UNE ISO MANAGEMENT SYSTEMS FOR RECORDS. An implementation example in a fictional company. AENOR CTN50/SC1 (translated to English by Cristina Fernández)
An implementation example in a fictional company. Scene:
Company: Les Xufes (Horta Nord, Valencia).
Activity: Industrial manufacture (elaboration, packaging and commercialization) of tiger nut juice from Valencia, according to the standards of the Regulatory Council of the Guarantee of Origin.
Staff: 250. Production Area: 150, Logistic Area: 50, Commercial Area and Marketing Area: 30, Administration Area: 13 (including Quality Department: 3), Technology Area: 7.
Since 2001: Quality Management System (QMS) according to standard ISO 9001, under the Quality Department.
Values = Tradition + Innovation (Technological) + Quality.
Strategic Plan: export to the Asian market.
Les Xufes and records management: When the ISO 9001 QMS was implemented, an information officer was hired to join the Quality Department. Functions: retrieval of regulatory, normative and technical information, library maintenance, Intranet and website management, quality records control, quality documentation distribution.
An implementation example in a fictional company. Scene: Les Xufes and records management.
Records management philosophy:
2001 (after implementing the QMS according to ISO 9001):
» Each area and process had its own methodology, plus a specific methodology for records control and quality evidence (Quality Department).
» External monitoring and certification audits: non-conformity (NC) relating to QMS document control (clause 4.2 of ISO 9001).
2007: The changes will provide a single methodology that follows internationally recognized good practice in records management, ISO
Responsible: Information officer (records manager, RM).
» 1st project ( ): The RM and the Quality Department tried to align the records processes following ISO
Documents were identified and associated with business processes, and a classification scheme, basic access rules and disposition schedules were defined. The Technology Area implemented a SharePoint solution so that paper documents would no longer be distributed or archived within the organization. The Quality Department had functional responsibility for this project and published manuals and procedures for its implementation. Training for higher-level staff, administrative staff and any other people who deal with records (total = 90 people).
» 2nd project (2011): Implementation of a Records Management System according to ISO
An implementation example in a fictional company. Preview:
November 2011, Records manager (RM), Les Xufes: How do I propose the project to top management?
November 2011, Chief Executive Officer (CEO), Les Xufes: Why should I approve the project? Expected results and benefits.
November 2011, Records manager (RM), Les Xufes: How do I select the implementation consultant?
December 2011, Records consultant (RC): How do I develop the project?
March 2012, Records manager (RM), Les Xufes: How do I select the certification body?
19 March, Auditor (A): How do I develop the audit process? What is the result?
An implementation example in a fictional company. Main characters: CEO = C. Bustelo; RM = MR. Lloveras; RC = M. Lorience; A = A. Sellés
HOW DO I PROPOSE THE PROJECT TO TOP MANAGEMENT?
Three reasons:
1: Consolidation of records practices. RMS = Management according to ISO
Operative according to ISO
2: Certification of MSR. Better guarantee > More clients. Penetration of new markets (Strategic Plan of Les Xufes).
3: Innovation. 1st certified organization in Spain.
HOW DO I PROPOSE THE PROJECT TO TOP MANAGEMENT?
A strategy:
- Risk-free and scalable scope:
  - Risk-free: the scope of the MSR follows that of ISO 9001 (since 2007: elimination of non-conformities in the Documentation section).
  - Scalable: as processes are included in the QMS, they are also included in the MSR.
- Low investment:
  - External consultant: audit + implementation of uncovered requirements (estimation 30%; work done in 3 months).
  - Les Xufes: Top Management / RM / Quality Department.
  - Certification body.
- Short-term results: certification in March 2012.
HOW TO IMPLEMENT IT IN AN ORGANIZATION? WHY SHOULD I APPROVE THE PROJECT? EXPECTED RESULTS AND BENEFITS
TRADITION + INNOVATION + QUALITY
PRINCIPLES
- Quality commitment
- Internationalization
- Respect for the tradition of manufacturing processes
- Innovation
- Efficacy and efficiency in administrative processes
Family company. 2001: Professionalization of Top Management.
WHY SHOULD I APPROVE THE PROJECT? EXPECTED RESULTS AND BENEFITS
2001: Development and expansion plan:
- Implementation of standard ISO
- Modernization of technological structures
- Modernization of administration: reducing paperwork
years later: IN GENERAL, VERY ACCEPTABLE
- COMPANY HAS DOUBLED ITS STAFF
- EXPANSION PLAN IN THE ASIAN MARKET ( )
- COMPANY HAS TRIPLED ITS REVENUES
WHY SHOULD I APPROVE THE PROJECT? EXPECTED RESULTS AND BENEFITS
OUR PHILOSOPHY: CONTINUOUS IMPROVEMENT
FUTURE PLANS
- Commitment to social responsibility and the environment
- Opening of wholesale electronic commerce
- Consolidation in the Asian market
TOP MANAGEMENT REVIEW OF THE MANAGEMENT SYSTEM
- Most of the non-conformities come from the documentation section.
