NIST 800-171 Compliance
We have a Fast-Track Program to assist Suppliers to the Federal Government with meeting the requirements for Compliance with Executive Order 13556 and NIST 800-171
Our professional services include assisting with:
- Initial Risk Assessments for Controlled Unclassied Information (CUI)
- Preparation of a CUI Security Plan and Statement of Applicability
- Preparation of Policies, Procedures and Control Objectives
- Personnel Awareness Training
- Auditing for Compliance to NIST 800-171 and ISO 27001
Contact Us | Request a Proposal
Controlled Unclassified Information (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors and subcontractors) often process, store, or transmit CUI.
Executive Order 13556, as issued November 10, 2010, designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations. The final draft was made public in April 2015.
NIST 800-171 REQUIREMENTS
Security Requirements for Protecting the Confidentiality of CUI
NIST Special Publication 800-171 contains fourteen families of security requirements (including basic and derived requirements)18 for protecting the confidentiality of CUI in nonfederal information systems and organizations.
The security controls from NIST Special Publication 800-53 associated with the basic and derived requirements are also listed in Appendix D. Organizations can use Special Publication 800-53 to obtain additional, non-prescriptive information related to the CUI security requirements (e.g., supplemental guidance related to each of the referenced security controls, mapping tables to ISO/ IEC security controls, and a catalog of optional controls that can be used to help specify additional CUI requirements if needed).
The security requirements identified in 800-171 are intended to be applied to the non-federal organization’s general-purpose internal information systems that are processing, storing, or transmitting CUI. Some specialized systems such as medical devices, Computer Numerical Control (CNC) machines, or industrial control systems may have restrictions or limitations on the application of certain CUI requirements and may be granted waivers or exemptions from the requirements by the federal agency providing oversight.
1 ACCESS CONTROL
Basic Security Requirements:
1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Derived Security Requirements:
1.3 Control the flow of CUI in accordance with approved authorizations.
1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
1.8 Limit unsuccessful logon attempts.
1.9 Provide privacy and security notices consistent with applicable CUI rules.
1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
1.11 Terminate (automatically) a user session after a defined condition.
1.12 Monitor and control remote access sessions.
1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
1.14 Route remote access via managed access control points.
1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
1.16 Authorize wireless access prior to allowing such connections.
1.17 Protect wireless access using authentication and encryption.
1.18 Control connection of mobile devices.
1.19 Encrypt CUI on mobile devices.
1.20 Verify and control/limit connections to and use of external information systems.
1.21 Limit use of organizational portable storage devices on external information systems.
1.22 Control information posted or processed on publicly accessible information systems.
2 AWARENESS AND TRAINING
Basic Security Requirements:
2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Derived Security Requirements:
2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
3 AUDIT AND ACCOUNTABILITY
Basic Security Requirements:
3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Derived Security Requirements:
3.3 Review and update audited events.
3.4 Alert in the event of an audit process failure.
3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.9 Limit management of audit functionality to a subset of privileged users.
4 CONFIGURATION MANAGEMENT
Basic Security Requirements:
4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Derived Security Requirements:
4.3 Track, review, approve/disapprove, and audit changes to information systems.
4.4 Analyze the security impact of changes prior to implementation.
4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
4.9 Control and monitor user-installed software.
5 IDENTIFICATION AND AUTHENTICATION
Basic Security Requirements:
5.1 Identify information system users, processes acting on behalf of users, or devices.
5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Derived Security Requirements:
5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
5.5 Prevent reuse of identifiers for a defined period.
5.6 Disable identifiers after a defined period of inactivity.
5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
5.8 Prohibit password reuse for a specified number of generations.
5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
5.10 Store and transmit only encrypted representation of passwords.
5.11 Obscure feedback of authentication information.
6 INCIDENT RESPONSE
Basic Security Requirements:
6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Derived Security Requirements:
