Ways to Market Your Company’s Certification
Written by: Elizabeth Field
So your company has obtained or upgraded its certification, and now you are relieved because all of your company’s hard work has paid off. You may also be wondering, “How can I let everyone know about my company’s certification?”
DQS Inc. wants to help you get the most out of being certified, but first, you should celebrate with the employees who helped make this certification possible. Whether you host a break room brunch with premium coffee and donuts or take some time to celebrate with your employees during a meeting, don’t forget to take a photo for social media to boast a bit about your accomplishment.
Ways to market the certification you achieved:
Writing a Press Release
In recent years press releases have felt outdated, but this could not be further from the truth. Third-party announcements come across as more reliable than a blog or social media post on your own website. Write your press release as if you were writing an article for a newspaper; many journalists read press releases and only make a few changes before sending them to print. Just a reminder: a press release starts off with the primary information and then expands in later paragraphs.
Writing a Blog Post
Even if you have issued a press release, you should still write a blog post to publicize the certification on your website. Write for the audience and make it captivating. Grab the reader’s attention so they will keep reading about your accomplishment and, hopefully, decide they want to work with your company. Don’t forget to proofread, and make the article aesthetically pleasing with different headers and photos to engage the reader.
Send Out an Email Campaign
Once you’ve received your certification, you should send an email to all of your customers and vendors, not only to let them know about your accomplishment but also to link to your website and drive more traffic to it.
Post on Social Media
There are several different times you can post on social media about your company’s certification. When you obtain the certification, you can write a post linking to your certification body to grow engagement; you can post about the brunch, potluck, or other celebration your employees enjoyed; you can post the news article when it is published, linking to the newspaper for more engagement; and you can post when you publish your blog post, spreading the word and gaining more readers.
Put Your Registered Firm Mark Everywhere
Putting the Registered Firm Mark on giveaways, sell sheets, etc. is a useful marketing tool. The DQS certification gives your company more credibility. By placing the Registered Firm Mark on a tradeshow booth, a sell sheet, giveaways, etc. you will publicize your certification and encourage potential clients to speak with a company representative. Make sure your company’s use follows the DQS requirements. Another option, found on the DQS Website, is ordering a plaque or flag with the certification on it to keep in the office.
GDPR Compliance – Get Your Questions Answered
To help answer any GDPR questions you might have, we have compiled some of the questions asked during our GDPR Compliance Webinar.
Q: Is GDPR certification a voluntary or mandatory certification for organizations?
A: GDPR Certification is a voluntary certification as per the GDPR regulation. However, if you are a processor working for a controller, the controller may demand a certification from you proving your company is complying with GDPR requirements.
Q: Is there a comprehensive to-do list for US-based companies that only have a web presence but no offices in Europe?
A: If you have a web presence and you are collecting personal data from EU nationals, then you are coming into the scheme of GDPR, but we need to go through the list of GDPR requirements to see how you demonstrate compliance. There is not a specific list available as of now, or not that I’m aware of, but there could be.
Q: Does a US company have to have a DPO located in Europe, if they have a customer there?
A: No, but if you have an office in Europe then you have to designate someone to act as the DPO or as someone to contact in case there is a complaint.
Q: If my company is ISO 27001:2013 certified, touches PII, and has a field office in Poland, what is the impact on my certification audits? What might customers require beyond our ISO certificate?
A: There will be no impact on your certification audits, but you need to show your customers compliance to GDPR only for those employees who are in Poland. However, you do have to include the GDPR-related privacy requirements in the scope of your SOA, and you have to be audited against that.
Q: Where can I find the list of authorized countries?
A: You can access the list of authorized countries at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Q: If a company credit card is used without any direct reference to an individual, does this come under GDPR?
A: A company credit card number is not private information according to the definition of GDPR, unless it is attached to an individual.
Q: Does remote access where data is not pulled/transferred to a country outside EU fall under GDPR?
A: If you are accessing data remotely, then it is not considered a transfer; however, the data within the EU is still covered under GDPR. The body storing the data in the EU is still responsible for managing the safeguarding of this data. So if you are a processor and you are only accessing the data from here, not processing it and not bringing the data to your facility, then you may need a risk assessment. Does your company have any risk of a data breach from your end? If there is proof that there is no chance of a data breach, then you can claim exemption from GDPR.
