Qualsys Ltd, says problems with labelling are largely due to a lack of systems in place to control changes: "Many companies have very complex structures with incredibly complicated supply chains. So an external provider might change a process, for example, without there having been an appropriate risk assessment on the label." 

Not only are labelling and documentation important for avoiding shutdowns in production, they can also prevent lost man hours, expensive legal penalties, costly shipping and distribution, and damage to the brand's reputation. If your organisation labels anything, you must have robust document control.

Rapid developments in printing technology and more streamlined manufacturing processes also mean there is a smaller margin for error and less time to put things right.


How EQMS can help

EQMS can be configured to provide you with a fully integrated labelling and document control management system. It centralises all information, identifies and manages risk, assigns responsibility for reviewing documentation, controls processes across your organisation, and gives you unshakeable control over your documents.

With EQMS Document Manager, for example, you can distribute documents to employees at any location, and adjust your notification settings to require those employees to acknowledge that they've read and understood the documentation.

EQMS Document Manager also automates the management of document lifecycles, keeping track of versions and ensuring the right information is available to the right people at the right time.

While it's impossible to completely eradicate human error, having an effective document management system is essential to maintaining control over your policies, procedures and other critical documents.

Tags: Food Safety Management, BRC 7