6.3 Test the organizational incident response capability.
7 MAINTENANCE
Basic Security Requirements:
7.1 Perform maintenance on organizational information systems.24
7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Derived Security Requirements:
7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
8 MEDIA PROTECTION
Basic Security Requirements:
8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
8.2 Limit access to CUI on information system media to authorized users.
8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Derived Security Requirements:
8.4 Mark media with necessary CUI markings and distribution limitations.25
8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
8.7 Control the use of removable media on information system components.
8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
8.9 Protect the confidentiality of backup CUI at storage locations.
9 PERSONNEL SECURITY
Basic Security Requirements:
9.1 Screen individuals prior to authorizing access to information systems containing CUI.
9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Derived Security Requirements: None.
10 PHYSICAL PROTECTION
Basic Security Requirements:
10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
10.2 Protect and monitor the physical facility and support infrastructure for those information systems.
Derived Security Requirements:
10.3 Escort visitors and monitor visitor activity.
10.4 Maintain audit logs of physical access.
10.5 Control and manage physical access devices.
10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
11 RISK ASSESSMENT
Basic Security Requirements:
11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Derived Security Requirements:
11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
11.3 Remediate vulnerabilities in accordance with assessments of risk.
12 SECURITY ASSESSMENT
Basic Security Requirements:
12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Derived Security Requirements: None.
13 SYSTEM AND COMMUNICATIONS PROTECTION
Basic Security Requirements:
13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Derived Security Requirements:
13.3 Separate user functionality from information system management functionality.
13.4 Prevent unauthorized and unintended information transfer via shared system resources.
13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
13.13 Control and monitor the use of mobile code.
13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
13.15 Protect the authenticity of communications sessions.
13.16 Protect the confidentiality of CUI at rest.
14 SYSTEM AND INFORMATION INTEGRITY
Basic Security Requirements:
14.1 Identify, report, and correct information and information system flaws in a timely manner.
14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
Derived Security Requirements:
14.4 Update malicious code protection mechanisms when new releases are available.
14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
14.6 Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
14.7 Identify unauthorized use of the information system.
|
NIST 800-171 SECURITY FAMILIES (14 DERIVED FROM 800-53) |
NIST 800-53 R4 SECURITY FAMILIES |
| Access Control | Access Control |
| Awareness and Training | Awareness and Training |
| Audit and Accountability | Audit and Accountability |
| Configuration Management | Configuration Management |
| (Not required by NIST 800-171) | Contingency Planning |
| Identification and Authentication | Identification and Authentication |
| Incident Response | Incident Response |
| Maintenance | Maintenance |
| Media Protection | Media Protection |
| Personnel Security | Personnel Security |
| Physical Protection | Physical Protection and Environmental Protection |
| (Not required by NIST 800-171) | Planning |
| (Not required by NIST 800-171) | Program Management |
| Risk Assessment | Risk Assessment |
| Security Assessment | Security Assessment and Authorization |
| System and Communications Protection | System and Communications Protection |
| System and Information Integrity | System and Information Integrity |
| (Not required by NIST 800-171) | System and Services Acquisitions |
The development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include:
- Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
- Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
- Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
- Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.
Online Internal Auditor Training Course Updated
We have updated the ‘online version’ of our Internal Auditor Training Course. This course is applicable to many ISO Management Systems, including:
|
|
Some of the Learning Objectives of this Course
- Learn how to create an environment where management and staff members (employees) fully appreciate the value of internal audits in the continual improvement of their organization, which also shall contribute to their success.
- Learn easy-to-use methods for audit preparation to enable you to develop a more effective approach to process auditing.
- Learn easy-to-use audit techniques that can enable you to discover findings that will genuinely contribute to the success of the organization.
- Learn additional techniques that can be used in conducting the audit in way to tap into the expertise of the auditee (management, staff members or employees) and find those opportunities for improvement that may result in an important return on investment.
- Learn an approach to reporting non-conformance and to report internal audit results in a way that encourages timely and effective corrective actions.
