10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate against various threats. This entails creating multiple barriers to prevent access to information—physical, passwords, firewalls, VPNs etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly backup and test information-restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organization can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301: 2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

Above article is featured in the following:-

Foghorn Magazine

Exemplar Global Publication “The Auditor”

P-D-C-A with a Christmas Tree

As a QMII employee, I can sit and observe classes whenever I want, more so since they are virtual instructor led these days. It allows me to get a refresher on the clauses, even though it is so hard to get them. It gets me every time. When the time comes to interview auditees, I smile like a Cheshire cat; not a confident grin but one that hopefully does not betray my nervousness.  Often, I am nervous as a long-tailed cat in a room full of rocking chairs. However, my QMII ISO lead auditor training has prepared me well. I am nervous as the auditee too, even though I know audits are not about pass or fail.  While I call myself a writer and researcher my greatest struggle perhaps lies with Audit Report writing. Oh, man! QMII lead auditor training, however, well prepared me to gather all notes during an audit to present a valuable report to the auditee. Smile.

The aspect of Lead Auditor training I like is the P-D-C-A cycle because I can use that analogy anywhere in my life. I have the responsibility of putting up the tree, however, currently, my application of the P-D-C-A is not going so well. Perhaps a re-plan is needed?

So from the Lead Auditor classes that I have attended, P-D-C-A stands for the following and the task next to it is what I have to do:-

P – Planning: We have to put the tree. Also, the objective of my mission. Considerations include where are the decorations kept, do we have enough, do we need a ladder, what should be the first step, then the next (like testing the lights before we put them on the tree), and more. Most important plan the time to do it in my busy schedule!

D – Do: Now to put my plan into action! Locate the boxes, get them out, unpack, and, get my team to help me even if they don’t want to (just to cheer me on perhaps). Yay! Thanks guys, for your help! Thumbs up for that. Basically, everything else that needs to be completed before the tree is finally up and lit up and everyone is happy. The DO stage can be extremely exhausting. How about that drink to cool me down?

Note – From my Lead Auditor training and also when I am auditing my clients, I know that the ‘DO’ section of the process is where a lot of the “action” happens. Just because “you gotta do it, man, get on with it!” I feel the pain of the “Do’s” as it is easy sometimes to plan but more taxing to put the plan into action. Now getting back to my tree.

C – Check: Once the tree is up and you think the job is over, it is not. You have to wait for the others to “check” the tree out and give their opinions. Pass comments, critique your effort while you are bickering away that they didn’t do anything, but they get to analyze it. What was that? Oh yes, I agree it is just an opportunity for improvement and we love our non-conformities.

A – Act: The verdict is out. The tree looks great. Beautiful decorations. However, the lights seem to flicker at some places, we need better lights for next time. Get more decorations. Good job!

VERDICT

Plan it better next time. Stop bickering when you are doing the job. Be patient and stop being

grumpy when they are “checking” and analyzing your work. Continually Improve this process till you get your Act together – words of a wise Yoda who is enjoying the view of the Christmas tree and listening to the Christmas songs.

Can I get that drink now? Long Island, please. Merry Christmas!

Is your organization ready for MDSAP?

Quality is important in all industries but perhaps more so in the medical industry and for those organizations producing medical devices. Apart from ISO 13485 that defines the requirement for medical device quality management systems, medical device manufacturers have to also comply with the regulations of the country their devices are going to be used within. In an effort to streamline the program for manufacturers the Medical Device Single Audit Program (MDSAP) was devised. The MDSAP program is an audit done of the company to the regulations of five participating countries. It is thus much longer than a regular ISO audit as it has to assess the system against multiple regulatory requirements.  

As your company prepares for this new audit scheme perhaps the easiest thing to do is a self-assessment. Use the MDSAP audit model guide to assess whether the company processes meet all the requirements. Conduct a gap assessment and then work to fill in the gaps including keeping records as needed by MDSAP. Just because an organization undergoes MDSAP does not mean that it will not have an ISO 13485 audit as these are two separate schemes. In the conduct of the assessment ensure that the person conducting it is competent to do so. This will avoid any last-minute surprises. Make note that the MDSAP model grades non-conformities differently and so use the same scoring scheme to know what are the priorities that need to be addressed immediately.  

