ISO 9001:2015 – Shifting Gears in the New Quality Management Standard

Moving from ISO 9001:2008 to ISO 9001:2015

ISO 9001 is a standard designed for organizations looking to optimize their operational excellence. It helps businesses and organizations to be more efficient and improve customer satisfaction. A new version of the standard, ISO 9001:2015, has just been launched, taking over the previous version.


ISO standards are reviewed every five years and revised if needed to ensure that they maintain their significance in today’s marketplace. This revision will also serve to keep ISO 9001 relevant with regard to both the challenges and the opportunities that arise from changing technologies, globalization, and a reinforcement of a risk-based approach, as well as structuring the standard to deal with future changes.

What are the Major Differences?

The new ISO 9001 standard aligns with high-level organizational structure, requiring all new ISO management system standards to be aligned on a high-level structure with a set of common requirements. Additionally, there is a greater emphasis on risk-based thinking as a basis for the management system, more focus on achieving value for the company and its customers, increased flexibility regarding use of documentation, and a more approachable structure for service businesses.

There are 10 clauses within the standard and here are the changes clause by clause:

Clause 1 is very similar to the 2008 version covering the scope of the standard and there has been very little change to this clause.

Clauses 2 and 3 cover normative references and terms and definitions. Both clauses reference ISO 9000, Quality Management Systems – Fundamentals and Vocabulary, which provides valuable guidance.

The remaining clauses include some new key elements which need to be considered when implementing the new standard.

Clause 4: Context of the Organization

This is a new clause that in part addresses the deprecated concept of preventive action and in part establishes the context for the QMS.

Clause 5: Leadership

This clause places requirements on top management to demonstrate commitment to the QMS through taking accountability for the effectiveness of the QMS, establishing policies, objectives and promotion of continual improvement.

Clause 6: Planning

When planning the QMS, the organization will need to consider the external and internal issues along with needs and expectations of interested parties.

Clause 7: Support

The organization shall determine and provide the necessary resources to establish, implement, maintain and continually improve the QMS.

Clause 8: Operation

This clause deals with the execution of the plans and processes that enable the organization to meet its quality policy and quality objectives.

Clause 9: Performance Evaluation

This clause consolidates all requirements for monitoring and measurement related to quality performance and the effectiveness of the QMS.

Clause 10: Improvement

The organization must determine the opportunities for improvement to continually improve the organization’s QMS.


Impact of the New Standard

ISO 9001:2015 is now replacing ISO 9001:2008. Organizations that are already ISO 9001 certified should begin tracking the revision process and familiarize themselves with the various changes made. To maintain your certification to ISO 9001, you will need to upgrade your quality management system to the new edition of the standard and seek certification to it. You have a three-year transition period from the date of publication (September 2015) to move to the 2015 version. This means that, after the end of September 2018, a certificate to ISO 9001:2008 will no longer be valid.

According to the International Accreditation Forum (IAF), there are a number of recommended actions that organizations can take to successfully transition to the new requirements of ISO 9001:2015. These include:

  • Conduct a gap analysis

Identifying the gaps between current practices and the new requirements is the most effective way to evaluate the changes that are required in your current QMS.

  • Develop an implementation plan and timetable

A formal implementation plan and schedule will help your organization address the required changes within the anticipated three-year transition period.

  • Provide appropriate training for all parties

Ongoing education and training for all relevant personnel are critical to achieving the goals of your transition plan. More important, educated stakeholders are vital in ensuring ongoing compliance once the transition is complete.

  • Update existing QMS documentation

Clear and thorough documentation is essential to demonstrate compliance with the requirements of the revised standard and to help reduce the risk of nonconformities.

  • Involve your certification partner early in the process

An experienced certification body can provide invaluable assistance in the process of transitioning to the requirements of ISO 9001:2015. Its early involvement can help your organization save time and money.


In a nutshell, there are new areas that organizations need to consider when implementing the new standard, but it provides an opportunity to review your current approach and modify it if necessary. This can help your business to grow, increase profitability and increase customer satisfaction. It is now a powerful business improvement tool for all sizes and types of organizations to help them remain irrepressible and achieve sustainable growth.


Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s growth in use and popularity has been soaring at a great pace! According to Gartner (2013), the marketplace for cloud computing will grow ~20% to USD 131 billion in 2017 from USD 111 billion in 2012.

