Organizations and companies often go for certifications/assessments such as ISO 9001, ISO 27001 or CMMI. A company may decide to seek certification for many reasons, as certification can:

  • Meet Customer Requirements
  • Result in more revenue and business from new customers
  • Improve Company and Product Quality

The assessment process is a continuous cycle. There are several stages/steps in this cycle leading to certification and sustenance. For organizations that are new to the implementation process, attaining certification can be a somewhat troublesome activity. This article helps to make the implementation stress-free through the ten points explained below.

1. Determine scope of registration

Determine whether the entire organization or a part of the organization is going for certification. Sometimes only a particular product in the organization is seeking certification.

2. Get quotes from accredited third-party certifying bodies

The certifying bodies must be accredited to conduct audits. After evaluating several certification bodies (Transition partners in case of CMMI) based on their quotes and many other factors, the best suited certification body is selected by the organization. Once the quote is accepted by both parties – client and certification body, an auditor contacts the client to schedule the assessment audits. It’s vital to clarify and check for other hidden costs such as ‘registration’ and travel fees when obtaining quotes from the certification bodies.

3. Study of standard/model requirements

The first step in any certification/assessment process is ‘to have a clear understanding of the standard/model’. If people are not comfortable with the new standard, perhaps the first step in any implementation could be training on the new standard/model from experts in the industry. If required, the organization can opt for external consultancy to get help with the implementation strategy. A good consultant can increase the value of the process.

4. Gap Analysis

It has to be evaluated how far the present management system or the product compliance is from the new standard. Gap analysis, pre-assessment, internal audits etc. can be used for this evaluation. For more details on gap analysis, please refer to Performing gap analysis. The gap analysis documentation provides the input to the subsequent phases.

5. Establish an implementation plan

An implementation team, work division, milestones of activities etc. need to be set up. Training has to be provided to the implementation team. Implementing the new management system needs to be an organization-wide target developed by senior management. (‘Organization’ refers to the entire organization, a part of the organization or a project team, as per the scope defined.)

6. Ensure the implementation as per plan

The steps include preparation and review of procedures, manuals and other supporting documents, training the affected parties on the new/changed system, and deploying the new/changed system.

7. Practice and live with the new system

During this period, observe and evaluate the new/changed system for its effectiveness. Audits need to be conducted to evaluate the changed system. Auditors must be trained to conduct the audits. Existing loopholes, inefficiencies, etc. are corrected and corrective actions are deployed. This leads to continuous improvement of the system. After a few months, the new system and the organization should be ready for the registration audit.

8. Third-party assessment/certification

The number of auditors needed and the time involved to conduct a registration audit may vary according to the size and complexity of the organization. Pre-assessments/Stage 1 audits are conducted before the final assessment. During the pre-assessments, the auditor reviews the existing systems and provides a report identifying further actions required to meet the standard requirements. Once the organization is ready and has fixed the gaps reported in the pre-assessment, the auditor performs the registration/final audit. The final audit is held in accordance with the audit plan. Upon completion of the audit, the auditor generates an audit report identifying non-conformances, if any. The client resolves these non-conformances. Once the auditor approves the closure of non-conformances, the organization (or client) is recommended for certification. The auditor’s report is then verified via an approval process and, if no anomalies are identified, certification is officially granted. Then the auditor works with the client to set up subsequent surveillance audits/health checks to ensure continuous adherence to the standard.

9. Sustaining the standard/model

Attaining a certification is not a one-time job. Sustaining it is equally important, so proper attention must be paid to ensure that the level of certification is not degraded. To achieve the benefits of improvement from the new/changed system, an organization has to be committed to maintaining and amending the system over time to best suit its requirements. The tough work really starts with the maintenance of the new/changed system. Hence continued buy-in from everyone is important for the implementation to succeed, and for the organization to obtain the true advantages of becoming certified. Proper training needs to be carried out regularly to ensure ongoing awareness. In addition, internal audits must be conducted to ensure compliance with the requirements of the standard/model.

