Consultants' Corner
A Bi-Monthly e-Journal from MaGC
Issue 89 | Pages 1–15 | August-September 2014

Quality Management System—An Overview - Praveena K R
Key QMS Processes at MaGC - Gopal Agarwal
Challenges in Implementing QMS - U S Mohanty
ISO/IEC 27001—An Overview - Ela Vijay

In this Issue

3  Quality Management Systems—A Bird's Eye View
   An introduction to the Quality Management Systems approach.

6  Key changes in MaGC processes after introducing QMS
   A snapshot of processes that will undergo a change at MaGC after the introduction of ISO 9001:2008.

8  Challenges in implementing QMS
   Some of the key challenges that an organisation could face during the implementation of a QMS.

11 ISO/IEC 27001—Information Security
   ISO 27001 is a specification for an information security management system (ISMS).

13 An Exclusive talk with Ela Vijay

14 Quiz Corner

14 What's up at MaGC?
   All events during June & July at MaGC and up-coming birthdays of MaGCites

Readers' Corner

If you have any comment/suggestion for the editors, please write to us at [email protected]. Your views and comments on articles featured here are also welcome!

From the Editors

Anyone spending some time at MaGC the last two months could not have missed the buzz around ISO implementation. The last few months have been a methodical preparation for implementing ISO 9001:2008. As has been the MaGC tradition, we get the best out when we do it in-house. Training sessions have been happening in the Bangalore and Chennai offices. The team which worked on the QMS manual is confident that at the end of the training we will have a good quality, implementable manual. For the few of us who were fortunate to be part of the manual development process, it has been a great learning experience.

Given the buzz around ISO, the topic for this issue of CC was an easy choice for the editors. In fact, CC had already jumped into the ISO action from the last issue itself (we had a small update on ISO @MaGC). In this issue, Praveena writes about what a QMS is all about and gives an overview of ISO 9001:2008. She gives an auditor's perspective of the QMS. Make sure you read it thoroughly; it will help you breeze through the audit process! Gopal, who has been leading the ISO effort, writes about what is going to change for us post-ISO. He has already started piloting the implementation and gives us all the confidence that it is change for the better. Mohanty writes about the typical challenges that an ISO implementation poses in any organization. We at MaGC are bound to come across some of these challenges and this article provides some useful tips on how to handle them.

While the initial implementation in MaGC is all about ISO 9001:2008, that is not all that there is to a QMS. Vijay introduces us to ISO 27001 on Information Security. His article gives us a sneak peek into the standard. Probably an indicator of what MaGC should be doing next.

Consultants' Corner thanks all the authors for their contribution. We hope we get more such theme based, thought provoking articles for upcoming issues as well. Let's wish ourselves success in the ISO implementation. After all, our profession is all about making life better for our clients and what better place to start than at home!!

Quality Management Systems—A Bird's Eye View

Word has been around that MaGC is going to implement a Quality Management System (QMS) and have it ISO certified. Let us try to understand what QMS is, how it will improve MaGC and our role in this whole exercise.

What is QMS?

A Quality Management System may be defined as a collection of business processes focused on achieving an organisation's quality policy and quality objectives. It comprises the organizational structure, policies, procedures, processes and resources needed to implement quality management. A properly functioning QMS ensures that:

- procedures are carried out consistently,
- problems are identified and resolved in a timely manner, and
- the organization is continuously reviewing and improving its procedures, products and services.

It is a mechanism for maintaining and improving the quality of products or services so that they consistently meet or exceed the customer's implied or stated needs and fulfil their quality objectives.

What is ISO 9001:2008?

This is the standard that sets out the criteria for a QMS and is the only standard in the family that can be certified to (others are primarily guidelines). It can be used by any organization, large or small, regardless of its field of activity. This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement.

Certification under this ISO is not mandatory. However, it has been implemented by over one million companies and organizations in over 170 countries. This is because using ISO 9001:2008 helps ensure that customers get consistent, good quality products and services. This in turn brings many business benefits.

Why QMS certification?

There are umpteen advantages of having our core business processes certified for quality by ISO. Some of the key benefits have been listed below:

1. Increased Efficiency - The QMS certification process helps organisations rethink their processes and how to maximize quality and efficiency. Once certified for QMS, the processes are established and guidelines are in place for anyone to follow easily, making training, transitions and trouble-shooting easier.

2. Increased Revenue - Studies have shown that ISO QMS certified companies experience increased productivity and improved financial performance, compared to uncertified companies.

