I was called to a prospective client to help them implement ISO 9001. They seemed very interested at improving their processes in order to increase their quality and revenues. After contract negotiations, we were given the green light and quickly began process mapping the company’s main functions. As we moved from process mapping to procedure development, we have been hearing that the organization had also been trying to get C-TPAT certification for several months. With our experience in information security we knew we could help out, but decided to wait. Soon we were officially told “the company really wants to get C-TPAT certified, could you take a look at the C-TPAT requirements”? At this point we had already developed the Quality Manual, the required ISO procedures and also the company procedures to serve their core processes.
Surprise! A new variable was given to us and we loved it. What we really loved is the idea that we would be able to help the organization implement a single Quality Management System that would help them comply with both the ISO 9001 requirements as well as the C-TPAT requirements. Integrated Quality Management System, great! One of our best consulting traits!.
Back To the Process Map Board
As we got acquainted with the C-TPAT requirements, we found more similarities to the ISO 27001 standard, which of course is founded on the ISO 9001 standard. C-TPAT requirements however are not structured the way ISO 9001 is and also they are not as well organized. C-TPAT requirements are newer than ISO 9001 and obviously ISO 9001 counts with constant reviews by its international committees and subcommittees. We decided to go back to our original process map to identify where each of the C-TPAT requirements could be addressed. The objective was to use existing processes indentified during the process mapping stage at all possible and wherever we could not find a process already established then we would create a new one.
Here is a sample picture of an organization’s Process Map.
Each of the blocks above represented a procedure in itself. Each of these procedures was reviewed to assess if it needed additional measures to satisfy C-TPAT requirements. Basically we made the following decisions:
- If the C-TPAT requirements were same or less than that of ISO 9001:2008, then we would set the ISO 9001 standard as the requirements and make no change to the procedure.
- If the C-TPAT requirements were above the ISO 9001:2008 requirements, then we would address those requirements in the procedure by using italic font, to show that it is a C-TPAT requirement.
- If the C-TPAT requirement did not have a relationship to ISO 9001:2008 then we would create a new procedure.
The following table shows 2 C-TPAT requirements in parallel with ISO 9001:2008 requirements:
|#||C-TPAT Requirement||ISO 9001 Requirement|
|1||For business partners eligible for C-TPAT certification, the Customs Broker must have documentation (e.g., C-TPAT certificate, SVI number, etc.) indicating whether these business partners are, or are not C-TPAT certified. Current or prospective business partners who have obtained a certification in a supply chain security program being administered by foreign Customs Administration should be required to indicate their status of participation to the broker. To the extent such information can be obtained, brokers will maintain secure provider lists of C-TPAT certified (or equivalent) service providers in all relevant categories.||7.4.1. The organization shall evaluate and select suppliers based on their ability to supply product in accordance with the organization’s requirements. Criteria for selection, evaluation and re-evaluation shall be established. Records of the results of evaluation and any necessary actions arising from the evaluation shall be maintained.|
|2||Access controls prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets. Access controls must include the positive identification of all employees and visitors at all points of entry.|
In the case of item #1, the C-TPAT requirements were in essence merged with the organization’s Supply Chain procedure to ensure that suppliers’ evaluation includes review of the C-TPAT certificate, SVI number, etc. These requirements were made in italic on the same procedure.
In the case of item #2, an ISO requirement regarding security does not exist in ISO 9001, with the closest being perhaps 6.3 Infrastructure. In this case, we decided to go ahead and create a new procedure to address how access and security controls would be implemented and maintained.
Overall we only had to add 2 procedures, one to address physical security and another to address information security. In most procedures also, the requirements section was modified to ensure that it explicitly show that the procedure satisfies the requirements of ISO 9001 as well as C-TPAT. We also made sure that the Quality Policy was modified to be a Quality and Security Policy to show their commitment to cargo and information security.
Once all processes and procedures were established, they were rolled out as part of the Web QMS implementation. Employees were trained in their Quality Management System, which as we explained above satisfied both the requirements of C-TPAT and ISO 9001:2008. Most employees felt comfortable with the system, as they had been involved during the development process. After a few months of implementation, the Internal Audit was conducted. As ISO 9001 requires any company to include legislative, statutory requirements, C-TPAT requirements were also audited. There were several nonconformities but all were closed prior to the External Audit. A Management Review was also conducted and review of the organization’s C-TPAT profile was included in the presentation and made part of the agenda so that it will be reviewed periodically once a year.
Both the C-TPAT audit and ISO 9001:2008 were conducted with successful outcomes. The organization was made a C-TPAT partner and received its ISO 9001:2008 certification within a month of each other.
Integrated QMS is always a Winner
Whenever an organization wants its employees to follow procedures, it is best to have a single system of procedures than 2 or more set of directives. That is what an Integrated QMS means, a single set of directives that your employees can follow and identify with. An Integrated QMS can satisfy multiple requirements, is simple to maintain and best of all easy to follow! That is what Mireaux Management Solutions and the Web QMS can do for you to help you become a world class quality organization.
C-TPAT stands for Customs-Trade Partnership Against Terrorism and is a voluntary supply chain security program led by U.S. Customs and Border Protection (CBP) and focused on improving the security of private companies’ supply chains with respect to terrorism. The program was launched in November 2001 with seven initial participants, all large U.S. companies. As of April 2005, there were more than 9000 companies participating.