What’s more?

2016 will be a defining year for cloud as this cutting-edge technology will just get more sophisticated in the next few years.

The Cloud Landscape

Cloud computing started as an in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their individual business needs. This consists of a set of technologies and service models that focus on Internet-based use and delivery of IT applications, processing capability, storage and memory space.

But now it has evolved into a platform on which much of our daily life depends. While public and private clouds offer one means to differentiate the infrastructure sharing options, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) have come to define the extent and level of control held by the cloud service provider (CSP) vs. the cloud user.

According to the National Institute of Standards and Technology (NIST), the “cloud” is composed of five essential characteristics.

  1. On-demand self-service, which implies that a customer can order a service via the web or some other method at any point in time and have it become immediately available for his or her use.
  2. Broad network access, in the sense that services are available over the network and are accessed through standard mechanisms (mobile phone, tablet, laptop, etc.).
  3. Rapid elasticity of the cloud capabilities and measured service, which means that additional capacity remains available and accessible on an ‘as needed’ basis and customers are automatically billed for their consumption.
  4. Last but not least, resource pooling, meaning the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

The Confidence for Tomorrow – ISO 27018

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting issue for many cloud service providers and cloud users. Given the substantial data protection risks, measures need to be undertaken to mitigate their effect, to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO 27018:2014 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors is the first set of international privacy controls launched.

Following the privacy controls set out in ISO 27018 gives service providers greater assurance that they are doing the right thing and everything recommended to protect customers’ personal information. The mechanism benefits both cloud providers and cloud users. For a consumer buying cloud services, it can help identify the requirements for selecting a cloud provider and define contractual clauses. For a cloud service provider, it can provide a unique selling proposition to potential clients, because the more familiar clients become with the standard, the more often it will appear in their requests for proposal.

ISO 27018 takes into account public policy from around the world, as it integrates input from many regional regulators. A cloud service provider’s conformance to the standard makes the whole job of complying with particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve PII security and compliance in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard put forward by the International Organization for Standardization (ISO) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. In order to fulfill the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

The scope of “personal data” covers not only information that “can be used” or “linked” to a PII principal/data subject, but “any information” relating to an identifiable natural person.

  2. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as PII controller and the cloud service provider is the PII processor.

  3. Personal Data Protection Principles

The ISO/IEC 27018 contains a comprehensive set of controls regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Compliance
  • Information security aspects of business continuity management.

As the PII processor enables the cloud service client to comply with its regulatory (data protection) obligations, through these controls the PII processor also conforms to its own obligations, either legal or contractual.

  4. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular the data breach notification, privacy by design, audits and certifications. In general, the standard may be seen as an instrument that assists the PII processor to comply with the principle of accountability requirements. Key to the demonstration of compliance in the context of the principle of accountability is third party certification. The cloud service provider that implements the new standard may ask for a conformity assessment, in order to be certified for complying with the standard.

In order to comply with the standard, participating cloud service providers must provide transparency in the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.

Top 10 Things to Know about Cloud Security and ISO 27018

Way Forward

The current landscape for cloud security standards is best characterized as immature but emerging. ISO 27018 provides transparent guidance for cloud service providers to establish privacy protection and allows businesses to make careful decisions about the cloud. Beyond the guidelines it provides today, ISO 27018 can also serve as a reference point for the future improvement of standards. As the first international standard dedicated to cloud privacy, it initiated an interchange of ideas among CSPs on best practice for data privacy and security. ISO 27018 is an important step towards protecting PII in the cloud. It emerges from previous ISO guidelines and will continue to evolve along with cloud service providers’ technology to provide more secure services for the growth and success of businesses.

ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them implement management systems and international standards/best practices across multiple domains and industries.

Our partnerships with best-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result-oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators having expertise in a niche array of domains and a strong regional presence, we provide an extensive portfolio of excellent industry-specific and functional programs coupled with high-quality training materials to provide best-in-class services for professionals around.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions) in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, and correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud – Data Security Best Practices based on ISO 27018 training program.




50 Sensor Applications for a Smarter World

Smart Cities

  • 01 Smart Parking

    Monitoring of parking spaces availability in the city.