Is the leadership prepared? Often in preparing an organization focuses on the lower echelons as also on the processes involved in the design and manufacturing processes. Ensure the leadership is briefed on the model guide and understands the expectations from them. As a part of each audit, the AO focuses on the management and assesses their commitment to the system. The leadership once committed will drive the rest of the organization to follow suit. This will make it easier for those implementing the system and assessing it internally.  

Make sure personnel are trained and understand well the expectations. QMII offers a variety of MDSAP offerings that are tailored to meet the requirements of the organization with training for each level of the organization. In addition, QMII also offers ISO 13485 lead auditor training. Organizations must recognize that participating in MDSAP will not exclude them from regulatory audits from other organizations. While the audit program may seem cumbersome at first there are benefits from participating in it that include reduced costs and a streamlined audit process.  

How will ISO 22301 Benefit you?

What is ISO 22301?

ISO 22301 is an international standard for Business Continuity Management Systems. This standard is designed to protect, prepare for, respond to, and recover from unexpected incidents when they arise. When your organization has a Business Continuity Management System, it is prepared to detect and prevent unforeseen threats.

ISO 22301 applies to all organizations no matter the size or industry. In 2012, when this standard was first developed, it was the world’s first international standard for implementing and maintaining effective business continuity plans, systems, and processes. It was revised in late 2019 to bring it up to date with current best practices and is based on the High-Level Structure (HLS).  Consequently, it aligns well with many other internationally recognized management system standards including ISO 9001 (quality management) and ISO 14001 (environmental management).

What are the benefits of being ISO 22301 certified?

There are many possible threats that organizations face including supply chain issues as we saw in the recent pandemic, or natural disasters such as earthquakes, floods, hurricanes, and tornadoes, and even cyber-attacks such as the recent news with the ransomware attacks on the oil and gas and food industries. These are major threats, but there are even other types of risks, such as the loss of skilled labor, power outages, and IT breakdowns that can cause disruption to a business.

How is a certification in ISO 22301 beneficial to an individual?

With a certificate in ISO 22301, you will be able to help your organization meet its business objectives and gain the necessary knowledge to manage a team in the implementation of this standard.

If your organization does not have a Business Continuity plan, then they may be at risk.  It is important to take these plans seriously or your business could suffer consequences. Some impacts of not having a plan include business failure, damaged reputation, loss of data and clients, and business interruption.

 What will students learn about ISO 22301 from QMII?

During ISO 22301 five-day training at QMII, students will understand how to respond effectively based on the procedures that apply before, during, and after an event. It is important for an organization to implement a Business Continuity plan because it shows that you are prepared for the unexpected. This assures that your business will continue to operate without any major impacts or losses. Our training enables you to develop the necessary expertise to perform a Business Continuity Management System (BCMS) audit by applying widely recognized audit principles, procedures, and techniques.

 

Implementing Safety Management Systems for Passenger Vessels

PV SMS White Paper – FinalExcerpt below is from White Paper by ‘Implementing Safety Management Systems for Passenger Vessels’ by Dr. Inderjit (IJ) Arora (QMII), Julius Desilva (QMII) and Captain Lee Boone (USCG, Retired). To continue reading the paper click on link in text.

INTRODUCTION

All too often, major accidents are the catalyst for change in the maritime industry. Evidence of this is seen in the development and implementation of maritime conventions and codes in existence today. The International Safety Management (ISM) Code, the result of such a catalyst, was meant to change this reactive nature. The ISM Code intended to promote a safety culture wherein risks are properly considered, work is effectively planned, personal accountability is enhanced, and operations are continually improved.

Unfortunately, this target was missed in many cases and a pervasive by-product called compliance culture set in, wherein the system achieves the minimum and only to satisfy regulators. The maritime industry and regulators learned much from this experience. We know now that if the true value of safety management systems (SMS) is not realized, further implementation efforts become self-defeating. This leads to even more than normal resistance from many who have seen colleagues, shipmates and competitors negatively impacted. A carefully planned implementation strategy expanding the use of safety management systems (SMS) to domestic passenger vessels should therefore be executed to avoid these pitfalls. As Safety Management Systems for domestic passenger vessels are intended in the same way as those for SOLAS1 vessels, we must apply lessons that have been learned from similar regulatory efforts.

