Saturday, September 10, 2016

[IT-007] ISO 15489 'certification' process for dummies

ISO Certification process for dummies

Background: At our office, we planned to digitize tons of paper documents while keeping the related physical copies safely dumped at a faraway place on the earth. After going through hundreds of technical jargon terms related to "Record Management", I finally thought it's better to just scan and dump it on a computer hard disk and ceremoniously call it an RMS; after all, in Govt organizations, who really bothers about what we do in IT 😃

But then we thought, why don't we follow some well-defined global standards such as ISO 15489, US DoD 5015.2, etc.? We had also shortlisted many products such as HP Record Manager, EMC Documentum, IBM FileNet, OpenText, NewGen OmniDocs, etc., but curiously Microsoft SharePoint does not claim to comply with those standards, despite the existence of a few add-ons such as RecordPoint.

At one point in time, we realized that no certification exists for ISO 15489 and that US DoD 5015.2 certificates are no longer issued. But, strangely, there are many vendors who claim to be ISO 15489 certified. To put a full stop to this vicious cycle, I finally reached out, by chance through LinkedIn, to Mr. Govind Srinivasan, CEO of Paramount Dataware Pvt Ltd., Chennai, India. He is a well-established ISO certification process veteran who has even trained BSI auditors! What I learned from him through a brief LinkedIn chat, which moved into a further detailed WhatsApp session, is an eye opener. I finally understood that ISO 15489 is just guidance and NOT an auditable standard, whereas ISO 30301 is the auditable avatar of ISO 15489. Strangely, no CB (Certifying Body) such as BSI, STQC, etc. had approached an AB (Accreditation Body) to seek approval to carry out accredited audits in India for ISO 30301.

An edited extract of our chat is reproduced with the kind permission of Mr. Govind Srinivasan of Paramount Dataware Pvt Ltd.

Me: Sir, please enlighten me with a brief summary of the ISO audit process, then move on to explain why ISO 15489 is NOT auditable and the alternative option available within the context of Records Management Software (RMS) in India, particularly for Govt organizations.

He: You have an organization by the name of INTERNATIONAL ACCREDITATION FORUM (IAF). This body is the supreme authority, accrediting the Accreditation Bodies like UKAS, ANAB, etc.

These Accreditation Bodies (UKAS, ANAB, etc.), in turn, approve the Certification Bodies (like BSI, Bureau Veritas, STQC, DNV, SGS, TUV, etc.) for specific ISO Management System Standards.

Every Accreditation Body maintains a catalogue of ISO Management System Standards that it is ready to approve, once a CB comes with a request seeking an accreditation arrangement.

Which means that... if BSI wants to carry on the business of 3rd party audits for ISO 27001, it has to approach one of the Accreditation Bodies, seeking approval to operate that particular scheme. In this case, it is the intent to perform 3rd party audits for ISMS (ISO 27001) for which BSI seeks to get approval from one of the Accreditation Bodies.

The Accreditation Bodies (let us call them ABs) carry out an audit to find out the readiness of the CB to perform 3rd party audits with regard to the particular ISO MSS (Management System Standard), and grant the approval to BSI for conducting 3rd party audits and issuing Accredited Certificates to its clients (BSI's clients).

There is literally an ISO Standard for every activity that governs the working of the ABs & CBs.

When an AB performs the audit of a CB, it keeps ISO 17021-1:2015 as the auditing requirements to be complied with by the CB.

But I thought this info would be useful to you at some point of time, as literally MOST GOVT DEPTS have no idea about the structure of audit bodies like CBs, ABs and the IAF. And this has even led to a govt department getting fooled by an unaccredited so-called CB conducting an ISO 9001 audit and granting a certificate!!

ISO 15489 is NOT an accreditable standard. Meaning, it cannot be one of the 3rd party auditable standards, because it DOES NOT have any requirements. It is just a guidance standard.

A 3rd party audit CANNOT be conducted against a guidance standard. So, at no point of time can ISO 15489 be 3rd party audited.

It is exactly to remove this handicap that ISO brought out 30301. A 3rd party auditable standard should have REQUIREMENTS or Specifications.

You can distinguish a 3rd party auditable standard from other ISO standards when you find the word "REQUIREMENTS" or "SPECIFICATIONS" mentioned in the standard's title itself.

A 3rd party standard consists of only REQUIREMENTS and not guidance. There are about 40 standards in the ISO 27K family of standards. But there is only one 3rd party auditable standard in the ISO 27K family, which is popularly known as ISO 27001.

If one reads ISO 15489-1 & 2 carefully and maps them to ISO 30301, you will find the 15489 standards really interesting and easy to understand. They may appear to be very practical, whereas the ISO 30301 std may appear to be speaking from that proverbial 40000 feet level. But then, every single certifiable ISO Management System Standard may appear like this only. And here is another distinction. There are about 18000 ISO Standards. But all of them are not MANAGEMENT SYSTEM STANDARDS. It is only a MANAGEMENT SYSTEM STANDARD that can be 3rd party audited. And such a MANAGEMENT SYSTEM STANDARD (MSS) is distinguished by the word that is displayed as part of the title itself, in such MSSs, that reads as "Requirements" or "Specifications".

That means, if you conclude that any ISO spec mentioned as an MSS could be 3rd party auditable, and also think of an example where, while ISO 30301 is an MSS, 15489 is not, then YES, YOU ARE RIGHT.

It is a question of chicken from egg or egg from chicken. Certification Bodies, at least in India, have not taken accreditation to do 3rd party audits for ISO 30301.

(That's the end of one more learning walk on a lazy Sunday morning. Bye)