This course has 5 Learning Modules:
Introduction to Internal Auditing of Management Systems- Basics of Process Auditing
- Preparing for an Internal Audit
- Performing the Audit
- Reporting the Audit
Also, this Internal Auditor Course includes an option to take a learning confirmation quiz, which contains 100 True or False Questions.
- The course Certificate of Achievement requires a minimum score of 80% and you may have only one opportunity to complete the quiz.
- Participants that attain a score of less than 80% on the final course quiz shall be issued a Certificate of Completion.
This course includes Auditor Templates and Tools
- Template for creating a Turtle Diagram for Process. (Word.docx file)
- Template for creating an Audit Action List of Corrective Action Request written during the Audit. (Word.docx file)
- Template for creating a Journal of Required Records (ISO9001:2008 & ISO13485:2003 in the template). (Word.docx file)
- License for QMSCAPA™ software for managing International Management Systems.
Complete the Course at your own pace
There is not a course completion deadline.- Download our Internal Auditor Learning Guide for offline studying.
- Take the final quiz for certification online when you are ready.
- The course and the quiz takes approximately 4 hours to complete.
Click to Order this online Internal Auditor Training Course
Use the Buy Now button to order through PayPal’s secure online credit card services.
Getting Ready for ISO 9001:2015 Quality Management Systems
The new ISO 9001:2015 Quality Management System is slated to be approved for publishing later this fall. The new Standard for quality will follow a new, higher level structure to make it easier to use in conjunction with other management system standards, with increased importance given to managing and mitigating risk. According to the International Organization for Standardization, if your organization is certified to ISO 9001:2008, you are granted a three-year transition period after the revision has been published to migrate your quality management system to the new edition of the Standard.
Indeed, ISO 9001:2008 is one of the most well-known ISO standards and Quality Management Systems worldwide. Like ISO 9001:2008, all requirements of the new ISO 9001:2015 Standard are generic and are intended to be applicable to all organizations, regardless of type and size to help companies demonstrate that they can offer their customers consistent, good quality products and, or services. Also, ISO 9001:2015 provides a framework to help them streamline their processes and become more efficient at what they do through enhanced communications.
Self-study Course for Transitioning from ISO 9001:2008 to ISO 9001:2015
This self-study or classroom course is designed to provide the most recent information and interpretation of the ISO/DIS 9001:2015 requirements. The course provides participants an opportunity to acquire the necessary knowledge to support an organization in their process of transitioning to ISO 9001:2015. Participants will learn the different components on how to plan and implement the transition to the new version of the standard. Moreover, the training course will also explore on the time frame of implementation and the influence on current processes.
Self-study Course for Transitioning from ISO 9001:2008 to ISO 9001:2015Offered @ $150.00 USD |
Also, this course may be scheduled as an instructor lead online class or on your premises. Please call or email ABCI Consultants to arrange for private training classes.
|
Who should take this course?
• Senior management;
• Persons responsible for the QMS transition and meeting new requirements in their organization;
• Persons considering implementing a new quality management system;
• ISO 9001 auditors and quality practitioners;
• Trainers and consultants;
• Operations personnel; and
• Management Representatives.
Learning objectives
• Identify the anticipated changes in the forthcoming revision of ISO 9001.
• Understand the implementation of a Quality Management System in accordance with ISO 9001:2015
• Gain a comprehensive understanding on how to interpret, plan, and implement the changes of ISO 9001:2015.
• Identify how these changes could affect the organization’s quality management system.
• Identify the timeframe for the implementation and implications of the ISO 9001 management system.
 Self-Study Courses |
 Webinar Courses |
 Classroom Courses |
PECB Certified Course, Accredited by ANSI
Course agenda
Section 1
This section elaborates on the course objectives, structure of the standard and provides an introduction to ISO and its network.
Section 2
This section introduces ISO/DIS 9001, and discusses the differences between the updated version and previous versions. In addition, it explains why and how previous versions have been revised to follow the common structure for management system standards, especially for those organizations practicing integrated management systems.