10. Get Buy-In

Getting full support from management and employees is crucial for the success of any certification/assessment program. The company executives need to be clear on the advantages, requirements, costs etc. It’s also important that the employees are confident in the new system.

How will you answer a common man’s question about your profession?

Suppose you are a Quality Engineer. If a person who is not at all related to the IT world asks you about your job, how will you answer?

I thought about the same in many dimensions.

Hmm... It is easy to have a complex definition, but it is pretty difficult to make it a simpler one.

So coming back to the Question, “Who is a Process Engineer/Process consultant/Quality Engineer”?


We all work according to a certain discipline.

Companies are no exception. They abide by some standards. Sometimes they make their own standards and follow policies in line with those standards.

Otherwise they seek compliance with industry-wide accepted standards and models like ISO, CMMI, ASPICE, TL 9000, FDA, AS 9100 etc.

Sometimes they even go for certification or assessment against these standards, so that they can proudly claim that “we are compliant to ISO xxx etc.”, which will definitely be an added value in front of the clients.

Now who will be monitoring the compliance in the long run? Disciplines are to be ensured lifelong, right?

Similarly, companies need to ensure that the defined policies are implemented and updated on a regular basis. If the responsibility is shared among each and every employee, it will end nowhere and ultimately everything is diluted.

So companies keep a separate group known as process consultants or QA engineers.

  • They mainly help the organization to comply with these standards.

  • They train the employees on the implementation part.

  • They write policies and procedures and ensure that they are shared with the relevant people.

  • They ensure that these policies are practiced inside the projects through proper audits.

  • They escalate the issues and update the status to senior management.

  • They initiate corrective actions and preventive actions whenever required.

  • The job does not end here. If the company goes for certification/assessment, this team plays a main role in making it go smoothly.

So this is the bare minimum responsibility of a QA engineer. Depending upon the organization, tasks vary. There are consultants who do data analysis and come up with interesting facts about the organization.

So in short, the QA team is the team that ensures process compliance within an organization.

What is Annex SL in ISO 9001:2015?

Annex SL is a platform upon which all the ISO management system standards rest. Yes, many more are yet to reach the platform. Some have already taken their places, including ISO 9001. With the September 2015 release, ISO 9001 also became a member of this Annex family.

Through this post I’m trying to analyze the change in perspectives/added advantages introduced in the ISO family with the introduction of Annex SL.

Annex SL – An Integrated Management System Approach

It was pretty difficult to manage multiple management system standards in parallel inside an organization, and difficult for the auditors too. Even though standards like ISO 9001, ISO 14001 and ISO 27001 have many common elements, they were described and organized differently. Thus it was a cumbersome task for organizations to implement them together. Now the similarities across the standards are framed under a common umbrella and the conflicts across the standards are removed. Thus Annex SL makes the creation of an integrated management system much easier.

Annex SL – A new template for ISO management system standards

Annex SL is written primarily as a guide for those who create new standards. The core of Annex SL consists of 8 clauses and 4 appendices. (Illustrated in the below figure)

It is said that every ISO standard should adhere to the clause structure defined in Annex SL. Hence, with this framework, ISO itself got a template to build new standards. To address industry-specific needs, additional requirements for discipline-specific sectors will be added to this generic framework.

Annex SL – Easier for Users

Annex SL provides an identical structure, terms and common concepts for all ISO management system standards. This will ensure consistency among revised and future management system standards. Hence users will find it easier to read and understand the standards.

Annex SL – Easier for Auditors

Auditors will have a generic set of requirements as a guideline to follow irrespective of the discipline. This will make their job much easier.

Annex SL – Is it not a cost saver?

Definitely yes. It saves a good deal of time as well as cost. It helps to have an integrated management system, eliminating duplicated effort and conflicts between the multiple standards. Conflicts always call for additional resources. If the conflicts are reduced, rework and in turn resources are reduced. It is also clear that the maintenance of an integrated management system is always economical compared to the maintenance of multiple separate management systems.