Q: Where are you able to get the slides?
A: You can access a recording of the GDPR Compliance webinar and the accompanying slideshow at https://dqsus.com/information-center/recorded-webinars/
Do you have an unanswered question? Then check out the webinar recording by going to https://dqsus.com/information-center/recorded-webinars/.
CMMI Case Study
Written By: Subrata Guha
DQS has conducted an integrated assessment combining ISO 9001, ISO 20000-1, ISO 27001, CMMI-DEV and CMMI-SVC. This case study explains the approach used and benefits derived from this method. All data used in this document are indicative. Actual data could not be shared to protect the confidentiality of the customer.
Massy Gas Receives Inaugural Quality Award from Guyana National Bureau of Standards
The First Guyana National Bureau of Standards (GNBS) National Quality Awards Ceremony was held at the Georgetown Club in Georgetown, Guyana on October 13, 2017. Sixteen companies were considered for the large, medium, and small company quality awards.
These awards were based on the seven ISO Quality Management Principles.
The Platinum (first place) Manufacture Award for Quality was presented to Massy Gas Ltd., the largest multi-principle gas distribution company in the Caribbean.
The Gold Manufacturer Award for Service was presented to Massy Distribution Guyana.
Founded in 1935, Massy Gas Products Ltd. supplies gases to companies in the manufacturing, food & drink, agriculture, and healthcare fields. They offer a wide range of quality gases, everything from compressed air to nitrous oxide.
Massy Gas Products Ltd. has been a client of DQS Inc. for three years and is certified to ISO 9001:2015. Massy Distribution Guyana has been a DQS client for ten years and is also certified to ISO 9001:2015.
“Massy Gas’ proactive approach to maintaining the highest quality standards within their organization, and their strong sense of understanding the importance of a quality management system, has struck a positive chord within our organization,” said Tumi Kwenamore, Customer Service Professional for the account. “I would like to thank Elicia Chapman and her team for their impeccable knowledge, and I look forward to doing more business with Massy Gas for many more years to come.”
Congratulations Massy Gas Ltd. and Massy Distribution Guyana on your GNBS Awards!
We Want To Hear From You:
Has your company won an award recently, or has something good happened to the company? We want to hear about all of your accomplishments, so send us your stories, tag us in your social media posts, and send us news articles written about your success. To email us articles and let us know about the work you are doing, email [email protected]. We look forward to hearing about your success!
ISO/IEC 20000-1:2017 – What To Expect?
Author: Subrata Guha
ISO/IEC DIS 20000-1:2017 is about to become the newest revised international standard when it comes to IT service management.
About ISO/IEC 20000-1:2011
ISO/IEC 20000-1:2011 is a global service management system standard which describes the requirements for a service provider to improve its service management system. It aims to provide control and efficiency so that an organization and its team can run as smoothly as possible.
Why Update ISO/IEC 20000-1:2011?
With certifications and processes continually changing, ISO/IEC 20000-1:2011 is ready for a facelift. ISO/IEC 20000-1:2011 has stayed the same for over five years now, and in this digital age it is time for revisions.
About ISO/IEC DIS 20000-1:2017
The ISO/IEC DIS 20000-1:2017 version provides more specific requirements for planning, such as: a) what will be done; b) what resources will be required; c) who will be responsible; d) when it will be completed; e) how the results will be evaluated.
Specific Updates Include:
- New Sections: Organization and Its Context, Plan the Service
- New Requirements: Plan the Services, Knowledge Management, Asset Management, Demand Management, and Service Delivery
- Focuses On: Accountability, Measurements, and More Explicit Details
- New Annex SL Formatting
- Changes to documented procedures: Removing the requirement for a documented availability and capacity procedure and replacing it with a requirement to plan service availability and capacity
- Changes in Terminology: Service provider is now “Organization”
If you would like to learn more about ISO/IEC 20000-1:2017, contact us at DQS either by email at [email protected] or by phone at 800-285-4476.