3. Employee Morale - The following aspects help improve employee motivation and satisfaction: roles and responsibilities get clearly defined, there is accountability of management, training systems get established and employees get a clear picture of how their roles affect quality.

4. International Recognition - The International Organization for Standardization (ISO) is recognized worldwide as the authority on quality management. Getting ISO certified will improve our image, make us more competitive to participate in international bids and attract clients.

5. Factual Approach to Decision Making - The standard sets out clear instructions for audits and process reviews that facilitate information gathering and decision making based on the data. Decision making becomes more objective/process-oriented, rather than employee-oriented.

6. Improves Documentation - The standard requires documentation of all processes and any changes, errors and discrepancies. This ensures consistency across the organisation and accountability of all staff. This also guarantees that traceable records are available in case of project delays, lapses, etc.

7. Customer Satisfaction - Client confidence is gained because of the universal acceptance of the ISO standards. Also, implementing QMS improves efficiency, consistency and dedication to providing quality service.

8. Continual Improvement of Processes - Improvements are carefully planned and implemented based on facts, using a system of documentation and analysis, to ensure the best decisions are made for the organisation. Management takes the responsibility of ensuring continual improvement of QMS.

Key QMS components

The key components of QMS are the following:

Quality Policy and Objectives - QMS has to define its purpose and objectives clearly. Each organisation has to construct its quality policy depending on its scope of QMS, business priorities, values, focus, etc. Also, measurable objectives consistent with the policy have to be formulated. This will form the framework of the organisation's QMS.

Quality Processes - These are processes to be followed pertaining to core business for managing quality. These processes, related procedures, documents and reports have to be documented and standardised across the organisation. Also, all employees have to be sensitised and trained to follow them.

Quality Manual - The Quality Manual is a compendium of the organisation's Quality policy, processes, procedures, document and report formats (components 1 & 2 discussed above). This document lays out the framework of the QMS operating in the said organisation. ISO requires that a Quality Manual should form part of the QMS documentation.

Internal Audit - Every certified organization must perform internal audits to check how its QMS is working. An organization may decide to invite an independent certification body to verify that it is in conformity to the standard, but there is no mandate for this. At MaGC, we have decided to have the internal audit done by one of our consultants. The Internal Auditor will be appointed in rotation.

Management Review - QMS is a strategic, management-driven system. It is the responsibility of the Management to periodically review the QMS for the following:

Adequacy – QMS should be capable of satisfying the organisation's quality objectives and requirements. This includes those specified by the organization, its clients, and any applicable standards and/or regulations.

Suitability – QMS should be able to sustain the current performance levels of the organization utilizing an acceptable amount of organizational resources. Each QMS aspect should be right for the specific purpose.

Effectiveness – QMS should enable the organization to meet its own needs, those of its clients and other interested parties. It has to produce the expected results.

Management will use the inputs from employees, clients, the Internal Auditor and their own experience to evaluate the above. Based on this review they formulate Corrective and Preventive action plans to improve the QMS.

The role of the various components in the QMS cycle has been diagrammatically represented below:

Figure: QMS - PDCA Approach
PLAN - Define Quality Policy and Objectives; Quality Manual put in place
DO - Follow Policies and Processes, and support with documentation as per the Quality Manual
CHECK - Inherent internal controls in processes; Internal Audit of QMS
ACT - Periodic Management review to take corrective/preventive action

Terminology

1. PDCA approach/model - This approach is named after the individual phases "Plan", "Do", "Check", "Act" and is thus also referred to as the PDCA model. Most ISOs recommend the PDCA approach to designing management systems. Accepting that change is inevitable in business, and incorporating review cycles to embrace such changes, is recommended as a healthy management approach.

2. Continual improvement - This term is often misconstrued to be the same as 'Continuous improvement'. Continual improvement is broader in scope than continuous improvement. The concept of 'continual improvement' is a strategy that typically consists of both 'continuous process improvements', like regular training programs, reporting, monitoring, etc., and discontinuous function or systemic improvements like organizational "reengineering", throwing out dysfunctional methods of management, etc. An organisation that is continually improving will be, by definition, a learning organization.

3. Corrective action - may be defined as action taken to eliminate the cause of a detected non-conformity or other undesirable situation. This is to prevent the repetition of the same non-conformity/incident. For example, process changes made to address the anomalies observed by internal audit are a corrective action. Here a non-conformity has been observed and the issue is being addressed to prevent such incidents in future.