Section 3
This section defines the Annex SL (former known as ISO Guide 83) and explains its importance and purpose for a management system.
Section 4
This section explains in detail the new version of the standard with primary focus on the major changes that the standard has undergone, such as risk-based and process approach, documentation flexibility, better focus on stakeholders and the context of an organization.
There are also other relevant information included in this section, elaborating other changes of ISO/DIS 9001 in detail. In addition, guidelines are provided on how to measure an organization’s performance and continual improvement.
Section 5
Finally, section 5 lists all corresponding standards which are affected by the transition of ISO 9001.
Furthermore, several procedures and suggestions are provided for the adjustment of the current management system to ensure effective implementation to the recent revision of ISO 9001.
Prerequisites
ISO 9001 Foundation Certification or a basic knowledge of ISO 9001:2008 standard is recommended to ensure effective results.
Exam (Optional)
The ISO 9001:2015 Transition exam fully meets the requirements of the PECB INTERNATIONAL Examination and Certification Program (ECP). Click here for additional requirements for the optional Exam and associated cost.
The exam covers the following competence domains:
Domain 1: Fundamental principles of quality management.
Domain 2: Understanding the high-level structure application on the QMS.
Domain 3: Planning the ISO/DIS 9001 changes.
Domain 4: Planning the QMS transition based on ISO/DIS 9001.
Domain 5: Understanding the difference between ISO 9001:2008 and ISO 9001:2015.
Domain 6: Continual improvement of a QMS based on ISO/DIS 9001.
• The exam will be paper-based, lasting 2 hours and it contains 45 exam questions (Multiple choice, Matching, Fill in the blanks, and TRUE/FALSE).
• The exam is available in English only.
Certification
• After successfully completing the exam, the candidate will receive a certificate documenting the positive completion of the course and examination.
• The certificate will be issued by PECB International.
• The certificate will be sent to participants via e-mail.
ISO 13485 Auditor Training Slated for Anaheim, California
For Internal Auditors (4 Days) and Certified Lead Auditors (4 1/2 Days)
This comprehensive course enables participants to develop the necessary expertise to audit a Quality Management System (QMS) based on ISO 13485:2003 and to manage a team of auditors by applying widely recognized audit principles, procedures and techniques. During this training, the participant will have an opportunity to acquire the necessary knowledge and skills to proficiently plan and perform internal and external audits in compliance with the certification process of the ISO 19011 and ISO 17021 standards.
Based on practical exercises, the participant will have an opportunity to develop the skills (mastering audit techniques) and competencies (managing audit team and audit program, communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit of a Quality Management System for Medical Devices. The daily agenda of the Class appears below.
Lead Auditor Certification Examination and Registration by the Professional Evaluation and Certification Board, an ANSI Accredited Program for Personnel Certification #1003.
| Register as a Participate for Internal Auditing or Lead Auditing | Class Dates | Location | Class Fee |
| ISO 13485 Internal Auditor Course, 4 Days (excludes PECB Certification Examination) | July 13 – 16 | Anaheim, California | $1495.00Click here to Register |
| ISO 13485 Lead Auditor Course, 4 1/2 Days (includes PECB Certification Examination) | July 13 – 17 | Anaheim, California | $1995.00Click here to Register |
Who should attend?
- Auditors wanting to perform and lead Quality Management System (QMS) certification audits in the medical device industry
- Expert advisors in Quality Management Systems
- Internal auditors
- Members of a quality team
- Persons responsible for the quality or conformity in an organization
- Project managers or consultants wanting to master the Quality Management System audit process
- Regulatory affairs managers
- Technical experts wanting to prepare for a Quality audit function in the medical device industry
Do you know your Risk Priority Numbers (RPN) for your processes?
In the ISO 9001:2013 (Committee Draft) the word risk appears 30 times, which appears to follow the revisions to the AS9100C Standard for Aerospace Quality Management.
