Our experience implementing and maintaining ISO 9001 and ISO 27001

“Clearview’s Quality Management System and Information Security Management System can be described as very good with some outstanding features.”

– External ISO auditor

Introduction

Clearview Systems Limited is a small business based in rural Worcestershire employing 15 staff. We provide performance management, business intelligence and customer engagement products and services to our customers. We pride ourselves on delivering high quality products and supporting services to our clients. Back in 2015 we decided to commence our journey to become ISO 9001 and ISO 27001 certificated. This is our experience and story.

How do we manage our policy and procedure documents?

As we commenced our ISO journey, our first task was to get all of our policies and procedures in one secure location and implement a version control and publishing process that was workable. We leveraged our skills and knowledge of the Microsoft SharePoint system and used that as a repository for all of our policy and procedure documents. Commenting on this, Sarah Ingleston – Office Manager says,

“We can edit all of our policies and procedure documents in a secure way with full version control. Once these are ready we publish them to staff. It’s a simple and effective means of securely managing the development and publishing of our policies and procedures”

How do we manage complaints, incident and non-conformance logs?

Initially, we were provided with a number of templates for processes and procedures such as complaints, incident and non-conformance logs. These templates were provided in Microsoft Word and Excel format and it became apparent very quickly that maintaining these would be a daunting prospect. We felt that we needed a better way…

So we set about again using a feature of SharePoint called lists that enabled us to put in place an easily accessible system for managing many of these processes. Sarah continued,

“Being able to access all of this information live during management review meetings and update it there and then has been invaluable and saved (me) a lot of administration time.”

Furthermore, outside of meetings we have configured the system to automatically alert stakeholders when data changes, e.g. when a non-conformance is logged, allowing action to be taken straight away.

These basic steps using SharePoint helped us to get started, but it became apparent that a number of requirements for achieving ISO certification involved much better documenting, tracking and evidencing of management and business processes. To do this we implemented a version of our own software [Clearview Strategy and performance suite] to help.

How do we ensure our quality objectives are being met?

For ISO 9001 we needed to evidence that our quality objectives were being met. For example, one of our internal objectives is producing high quality software. We ensure this by documenting and delivering projects to enhance and maintain our software. These projects are monitored using traffic light indicators in the software allowing the management team to apply our focus to projects that need our attention. Nicky Hawkins – Director comments,

“I can’t imagine how we would track and evidence this using a manual system.”

How do we manage risks?

Robust risk management processes are an integral part of ISO 9001 and ISO 27001. We need to be able to evidence that risk assessments are happening and adequate controls are in place and being effectively managed. Again we turned to the Risk management module within our software to do this. We use Clearview Risk to document all of our threats to information and data and we’re then able to ensure that the controls are in place by again utilising the traffic light monitoring within the system. Nicky continues,

“At any point in time I can check that the necessary controls are in place and adequately protecting our business.”

How do we evidence that staff have the right skills to achieve our objectives?

We use another feature of the Clearview software to record the competency levels of staff on a regular basis. We also track any learning and development activity being undertaken. We use the system to capture when training on policies and procedures has happened as part of our general company-wide awareness. Sarah said,

“I was asked by our auditor to show that staff had been trained in our Information and Security Management system. Using Clearview it was easy to bring up a list of all those that had attended the training in just a few clicks.”

"We also use the system to track our new staff induction process. It was easy to evidence our compliance with ISO requirements in this area."

How do we manage internal audit and policy review schedules?

We use the Clearview Project module to achieve this. This has really helped with evidencing that these are taking place when scrutinised at external audits. Sarah says,

“We can see at a glance all of the internal audits taking place or scheduled and importantly whether any actions arising have been completed or not.”

Benefits to our business

When we started on our ISO journey it was a daunting prospect as to how we would embed, track and evidence the requirements of the standards. Using a combination of Microsoft SharePoint and Clearview’s own Strategy and performance suite software we have put in place robust systems and procedures to support our continued compliance with the standards. These in turn have significantly reduced our administration of our ISO management systems.

Not only do our ISO certifications give us an edge over our competitors but they have brought other benefits to our business. Our staff understand the importance of policies and procedures now and their role in ensuring the delivery of a great service to our customers. Nicky says,

“For us obtaining and retaining ISO 9001 and ISO 27001 certification is about delivering quality products and services to our customers in a more consistent and secure way.”

You can imagine our delight when we received the following comments following our last external audit review:

“No systems non-conformity was found in both [9001 and 27001] cases and much of the evidence remains constant from the previous certification audit. There are no improvement recommendations made on this occasion and, overall, both the QMS and ISMS can be described as very good with some outstanding features.”

– ISO auditor

How can Clearview help you?

Clearview provides business management consultancy and supporting software. We can help you with your:

  • Strategy and business planning;
  • Performance measurement and management;
  • Data management and business intelligence;
  • People management;
  • Customer insight and engagement; and
  • Risk and audit.

If your company is on the ISO journey and you would like us to help you put in place software to help you manage it, then please get in touch.