- TECHNOLOGY PLATFORMS OVERLOAD. Some problems when searching for information.
QUALITY/RECORDS MANAGER PROPOSAL TO IMPLEMENT THE STANDARD ISO 30301
WHY SHOULD I APPROVE THE PROJECT? EXPECTED RESULTS AND BENEFITS
COST STRATEGY / BENEFITS
INVESTMENT: 1% BENEFITS
BENEFITS OF IMPLEMENTATION:
- Quality system improvement
- Redundant information deletion
- Preparation for support of electronic commerce processes
- Legal support in every country in which we operate
- Conservation of know-how of manufacturing methods and company knowledge
BENEFITS OF CERTIFICATION:
- International recognition
- Quality trade reinforcement
- Committed and leading company image
- Proof of quality
HOW DO I SELECT THE EXTERNAL CONSULTANT?
Three technical questions:
1: Experience? Demonstrable experience in the implementation and auditing of an MSR according to ISO 30301, and in the business area.
2: Commitment towards certification? Advice on resolving the non-conformities (NC) found in the external audit.
3: Ability to respond to additional services? For example, advice on updating information security.
HOW DO I DEVELOP THE PROJECT?
1. Pre-implementation audit (1 month):
Objective: Identify requirements not covered (non-conformities, NC) and identify actions to implement them.
Methodology: Comparison of requirements with existing processes, controls and documentation.
Result: Report on actions to be taken.
2. Consultancy I (2 months):
Objective: Elimination of non-conformities (NC).
Methodology: Implementation of actions.
Result: Implemented system ready for external audit.
3. Consultancy II, after the external audit for certification:
Objective: Confirm the resolution of the non-conformities (NC) identified by the external audit.
Methodology: Implementation of actions.
Result: Elimination of non-conformities (NC) and RMS certified.
HOW DO I DEVELOP THE PROJECT?
REQUIREMENTS / NON-CONFORMITY (NC) / CONSULTANCY ACTIONS (A)
ORGANIZATION CONTEXT (Item 4)
NC = Needs to be documented.
A.1 = Draft a formal document that includes the MSR scope, external and internal factors, and legal, business and any other requirements.
LEADERSHIP (Item 5)
NC = A records policy doesn't exist.
NC = The roles and responsibilities in records management are not explicitly documented.
A.2 = Establishing a records policy jointly with Top Management and the RM officer.
A.3 = Integration = including the records policy in the Quality Policy document. Top Management approval. In this document the roles and responsibilities are included jointly with the quality ones.
A.4 = Dissemination = presentation meeting with Area Managers; publication of the new policy on the Intranet; announcement by Top Management to the staff of the modification of the quality policy to include the records policy.
HOW DO I DEVELOP THE PROJECT?
REQUIREMENTS / NON-CONFORMITY (NC) / CONSULTANCY ACTIONS (A)
PLANNING (Item 6)
NC = Objectives not established.
NC = A plan to achieve them doesn't exist.
A.5 = Establish jointly with the RM officer the records objectives and the plan and actions to achieve them: who is going to develop them, which resources are necessary, when they are going to be completed and how they will be evaluated. The plan is also integrated with the planning of the QMS and the quality objectives.
SUPPORT (Item 7)
NC = None. The staff is capable, and the communication and approval procedures of the QMS are perfectly valid.
HOW DO I DEVELOP THE PROJECT?
OPERATION REQUIREMENTS (Item 8 + Annex A) / NON-CONFORMITY (NC) / CONSULTANCY ACTIONS (A)
Requirements:
- Determining what, when and how records shall be created and captured for each business process
- Determining the content, context and control information (metadata) that shall be included in the records
- Deciding in what form and structure the records shall be created and captured
NC = The classification scheme and the determination of the records of each procedure are valid, but a written procedure on how to determine retention periods doesn't exist.
A.6 = Drafting and implementation of a procedure to determine retention periods and disposition schedules.
NC = Information included is not enough.
A.7 = Changes to the records system implementation to allow collection of all the necessary metadata, especially those relating to electronic signature.
NC = Electronic signature has not been included until now.
A.8 = Modification of the system for the access of records with electronic signature.
Requirement:
- Determining appropriate technologies for creating and capturing records
NC = None. SharePoint is the technology for the preservation of records.
HOW DO I DEVELOP THE PROJECT?
OPERATION REQUIREMENTS (Item 8 + Annex A) / NON-CONFORMITY (NC) / CONSULTANCY ACTIONS (A)
Requirements:
- Determining what control information (metadata) shall be created through the records processes and how it will be linked to the records and managed over time
- Establishing rules and conditions for use of records over time
- Maintaining the usability of the records over time
- Implementing authorized disposition of the records
- Establishing conditions for administration and maintenance of records systems
NC = Certain metadata related to records processes are not collected.