4. Preventive action - may be defined as action taken to avoid the occurrence of any non-conformity or other undesirable situation. This is to prevent the occurrence of non-conformity. For example, introducing a new process to periodically monitor a business activity is a preventive action. Here there is no incident; this is a precautionary introduction of an internal control by the management.

Some misconceptions

QMS and ISO certifications are not well understood and hence there are a number of misconceptions about them. We have seen these arguments as resistance to change even while implementing process re-engineering projects for clients! Let's bust some of these myths!

1. QMS requires excessive documentation and paperwork - ISO recommends documented procedures to provide transparency, structure, and confidence to the organization. This will vary based on entity size, complexity and competence of employees. Hence regularly maintaining 'essential' documents will be a change to be embraced. However, this does not qualify as 'excessive' paperwork.

2. QMS is just a cost and does not add value - QMS helps organizations avoid mistakes and save resources, time, and money. Many studies show that preventing a problem is less expensive than dealing with the consequences after a problem occurs. Hence a properly implemented QMS should result in cost savings and efficiencies.

3. QMS kills flexibility and innovation - QMS is designed with the primary objective of improving quality. So, a system that properly balances good discipline and structure with certain flexibilities will definitely facilitate creativity rather than curb it. Also, this ISO provides for continual improvement. Hence, any aspects posing as a barrier to innovation can be altered appropriately during management review.

4. QMS distracts an organization from its core activities - This myth will almost certainly come true for organizations that use a plug-and-play approach to implementing QMS, instead of making sure documents and practices fit their businesses. Adopting and designing procedures that form part of routine core activities helps overcome this concern.

5. QMS does not guarantee service quality - This is true to some extent, as nothing can absolutely guarantee the quality of a service/deliverable. However, QMS can go a long way in preventing problems from occurring in the first place, thus providing dramatic improvements in results while reducing costs.

We can clearly see a pattern here; most of the misconceptions are actually concerns that can be overcome by properly designing the QMS. Hence it is essential for all personnel to actively participate in the designing of the QMS and provide regular feedback for its betterment.

Conclusion

MaGC™ operates in the highly competitive service sector of Management Consultancy. This requires us to be on our toes and continually improve our competitiveness. Of the several measures to do this, improving the quality of our deliverables and the efficiency of our processes are crucial for organisational success. Also, our core values are in line with the requirements of this standard. We are an organisation with strong client focus and commitment to meet deadlines. Implementing and using tools such as Documan (Document management software) has enabled us to standardise many aspects of our processes.

So as an organisation we have the wherewithal to implement a QMS and get it ISO certified. This will definitely provide us the competitive edge and help us grow.

Things work out best for those who make the best of how things work out.
- John Wooden

Praveena K R can be reached at [email protected]

Key changes in MaGC processes after introducing QMS

MaGC has a systematic process approach in understanding clients' requirements which culminates in clients' satisfaction. The Mission Statement and Quality Policy of MaGC too revolve around clients' happiness. The Quality Policy and the Quality Objectives of MaGC are given below.

1. Quality Policy: A quality policy has been defined. The policy ensures that the quality to be maintained in performing work will help MaGC to meet client expectations by providing high quality and value added consulting solutions.

2. Quality Objectives: The quality objectives such as client satisfaction, on time delivery, and meeting ISO requirements are defined and will be practiced during project execution. This will help the employees/consultants to meet these objectives to maintain the quality of the project.

The Quality Management System (QMS) at MaGC seeks to smoothen and streamline its business processes. The QMS serves as a user guideline for all its employees and also helps in outlining the employees' responsibilities.

A Quality Manual has been prepared by MaGC which outlines the processes and procedures to be followed during the execution of all the consulting projects. This manual gives guidelines to the consultants at the time of executing their work, and this results in better delivery of projects and ensures higher client satisfaction.

After introducing QMS in MaGC there have been some noticeable changes in the execution of projects, i.e. from the proposal stage to the finalisation of the reports. The main changes in MaGC processes due to QMS are listed below:

1. For every project, a Project Plan is to be prepared containing the deliverables, task breakdown, responsibility and timelines. This is very helpful for tracking completion of the project on time.

2. Prior to QMS, the records of clients' communication were limited to the extent they affected the project. But now every communication with the client is properly documented and maintained. A Meeting Minute Sheet is prepared. Details such as meeting date, persons met, discussion points, etc. are recorded and updated as and when meetings are held with the client.

3. A document for recording the details of documents collected from the client is maintained. This helps in tracking the documentation received from the client.