Annex SL – The business focus

When different management streams are integrated, it becomes easier for the senior management to set their vision, mission, goals etc. The integration also helps the management to streamline the entire business operation.

[Figure: Annex SL]

In short, Annex SL is a lot more than just a common framework for Management System Standards. It streamlines the creation of new ISO standards and provides an option for integrating multiple management system requirements.

Auditing is sampling. The choice of the right sample is crucial for the success of a good audit. The scope of the audit also needs to be well defined before starting the audit. Normally, evidence of non-conformances is collected through document review, observation, interviews etc. In addition, there are certain advanced procedures to conduct an audit.

Physical Auditing: Usually auditors limit themselves after

Audits are the mechanisms for ensuring the integrity of the product as well as the process. During audits a number of deviations may be revealed. It is extremely important to ensure that the deviations are documented or reported properly. Deviations can be specific or generic in nature. If it is a generic one, the auditor needs to report multiple instances of the issue. A well-documented deviation should be self-explanatory and should address the following questions.

  • What is the issue?
  • What is the importance of the issue?
  • What is the impact of the issue?
  • When was the issue observed?
  • Where was the issue observed?

A non-conformance could be stated simply as

‘Planned review of a work product is not done’.

This statement is not self-explanatory; instead it triggers a few other questions, such as whether any alternative methods were adopted in the absence of review, or what the impact could be. So a non-conformance needs to be reported completely and correctly.

The above deviation could be made much more self-explanatory if written as below:

“In Project ‘A’, implementation is done by average-skilled resources. Even though independent review was planned, it didn’t happen. Review practices are required as per organizational policies to produce high-quality work products. The project team didn’t take any additional measures or alternative mechanism to overcome the issue. In this scenario, absence of review will lead to more testing bugs, thereby causing schedule slippage or a poor-quality product.”

1. Interviewing the Project team

A quality audit can be done easily by interviewing the project manager as well as some of the project team members. Before starting the interview, try to understand the project scope, known risks, problems etc. The auditor can even do some quantitative analysis of effort variance or schedule slippage (assuming sufficient access permission is provided to pull the data for analysis). During the interview, the auditor can ask about the project, its current status etc. The auditor can also ask some pre-planned general questions to evaluate the knowledge of the interviewee. (Generic questions could be based on the management system in the organization.) Then observe how the interviewee responds to the questions. The response itself will definitely provide an opening to another question. It might also give you hints leading to a different set of questions. So an interview-based audit is somewhat easy compared to a remote audit. But the auditor has to lead the show; otherwise the interviewee, in order to hide non-conformances, might mislead the auditor.

2. Check Tailoring

The project team will define its own process by suitably tailoring the Organizational Set of Standard Process (OSSP). These tailored processes should be submitted to the process owners of the organization, such as the Engineering Process Group. Only with their approval can the tailored process be executed within the project. The auditor has to check the necessity of this tailoring, the approval details etc. The auditor also has to ensure that the tailored process is not a risk to the organizational business needs.

3. Project compliance audit

Normally project activities are executed as per a plan. The plan could be a management plan, test plan, integration plan, configuration management plan, QA plan or an integrated master plan. If there is a template defined for these plans, it would adhere to the organizational practices. A plan template will therefore detail all the processes which are supposed to be executed within the project, as demanded by the organization complying with specific standards/models. So during a project audit, it is very important to ensure that the project plan used is in line with the template defined in the organization. It has to be ensured that sections of the template were not removed when it was adopted for the project. Each section in the plan might be a specific practice to be adhered to, so there is a chance of sections being removed if the project team does not want to practice them.