Here’s What You Need to Know about ISO 9001:2015
Author: Joe Mansour
The ISO 9001:2015 standard was first announced in September of 2015, leaving a three-year window to update to ISO 9001:2015. With less than six months left in that window, more and more organizations are gearing up to make the necessary enhancements, and for some the task of upgrading is becoming rather urgent.
Our transition plan is available on the DQS website and we offer a two-part upgrade process. Stage 1 is to determine the organization’s readiness, and Stage 2 is the actual upgrade audit to assess the effectiveness of the ISO 9001:2015 requirements.
Identification of Processes
ISO 9000:2015 defines “Process” as a “set of interrelated or interacting activities that use inputs to deliver an intended result.”
It may be challenging to justify the inclusion of Purchasing and Warehousing under a more extensive process, say “Fulfillment.” In most organizations, both Purchasing and Warehousing have well-defined inputs and expected outputs, with very little in common. Therefore, having both under the same umbrella may not be adequate.
However, if justification could be made that, say for a Distributor, Purchasing and Warehousing are related activities to ensure adequate stock levels at all times, then that may make it perfectly fine for the two “distinctly different” activities to be merged into one.
Based on what has been seen so far, for smaller organizations, ten or so processes may be sufficient to meet the intent of the requirements. Mid-size companies may have a bit more, perhaps 15 or so. For larger organizations, 20-25 may be the right number. Anything more or less will have to be evaluated for adequacy.
Identification of Risks
For the identified processes, clause 4.4.1 requires that the risks be identified and managed. “Risks” should include factors that may prevent the organization from achieving its intended targets in meeting their Interested Parties’ expectations and objectives. Most organizations find the use of FMEAs suitable in addressing this requirement, but its use is not mandatory.
Establishing Goals and Objectives for all Processes
Clause 4.4.1 also includes the need to monitor each process by the use of process indicators. Please note that this requirement is not just related to the “Key Processes,” but to all processes of the organization.
Our webinar webpage offers several webinars on various sections of the standard that are still available for you to access. If you have any questions about the ISO 9001:2015 update or you would like to learn more about DQS’s two-stage upgrade process, feel free to email us at [email protected] or call us at 800-285-4476.
ISO 45001 to be Published on March 12, 2018
Author: Candace Orbaugh, Sustainability Programs Manager
Five years after the decision to establish an international standard for occupational health and safety, ISO has now announced the approval of ISO 45001. The comprehensive revision of BS OHSAS 18001 didn’t just change its name; ISO 45001 has a High Level Structure providing uniform structure for all management systems standards.
ISO 45001 Info Series – Definitions
One feature of the ISO 45001 standard is that it includes some definitions that weren’t present in the old standard.
Worker: person performing work or work-related activities that are controlled by the organization. This definition opens it up to include top management, managers, non-managers, contractors, temporary and agency workers, part-time and seasonal workers, paid or unpaid.
Participation: involvement in decision-making, with further clarification that this includes engaging health and safety committees and workers’ representatives, where they exist. Consultation is defined as seeking views before making a decision, including engaging health and safety committees and workers’ representatives, where they exist.
Objective: simply defined by the standard as “result to be achieved.” The standard notes that an objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an OH&S objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).
Occupational health and safety risk: the combination of the likelihood of occurrence of a work-related hazardous event or exposure and the severity of injury and ill health that can be caused by the event or exposure.
Injury and ill health: adverse effect on the physical, mental or cognitive condition of a person. These adverse effects include occupational disease, illness and death.
If your company is interested in a Gap Assessment, please contact [email protected]. Look for more posts about ISO 45001 on DQS’s website in the future.
5 Tips for Planning Your IATF Transition
Author: Cindy Soltis
The IATF transition hasn’t been an easy process for anyone. Planning seems to be an area of concern for a lot of people; below are five tips to make planning your IATF transition easier.
1. Compile the Items Specified on the CF167 Form
The CF167 Form, sent by your auditor(s), is not for you to complete; however, it is a list of items that you need to send to your auditor. The information specified in CF167 is critical to determine your organization’s readiness for the IATF transition.