In recent years we have published Excel workbooks with the type of risk assessments used Failure Mode Effects Analysis (FMEA), whereas the Risk Priority Number (RPN) of the impact is calculated by multiplying the Probability times the Severity times the Detection or [RPN = (P * S * D)]. These Excel tools along with recent additions to QMSCAPA, our quality management software, provide a complete tool kit for compiling the data of various aspects of risk from processes and assessing their impacts.
ISO 9001:213 indicates a requirement to determine the risks to conformity of goods and services and customer satisfaction if unintended outputs. And in Clause 4.4.2 Process Approach: Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that the risks which can affect conformity of goods and services and customer satisfaction are identified and addressed;
In Clause 6 Planning, 6.1 Actions to address risks and opportunities;
When planning for the quality management system, the organization shall consider the issues referred to in paragraph 4.2 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to
a) assure the quality management system can achieve …
b) assure that the organization can consistently achieve conformity of goods and services and customer satisfaction,
c) prevent, or reduce, undesired effects, and
d) achieve continual improvement.
Free Corrective Action Software
Here’s a great way to improve your product / service quality and its free! Click here to join our user-group and download QMSCAPA.
Furthermore
The organization shall plan:
a) actions to address these risks and opportunities, and b) how to integrate and implement the actions into its quality management system processes (see 4.4), and 2) evaluate the effectiveness of these actions.
Notes include, Any actions taken to address risks and opportunities shall be proportionate to the potential effects on conformity of goods and services and customer satisfaction. The organization shall undertake change in a planned and systematic manner, identifying risks and opportunities and reviewing the potential consequences of change.
In Clause 8.3 for Operational planning process …
In preparing for the realization of goods and services, the organization shall implement a process to determine the following, as appropriate,
a) requirements for the goods and services taking into consideration relevant quality objectives; b) actions to identify and address risks related to achieving conformity of goods and services to requirements;
… the risks identified and the potential impacts, …
e) the determined risks and opportunities associated with the development activities with respect to the nature of the goods and services to be developed and potential consequences of failure, …
3) the potential impact on the organization’s ability to consistently meet customer requirements and enhance customer satisfaction.
Also Clause 8.6.5 Post delivery activities …
Where applicable, the organization shall determine and meet requirements for post delivery activities associated with the nature and intended lifetime of the goods and services. The extent of post delivery activities that are required shall take account of
a) the risks associated with the goods and services …
In Clause 9.1.1 General
The organization shall determine take into consideration the determined risks and opportunities and shall:
a) determine what needs to be monitored and measured in order to:
The organization shall: a) plan, establish, implement and maintain an audit program(s), including the frequency, methods, responsibilities, planning … shall take into consideration the quality objectives, the importance of the processes concerned, the related risks, and the results of previous audits;
What does ISO Certification Cost?
Request a Quote for Certification from ABCI
I’ll assume you are asking about the cost of a certification audit by an accredited Certification Body (CB, aka Registrar) as opposed to the cost of implementation and the cost of continual operation within the requirements of the ISO system.
Of course, the cost of the audit is mainly driven by the number of full-time and part-time staff members at the location for the audit. IAF’s IAF Mandatory Document for Duration of International Management System Audits provides guidance for the audit duration for Stage 1 and 2. You can use the Annex A for Quality Systems (page 12 of the 2009 edition) as base line for the Stage 1 and 2 Audit Day, which can be downloaded from http://abcisoconsultants.com/iso-resources/download-iso-resources/.
For example, a small job shop with 11 to 15 employees requires 2.5 audit days. Therefore, if your CB charges $1250.00 per day the base cost for initial certification is $3150.00. Of course, the audit day rates varies between certification bodies, plus industry classifications, audit location, number of work shifts among others variables.
Surveillance audits tend to cost about 1/3 of the initial certification and re-certifications tend to cost about 2/3 of the initial certification.