  • 02 Structural health

    Monitoring of vibrations and material conditions in buildings, bridges and historical monuments.

  • 03 Noise Urban Maps

    Sound monitoring in bar areas and centric zones in real time.

  • 04 Smartphone Detection

    Detect iPhone and Android devices and in general any device which works with WiFi or Bluetooth interfaces.

  • 05 Electromagnetic Field Levels

    Measurement of the energy radiated by cell stations and WiFi routers.

  • 06 Traffic Congestion

    Monitoring of vehicles and pedestrian levels to optimize driving and walking routes.

  • 07 Smart Lighting

    Intelligent and weather adaptive lighting in street lights.

  • 08 Waste Management

    Detection of rubbish levels in containers to optimize the trash collection routes.

  • 09 Smart Roads

    Intelligent Highways with warning messages and diversions according to climate conditions and unexpected events like accidents or traffic jams.



Smart Environment

  • 10 Forest Fire Detection

    Monitoring of combustion gases and preemptive fire conditions to define alert zones.

  • 11 Air Pollution

    Control of CO2 emissions of factories, pollution emitted by cars and toxic gases generated in farms.

  • 12 Snow Level Monitoring

    Snow level measurement to know in real time the quality of ski tracks and allow security corps avalanche prevention.

  • 13 Landslide and Avalanche Prevention

    Monitoring of soil moisture, vibrations and earth density to detect dangerous patterns in land conditions.

  • 14 Earthquake Early Detection

    Distributed control in specific places of tremors.



Smart Water

  • 15 Potable water monitoring

    Monitor the quality of tap water in cities.

  • 16 Chemical leakage detection in rivers

    Detect leakages and wastes of factories in rivers.

  • 17 Swimming pool remote measurement

    Control remotely the swimming pool conditions.

  • 18 Pollution levels in the sea

    Control realtime leakages and wastes in the sea.

  • 19 Water Leakages

    Detection of liquid presence outside tanks and pressure variations along pipes.

  • 20 River Floods

    Monitoring of water level variations in rivers, dams and reservoirs.



Smart Metering

  • 21 Smart Grid

    Energy consumption monitoring and management.

  • 22 Tank level

    Monitoring of water, oil and gas levels in storage tanks and cisterns.

  • 23 Photovoltaic Installations

    Monitoring and optimization of performance in solar energy plants.

  • 24 Water Flow

    Measurement of water pressure in water transportation systems.

  • 25 Silos Stock Calculation

    Measurement of emptiness level and weight of the goods.



Security & Emergencies
  • 26 Perimeter Access Control

    Access control to restricted areas and detection of people in non-authorized areas.

  • 27 Liquid Presence

    Liquid detection in data centers, warehouses and sensitive building grounds to prevent break downs and corrosion.

  • 28 Radiation Levels

    Distributed measurement of radiation levels in nuclear power stations surroundings to generate leakage alerts.

  • 29 Explosive and Hazardous Gases

    Detection of gas levels and leakages in industrial environments, surroundings of chemical factories and inside mines.




  • 30 Supply Chain Control

    Monitoring of storage conditions along the supply chain and product tracking for traceability purposes.

  • 31 NFC Payment

    Payment processing based in location or activity duration for public transport, gyms, theme parks, etc.

  • 32 Intelligent Shopping Applications

    Getting advice at the point of sale according to customer habits, preferences, presence of allergic components for them or expiring dates.

  • 33 Smart Product Management

    Control of rotation of products in shelves and warehouses to automate restocking processes.




  • 34 Quality of Shipment Conditions

    Monitoring of vibrations, strokes, container openings or cold chain maintenance for insurance purposes.

  • 35 Item Location

    Search of individual items in big surfaces like warehouses or harbours.

  • 36 Storage Incompatibility Detection

    Warning emission on containers storing inflammable goods close to others containing explosive material.

  • 37 Fleet Tracking

    Control of routes followed for delicate goods like medical drugs, jewels or dangerous merchandises.



Industrial Control

  • 38 M2M Applications

    Machine auto-diagnosis and assets control.

  • 39 Indoor Air Quality

    Monitoring of toxic gas and oxygen levels inside chemical plants to ensure workers and goods safety.

