
Problems with 9001 accredited employer. Looking for any thoughts or advice.

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by ShaunR, Oct 20, 2018.

  1. ShaunR

    ShaunR Member

    Any reactions, thoughts or advice would be greatly appreciated. (To be honest, simply writing this has been therapeutic!!)

    I am the sole software developer in an organisation that offers a cloud-based service. Our service consists of off-the-shelf products combined with software which is developed in-house. Our customers interact with (and rely on) all these pieces of software.

    Before I joined, development of the in-house software was outsourced to a company in India. No controls were in place and there was no reference to the software or its development in the BMS. The BMS only referenced the off-the-shelf products that form only part of our service.

    I joined the company to take over the development of the in-house software. I identified that the software and its development should be covered in the BMS. I also suggested that some processes and controls should have been in place when the software development was outsourced.

    It didn’t take long for me to realise that no-one in the company really buys into (or understands) the idea of quality management. They just see it as a box ticking exercise.

    Top management believes that it was not their fault that software development was in no way included in the BMS. In fact, suing the quality management consultancy / accreditors was mentioned. They believe that accreditation was simply something that they paid for and that ISO 9001 is generally meaningless.

    When I attempted to explain issues relating to software quality management it was clear that management did not want any overhead. It was implied numerous times that I was over-complicating things. It was even suggested that we could get around the issue by setting up another company, which was not ISO 9001 accredited, and out-sourcing development to it.

    Nearly 12 months later and no real progress has been made to determine/produce appropriate processes and controls for software development. Anything/everything else has taken precedence.

    During this time, we have had our first surveillance audit. During this audit it was clear to me that everyone intentionally avoided the subject of our own software and its development. There were no real problems raised during the audit.

    Aside from the software development dimension, I was very surprised that the audit went well. The processes and controls defined in the BMS are poor, out-of-date and not used. Records are created just before the audit. I consider that we were very lucky.

    I should mention that our BMS also covers our ISO 27001 accreditation.
     
  2. Andy Nichols

    Andy Nichols Moderator Staff Member

    Firstly, it's not accreditation. It's (only) certification - the 2 are significantly different. ISO 27001 is about information security, it's not about the software development process. What is the scope of the certification? The way I read your post, while I understand your concerns and frustration, it may well be that you can do nothing in regards to the "BMS".
     
    ShaunR likes this.
  3. ShaunR

    ShaunR Member

    Thanks for your time in replying Andy!

    Indeed, I believe that I do not understand the distinction between accreditation and certification here.

    With regard to 27001, a lot of the controls in "A.14 System acquisition, development and maintenance" apply to the software development process and life-cycle.

    It certainly does seem that I cannot change things, but this conclusion causes me a little ethical and professional stress.
     
  4. Andy Nichols

    Andy Nichols Moderator Staff Member

    Hi Shaun:
    It's partly true, however, if you're looking at the quality of the software product, then the controls apply "after" the development, in other words, to the deliverables. So I'm still not certain you'd have a cast iron case to discuss with management the error of their ways. I've experience of immature software developers and it's like casting pearls before swine to talk about structured, controlled development...

    Certification vs accreditation is simple. In accreditation the auditor can demonstrate competency in the disciplines they audit. In certification the auditor is a generalist at best... scary, huh?
     
  5. tony s

    tony s Well-Known Member

    Since you mentioned that your scope is "System acquisition, development and maintenance", the requirements under clause 8.3 - Design and development of products and services - is applicable to your QMS. If your organization decides to outsource the system development to another company, your organization is still responsible for satisfying the requirements in 8.3.

    Your certification body should raise concerns about "not having controls" on the software development process of your organization. All the more when the in-house-developed software are incorporated into the off-the-shelf products. If your QMS only includes the off-the-shelf products, then your organization is only a trader/distributor company and should not claim "development" in the scope statement.
     
    Jennifer Kirley likes this.
  6. Golfman25

    Golfman25 Well-Known Member

    What does the scope on your certificate say? What role does the software play? What does it do? How is it integrated with the off the shelf products?
     
  7. ShaunR

    ShaunR Member

    Thanks Andy. Can't quite get my head around the distinction between "certification" and "accreditation".

    In software development, quality assurance within the software development process / life-cycle is crucial. I believe that this is essential under various parts of 9001 section 8.

    Unfortunately discussions relating to 9001 / 27001 have become painful. I am no longer inclined to try and improve things.
     
  8. ShaunR

    ShaunR Member

    Thanks for your reply!

    Your comments are very helpful and confirm my current understanding (still learning).

    The certification body is not currently aware that the organisation carries out software development. Our scope does not include software development. The BMS contains no reference to software development (in-house or out-sourced). There is no mention of the fact that the function has been added to the business.
     
  9. ShaunR

    ShaunR Member

    Thanks.

    The certificate refers to the provision of a cloud based service. (Apologies for being a little vague here, the web can be a small place.)

    The off-the-shelf products perform the “heavy-lifting” of the service. The in-house software sits in-front of the off-the-shelf instances providing aggregation, administration, configuration, automation, reporting etc to our customers. It also serves as the “back-office” internal system for monitoring, invoicing etc.

    Integration is via multiple means including web based API on the off-the-shelf products.
     
  10. Golfman25

    Golfman25 Well-Known Member

    So based on some of your answers, imo the question becomes what value does ISO 9001 certification even have to your organization and customers. Is it required by your customers? Are your competitors ISO 9001 certified? Even without ISO, I can't imagine you don't have a decent process to develop your software that would likely be compliant with the standard.
     
    ShaunR likes this.
  11. Andy Nichols

    Andy Nichols Moderator Staff Member

    I'm not sure this is correct, Tony. The organization isn't ISO 9001 compliant for their software product and ISO 27001 has nothing to do with that side of the business. The 27001 auditor wouldn't touch the product quality side - they are mutually exclusive.
     
  12. Andy Nichols

    Andy Nichols Moderator Staff Member

    Have you ever been inside a software developer to see what goes on?
     
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    For an ISMS/ISO 27001 audit, the auditor wouldn't be! Not their area of expertise.
     
  14. tony s

    tony s Well-Known Member

    Just to be clear...your organization is certified to what standard?
     
    Andy Nichols likes this.
  15. ShaunR

    ShaunR Member

    ISO 9001 & 27001.
     
  16. ShaunR

    ShaunR Member

    I believe that the original motives were to open up the public sector (e.g., schools).

    Our competitors are not generally certified to either standard.

    Unfortunately an appropriate software development process is not possible at the moment.

    Sound like a mess!?
     
  17. Golfman25

    Golfman25 Well-Known Member

    There is no way you have a development process which is dysfunctional to the point that it doesn't work. Otherwise you would not continue in business. It may be a "mess" and not to your liking, but something is there and is working well enough to sustain business activities. It's kind of like making sausage -- the result tastes really good, but you don't really want to watch them make it. Good luck.
     
    John C. Abnet and judegu like this.
  18. Andy Nichols

    Andy Nichols Moderator Staff Member

    What are the scopes?
     
  19. ShaunR

    ShaunR Member

    Scope, as defined in the BMS and stated on the certificates, boils down to the provision of a cloud based service.
     
  20. tony s

    tony s Well-Known Member

    Can you clarify the reason why your management would sue the consultant and the certifying body?