In this paper, recommendations are made for implementing SMSs for domestic passenger vessels (PV) based on the concepts of incentives, scalability, and collective use of resources. When implemented in the right way and for the right reasons, the value that SMSs offer passenger vessel owner/operators is maximized, while the cost of implementation is minimized.

BACKGROUND – RESISTANCE TO CHANGE

Looking at the data from the 1980’s to date, one would expect to see a decline in marine casualties starting in 1998 when the ISM code’s first compliance deadline came into effect. Initially the data shows a downward trend for a few years and then a spike starting in 2001. Those resisting change brought about by the ISM code would argue that the code had not delivered any improvements. However, the upward trend peaked in 2008 and has since seen a decline.

When a new management system is put in place, irrespective of industry, the first sign of success albeit non-intuitive, is a spike in accidents, incidents and hazardous occurrences. This leading indicator should be accepted as a positive as it demonstrates that the personnel within the system have started reporting non-conformities that went unreported before. This reporting enables corrective action to be taken in a systematic manner to prevent a similar non-conformity from occurring again.

To continue reading click here.

ISO 14001 – Environmental Management System Auditing

With the HLS (high-level structure) common to all standards ensuring the ten-clause structure an organization can ensure the best results to its management system by having an integrated management system. A divided approach to managing an organization based on several standards can often result in environmental and quality policy being in conflict. If occupational health and safety (ISO 45001) are also to be integrated, it enables the management to consider the risks in the combined context of the organization. When these are separated the combined risks can be mixed. Further, if security is to be also part of the management system (ISO 28000 – still not in the HLS format), integrating the system would ensure a functional management system.

Environmental management system based on ISO 14001, has integral it the consideration of aspects, their impacts, recognition of significant impacts, and prioritization of the same. Experience shows that implementing ISO 14001 is easier and simpler and more readily accepted by the employees when the organization already has a functioning Quality Management System (QMS) based on ISO 9001 in place.

A well-implemented EMS, EMS ensures cost savings by recycling, reduction in consumption, and cost savings in waste. This gives tremendous advantages over competitors for projecting the organization as a responsible company but when tendering for business. Managing risks is more comprehensive, as the leadership is able to see combined risks to the organization in quality, safety, occupational health, and security. The demonstration of commitment to improving the environment in a socially responsible manner is more systematically implemented by interpreting the ISO 14001.

Auditing the integrated management system, if that be the choice (recommended), or just the EMS based on ISO 14001 requires the auditors to first interpret the standard based on company policy, the organization’s goals based on consideration including expectations of the interested parties and the external and internal issues aligned to statutory requirements. Auditors, particularly internal auditors must ensure the interpretations of ISO 14001 are aligned per guidelines for the industry. ISO 14001 certification can improve an organization’s reputation and result in improved relationships to the mutual benefit of stakeholders and the organization.

Auditors must not forget that internal auditing is not to judge the legal compliance of the processes. Legal compliance is a requirement and is best judged by compliance auditors. Internal auditors audit to see that the organization has the processes to ensure compliance. Internal auditors look at the plans of the organization to ensure processes monitor environmental aspects and mitigate as required, systematically address them.

QMII (www.qmii.com) has for 30 plus years integrated management systems and training lead auditors for various standards including ISO 14001. With our vast consulting experience in ISO 14001, we reinvest our field experience into the content development of our courses. The real-world experiences back our instructors and training material in ensuring auditors understand ISO 14001.

A good internal audit process, for any standard, particularly the ISO 14001, should start with a good plan. Good QMII training ensures, auditors prioritize audits, and allocation of time-based on risks, previous results, the importance of the process. The audit cycle is often one year (can vary), and so depending on the environmental importance of the process and past performance-critical environmental aspects can be audited.

Effectiveness of the ISM Code

The ISM (International Safety Management) Code, in itself, is not a magic wand, that will bring safety or prevent pollution. It depends on the organization on how it implements the Code. Safe operation of ships and the prevention of pollution should have been any organization’s objective. Yet all over the world owners to save money compromise these objectives. Did not the Titanic on April 15, 1912, sink, trying to create a record of crossing the Atlantic, by going North to cut distance, run into the iceberg?