4. A Project Status Tracker is prepared for monitoring the project work. It contains the detailed work breakdown with team allocation and timelines. It is updated periodically or on re-allocation of the tasks to reflect the current status, any change in tasks, dates, etc.

5. The periodicity of the project review meeting is decided at the beginning of the project. Any challenges faced, major issues, time/cost savings, change in approach, project billing etc. are discussed during the project review meeting.

6. The changes made to any documents/submittals are clearly identified, as all the documents from the commencement and execution till the completion of the project are properly maintained version-wise and revision-wise.

7. A Quality Checklist covering aspects to be checked before sending any submittal to the client is prepared and followed. The checklist is organized along the lines of the MaGC Documentation Guidelines.

8. A Project Closure checklist is maintained and filled after completion of the project to ensure that all documentation and archival formalities are completed.

9. Informal discussions have been made part of MaGC QMS. These discussions ensure that all the team members are in the know of the projects handled by MaGC at any given point in time.

10. Periodically the QMS is reviewed to maintain the quality standard of the company, and any changes needed in the quality policy or objectives are identified and taken up.

11. The end-to-end processes followed in the execution of the project are verified and validated through QMS.

12. The documents maintained are properly stored in DocuMan and are clearly identifiable. The security of, and rights to access, documents are ensured by access controls that are set in place in the software.

Gopal Agarwal can be reached at [email protected]

A POUND OF BUTTER

There was a farmer who sold a pound of butter to the baker. One day the baker decided to weigh the butter to see if he was getting a pound and he found that he was not. This angered him and he took the farmer to court. The judge asked the farmer if he was using any measure. The farmer replied, "Your Honor, I am primitive. I don't have a proper measure, but I do have a scale." The judge asked, "Then how do you weigh the butter?" The farmer replied, "Your Honor, long before the baker started buying butter from me, I have been buying a pound loaf of bread from him. Every day when the baker brings the bread, I put it on the scale and give him the same weight in butter. If anyone is to be blamed, it is the baker."

What is the moral of the story? We get back in life what we give to others. Whenever you take an action, ask yourself this question: Am I giving fair value for the wages or money I hope to make? Honesty and dishonesty become a habit. Some people practice dishonesty and can lie with a straight face. Others lie so much that they don't even know what the truth is anymore. But who are they deceiving? Themselves.

No one can make you feel inferior without your consent.
- Eleanor Roosevelt

Don't be afraid to give up the good to go for the great.
- John D. Rockefeller

Page 8: Consultants’ Corner - MaGCISO/IEC 27001 — An Overview - Ela Vijay ... ISO 27001 is a specification for an information security management system (ISMS). 13 An Exclusive talk with

8 Consultants’ Corner

Such attitude sayings stem from the popular notion that management is

always right and therefore employees are‖ only supposed to implement management decisions without questioning. Lethargy is

fur ther propagated through management‘s failure to train

employees on QMS fundamentals that build better attitudes by involving them in

teams that identify and solve problems. Such training can transform employees from being part of the problem to part of the solution. This will foster motivation and creativity and build productive and healthy attitudes that focus employees on basic fundamentals, such as: keep Client Happiness needs in mind, constantly look for improvements, and accept personal responsibility.

3. Lack of leadership for quality

Excess layers of management quite often lead to duplication of duty and responsibility. This has made the lower employees of an organization to leave the quality implementation to be a management‘s job. In addition, quality has not been taken as a joint respon-

sibility by the management and the employees. Coupled with the notion that management is infallible and therefore it is always right in its decisions, employees have been forced to take up peripheral role in quality improvement. As a result employees who are directly involved in the delivery of services are not motivated enough to incorporate quality issues that have been raised by the Clients they serve since they do not feel as part of the continuous process of quality improvement. Moreover, top management is not visibly and explicitly committed to quality in many organizations.

QMS views an organization

functions as a collection of processes. QMS is a philoso-phy that seeks to integrate all processes of various functions of an organization to focus on meeting client needs and organiza-tional objectives. QMS maintains that or-ganization must always strive to continuously im-prove these processes by incorporating the knowledge and experiences of experts within and outside.

The organization Quality Policy translates into the specific quality objectives for its various functions. As in implementation of any system, there will be challenges in the implementation of the QMS also.

Challenges in QMS implementation may be an action or a situation that causes an obstruction. Challenges can be attitude, economic, technology or resource based.

