
Striking It Right The First Time

DQI Bureau

TickIT is the UK Government's Department of Trade and Industry originated scheme for the ISO 9000 certification of IT organizations. It arose from needs identified by the IT industry. Its use for UK-accredited certification is mandatory and it is rapidly spreading to other countries.

ISO 9001, EN 29001 and BS 5750 Part 1 are the equivalent International, European and British standards for Quality Management Systems (QMS). There are many other equivalent national standards. ISO 9002, EN 29002 and BS 5750 Part 2 are the equivalent standards for organizations which do not design products or services to order.

ISO 9000 accredited certification has increasingly become a requirement for suppliers to large organizations and a sign of an organization's commitment and systematic approach to quality. Many companies need ISO 9000 to stay in business.

The market need for ISO 9000 certification has been met by independent consultants, who advise their clients on how to set up a QMS and how to get certification, and by accredited certification bodies, who assess organizations against ISO 9000 and award the certificate if the assessment is successful.

'Accredited' essentially means government approved. TickIT certification bodies must be accredited. DNV Quality Assurance was the first certification body to be accredited, followed by BSI Quality Assurance (a separate organization from BSI Standards), LRQA, BVQI and SGS Yarsley.

A QMS is a management system for ensuring that customers receive the products or services as promised. For ISO 9000 it needs to be formal, which implies thought out, documented and evidenced, i.e. records need to be kept to show that key management controls have been applied. Here lie two of the problems for an organization going for ISO 9000: how much to document and what records to keep.

The glitches

The main problems encountered by an IT organization going for ISO 9000 certification are:

* Deciding whether TickIT applies.
* Choosing a consultant.
* Winning over independently minded technical staff.
* How much to document.
* What records to keep.
* How to make sure that key activities have been properly included.
* How to choose a certification body.

Does TickIT apply?

The main guidance document, ISO 9000-3, covers only the software development aspects of TickIT. Clarification of the wider aspects of IT has been helped by the publication of a concise definition of TickIT (Disc TickIT Office (1)), which lists the following areas:

* Software development where software forms all or part of the organization's product or service.
* Internal software development where it is not part of the product but can significantly affect the organization's product or service.
* Non-trivial software replication.
* IT facilities management.
* Computer operations involving software development or maintenance.
* Non-trivial systems integration services.
* Services where software evaluation or selection takes place.
* Non-trivial software archiving and storage services.
* Prime contractors who sub-contract software development.

Not covered are:

* Software stockholding (warehousing).
* Software sales (over the counter, mail-order).

This still leaves 'grey' areas: for example, how does one know when the systems integration or software evaluation cases apply? The author has a simple test for 'grey' areas: if the skills of a TickIT auditor are needed for a proper audit, then it comes under the TickIT scheme.

Those organizations which are in a 'grey' area may ask the advice of certification bodies. A non-TickIT certification body will err on the side of 'not applicable', while a TickIT certification body will be able to advise from a position of knowledge and experience.

At the end of the day, the need is to have a credible certification that is recognized by one's business partners and customers. TickIT imposes no extra requirements on an organization. It merely gives guidance for IT organizations and ensures that properly qualified auditors are used. You don't want your QMS audited by someone who requires you to "calibrate your floppy disks", do you?

Which consultant?

Some organizations choose a consultant to help them set up their QMS on the basis that he is known by a friend of the company's MD. Others will pick one from a business directory. There are many 'quality consultants' around, but not many who know how to apply ISO 9000 to IT organizations. Here are some simple tests to help you select a consultant:

* Are they a registered TickIT auditor? If they are, then they will know about IT organizations and what auditors look for.
* If they are not a TickIT auditor, then you should:
  - Test their knowledge and experience of setting up a QMS.
  - Test their knowledge of IT:
    - Do they know what configuration management is and how it applies to you?
    - What experience do they have of different development life-cycles?
    - What would they expect coding standards to cover?
* Do not employ a consultant if:
  - They offer you an 'off-the-peg' QMS (they rarely fit and will not stand up to an assessment).
  - They offer to write a large part of your QMS for you (they are only interested in your money and will pad the job out by creating mountains of paper and bureaucracy).
  - They try to baffle you with science and jargon (certification is a simple process; anyone who cannot explain it in simple terms is incapable, just wants your money, or both).

Winning over the staff

IT people are highly intelligent, creative and independent minded. Their initial reaction to the proposition to put in place an audited QMS is that it will stifle their work and turn them into mindless form fillers. This, of course, is rubbish. Do not try to impose a QMS. It will not work. You will fail the assessment because your staff will not be willing to work to the QMS. Staff can be won over by:

* Giving awareness talks on what it will really be like, preferably from someone who has experienced what it is like. This will not convince them, but it should open their minds.
* 'Seeding' the organization with staff who have been on an Internal IT Auditor Course. This will turn most sceptics into converts. Their colleagues will then start to accept that perhaps it will be okay.

How much to document?

ISO 9000 certification requires a written system. In practice, this means a quality manual and procedures. It is a mistake to document too much. Only document enough to:

* Impose standard practice where it is desirable, for example, how to record the result of a design review or what to put in a code header.
* Meet the standard, for example, there must be a procedure for 'contract review'.
* Give instructions for unusual or infrequent actions, for example, disaster recovery or complaints.

A quality manual of 20 to 40 pages will be quite sufficient. It should say what your organization does to ensure quality. It can be written against ISO 9001 or ISO 9000-3 clauses if desired, but does not have to be.

What records to keep?

'Quality Records' are records kept to:

* Demonstrate that a key control action has taken place, for example, a contract review.
* Record an item of information that may be needed if there is a subsequent quality problem, for example, that a modification to code took place.

Only keep what is essential. Develop simple forms and standard formats to make record keeping easy, reliable and foolproof.

Key activities to pay attention to

The main reasons that organizations fail to get certification right the first time are:

* Design control
  - No project plans
  - Plans not up-dated
  - No progress control
  - Rules, practices and methods not complied with
  - Phase inputs and/or outputs not defined
  - No design verification
  - Design change not controlled
* Contract review
  - Contracts not being adequately reviewed
* Quality system
  - Absence of key procedure(s)
* Document control
  - Inadequate system for control of documents
  - Widespread inadequate control of procedures/project documentation

Special attention to these areas will increase your chances of getting ISO 9000/TickIT certification at the first attempt.

Which certificating body?

The five TickIT accredited bodies have been listed earlier in this paper. Some organizations make the mistake of approaching just the one that gives the 'kite mark'. They think that this will be more credible. A look at the IT client lists of some of the others will show this to be untrue. But aren't they all the same when it comes to how certification is done? No! Examples of differences are:

* Some abandon audits if a category 1 non-conformity is found.
* Some do planning visits to ensure audits run smoothly.

Recommendations

The probability of getting an ISO 9000/TickIT certification on the first audit will be greatly increased if you:

* Treat certification as a project and appoint a project manager.
* Choose the right consultant.
* Win over your staff.
* Document your systems to the right extent.
* Keep adequate and appropriate records.
* Ensure key activities are covered.
* Ensure everything is in order by performing at least two thorough internal quality audits prior to the certification visit.

Excerpted from ISO 9000 One Source for Software Units, Volume (I).

Courtesy: QAI (India).