What are ISO 9001 and 27001 standards and why are they important if a company is seeking to become a supplier for NATO procurement? And what does NATO's AQAP-2110 mean? These were some of the issues discussed at a coffee morning organised by the SEMUKAS project in Kaustinen.

Saija Pottala, SK Protect's Development Manager, introduced the audience to the basics of ISO 9001 and ISO 27001 standards and presented the PRO24 HSEQ system developed by Protect. Ms Pottala emphasised that the ISO management system standards have been designed to be suitable for companies of all sizes.
- ISO standards do not, for example, tell you how to do things. Instead, it is up to each company to decide how to meet the ISO standards. It is all about customers and customer satisfaction.
ISO 9001 defines an organisation's quality management system. It contains elements that, once defined, let everyone know what is done in a company, why and how. This makes operations clearer, more transparent and easier to manage, which in turn improves the quality of operations, streamlines processes and improves customer satisfaction.
- Processes are also documented, making it easier to train new employees, for example. In addition, staff are brought into a common way of working, which leads to efficiency gains and probably cost savings. When things run smoothly, staff are happy and this is reflected in customer satisfaction.
One of the key elements of management standards is continuous improvement. Once you have a description of your operations and processes, it's easier to improve them. Pottala said it's possible to improve things in small steps all the time when you have a way of doing things and a way of evaluating what you're doing.
- My own view is that in practice all companies have a quality management system in place. It is another matter whether it is written down or whether it contains all the elements required by the standard. If the management system is certified, then it is easy to demonstrate to the outside world. Nowadays, many subscribing customers require suppliers to have a certified system.

Saija Pottala, Development Manager, SK Protect Oy.


ISO 27001 and PRO24 HSEQ system

ISO 27001 is a management system standard for information security, which Pottala says has the same basic structure as ISO 9001. If a company has an ISO 9001-compliant system, it is worth including an information security aspect. The ISO 27001 standard includes a mandatory annex on risk management measures, which should also be reviewed separately.
- ISO 27001 protects the company's business and tells customers and other stakeholders that the company is managing its risks, helping to meet legal requirements such as data protection and reducing the risk of data breaches and leaks.

Pottala also talked about Protect's PRO24 HSEQ system, which she described as a modular management system platform.
- Once a company has a management system in place, it needs to be documented somewhere. Standards bring requirements for things like incident management, recording and handling, as well as a place to do risk assessments and opportunity assessments. The PRO24 HSEQ system includes, among other things, the above elements of a management system, i.e. it provides a clear platform for these activities.
- It also includes document management and an induction and training component to manage qualifications, Pottala said, listing examples.

- One of the best modules in my opinion is the desktop view, where you can easily make the content of the management system available to everyone, she continued.

AQAP-2110 ensures high quality of products and services

Geopolitical changes and the global situation have put enormous pressure on the growth of the defence industry market.
- ISO 9001 has long been the international basis for quality management, providing a structure for systematic improvement of operations and process management. The AQAP (Allied Quality Assurance Publications) requirements are additional requirements developed specifically for the defence industry, building on the ISO 9001 system, said Miia Aaltonen, Division Manager, Kiwa Certification Ltd.
NATO's AQAP is a set of quality standards and guidelines developed by NATO to ensure quality management in the defence supply chain. The Finnish Defence Forces require defence equipment suppliers to comply with NATO's AQAP publications in their procurement contracts.

Defence material is defined as material suitable for military use, but it can also be a dual-use product suitable for military purposes in addition to civilian use.
- The armed forces, like NATO, do not require AQAP certification. However, they do require that companies supplying products or services operate in accordance with AQAP requirements. If AQAP-compliant activities are to be certified, the basis must be a certified ISO 9001 system, Aaltonen said.


Miia Aaltonen, Division Manager, Kiwa Certification Ltd.


"AQAP requirements are not rocket science"

AQAP emphasises risk management and the resulting anticipation, configuration management, transparency to the customer and active communication.
- There is a specific ISO 31000 standard for risk management, which needs to be extended to the supply chain. Main suppliers and subcontractors need to identify their own risks associated with the supply project. For example, if a defence contractor is sourcing from a local machine shop, the AQAP requirements will also apply to that machine shop.
- Configuration management comes into play when a company has its own product design, and there is a standard for that as well, to ensure that the configuration follows the product throughout its lifecycle, from product design to end-of-life, Aaltonen said, giving examples of AQAP requirements.
She reminded companies that AQAP requirements are ultimately not rocket science and not all requirements apply to all companies.
- But it is also important to remember that all the additional benefits that AQAP requirements bring will improve and enhance a company's operations. There is no need to fear certification either. It is just a small addition to ISO 9001.