The challenges in implementation of QMS are

1. Lack of Management Commitment

A QMS implementation program will succeed only if top management is fully committed. Success requires devotion and highly visible and articulate champions. Lack of commitment in QMS implementation may stem from various reasons. Major obstacles include the pre-occupation with short-term profits, time constraint in Project Submittals and the limited experience and training of many consultants in Quality Objectives. For example, it is observed that many Consultants have extensive experience in consultancy but not in quality improvement. Similarly the MD does not have to be a quality expert; the QMS implementa-tion program may fail when the MD does not recognize the contribution of the Quality Objectives make toward profitability and customer satisfaction.

Top management should, therefore, embrace quality improvement programs no matter how far reaching the programs may appear the monetary implications therein.

2. Lack of Employee Participation in QMS

In the competitive environment, poor management practice, lack of higher expectations has contributed to unproductive and unhealthy attitudes. These attitudes often are expressed in popular sayings, such as ―It‘s not my job‖ and ―If I am not broke, don‘t fix it.

Challenges in Implementing QMS

If you can't explain it simply, you don't under-

stand it well enough.

- Albert Einstein

contd on next page

Page 9: Consultants’ Corner - MaGCISO/IEC 27001 — An Overview - Ela Vijay ... ISO 27001 is a specification for an information security management system (ISMS). 13 An Exclusive talk with

8. Poor Planning The absence of a sound strategy has often contributed to ineffective quality improvement. The deficiencies in the original planning cause a process to run at a high level of chronic waste. The pre-planning stage of developing the right attitude and level of awareness is crucial to achieving success in a quality improvement program.

Newell and Dale (1990) in their study observed that a large number of companies are either unable or unwilling to plan effectively for quality improvement. Although many performed careful and detailed planning prior to implementation, not one of the firms studied or identified beforehand the stages that their process must endure. Perhaps the root cause of poor plans and specifications is that many owners do not understand the impact that poor drawings have on a project‘s quality, cost, and time. Regardless of the cause, poor plans and specifications lead to a project that costs more, takes longer to complete, and causes more frustration than it should. Companies using QSM should always strive towards impressing upon owners the need to spend money and time on planning. If management took reasonable time to plan projects thoroughly and invest in partnering to develop an effective project team, a lot could be achieved in terms of product performance as these investments in prevention- oriented management can significantly improve the quality of the services offered by an organization. 9. Resistance of the workforce A workforce is often unwilling to embrace QSM for a variety of reasons. Oakland (1989) explained that a lack of long-term objectives and targets will cause a quality imple-mentation pro-gram to lose credibility. Keys (1991) warned that an adversarial re la t ionsh ip between man-agement and n o n -management should not exist, and he em phas ized that a coop-erative relationship is necessary for success. A QSM project must be supported by employee trust, acceptance and understanding of management's objectives .Employees ,therefore, should be recog-nized by the management as vital players in the deci-sion making processes regarding to quality improve-ment as involving them would have motivating effect on implementation of quality programs.

4. Deficiency of Cultural Dynamism

Every organization has its own unique way of doing

things. This is defined in terms of culture of the

organization. The processes, the philosophy, the

procedures and the traditions define how the

employees and management contribute to the

achievement of goals and meeting of organizational

objectives. Indeed, sticking to organizational culture is

integral in delivery of the mission of the organization.

In adequate cultural dynamism has made QMS

implementation difficult because most of the top level

management of many organizations is rigid in their

ways of doing things.

5. Inadequate resources for QMS

Since most companies do not involve quality in their

strategic plan, little attention is paid to QSM in terms

of human resources, infrastructure, technology and

financial resources. Much of the attention is drawn to

increasing profit margins of the organization with little

regard as to whether their offers/ supply to client are

of expected quality. There is paltry budgetary

allocation made towards employee training and

development, updation of technology and sufficient

infrastructure, which are critical for QSM implementa-

tion. Employee training is often viewed as unneces-

sary cost which belittles the profits margins which is

the primary objective for the existence of businesses

and as a result QSM has been neglected as its

implementation ―may not necessarily bring gains to

the organization in the short term‖.

6. Lack of focus on Client Happiness

Most strategic plans of organizations are not Client

Happiness driven. They tend to concentrate much on

profit-oriented objectives within a given time frame.

Little (if any) market research is done to ascertain the

service performance in the market relative to its

quality. Such surveys are regarded by most

organizations as costly and thus little concern is

shown to quality improvement for Client Happiness.

7. Lack of Effective Measurement of Quality Improvement

QMS is centered on monitoring employees and processes, and establishing objectives that anticipate the client's needs so that the client is surprised and delighted. This has posed a considerable challenge to many companies. Measurement problems are caused by goals based on past substandard performance, poor planning, and a lack of resources and of competitor-based standards.