Plus, CBs tend to add-on other cost for maintenance and registration fees, plus other fees that may be necessary for your situation.
Always get three or four quotes and require the CB to provide you an estimate for the travel-time cost and the travel expenses of its auditor(s) for your locations.
Nationally Recognized Testing Laboratory: UL or CSA
The “CSA” or Canadian Standards Association has recently been certified by the United States Occupational Safety and Health Administration (OSHA) as a “Nationally Recognized Testing Laboratory” (NTRL), just like Underwriters Laboratories (UL). Therefore, since both the UL and CSA are now recognized by all US federal, state, provincial and local authorities to test and certify product-safety in the U.S. and Canada, Your products may use either approval.
Evaluating and Scoring Suppliers
I have developed a prototype quality management Excel spreadsheet tool for evaluating, scoring and approving suppliers.
Be sure to join our Quality Managers User Group to download the Excel workbook and the workinstructions, which are described below.
Click here to Join our User Group or Download our resources.
Jack T. Bogle, Managing Partner abci-consultants.comSupplier Evaluation & Scoring Calculator Log.xlsx
The following table describes the features in the Supplier Evaluation Excel Workbook, which is shown above.
- The Active Suppliers field is automatically tallied when a 1 or 0 is entered into Column A.
- A supplier can be marked active or inactive by entering a 1 or 0 into Column A.
- The Minimum Score Required to be APPROVED field is user-defined and intended to mean the minimum scored needed to indicate an approved supplier.
- The Over-all Experience with a supplier is an average score of all suppliers.
- Enter up to 100 suppliers for evaluation.
- Enter the date of the last evaluation and the next evaluation date is automatically generated.
- If the (H) Supplier Score in less than the (C) Minimum Score Required to be APPROVED, then the (G) Approval Status automatically becomes ‘Not-approved’, else the Status becomes ‘Approved’. The ‘Provisional’ column to the right of the Approval Status column is meant to be used for indicating that a supplier ‘Not-approved’ may be used as needed.
- The average individual Supplier Score.
Supplier Evaluation & Scoring Calculator Log.xlsx
(not within the print area)
The image below shows the Excel columns not intended for printing.
- The Supplier Evaluation Criteria should be entered into row 1, columns G1 through Q1.
- The over-all average score and the average score for each supplier is displayed on row 2, columns G1 through Q1.
- Section (C) shows the individual scores for each supplier.
- Section (D) shows the individual criteria score for each supplier.
A Supplier Evaluation form is located in the Excel Workbook, Supplier Form tab/worksheet.
|
Supplier Name |
Contact: |
||
|
Email: |
Phone: |
||
|
Evaluation Completed by: |
Date: |
Complete the survey below to provide an evaluation of the supplier. Using a scale of 1 through 10; a 1 would indicate that you are very dissatisfied with the supplier, a 5 would indicate indifference and a 10 would indicate that you are very satisfied.
| # | Component Rating Key: 1 = Very Dissatisfied – 5 = Neutral – 10 = Very Satisfied | Rating |
|
1 |
Rate your experience with the supplier’s Sales personnel. Were the personnel prompt, professional, and courteous? | |
|
2 |
Rate your experience with the receipt of orders. Are orders correct as ordered? | |
|
3 |
Rate your experience with on-time delivery. Did you receive the product on-time as expected? | |
|
4 |
Rate your impression of the quality of the product ordered. | |
|
5 |
Rate your impression of the value received for the product ordered. | |
|
6 |
Rate your experience with the packaging and intact delivery condition. | |
|
7 |
Results of Supplier Quality Survey. | |
|
8 |
Rate the experience with the supplier’s Customer Services. Were the personnel prompt, professional, and courteous? | |
|
9 |
Rate your experience with the product realization compared to product specification. | |
|
10 |
Rate your over-all experience with doing business with the supplier. Would you recommend this supplier to others for the products and experience that you have received? | |
|
TOTAL RATING: |
Status: √ Approved √ Provisional √ Not-Approved
| I certify that the above described supplier has been actively supplying products and/or services for at least 6 months, and their quality performance has been satisfactory. This certification is based on my personal knowledge of the supplier’s performance as reflected in the above over-all rating. | Approved by: |
| Job Title: | |
| Approval Date |
Is AS9003-A an alternative to AS9100-C as a Quality System for small non-complex aerospace businesses?