4. Plan based audit

After ensuring that the plans are compliant with the organizational template, go through the plan section by section. The plan will direct you to each artefact in the Configuration Management (CM) tool. Take the respective artefact or Configurable Item (CI) and do a configuration audit on the CI. A CM audit cannot be done on all the CIs, so select them randomly. Checking a CI for process compliance may lead to another audit. For example, if a requirement document is taken, first check the contents for completeness and correctness. Check whether any legal or regulatory requirements are mentioned. If mentioned, trace them in the lower-level documents like design. If they cannot be traced, it could be a non-compliance. Then check other CM aspects of the requirement document, like the document history. If the reviewer column is unfilled in the document history, check whether the review was actually done or not, assuming review is not tailored. The audit goes on likewise. Then go back to the project plan and continue with the next section.

5. CM audit

Functional and physical configuration management audits need to be done on work products. Functional configuration audits are a kind of work product audit. They are done to ensure the functional performance of the work products. As a part of the physical configuration audit, check for the correct versions and ensure a properly filled-in document history/amendment record, impact analysis document for changes, change tracking sheet, traceability document etc.

6. Quantitative Data Audit

The auditor can randomly verify the data collected. If there are specific measures to be collected as instructed by the organization or customer, ensure the availability of the same. The auditor can check the integrity of the collected data. In addition, check whether the corrective actions planned in the milestone analysis are implemented inside the project or not.

7. Work product audit

In addition to process audits, work products are also audited to check compliance. CMMI PA – PPQA talks about the same. The auditor has to do some sample validation of final work products. If it is a product, testing might be a mechanism for the work product audit. It need not be regular testing as done by testers. Instead, the auditor can take a representative sample of Test Cases which are already certified as ‘passed’ by testers and execute those Test Cases to ensure compliance.


8. CAPA based audit

As part of internal quality audits, corrective actions are planned for non-conformances. Over the course of time, those actions/plans are usually ignored. The auditor has to ensure compliance with those corrective or preventive actions.

9. Audit of customer driven points

Inside the project, there may be a lot of customer-reported issues, customer feedback, complaints etc. Timely analysis and proper action need to be taken on all those points. The audit must check and report deviations if the issues are not addressed.

10. Checklist-based audit

Finally, take the audit checklist and ensure coverage. A checklist-based audit is not a recommended practice. Checklists may make your audit mechanical. But checklists can definitely be used to ensure coverage in the final stage of your audit.

How can we optimize the time and effort of a full-time QA person (process consultant) in a project? In the majority of cases, at least 50% of the auditing work done by QA could be automated. Then how could the QA work be made cost-effective?

A traffic police officer controls the traffic on a road. Now we see traffic signals in the majority of places, which are automated systems regulating traffic according to the situation. Is there really a need for a full-time traffic police officer? Of course, human intervention is required when there are critical issues which cannot be rectified by machines, or when the machines are down. Other than that, is it not a waste of effort and money to employ a person full time to regulate the traffic? Maybe at peak hours, at some busy junctions, there can be a person in addition to the machines. Or rather, if a full-time person is still required, his time should be used more fruitfully, not merely limited to traffic regulation: for example, helping the highway police or acting as a travel guide for whoever needs one.

Similarly, how can we optimize the time and effort of a full-time QA person (process consultant) in a project? In the majority of cases, at least 50% of the auditing work done by QA could be automated, and then it is a matter of proper interpretation/analysis of the findings. So, wherever possible, routine tasks should be automated, and the QA person needs to focus mostly on taking preventive measures and identifying risks. Prevention is always better than detection. Prevention could be triggered through day-to-day project-level activities, data examination, statistical analysis etc. Now, what more could be done so that full-time QA persons are cost-beneficial to the project/organization? Or what do you think about the presence of a full-time QA person in a project?


A process consultant’s activities inside a project start with the project kick-off meeting and end with the closure meeting. The sequence of activities carried out during the project life cycle is explained below.
1. Help the project manager in project planning
• Defining the workflow and milestones for project activities.
• Identifying the risks during project start up and execution.
• Defining process and product goals using process performance objectives and models defined in the organization
• Identifying the critical parameter for statistical process monitoring.
2. Review the project plan and its annexures, like the CM plan, auditing plan, risk management plan, quantitative project management plan, estimation, schedule etc.