Life is not about finding yourself. Life is about creating yourself. - Lolly Daskal


Conclusion and recommendation

The advantages of QMS have been widely discussed, but the challenges of implementation have received little attention. A quality philosophy is required for the successful implementation of a quality project. This philosophy must facilitate a long-term lifestyle change for a company. Commitment of top management is essential. Substantial inflow of resources, adequate training, workforce participation and effective measurement techniques are some of the key success factors. A successful QMS program is unique, and it should motivate middle management to focus on long-term strategies rather than short-term goals. Teamwork is the key to involvement and participation. Groups should be encouraged to work closely and effectively, and should focus on quality improvement and client happiness.

All organizations should focus on the following for successful QMS implementation:

- Create consistency of purpose toward improvement of the service so as to become competitive, stay in business and provide jobs.

- Cease dependency on top management for mass revision of project submittals.

- Adopt the new philosophy. We are in a new economic age. We no longer need to live with commonly accepted levels of delay, mistakes, defective material and defective workmanship.

- Improve the quality of submittals, internal documents, articles, and notes to clients as well as internal ones. Adopt the practice of awarding services on the basis of price and value addition; instead, depend on corrective measures of quality, along with time and price.

- Find the problems; constantly improve the system of service. There should be a continual rise in productivity and a decrease in costs.

Source: http://ir-library.ku.ac.ke/bitstream/handle/123456789/7167/Jackline%20Atieno%20Ater.pdf?sequence=1

10. Lack of proper training/Inadequate Human Resource Development

There is evidence that a lack of understanding and proper training exists at all levels of any organization, and that it is a large contributor to worker resistance. Schein (1990), for example, mentioned that the failure of business schools to teach relevant process skills contributed to manager ineffectiveness. QMS requires a well-educated workforce with a solid understanding of basic math, reading, writing and communication. Although companies invest heavily in quality awareness, statistical process control, and quality circles, often the training is too narrowly focused. For a company to produce a quality service, employees need to know how to do their jobs. For QMS to be successful, organizations must commit to training employees at all levels. QMS should provide comprehensive training, including technical expertise, communication skills, small-team management, problem-solving tools, and client relations.

11. Competitive markets

A competitive market is a driving force behind many of the other obstacles to quality. One of the effects of a competitive market is to lower quality standards to a minimally acceptable level. This barrier to quality is mainly a mental barrier caused by a misunderstanding of the definition of quality. Unfortunately, too many companies equate quality with high cost. Their definition leads to the assumption that a company can't afford quality. A broader definition needs to be used to look at quality, not only in the company's service, but in every function of the company. All company functions have an element of quality. If the quality of tasks performed is poor, unnecessary cost is incurred by the company and, ultimately, passed to the client or suffered by the company itself. QMS should work by inspiring employees at every level to continuously improve what they do, thus rooting out unnecessary costs. Done correctly, QMS can dramatically reduce a company's operating costs. The competitive advantage results from concentrating resources (the employees' brainpower) on controlling costs and improving client service.

Motivation is what gets you started. Habit is what keeps you going. - Jim Ryun

Uma Shankar Mohanty can be reached at [email protected]

ISO/IEC 27001— Information Security

Four phases of information security management system:

ISO 27001 prescribes how to manage information security through a system of information security management. Such a management system, just like ISO 9001 or ISO 14001, consists of four phases that should be continuously implemented in order to minimize risks to the confidentiality, integrity and availability of information.

The phases are:

The Plan Phase – This phase serves to plan the basic organization of information security, set objectives for information security and choose the appropriate security controls; the standard contains a catalogue of 114 possible controls.

The Do Phase – This phase includes carrying out everything that was planned during the previous phase.

The Check Phase – The purpose of this phase is to monitor the functioning of the ISMS through various "channels", and check whether the results meet the set objectives.

The Act Phase – The purpose of this phase is to improve everything that was identified as non-compliant in the previous phase.

The cycle of these four phases never ends, and all the activities must be implemented cyclically in order to keep the ISMS effective.

Organizations are required to apply these controls appropriately in line with their specific risks and

Third-party accredited certification is recommended for ISO 27001 conformance.

The ISO/IEC Standards Family: ISO 27002 and 27003

The ISO 27002 standard was originally published as a rename of the existing ISO 17799 standard, a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001. The standard "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment.

What is ISO/IEC 27001?

