Project Review Insights

CCAT Audit and Its Relationship to ISO Standards


You have probably heard the terms “CCAT” or “Corporate Audit” several times within your company, either directly from your management or from the Quality/Risk functions, who are busy preparing for the annual corporate audits and using jargon like CCAT and ISO, along with some crazy long numbers.

So, what is a CCAT audit, and how does it relate to ISO standards?

Let’s take a closer look at some of these audits and their criteria.

I have gone through several internal and external audits in my career. The first question I had the moment I heard of a CCAT audit was: what is the abbreviation, and who are they?

People who have been part of these audits for years may not even know the abbreviations or the actual purpose of doing it. So, it’s important to educate your teams on the purpose of these audits.

So, getting back: what is CCAT?

Connecticut Center for Advanced Technology, Inc. or Corporate Certifications Audit and Assessments Team (in short, CCAT)

In simple words:

The CCAT program is designed to provide practical tips and skills for auditing ISO 9001-based quality management systems to ensure that required standards are met.

In short, CCAT provides internal auditing techniques (audit preparation, planning and reporting) to help companies get certified to ISO 9001.

CCAT | Connecticut Center for Advanced Technology, Inc.

CCAT Announces Process Auditing Workshop for ISO 9001 (prweb.com)

I am sure your organization might have similar groups who audit the areas below before heading into the external ISO audits.

What is ISO and what is its purpose?

ISO – International Organization for Standardization

ISO is derived from the Greek ‘isos’, meaning equal. The founders just called it ISO, though the organization has different names.

It is an independent, non-governmental international organization with a membership of 165 national standards bodies.

Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.

Think of standards as a formula that describes the best way of doing something.

It could be about making a product, managing a process, delivering a service or supplying materials – standards cover a huge range of activities.

Standards are the distilled wisdom of people with expertise in their subject matter and who know the needs of the organizations they represent – people such as manufacturers, sellers, buyers, customers, trade associations, users or regulators.

  1. ISO 9000 Family: Quality management standards to help work more efficiently and reduce product failures.
  2. ISO 14000 Family: Environmental management standards to help reduce environmental impacts, reduce waste and be more sustainable.
  3. ISO 45001: Health and safety standards to help reduce accidents in the workplace.
  4. ISO 50001: Energy management standards to help cut energy consumption.
  5. ISO 22000: Food safety standards to help prevent food from being contaminated.
  6. ISO/IEC 27001: IT security standards to help keep sensitive information secure.

The above-mentioned standards are defined and explained in depth here – ISO – Standards

PS: I have experience covering Quality Management Principles and Security Audits, so my coverage will be mainly around these areas. Please feel free to go through the above links to learn more about the rest of the standards or best practices.

How did this all get started?

In London, in 1946, 65 delegates from 25 countries meet to discuss the future of International Standardization. In 1947, ISO officially comes into existence with 67 technical committees (groups of experts focusing on a specific subject).

Go through the ISO Story here on how they started and where they are: ISO – About us

ISO does not perform certification or issue certificates; instead, it develops international standards, and the actual audits are performed by external certification bodies. ISO – Certification

ISO 9001:2015 – Quality Management System

Adopting a quality management system is a strategic decision for an organization that can help to improve its overall performance and provide a sound basis for sustainable development initiatives.

The potential benefits to an organization of implementing a quality management system based on this International Standard are:

  1. the ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements;
  2. facilitating opportunities to enhance customer satisfaction;
  3. addressing risks and opportunities associated with its context and objectives;
  4. the ability to demonstrate conformity to specified quality management system requirements.

The ISO 9001 standard requires your organization to address seven key areas.

The seven quality management principles are:

  1. Customer focus – Increase benefits towards customer value, CSAT, loyalty, repeat business, reputation of your organization, customer base, revenue and market share.
  2. Leadership – Establish unity of purpose and direction and create conditions in which people are engaged in achieving the organization’s quality objectives.
  3. Engagement of people – Competent, empowered and engaged people at all levels throughout the organization are essential to enhance its capability to create and deliver value.
  4. Process approach – Consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system.
  5. Improvement – An ongoing focus on improvement.
  6. Evidence-based decision making – Decisions based on the analysis and evaluation of data and information.
  7. Relationship management – For sustained success, an organization manages its relationships with interested parties, such as suppliers.

Quality management principles – This document provides the key principles, why the set principles are important, examples of benefits associated with each principle and actions to improve.

ISO/IEC 27000 Family — Information security management (ISMS)

An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

Here are some of the ISO 27001 requirements which are clearly explained in detail – ISO 27001:2013 – Requirements and Annex A Controls

The above certification helps you to identify the risks, assess them and put systematic controls in place.

Work with your Risk Management Team to put appropriate controls in place.

Note: while displaying your certificate ISO – Certification

Conclusion

Setting up all these standards effectively as part of your governance model and delegating some of these key tasks to your team members will increase the understanding of these audits and enable your delivery teams to provide better value to stakeholders (both internal and external).

More importantly, you don’t have to spend too much time preparing the documents for these audits, as you will already have all of them prepared and thoroughly updated as part of your configuration management.

I do hope you now have an idea about the CCAT audit and how it is related to ISO standards.

Do you have any interesting stories from preparing for these audits? Please leave your comments below.

Once again, thank you so much for taking the time to read this article. For more content on Project and Operations Management and best practices, I encourage you to explore my other articles here at Project Insights – for best practices and real project experience (www.projinsights.com)

Your comments and feedback are always welcome and appreciated.