A.9 = Implementation of the RM module for SharePoint.
NC = None. The defined security and access system is valid and documented.
NC = A preservation plan doesn't exist.
A.10 = Establishment of a plan for conversion to PDF-A formats.
NC = Evidence of authorization doesn't exist. It is not specified because transfer controls don't exist.
A.11 = Incorporation of the RM module of SharePoint.
A.12 = Formal document including the reasons for not implementing transfer controls.
NC = Updated documentation of the SharePoint customization doesn't exist.
A.13 = Updating the functional analysis document.
HOW DO I DEVELOP THE PROJECT?
REQUIREMENTS / NON-CONFORMITY (NC) / CONSULTANCY ACTIONS (A)
EVALUATION (Item 9)
NC = The elements to be monitored and evaluated shall be established. The audit system and non-conformity procedures of the QMS can readily be extended with records requirements.
A.14 = Establishing the evaluation elements and indicators of the MSR to be integrated into the QMS procedures.
IMPROVEMENT (Item 10)
NC = None. The improvement procedure of the QMS can be applied perfectly.
DELIVERABLES OBTAINED
[Diagram. Labels: Business Processes; CONTEXT ORGANIZATION; Records Identification; Capture; Registration; Metadata; Workflow; Use and accessibility; Classification; Conservation; MRS Roles/Responsibilities; Communication; Training; LEADERSHIP; PLANNING; SUPPORT; IMPROVEMENT; EVALUATION; Assessment Report; Procedures Manual; Work Instructions; Performance indicators; Eventuality Plan; OPERATION]
HOW DO I CHOOSE THE CERTIFICATION BODY?
Three technical questions:
1: Accredited entity?
2: Verifiable experience in the MSR scope according to ISO 30301, and also in the business area?
3: Has the Les Xufes QMS been audited before?
HOW DO I DEVELOP THE AUDIT PROCESS?
1. Audit plan: scope, criteria, duration (dates), audit team.
2. Audit process:
- Opening meeting (CEO and RM participate).
- Documentation analysis (RM participates).
- Preparation of conclusions.
- Closing meeting and delivery of the audit report (CEO and RM participate):
  - Global summary. Reporting what has been observed, negative and positive.
  - Discussion of non-conformities (NC), and agreement on corrective actions and periods.
  - About the certificate: scope, status (recertification), internal audits, use of logo, etc.
3. Follow-up and closure of non-conformities (NC):
- Documented evidence of actions taken
- Traceability of processes and procedures implemented
HOW DO I DEVELOP THE AUDIT PROCESS? AUDIT REPORT
To produce value, the audit team in the certification process will present a complete audit report including the results indicated below. The audit report will provide precise and concise evidence of the audit carried out, to support and inform the certification decision. For this reason, it should include or make reference to:
a) Identification of the certification body
b) The name and address of the client and elected delegates
c) The audit type (e.g. initial audit, rectification audit or acknowledgement)
d) The audit criteria
e) The audit objectives
f) The audit scope, in particular identification of the functional units or processes audited
g) Identification of the project leader, audit team members and any other staff involved
h) The dates and places where audit activities (internal or external) have been carried out
i) Conclusions, evidence and audit findings, consistent with the requirements of the audit type
HOW DO I DEVELOP THE AUDIT PROCESS?
[Diagram of audit findings. Labels: Conformity; Best practices; Strengths; Findings; Improvement opportunities; Weakness; Non-conformity; Risks]
WHAT IS THE RESULT OF THE AUDIT REPORT?
GLOBAL EVALUATION: It has been verified that the implemented system is at a very early stage. However, this finding has not prevented verification of the adequate implementation and efficacy of the implemented procedures. The system fulfils the requirements of the standard ISO with the exception of the NC indicated.
REQUIREMENTS / NON-CONFORMITY (NC)
EVALUATION (Item 9)
NC = As the audit is in progress, there is no evidence yet of how management has carried out the review, because the review deadline has not yet expired. To consider the pre-implementation audit as an internal audit, an audit report is required. The audit plan of the QMS doesn't specify MSR auditing.
Corrective Action 1 = The audit plan for the QMS will be revised and modified to include the MSR.
Corrective Action 2 = Obtaining the pre-implementation audit report.
IMPROVEMENT (Item 10)
NC = The non-conformity procedure doesn't explicitly mention the MSR.
Corrective Action 3 = Review and approve the non-conformity detection and corrective actions procedure.
Audit report extract. The corrective actions are proposed by the company to eliminate non-conformities.
WHAT IS THE RESULT OF THE AUDIT REPORT?
CORRECTION PERIOD AGREED WITH THE CERTIFICATION BODY = 15 days
LES XUFES: First Spanish company certified on ISO 30300!!
And King James I said "això és or, xata" ("this is gold, girl"). If he could have implemented ISO would he also have said this?
THANK YOU VERY MUCH!