QualityMentors Blog

This blog is a membership-based discussion forum on Project Management, Software Quality, CMMI® for Development, ISMS and associated subjects. It provides a common platform for our training participants and others to share views and obtain expert opinion on issues related to the above subjects. It is also used by QualityMentors training participants to upload their personal details securely, in line with the guidelines laid down in ISO/IEC 17024:2003. This blog draws its strength from its members, who are welcome to share professional and personal experiences, comments, articles and reference links to make it a preferred knowledge repository for their collective use. It encourages fact-based decision making as a success enabler for projects in member organizations.

Competency matters, not training certificates

This article was first published in the SEI (Software Engineering Institute) repository. It places significant importance on raising the ‘competency’ of trainees rather than just providing them with subject matter details. So the number of years of experience and/or qualifications do not matter as much as the ‘competency’ acquired through training, mentoring and hard work. ‘Competent’ people in a project lead it to success. You will find this article quite interesting. Read on.

Sequence of activities in BCMS

While conducting BCMS (ISO 22301:2019) Lead Auditor courses, participants ask me why the sequence of activities while preparing for a BCMS does not follow the plan-do-check-act sequence, and why we should start with the BIA (clause 8.2 of the standard) and not with clause 8.1 (Operational planning and control). The answer is simple: one should be geared up with the prerequisites for planning before embarking on the plan. This is why we have to conduct the BIA for the identified business-critical functions first, and then plan the BCP based on the outcomes of the BIA. To illustrate the whole process, I am presenting a flow chart for BCMS operations here.

ISO 9001:2015 at a glance

One of the participants of the QMS Lead Auditor courses being conducted by me has contributed this graphic. I hope the readers will find it informative and interesting. I thank Mr. Siva Sankar Rao for this contribution!

GDPR Compliance with ISO 27001 and ISO 27018

Neeraj Rawat from BSCIC asked whether compliance with the GDPR can be achieved by being compliant with ISO 27001:2013 and ISO 27018:2014.

ISO 27001 provides an excellent starting point for meeting the technical and organisational requirements necessary to prevent a data breach under the General Data Protection Regulation (GDPR). A company that has effectively implemented ISO 27001 has already achieved a substantial part of GDPR compliance by minimising the risks to the confidentiality, integrity and availability (CIA) of information and data. The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold. This is achieved by defining and implementing policies and processes under ISO 27001, keeping the GDPR requirements in mind.

Additional requirements in the GDPR, such as those covered by a privacy framework like BS 10012:2017 (Specification for a personal information management system, PIMS), have to be met before an organisation is GDPR compliant.

ISO 27018:2014 is meant for protecting personally identifiable information (PII) in public clouds. That means being compliant with ISO 27001 and ISO 27018 cannot, by itself, guarantee compliance with the GDPR.

Industry 4.0: An insight


An article by Jitendra Mathur

At the Hannover Fair in 2011, the German government coined the term ‘Industry 4.0’, meaning the 4th industrial revolution. It denotes, basically, the ‘computerisation of manufacturing’.

This means civilisation has already seen three industrial revolutions. Let us recap briefly what the previous three revolutions were and how they evolved.

1st Industrial Revolution:

The 1st industrial revolution dates back to the 18th century, roughly 1760 to 1840. During this time, manual production started to be mechanised and production floors started using machines. The machines were powered by steam engines and water. The first industry to adopt machines was the textile industry, and slowly people started using the word ‘factory’.

2nd Industrial revolution:

The second industrial revolution happened during 1870 to 1914. Mass production was the name of the game. The pre-existing railway and telegraph systems grew into industries in their own right. This was the time when steel was mass produced, leading to the growth of the railways, and when research in chemistry started. Also, notably, electricity became the source of power.

3rd Industrial Revolution:

This phase of the industrial revolution started around 1950. This is when digitisation grew and the IT revolution started taking place, leading to automation backed by control systems. Mechanical machines were combined with electronics and computers to drive digital control systems, robots and basic machinery.

4th Industrial Revolution:

The fourth industrial revolution is next-generation manufacturing. Flexibility and customisation in mass manufacturing is the new trend. This means:

  1. Machines will communicate with other machines and with humans, take decisions and adjust according to customer expectations.
  2. Machines will be fitted with sensors that monitor the health of the machine and predict when maintenance is due before a failure occurs, with the data processed in a cloud computing environment.
  3. Manufacturers will communicate with computers rather than directly operating the machines.

Some important terms used in this context are:

  1. Cyber-physical systems (CPS): a CPS is the monitoring and control of physical processes by computers and networks at the system level, taking decentralised decisions. CPS have evolved through three stages:
    • Unique identification, e.g. RFID tags.
    • Integration of sensors and actuators: this allowed monitoring of machine parameters and environmental conditions, but the sensors and actuators did not communicate with each other.
    • Networked sensors and actuators: the sensors and actuators are networked so that they can communicate with each other, and store and analyse data.
  2. Internet of Things (IoT): CPS communicate and co-operate with each other and with human beings in real time, over the cloud, to solve problems. Where goals conflict, the case is referred to a higher level for a decision.
  3. Internet of Services (IoS): once we have devices such as sensors, actuators, mobile phones, tablets and laptops doing what they are supposed to do, a higher-level system is required to co-ordinate them and simplify the process. This, simply, is the IoS.
  4. Internet of People (IoP): the Internet of People is the service infrastructure that enables person-to-person relationships to be established for business transactions; its distributed, decentralised, blockchain-based system allows personal data to remain on the end-user device, while server-side profiles and proximity are responsible for establishing the connections needed to link them.
  5. Smart factory: thus comes the smart factory, where the physical system (CPS) communicates with the virtual system (IoS) over the IoT and assists people and machines to deliver what they are supposed to.

Design Principles of Industry 4.0:

The design principles for Industry 4.0 clarify how the new revolution will operate.

  1. Interoperability: the ability of machines, devices, sensors and people to connect and communicate with each other via the IoT and IoP. This is the principle that makes the factory truly smart.
  2. Information transparency or virtualisation: the ability of information systems to create a virtual copy of the physical world by enriching plant models with sensor data, i.e. the environment. This aggregates raw sensor data into higher-value context information.
  3. Technical assistance: the provision of real-time data collection, aggregation and analysis for making informed decisions and solving urgent problems. Starting from internal processes, technical assistance has to extend to the market, the market response and then the whole supply chain.
  4. Decentralised decisions: the ability of CPS to take their own decisions and perform tasks as autonomously as possible. This gives the system the flexibility it needs. Tasks are delegated to a higher level in case of exceptions, interferences or conflicting goals.

Benefits of implementing Industry 4.0

  1. Optimisation: production will be optimised, reducing all kinds of wastage, improving machine availability and making processing more robust. Keeping an eye on, and maintaining, quality across the entire system continues to be a requirement.
  2. Customisation: changing customer requirements can be addressed faster by decentralising decision making and bringing suppliers, the factory and customers closer together, including networking between suppliers and customers in distant regions.
  3. Research & development: the big data available from sensors and actuators will help R&D produce better-quality products and reduce costs and lead times.

Challenges in implementing Industry 4.0

  1. Data security is a big challenge: machine data now flows between machines, cloud platforms and partners, and each of these links has to be protected.
  2. Reliability of machine-to-machine communication.
  3. Protection of intellectual property rights (IPR).
  4. Scale of the investment required.
  5. Clarity on the financial benefits in the short and long term.
  6. Complexity of teaching machines what to do, and when and how to do it.
  7. Availability and clarity of the skills required for implementation.
  8. Loss of lower-level jobs in production.
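The first two challenges above are where a security engineer would start. The following Python sketch is an added example, not part of Mr. Mathur's article, and it goes a little beyond the text: it shows the minimum a plant-side receiver needs in order to trust a machine's sensor report over an untrusted network. Each machine holds a per-device secret, signs a canonical encoding of its report with HMAC-SHA256, and includes a monotonically increasing sequence number so that a recorded report cannot be replayed later. The device names (press-01, press-02, press-99), keys and vibration readings are constructed for the example; a real deployment would provision the keys into a secure element at commissioning and would normally run this on top of mutually authenticated TLS as well.

```python
import hashlib
import hmac
import json

# Per-device secrets, provisioned at commissioning time. These are made-up
# values for the example; a real plant would hold them in a secure element
# or HSM and never hard-code them in source.
DEVICE_KEYS = {
    "press-01": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "press-02": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}


def canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(device_id: str, seq: int, reading: dict, key: bytes) -> dict:
    """Machine side: wrap a sensor reading with its device id, a
    monotonically increasing sequence number and an HMAC-SHA256 tag."""
    body = {"device": device_id, "seq": seq, "reading": reading}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


class TelemetryReceiver:
    """Plant-side endpoint that only acts on authentic, fresh reports."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # highest sequence number accepted per device

    def accept(self, msg: dict):
        """Return (ok, reason); ok is True only if the reading can be trusted."""
        key = self.keys.get(msg.get("device"))
        if key is None:
            return False, "unknown device"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak how many leading
        # characters of the tag matched.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        # The tag also covers seq, so an attacker cannot bump it on a replay.
        device, seq = msg["device"], msg["seq"]
        if not isinstance(seq, int) or seq <= self.last_seq.get(device, -1):
            return False, "replay"
        self.last_seq[device] = seq
        return True, "ok"


def demo() -> list:
    """Run the receiver against a constructed message sequence and return
    the reason string for each message, in order."""
    rx = TelemetryReceiver(DEVICE_KEYS)
    key = DEVICE_KEYS["press-01"]
    genuine = sign_report("press-01", 1, {"vibration_mm_s": 2.1}, key)
    # An attacker on the network lowers the vibration value but cannot
    # recompute the tag without the device key.
    tampered = dict(genuine, reading={"vibration_mm_s": 0.1})
    # The same genuine message captured and sent again later.
    replayed = dict(genuine)
    later = sign_report("press-01", 2, {"vibration_mm_s": 2.4}, key)
    # A rogue device signs with a key the plant never provisioned.
    rogue = sign_report("press-99", 1, {"vibration_mm_s": 9.9}, b"\x00" * 32)
    outcomes = []
    for msg in (genuine, tampered, replayed, later, rogue):
        outcomes.append(rx.accept(msg)[1])
    return outcomes  # ["ok", "bad mac", "replay", "ok", "unknown device"]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The sequence number is what turns a MAC into a freshness check: without it, the tampered message is rejected but the replayed one is not, and a replayed "vibration normal" report is exactly what an attacker would send to hide a failing machine. Persisting last_seq across restarts, and handling a device that legitimately resets its counter, are the two operational details that bite first in practice.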


Project implementation by implementation partners

Meena Sharma has written to me about a situation in one of the companies she knows. She says: “A company has a software product. The product was being customized for individual customers and implemented by the delivery team. Now the company wants the implementation work, right from gap analysis to final delivery, done by implementation partners instead of its own resources. What new processes will have to be evolved and implemented in this changed scenario?”

Under the circumstances you describe, I don’t think the company needs any additional processes. If I have understood your problem correctly, the situation is simple: this company’s project delivery processes have to be effectively transferred to the selected implementation partners, so effectively that the partners’ teams work just like your own team. This will need a series of trainings, right from your mission, vision, policies, core values, quality processes and measurement framework through to the project delivery processes. The same monitoring and control processes will now apply to the partners’ employees through their project managers. Monthly (or at whatever frequency) project progress reports should flow from the partners’ implementation teams to the company’s delivery management and PMO.

The only additional process steps I can envisage are signing a non-disclosure agreement between your company and each of the partners’ employees, and a performance appraisal for them based on their performance in the projects.

Don’t forget, the onus of delivery within the customer-specified quality, cost and schedule parameters still remains with the company and not with its implementation partners. Your monitoring and control mechanism should be able to meet this expectation under the new circumstances. Any risks anticipated on account of the said partnership must be identified and processed as per the company’s existing risk management processes…

I will welcome any clarifications on this issue.

Documentation for organisational context

Asheef Mohamed from Muscat, Oman has asked: “For context of organisation, what record can be used? Internal and external issues logs, or something else?”

Here are my views on this issue:

Except for clause 4.3 (Scope), the requirements of clause 4 of ISO 9001:2015 are not covered in the list of mandated documents. However, determination of external and internal issues, and of interested parties and their requirements, are ‘shall’ statements. Not only this, their monitoring and review to ensure their continued suitability for the organisation are also ‘shall’ statements. How to meet these requirements without excessive documentation is the substance of your question. Here are some of the ways you can achieve this objective:

Clause 4.1:

  • Organisational goals, purpose and intended outcomes may be in the form of mission, vision, quality policy and core value statements
  • Internal and external issues may be included in the organisational risk register, strategy, minutes of meetings, email circulars, posters etc.
  • A context statement, in a few organisations

Clause 4.2:

  • Applicable legislation and regulatory compliance register
  • Contracts with customers and suppliers
  • Complaints/compliments received from customers and others
  • Register of interested parties and their needs and expectations

Since your query is about organisational context, I take it to cover the entire clause 4 of the standard. Let me therefore include clauses 4.3 and 4.4 also.

Clause 4.3:

  • Documented scope statement, which in any case remains a mandated requirement

Clause 4.4:

  • Defined process framework and the interrelations between processes
  • Evidence of continual improvement
  • Formats, guidelines, standards, checklists, directives etc.

I hope this satisfies your query. I will be pleased to clarify further…

Communications as per clause 7.4 of ISO 9001:2015

Salman Raziq (salman.raziq@tqcts.com) writes from Muscat, Oman: “Clause 7.4 speaks of communication. It says all the communication regarding the QMS should be recorded, and I have a communication register with me. How do I record all the communication happening in the organisation in the register? Is it really possible?”

My answer: Clause 7.4 merely asks for determination of the internal and external communications relevant to the QMS, and the details thereof (what to communicate, when, with whom, how, and who communicates). It does not ask for recording all the communications taking place across the organisation. Probably you want to create a communications register to use as evidence for the auditors, which in my opinion is not the right approach. Let us do our business as usual without bothering about audits. The usual channels of communication in any organisation are emails, town-hall meetings, posters, danglers, internet/intranet sites etc. Most of these are already pieces of recorded evidence. Minutes of management addresses or speeches are also records. Even if a number of sampled employees tell the auditors about a speech or meeting, with the relevant details, that is a piece of evidence. Creating a separate register for recording communications is not a good idea.

I hope this explanation satisfies you…


Mapping an NC to applicable standard’s clauses during audits

Today I concluded conducting an IRCA-authorised QMS Lead Auditor course. During the mock audits conducted as part of the course curriculum, the participants’ ability to identify the most appropriate clause of ISO 9001:2015 against an NC remained a challenge. In real-life first/second/third-party audits, even experienced auditors find it challenging to map a given NC to the right clause of the standard. For example, an NC about delivery of a product with known defects gets mapped not only to clause 8.6 (release of products and services) of ISO 9001 but also to 8.5.2 (identification and traceability), 8.7 (control of nonconforming outputs), 9.1 (monitoring, measurement, analysis and evaluation) and 7.2 (competence). Needless to say, by doing this the focus on the right correction and corrective action is lost, leading to vague responses from auditees.

My advice to auditors is to think for a few moments about the NC or the situation on hand and then mentally map it to the ‘most appropriate clause’. Only if necessary, start going through the clauses of the standard for such mapping. To the extent possible, map the situation to one clause only, unless of course there is a genuine need to refer to two clauses.

In no case should more than two clauses be mapped.


Risk Management Guidelines

Alex Dali from The Global Institute for Risk Management Standards posted this question on the LinkedIn group ISO 27001:

"ISO 27001:2013 aligns its risk assessment & treatment with ISO 31000 (see clause 6.1.3) but ISO 27002:2013, clause 0.2 says such guidelines are provided by ISO 27005. Which one should be followed?"

Here is my response:

The answer to this question lies in the titles of the two standards you refer to. ISO 31000 is "Risk management - Principles and guidelines", while ISO/IEC 27005 is "Information technology - Security techniques - Information security risk management". So which one is more appropriate for implementing information security? Obviously, ISO 27005. The two are not in conflict: ISO 27005 applies the generic ISO 31000 risk process to information security, so following ISO 27005 keeps you aligned with clause 6.1.3 of ISO 27001. Alex, please let me know if you have different views. Thanks!


Risk based auditing

My friend AKM Desai (desaiakm@hotmail.com) wants me to comment on this topic.

ISO 9000:2015 defines the term risk as ‘effect of uncertainty’, i.e. any potential deviation from the expected result, which may be positive or negative…

ISO 19011:2011 introduced the concept of risk into auditing. It covered both the risk of the audit process not achieving its objectives and the risk of the audit interfering with the auditee’s activities and processes. However, it does not provide specific guidance on the organisation’s own risk management process.

Specific requirements for managing risk are provided in Annex SL-based requirements standards such as ISO 9001:2015 (QMS requirements) and ISO 27001:2013 (ISMS requirements), with implementation guidance for the latter in ISO 27002:2013. Internal and external audits conforming to the ISO 19011:2011 guidelines and to clause 9.2 of requirements standards like ISO 9001:2015 and ISO 27001:2013 can be described as ‘risk-based auditing’. Such internal and external audits should be conducted in a seamless manner to achieve the stated audit objectives, without interfering with organisational operations to the extent possible, and with full conformance to the requirements in clauses 4, 6 and 8 of the above requirements standards.