  • 40 Temperature Monitoring

    Control of temperature inside industrial and medical fridges with sensitive merchandise.

  • 41 Ozone Presence

    Monitoring of ozone levels during the drying meat process in food factories.

  • 42 Indoor Location

    Asset indoor location by using active (ZigBee) and passive tags (RFID/NFC).

  • 43 Vehicle Auto-diagnosis

    Information collection from CanBus to send real time alarms to emergencies or provide advice to drivers.



Smart Agriculture

  • 44 Wine Quality Enhancing

    Monitoring soil moisture and trunk diameter in vineyards to control the amount of sugar in grapes and grapevine health.

  • 45 Green Houses

    Control micro-climate conditions to maximize the production of fruits and vegetables and its quality.

  • 46 Golf Courses

    Selective irrigation in dry zones to reduce the water resources required in the green.

  • 47 Meteorological Station Network

    Study of weather conditions in fields to forecast ice formation, rain, drought, snow or wind changes.

  • 48 Compost

    Control of humidity and temperature levels in alfalfa, hay, straw, etc. to prevent fungus and other microbial contaminants.



Smart Animal Farming

  • 49 Hydroponics

    Control the exact conditions of plants grown in water to get the highest efficiency crops.

  • 50 Offspring Care

    Control of growing conditions of the offspring in animal farms to ensure its survival and health.

  • 51 Animal Tracking

    Location and identification of animals grazing in open pastures or location in big stables.

  • 52 Toxic Gas Levels

    Study of ventilation and air quality in farms and detection of harmful gases from excrements.



Domotic & Home Automation

  • 53 Energy and Water Use

    Energy and water supply consumption monitoring to obtain advice on how to save cost and resources.

  • 54 Remote Control Appliances

    Switching on and off remotely appliances to avoid accidents and save energy.

  • 55 Intrusion Detection Systems

    Detection of windows and doors openings and violations to prevent intruders.

  • 56 Art and Goods Preservation

    Monitoring of conditions inside museums and art warehouses.




  • 57 Fall Detection

    Assistance for elderly or disabled people living independently.

  • 58 Medical Fridges

    Control of conditions inside freezers storing vaccines, medicines and organic elements.

  • 59 Sportsmen Care

    Vital signs monitoring in high performance centers and fields.

  • 60 Patients Surveillance

    Monitoring of conditions of patients inside hospitals and in old people’s homes.

  • 61 Ultraviolet Radiation

    Measurement of UV sun rays to warn people not to be exposed in certain hours.






APEX Global runs 1st Joint Knowledge Forum with SHRM on The Future of Learning & HR


APEX Global, the learning solutions arm of ECC International, has recently partnered with SHRM (Society of Human Resource Management) from the USA to bring professional development solutions for HR practitioners in the Philippines. Together with SHRM, APEX Global jointly ran the 1st Knowledge Forum, focused on what’s in store for global corporations, both big and small, and how HR will play a crucial role in shaping this future.

This forum was held at the Mandarin Oriental in Makati City on 10th April 2014, and was well attended by senior HR executives from banking, financial services, manufacturing, outsourcing / BPO, government agencies and IT companies. The group had several meaningful exchanges and a lively discussion about the field they oversee – HR & Learning.

Some of the key highlights / strategies for the future shared in the presentation included:

1. Grow from Within – Need for organisations to focus internally for future leaders rather than outside

2. Business Partner Approach – Shifting towards the setup of ‘HR business partner’ model rather than viewing HR as a support department

3. (Re)Building Employer Brand – Creating new strategies to retain performers and reduce recruitment related costs

Given the extensive interest among the participants, SHRM’s professional certification programs will be launched in the Philippines starting May 2014.

HRMP (HR Management Professional) – May 26-28 2014

For more information about the courses, pre-requisites and the value of the professional certification, please email us at to contact you with details.