The sinking of the Titanic, with a loss of nearly 1500 passengers and the crew was an eye-opener. It led to the SOLAS (Safety of Life at Sea) convention. Did the negligence and continued operation of ships compromising safety stop with SOLAS? Sadly not. The investigation by Justice Sheen into the sinking of the Herald of Free Enterprise, on March 6, 1987, looked at why SOLAS had not helped prevent the tragedy. It brought out the necessity for a process-based management system, and the SOLAS Chapter IX was updated to authorize the ISM Code. It provides the guidelines for the implementation of a system to ensure the safety of vessels at sea.

The Flag State Administrations whose flag the ships sail under, legitimize the use of the code making it mandatory for internationally trading vessels. If any company is bent upon not implementing it in the spirit of it, then of course the objectives of the code as also the functional requirements will not be met. Owners and Operators of the vessels often look to short term gains wherein they compromise the standards and bypass the rules. They have to understand that behind every casualty at sea are many detentions and behind them indicators like Major NCs (non-conformities) and near misses.

The Flag States who do not strictly inspect and audit vessels to the ISM Code and issue SMC (safety management certificates), are actually, to retain the business of ship owners, jeopardizing the same ships! Even some responsible Flag States, due to shortage of manpower outsource their duties to ROs (recognized organizations), often represented by class societies. This results in diluted control, as an outsourced process needs strict monitoring of the process to ensure the performance is not affected. Not managing an outsourced process is as good as not taking responsibility. Authority can be delegated, bot the responsibility.

NCs (non-conformities) drive correction and CA (corrective action), and as such should be welcome as inputs to ensure continual improvement of the system based on the ISM Code. Yet, there are every day common examples of Masters of ships negotiating to somehow get the auditors to not give NCs. This is because the management ashore is not mature to realize, that keeping the master’s pressurized and performance being judged by NCs reported is creating an environment of fear and hiding of NCs. A good SMS (safety management system) based on the ISM Code, if correctly implemented should welcome NCs. The DP (designated person) should know that the “only bad NC, is the one which the organization does not know about.”

For domestic vessels, and for that matter towing and small vessels, and perhaps in due course of time for domestic passenger vessels, one would think a new standard would be required? Sub Chapter M for the towing industry in the USA, is nothing else but the ISM Code domesticated. The ISM Code is a useful well thought of document which provides strong fundamentals based on hundreds of years of sea experience, loss of life, cargoes, ships, and fortunes. The process-based management system it propagates would systematize operations. However, for an effective management system, the implementers have to be motivated and committed. The Flag States have to be strict and vigilant in their issue of certificates. When they outsource the certification to Ros, they must not wash their hands of their responsibility. The strict monitoring of the ROs by ensuring good clear concise MOUs (memorandums of understanding) with clear provisions to audit the ROs must be put in place. The owners and operators through their organization should put in place a robust internal auditing program that gives the objective inputs on the implementation of the ISM Code.

– by Dr. IJ Arora

Eight steps for a successful internal audit program

Internal audit programs play an important role in ensuring the success of the system. ISO standards such as ISO 9001, ISO 14001,  ISO 45001 provide the framework for management systems to function using a process-based approach, to achieve customer and other stakeholder’s requirements. Organizations certified to ISO standards, strive to be compliant, efficient and remain certified. Successful systems have Top Management (TM) / Leadership that are committed to and engaged with the system. They ensure regular internal audits and conduct management reviews (MR) to assess the continuing suitability, adequacy and effectiveness of the system. They further ensure that their decision-making process uses the inputs from the MR to ensure objective resourcing and support for efficiency.

External third-party audits too add value to this system, provided the auditors remain objective throughout the audit. Over the years QMII has come across instances where Non-Conformities (NC) were issued without the requirement being clearly stated or the evidence did not substantiate the requirement not met. However, these NCs are rarely challenged by organizations for “fear” of upsetting the auditors. Changes are further implemented to the system as a part of corrective action based on these findings. At times when the management is disconnected from the working system they often are surprised by the NCs presented at the closing meeting.