Formally known as ISO/IEC 27001:2005, ISO 27001 is a specification for an information security management system (ISMS). ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes. ISO 27001 defines how to organize information security in any kind of organization, profit or non-profit, private or state-owned, small or large.

Being a formal specification, it mandates specific requirements. ISO 27001 is for information security what ISO 9001 is for quality – it is a standard written by the world's best experts in the field of information security and aims to provide a methodology for the implementation of information security in an organization.

It also enables an organization to get certified, which means that an independent certification body has confirmed that information security has been implemented in the best possible way in the organization. Given the importance of ISO 27001, many legislatures have taken this standard as a basis for drawing up different regulations in the field of personal data protection, protection of confidential information, protection of information systems, management of operational risks in financial institutions, etc. Hence, we could even say that this standard is the foundation of information security management.

Implementing ISO/IEC 27001:

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

Step 1: Define a security policy.

Step 2: Define the scope of the ISMS.

Step 3: Conduct a risk assessment.

Step 4: Manage identified risks.

Step 5: Select control objectives and controls to be implemented.

Step 6: Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.

The four-phase approach, 'The P-D-C-A Cycle', which comprises the four phases of the ISMS, is considered to be the most successful implementation methodology.


The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities". The current version was published in 2013. ISO 27002:2013 contains 114 controls, as opposed to the 133 documented within the 2005 version. However, for additional granularity, these are presented in fourteen sections, rather than the original eleven. It should also be noted that over the years a number of industry-specific versions of ISO 27002 have been developed, or are under development (for example: health sector, manufacturing, and so on). We could also consider this as it keeps on improving in a never-ending cycle as the technology grows and gets better every day. ISO 27002 contains the following major sections:

1. Introduction
2. Scope
3. Normative references
4. Communication Security
5. System Acquisition, Development and Maintenance
6. Supplier Relationships
7. Information Security Incident Management
8. Information Security aspects of Continuity Management
9. Compliance

ISO 27003 (ISO27003)

Its suggested title at the present time is "Information technology - Security techniques. Information security management system implementation guidance". The purpose of this proposed development is to provide help and guidance in implementing an ISMS (Information Security Management System). This will include focus upon the PDCA method, with respect to establishing, implementing, reviewing and improving the ISMS itself. The following is the current structure; some other content originally planned is still under development:

1. Scope
2. Normative References
3. Terms & Conditions
4. Structure of this International Standard
5. Obtaining Management approval for initiating an ISMS Project
6. Defining the scope, boundaries and ISMS policy
7. Conducting information security requirements analysis
8. Conducting risk assessment and planning risk treatment
9. Design the ISMS

Advantages or benefits of implementing ISO:

Prime Benefits:

1. Best framework for complying with information security legislation
2. Better organizational image because of the certificate issued by a certification body.
3. Lower costs because of prevented incidents. The operations in the organization are optimized because the responsibilities and business processes are clearly defined.

Extended Benefits:

Aligning Business and Technology Objectives: As the standard forces business management and technical staff to cooperate to meet certain management and information control objectives, it can dramatically improve alignment between these sometimes disjointed groups. ISO recommends this to foster continuous and sustainable improvement.

Data Protection: Applying a standard process to the selection and maintenance of existing and new security procedures that involves both management and information technology (IT) personnel helps prevent problems before they occur. It also addresses legal compliance through standardized internal and external audits.

Benchmarking: ISO 27001 provides additional opportunities for benchmarking, helping companies more readily implement best practices and reach stretch goals. Detailed, expanded comparisons with others in the same industry lead to breakthrough improvements. This standard also encourages everyone in the organization, from management to technical staff, to get on the same page regarding goals and objectives, improving communication and ultimately results.

Conclusion:

The ISO/IEC 27001 standards can be implemented successfully if the organization realizes that the value of being certified as an ISO 27001 organization could enhance its brand image in the competitive market compared with its competitors. However, successful implementation depends on the support from the Management, the effectiveness of the project team and the awareness of the employees about the collective goal to be achieved in terms of ISMS Implementation. The duration and cost involved in the implementation could be other concerns; the duration depends on the planning, and the cost involved may not be calculated accurately until the risk assessment has been completed and the applicable controls have been identified. On the whole, an ISO/IEC 27001 implementation, if planned and executed in a phased approach (P-D-C-A), would help the organization to become standardized in terms of globally recognized measures of Standards – The ISO/IEC 27001 – successfully.