Another milestone in Sustainability Reporting for ECCI

ECCI helped Ayala Corporation in developing their 2011 Sustainability Report at the conglomerate level. The report focuses on the Environmental, Economic and Social performance of the group for the past year based on the GRI G3.1 Guidelines. The report was released during the recently held Sustainability Summit at the Ayala Museum on Friday, October 5, 2012. The report was officially launched by its Chairman, Jaime Augusto Zobel de Ayala. The event was organized by Ayala Corporation to strengthen the sustainability initiatives in the group. Lory Tan, WWF President, Philippines and Adam Brennan, Global Sustainability Manager for Puma, were speakers at the event who shared their views on the Climate Adaption Project in the Philippines by WWF and on implementing sustainability measures in their organizations respectively. At the end of the Sustainability Summit JAZA’s message was “We all have a big job to do”. This statement makes clear the vision and direction given by the Chairman to its subsidiaries.

In their third conglomerate sustainability report, it reinforces the group’s commitment in creating shared value to the broader communities in which they operate. It highlights Ayala’s pledge to improve their sustainability impact through their operations, products and services, supply chains, human resources practices, community involvement and management approach.

After helping Globe Telecom’s 2011 Sustainability Report and helping them achieve a B+ level of external assurance, ECCI assisted Ayala Corp to attain GRI Application Level B Check for the report to strengthen the credibility of the report.

Being one of the leading training and consulting companies in Southeast Asia, ECCI has been taking active participation in helping companies develop their sustainability initiatives and disclose them through reporting. Some of the key areas where ECCI helps clients are Energy Management, Carbon Footprint, Sustainability Reporting and CSR.

For more information on ECCI’s Corporate Sustainability & Governance services portfolio, please email

ECCI helps Indra achieve another milestone – CMMI Dev v1.3 ML 3 Appraisal

On May 25, 2012, Indra was appraised at Maturity Level 3 of CMMI Dev v1.3 for the Software Development Practice. CMMI is a process improvement approach that provides organizations with the essential elements of effective processes that ultimately improve their performance. An appraisal at maturity level 3 indicates that the organization is performing at a “defined” level. At this level, processes are well characterized and understood, and are described in standards, procedures, tools, and methods. The organization’s set of standard processes, which is the basis for maturity level 3, is established and improved over time.

Indra Philippines is one of the leading IT services providers in the Philippines and in Southeast Asia. Indra, with headquarters in Spain, has been operating in the Philippines for the past 17 years, providing a wide range of services across various industries. Indra’s global as well as local experience in systems development and integration, business intelligence, management consulting, managed services and outsourcing of IS/IT operations put the Philippine affiliate in a strong position to be able to respond effectively to the requirements of the various markets not only in the country but also in the Southeast Asia region.

ECCI consultants worked in collaboration with Indra’s Quality Assurance team – working with them as a partner throughout the project providing guidance to help them implement the required processes for this appraisal. The appraisal is a testament to Indra’s remarkable commitment and dedication to quality and process improvement.

With this, Indra is now better equipped to manage critical business processes for continuous operations. The appraisal is also a testament to Indra’s capability to provide better quality services to their valued clients.




ECCI takes part in the 49th PMAP Annual Conference in Cebu City

ECCI participated in the recently concluded 49th PMAP Annual Conference. The three-day conference was held at the Waterfront Hotel, Lahug Cebu City last September 12-14, 2012. Mr. Karthik Subburaman, ECCI Philippines Country Manager, was invited as one of the guest speakers with the featured topic Revolutionizing People Productivity: New Approaches to Measuring Employee Productivity. This is in line with this year’s conference theme, “Revolutionizing People Management: Great Minds. Bold Changes. Unparalleled Results.” It is a reflection of the wave of revolutions on the political front and how businesses and organizations share the same challenge of not only changing our leaders but also changing the way we lead people.

PMAP Conferences, being the most prestigious and well-attended in the country, drew together over 1,300 delegates from all industries across the nation. The first and second days of the conference featured plenary sessions by CEOs and organizational leaders from various industries including who tackled the changing business environment and strategic role of HR in leading and executing HR programs to transform and support business goals. Focus areas for days one and two were: Deepening Leadership Bench, Driving Innovation, and Accelerating Talent Development.

The final day of the conference featured breakout sessions and workshops with topics on Talent Acquisition, Organizational Change, People Productivity and People Engagement. Delegates also had the opportunity to participate in creating and managing their own agenda around the central theme of the conference through Open Space Technology.

The conference also featured dozens of exhibit booths greatly supported by local companies. ECCI had the opportunity to showcase its e-Learning and Learning on Demand products including the HR and Standards and Compliance toolkits.