The AS9003-A Standard states that AS9003 is an “inspection and test quality system” for the aerospace industry by the America’s Aerospace Quality Group (AAQG), an industry organization made up of representatives from leading aerospace companies in both North and South America and sponsored by the Society of Automotive Engineers (SAE) International.
The AS9003 Standard has been revised using AS9100:2009 as the baseline document. AS9100:2009 requirements are applicable to noncomplex products and manufacturing processes, which have been incorporated into this standard and modified, as necessary, to reflect the intent of this standard.
AS9003 standardizes, to the greatest extent possible, inspection and test quality system requirements for suppliers that provide noncomplex products. Within the AS9003 Standard, the term “inspection and test quality system” is referred to as quality system.
The globalization of the aerospace industry and the resulting diversity of regional and national requirements and expectations have complicated quality objectives, which includes:
- To assure customer satisfaction, aviation, space, and defense organizations must produce, and continually improve safe, reliable products that meet or exceed customer, and applicable statutory and regulatory requirements.
- Organizations have the challenge of purchasing products from suppliers throughout the world and at all levels of the supply chain. Suppliers have the challenge of delivering products to multiple customers having varying quality requirements and expectations.
The General SCOPE of AS9300A states the standard includes selected quality system requirements from ISO 9001:2008 and AS9100:2009 applicable to noncomplex products and associated manufacturing processes. The requirements of the AS9300A standard are intended to be applied in whole, without any exclusions.
Compliance with all corresponding AS9100 requirements is considered to meet/exceed compliance with the requirements of this standard. Therefore, the requirements specified in this standard are “complementary (not alternative) to contractual and applicable statutory and regulatory requirements”.
Also, the process approach described in ISO 9001 and AS9100 applies to this standard.
The following outline is from the AS9003A Standard. Those familiar with ISO 9001:2008 shall notice many similarities.
4.0 INSPECTION AND TEST QUALITY SYSTEM
4.1. General Requirements
4.2. Documentation Requirements
4.2.1. Quality Manual
4.2.2. Control of Documents
4.2.3. Control of Records
5.0 MANAGEMENT RESPONSIBILITY
5.1. Management Representative
6.0 RESOURCE MANAGEMENT
6.1. Human Resources
6.2. Work Environment
7.0 PRODUCT REALIZATION
7.1. Planning of Product Realization
7.1.1. Configuration Management
7.2. Customer-Related Processes
7.3. Design and Development (Excluded by the Standard)
7.4. Purchasing
7.4.1. Purchasing Process
7.4.2. Purchasing Information
7.4.3. Verification of Purchased Product
7.5. Production
7.5.1. Control of Production
7.5.1.1. Production Process Verification
7.5.1.2. Control of Production Process Changes
7.5.2. Identification and Traceability
7.5.3. Preservation of Product
7.6. Control of Monitoring and Measuring Equipment
8.0 MEASUREMENT, ANALYSIS, AND IMPROVEMENT
8.1. Monitoring and Measurement of Product
8.2. Control of Nonconforming Product
8.3. Corrective Action
8.4. Internal Audit
Once again AS9003-A is very similar to ISO 9001:2008 with some key factors from AS9100, which makes a robust quality management system framework. Therefore, one could make the case that AS9003-A is a viable alternate to AS9100 as Quality Management System.
Jack T. Bogle, Managing Partner Access Business Communications, Inc. International Management Systems 16835-236 Algonquin Street Huntington Beach, CA 92649 (800) 644-2056