Visit to know more: http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO/IEC%2027001&countrycode=AF#standardpick

Ela Vijay can be reached at [email protected]

An Exclusive talk with Ela Vijay

Ela Vijay
B.Sc., M.H.R.M., M.Phil., Pursuing LL.B (2014-2017), MCSE – Security, MCSA – Messaging, MCTS - BDD, MCTS – Vista, MCTS – Win Server 2003
Consultant
9th July 1984
[email protected] and personal email: [email protected]
+91 90253 15682

CC. The meaning of your name
Vijay: Victory

CC. Nick name.
Vijay: VJ / Ela

CC. CEO, Corporate Legal Consulting Firm
Vijay: Team work made dreams work :)

CC. What personal/emotional characteristic of yours do you want to change?
Vijay: Excessively caring for others, should learn to 'LET GO'

CC. Money or job satisfaction?
Vijay: Job satisfaction

CC. Your stress buster.
Vijay: Reading comics and playing with my friend's kids

CC. Do you have a small circle of close friends, rather than a large number of friends?
Vijay: Small circle of trusted close friends, who do everything before I ask for and large number of friends to support with anything if I ask for.

CC. What do you most like about a person?
Vijay: Simple, down to earth and humble

CC. What do you most hate in a person?
Vijay: Lack of discipline, which could be observed by everyone, creating a negative impression about the person. However I believe in "Never Judge, just Accept how a person is"

CC. Team work Vs Individual work – your comments.
Vijay: Individual work = winning Wimbledon. However, Team Work = ICC World Cup or FIFA World Cup. Thanks to Michael Jordan :) for his inspiring quote.

CC. Do you make efforts to get others to laugh and smile?
Vijay: Certainly, sometimes my contribution happens even when I don't take any special or specific effort :)

CC. Your heart rules your head or your head rules your heart?
Vijay: Heart rules head in personal matters, but in profession head rules my heart

CC. Special talent.
Vijay: Tough question, is there an option to say Pass or Phone a Friend or Audience Poll? :)

CC. Hobbies.
Vijay: Philately, reading comics, watching movies, travelling, cooking.


What's up at MaGC?

MaGC team headed by Dr. RSM attended the MacMillan Woods regional conference on 18th and 19th July 2014 at Bangalore.

Kishore enjoying an off day during his Financial Advisory project for IST Egypt in July 2014.

Ashok Rao with Director General, Dept. of Public Accounts, Bhutan as part of the "Peer Review of Financial Rules and Regulations" project in July 2014.

Karthik M V gave a guest lecture on 'Altman Z Score' at the Acharya Bangalore Business School, Bangalore on 17th June 2014.

Birthday wishes

Mamtha 5th Aug; Karthikeyan 1st Sept; US Mohanty 4th Sept; RS Murali 5th Sept; Bhavana 14th Sept; Roopa Kamath 22nd Sept

Quiz Corner

1. Sydney has started installing 'reverse vending machines'. What are these?

2. Govt wants to promote the use of debit cards issued by National Payment Corp of India. What is the name of this network?

3. British Airways has introduced a 'Happiness blanket'. What does it do?

4. Modi has made yet another new coinage: B4B. What does it stand for?

5. In the Amazon logo, there are 2 subliminal messages being hinted at with the yellow arrow. What are they?

Send in your answers to the editor at [email protected]

Participants with the correct entry will be awarded a Recognition Certificate by MaGC.

Last Quiz Corner Answers: 1. Honda Activa; 2. Largest Hindi search portal; 3. IDFC and Bandhan Financial Services; 4. Google; 5. McKinsey Moms are former McKinsey employees who left McKinsey to raise a family.

Right answers for the previous issue quiz were given by Bhavana. !!! Congratulations !!!

Editorial Board
C S Suresh, Executive Director
Ashok Rao, Executive Director

Editors
Vinod M, Consultant
Karthik M V, Consultant

Published by
MaGC Private Limited, Chennai & Bangalore
Email to [email protected]

Our Mission is to apply our professional capabilities with a holistic approach for the happiness of clients, through values and social commitment.

Contact
Registered Office: 2nd Floor, New No. 4, Old No. 23, C P Ramasamy Road, Alwarpet, Chennai - 600 018, INDIA Ph: +91 44 2466 0955 / 24986850 Email: [email protected]
Branch Office: #107, 1st Floor, Railway Parallel Road, Kumarapark West, Bengaluru - 560 020, INDIA Phone/Fax: +91 80 23560265 Email: [email protected]
Website: www.magc.in

Our Business Associates
N.C.R & Co.

Management and Governance Consulting Pvt. Ltd.