2. Perform a Gap Assessment
Gap assessments are only required if the remote location has not transitioned to IATF 16949. If a gap assessment is needed, it must be performed for each remote site within your corporation. Combined gap assessments will not be considered for the IATF Transition and will be, regrettably, rejected.
If you would like a FREE Gap Assessment Quote, please feel free to contact your Customer Service Professional (CSP). If you don’t know your CSP’s direct information, you can email DQS at [email protected] or call us at 800-285-4476 and press 2 to speak to a CSP.
3. Perform a Full System Internal Audit
Your company must have a full system internal audit to IATF, or a full system audit to ISO/TS with a gap assessment, reported in management review before the IATF Transition can be complete.
4. Identify Your Risks and Objectives
Evaluation of risk is critical for each process identified by the organization. Risk relates to whether the organization’s processes are able to support the internal and external processes that ultimately impact your ability to provide quality product on time to the customer. Risk can come in many forms and with different impacts. Impacts may not be obvious, for example the risk of failing to produce accurate work instructions in a timely manner.
One of the issues organizations have the most problems with is determining the difference between efficiency and effectiveness. Effectiveness is the ability to meet the intended outcome of the process, and efficiency is the cost it takes to meet that outcome. For efficiency, consider overtime, rework, accuracy, number of errors, etc.
5. How to Handle Corrective Actions
Don’t worry if the audit identifies concerns your company needs to address. Very few audits have gone without the need for corrective actions. To close a corrective action, all of the evidence listed under “Evidence Required to Close Corrective Actions” must be identified and provided to the auditor within 60 days of the audit. An on-site follow-up must be scheduled as well.
If you have any questions about the IATF Transition or you would like to learn more about DQS’s Gap Assessment, please feel free to contact us.
Evidence Required to Close Corrective Actions
Containment: Containment must include immediate measures to contain the concern. Containment should include timing and number of occurrences identified during containment, so everyone understands how big or small the impact is on the system.
Root Cause: The root cause must be a systemic root cause. What in the system failed and allowed this to occur? Please do not write a root cause specific to the individual item identified in the objective evidence. Only systemic root causes will be acceptable.
Corrective action: Actions taken only to resolve the item identified in the objective evidence of the non-conformance will not be accepted. That is containment, not systemic correction. Please send in as much evidence as possible to show the changes in the system.
Effectiveness Verification: Issuing a procedure is not effectiveness verification. If you state that your verification of effectiveness is going to be an internal audit, then we would expect to see results of that audit in the 60-day submission along with any other evidence of implementation that you would send. If it is a layered process audit, do not just send in a blank layered process audit form with the change. Send in several audits with the results so the auditor can see the system is working.
Guiding Standards for Cybersecurity
What is cybersecurity?
Cybersecurity has become a buzzword in the industry for the last couple of years. How is it different from information security? Cybersecurity means ensuring the security of three critical elements: (1) security of critical infrastructure, (2) data protection, and (3) privacy protection.
Information security is mostly focused on data protection. The most popular standard used for this purpose is ISO/IEC 27001. It does address some aspects of infrastructure security and privacy, but not to the extent that other cybersecurity standards cover infrastructure security.
The main guiding standards for Cybersecurity are:
- NIST cybersecurity framework
- ISO/IEC 27032 – Guideline for Cybersecurity, to be used along with the ISO 27001 standard.
- General Data Protection Regulation (GDPR) – New privacy regulation from the EU, taking effect in May 2018.
The basic requirements for implementing the Cybersecurity framework are to conduct a risk assessment using the NIST Risk Management Framework (RMF) and to implement controls from the applicable NIST 800 series standards.
Why NIST standards?
- All Federal Government and Defense organizations use NIST standards for their information security.
- All Federal and Defense contractors handling (storing, processing, and transmitting) information falling under the Controlled Unclassified Information (CUI) category must comply with NIST SP 800-171 before the end of 2017.
What is Controlled Unclassified Information (CUI)?
CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act (National Archives).