Is there, as a result, a case for preparing the organization for both internal audits and external audits? In well-functioning systems the organization should never have to prepare for an internal audit. The systems are designed to drive success and not for auditors or to get through audits without any NCs. NCs are, after all, an opportunity for continual improvement of the system and should be embraced, provided they are objective and not subjective to an auditor’s experience or opinion. An organization can and must respect a good NC and use it to drive correction and corrective action (CA). After all CA is NC driven. The organization/ auditee should be happy to receive a NC for risk(s) not appreciated.

I do however think that there are steps organization can take to build employee confidence in the  system, including the confidence to challenge the auditor when a NC is not clear or incorrectly given. Here are eight steps an organization can do to have its employees get that confidence for internal audit and subsequently for external audits:

  1. Conduct orientation on the process-based management system (PBMS) approach in general, and introduction to the highlights of the specific standard (e.g. ISO 9001:2015). This ensures that the basics of system approach and the internal management system are clear to all personnel.
  2. All TM must do a short training to be aware of the ISO standard, the main clauses and the benefits of the management system. This awareness leaders workshop (ALW) brings the confidence in the system, its implementation and continual improvement. This leadership awareness further encourages engagement of all personnel to use the system and increases buy-in.
  3. On regular basis, in day to day work and meetings refer to the management system. Ensure Quality, environment, safety, security, social responsibility, compliance are topics of discussion at periodic intervals. Even the middle and lower management e.g. supervisors should be encouraged to use the  system and engage others to do so. Management may have to support others in their roles of leadership at relevant levels.
  4. More than just following processes, all personnel must feel free and confident to challenge the process, make suggestions, raise NCs and submit innovative ideas. A participatory approach to system implementation is very cost effective. Let employees voice their concerns. Once they confident of their process and their system (with the fundamentals of the ISO Standard/other requirements built-in) the fear of audits will reduce.
  5. Put in place an aggressive internal audit program. When an outside (third party) auditor raises a NC, the organization does RCA (Root Cause Analysis) of the NC, but rarely does it challenge its Internal system and ask how the internal audit program missed the NC raised by the third party? Internal audits must be objective and strict and must raise all NCs.
  6. NCs must be tracked diligently and addressed within the time frame the organization has set for itself. TMs must stay involved by asking on the progress to the CA process. Overdue NCs must be investigated and TM must ask during the MR why the concerned department did not address it in time. Encourage PSW (Problem Solving Workshops) so teams can look at complex, inter-departmental NCs. Encourage use of tools as Causal Analysis and FMEA (Failure Mode Effect and Analysis).
  7. Creating a lesson learned data base has many advantages. It acts as a historic record for new joiners to learn of past occurrences. Additionally, it has great participatory value connecting each future task as a driver of improvement based on the past. The collective intelligence of the organization is available to the organization and does not vanish when individuals leave the organization.
  8. Some additional points for ISO 9001/ ISO 45001/AS9100 audit preparation:
  • Answer audit questions to the point. Do not volunteer information not sought.
  • Do not be reluctant to ask for your manager/ supervisor to support you if you are not clear on the question.
  • Have the confidence in your professionalism to ask the auditor for the requirement based on which the auditor is planning to raise a NC.
  • Be aware of risks associated with their process and actions taken to address them.
  • Explain the risks in the context of the organization and the context of what the employee does to them.

Aspects and Impacts: Let’s start here

Every organization needs to consider the aspects of their organization, and the impacts they have on the planet.  Understanding the impacts is critical to the sustainability of the organization, and in the long run, the planet.

Most organizations only consider the impacts of their processes in relation to waste created and materials used.  While these are important, an organization should consider all aspects of their operation and processes before they start a business.  This includes the facilities, people, materials and other elements of their operations.  Once operational, they need to continually evaluate all process to look for improvement.

Many aspects are considered by organizations in order to borrow money to launch a product or service.  This is a good place to start.  Clearly understanding the impacts the organization will have on the local environment and community is a good step toward launching a sustainable business.  Lenders, both private and public, will be more generous lending if they know the organization is considering all three pillars of sustainability; social, environmental and economic.