A CUI Registry has been published by the National Archives to provide categories and subcategories based on industry segments. Some examples of CUI for technology contractors (under the Controlled Technical Information category) are contract data, requirement specifications, design specifications, and project plans related to Government projects that are stored in the contractor’s computer systems.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation will replace the EU Data Protection Directive and will be effective starting on May 25, 2018. This reflects the European Commission’s aim of unifying data protection laws across the Union under a single regulation, the GDPR.
The protection of personal and organizational data is always crucial in a constantly growing cross border market environment. The General Data Protection Regulation requires safeguards and measures for protecting personal data, ensuring safe data processing, and managing notifications of potential breaches.
The GDPR applies to organizations collecting, processing, and storing the personal data of EU or EEA citizens. This regulation also applies to:
- Organizations with a physical presence in at least one member state of the European Union.
- Organizations located outside of the EU, if they offer services to, monitor, or process the data of data subjects in the European Union, even if the company is not located in the European Union.
Overlap with ISO 27001:
ISO/IEC 27001, the NIST standards, and GDPR share a core commitment: to protect sensitive information from unauthorized access, i.e. to store, process, and transmit sensitive information in a secure way.
ISO 27001 is a generic standard, as it defines the objectives and intents of the security controls. It also allows organizations to select appropriate controls from Annex A and/or from any other standards. Both ISO and NIST require a security risk assessment, but ISO does not prescribe a method for conducting the risk assessment; the NIST RMF can be a useful supplement for that purpose.
ISO 27001 provides an Information Security Management System Framework, which helps an organization to sustain and continuously improve its security posture.
The below diagram shows how ISO 27001 can be used as an overarching framework.
Training: DQS can offer awareness training on the following subjects:
- GDPR requirements
- Risk Management Framework (RMF)
- NIST SP 800-53 requirements
- NIST SP 800-171
Conformity assessment: Why is an Independent Conformity Assessment Required?
NIST standards are developed for government organizations to secure their information systems. GDPR is for ensuring the privacy of personal information. None of these are intended to be used for the purpose of third-party certification (unlike ISO standards), and there is no certification scheme available for NIST standards or GDPR. The application of NIST standards has now extended beyond government agencies. Contractors are now required to comply with NIST SP 800-171 by a target deadline. Very often the government also requires contractors to comply with NIST SP 800-53.
How can an organization show evidence of compliance to GDPR or NIST standards? A conformity assessment report from an independent organization is the only option.
How to achieve conformity?
Option 1: ISO 27001 Registration:
There is a considerable amount of overlap between the controls provided in NIST SP 800-171, NIST SP 800-53, or GDPR and the controls provided in Annex A of ISO 27001. Additional controls from the NIST standard or GDPR can be added to the Statement of Applicability (SOA) for the ISO 27001 registration audit. The registration scope statement will mention that the SOA includes controls from the NIST standard.
You can request a quote for registration here.
Option 2: Conformity Assessment:
If an organization does not want to pursue ISO 27001 registration, DQS can conduct an independent conformity assessment against the NIST standard and GDPR. After a successful assessment, DQS will issue a “Letter of Conformance” (LOC) and a detailed assessment report as evidence of conformance to the applicable NIST standard or GDPR. The assessment report and LOC will be valid for one year; reassessment will be required for continuous evidence of conformance. Please contact us for more information on this.
ISO 50001:2018 DIS is Approved
The past few years have brought about many revisions in the industry, and now ISO 50001 is no exception. The energy management standard was released in 2011 to help organizations establish systems and processes that will improve their energy performance, including efficiency and consumption.
To be sure that the standard continues to meet the needs of the energy sector, the review of ISO 50001 has started. According to Deann Desai, Professor at the Georgia Institute of Technology and Convenor of the working group tasked with revising the standard, the main revision made was the incorporation of the high-level structure to provide for improved compatibility with other management system standards. This will make it easier for customers who integrate their energy management system with other management system standards.
In addition, more improvements have been made to help ensure that key concepts connected to energy performance are clear for small and mid-sized businesses. This helps show that the benefits of management system standards are not just for multinational businesses.
We are pleased to say that in November, the Draft International Standard ISO/DIS 50001 was approved. The new version of the standard is expected to be published in 2018. DQS will be ready to bring information as we receive it about the revisions and deadlines.