Generally speaking, recycling an existing structure to a new operational use has less impact than building a new facility.  Applying building technics recommended under Leadership in Environmental and Energy Design (LEED) and Energy Star, will also reduce environmental impacts, and improve the operational economics.  If new structures are required, considering the site location, building facing direction and proximity to water, public transportation, and workers, will also help the organization conform to LEED and other building Standards.  Local communities will be much more accepting of an organization operating in their community if the proper design considerations are considered before construction is begun.

Once operational, every group in an organization needs to evaluate their processes on a regular basis to determine what improvements can be made to the aspects of the organization, and the impacts of there processes.  Management is accountable for the operation of the organization, but every department needs to be responsible for their processes.  This is not just the manufacturing or production departments, but also sales, marketing, receiving, packaging, shipping and customer services.  Organizations are also responsible for the performance of their products and/or services, and often the potential recycling of products. 

The International Organization for Standardization (ISO) has established Standards that can be used by an organization to help improve their management system processes and reduce risks.  ISO 14001:2015 Environmental Management Systems and ISO 9001:2015 Quality Management Systems can be used separately, or together, to provide guidance in improving an organization’s operations.  Lenders and communities appreciate the value of a well-run organization that understands the aspects of their operations and addresses the impacts.

What is ISO 14001 Lifecycle Perspective?

ISO 14001 Lead Auditor training introduces students to the ISO 14001 standard and its interpretation as well as the skills needed to assess the effectiveness of the environmental management system. ISO 14001 in its 2015 revision introduces the lifecycle perspective. In essence, the standard asks organizations to use a lifecycle perspective when designing/manufacturing their products/services. This means that instead of a cradle to grave concept organizations need to think of a cradle to cradle concept.

Cradle to Grave

ISO 9001 ‘Requirements for Quality Management Systems’ ushered in a new era of process-based management systems that could be used to improve the quality of products/services being delivered to customers as well as when well implemented to increase efficiency and productivity. However, as productivity, efficiency and quality were being improved; the by-products of the system were not addressed. During the 1980s there were some regional efforts to address the impact of organizations on the environment and ISO 14001 was ISO’s effort to lay down the requirements for a management system that addressed the aspects and their associated impacts. Organizations were expected to take action on these impacts to reduce them. Auditors undergoing ISO 14001 Lead Auditor training were now ready to assess the effectiveness of these systems.

In its initial publication and subsequent revision in 2004 ISO 14001 asks organizations to take a ‘cradle to grave’ approach to managing their impacts on the environment. This meant reducing the immediate impact on the environment. However, with time we learned that this does not address the growing landfill issues being faced by countries globally. To address this issue as well as to align with international efforts to address climate change, rapid depletion of the planet resources and encourage sustainable operations the ISO 14001 standard introduced the concept of ‘cradle to cradle’ in its 2015 revision.

Cradle to Cradle

ISO 14001 defined lifecycle as “consecutive and interlinked stages of a product (or service) system, from the raw material acquisition or generation from natural resources to final disposal.” Life cycle stages can include the acquisition of raw materials, design, production, transportation/delivery, use, end-of-life treatment, and final disposal. A great example of a lifecycle perspective in manufacturing is the recycling of Lead-Acid Car Batteries. Nearly 99% of these batteries are recycled/reused. Major battery manufacturers have programs in place to encourage the recycling of car batteries.

While ISO 14001 does not call for a formal life cycle assessment ISO 14044 provides the guidelines for a life cycle assessment should an organization wish to do so. In determining the end of life disposal organizations may choose products that are recyclable, sustainable and even perhaps biodegradable. ISO 14001 lead auditor training provided by QMII, highlights the concepts of a lifecycle perspective and how to incorporate it into your environmental management system.

Conclusion

ISO 14001 Lead Auditor training enables participants to go back and implement environmental management systems that will benefit their organization, the environment, and stakeholders. It also enables participants to conduct value-adding audits of their systems. The intent of the audit is to identify opportunities for improvement. With the skills, ISO 14001 Lead Auditor training by QMII and the knowledge of a life cycle perspective participants are ready to hit the ground running in implementing and auditing environmental management systems.