When our company decided to pursue the ISO 9001:2015 (latest version) certification, I worried about the possibility of having to create tons of documentation. ISO 9001:2015
sets out the criteria for a quality management system and is the only standard in the family that an organization can be certified to. Luckily, taking a deep dive into the ISO 9001 specification proved my worries wrong. There were many amendments in the 2015 version of ISO that go hand in hand with the way Agile projects are executed. We discovered that we didn't have to write volumes of documentation; rather, one or two extra documents served our purpose. Embracing the ISO journey assured us that whatever we stated was being done, and whatever was being done was stated.
ISO 9001:2015 focuses on the quality of your entire management system. This system brought to light many grey areas throughout our process. Internal audits helped us uncover the flaws. ISO states, "Say what we do and do what we say." For an Agile-centric organization, the challenge is the "say" part of it. But the beauty of the ISO 9001:2015 version is that we didn't have to change any existing processes to adhere to any of the clauses. Rather, it helped us to identify many gaps, which in turn made our Scrum process stronger and more efficient.
ISO talks about the Plan-Do-Check-Act (PDCA) cycle as the basis of the quality management systems. Let me first summarize how PDCA is similar to the way we do sprints.
- Plan. We plan for the current sprint and the future sprint through backlog grooming and sprint planning.
- Do. We execute the sprint through the sprint backlog.
- Check. We review and retrospect the sprint through the sprint review and retrospective.
- Act. We act on retrospective outcomes and plans for continuous improvements.
Here's how we found that the ISO 9001:2015 quality management system maps to Agile methods.
Backlog grooming and sprint planning: Quality objectives and impediment handling
Apart from the organizational risks, it was easy for us to adapt to risk-based thinking, which is the core of the ISO 9001:2015 version.
We develop in two-week sprints, and when we do the sprint planning on day one, we take into consideration all factors that will impact the commitment. This is analogous to the risks that we foresee for the next two weeks. The only change that we implemented is that previously we didn't track the risks. By adapting to the ISO world, we now have a risk tracker or impediment log in place. Each Scrum team proactively enters any risks that it foresees for the sprint. The daily stand-up also helps us ensure that we check for risks/issues faced by the team.
Overall, Agile methods fit well into the risk-based approach that ISO follows.
Agile process and tools: Maintaining documented information
The ISO myth says you have to be well equipped with a lot of documentation. In the 2015 version, the ISO myth is debunked; it clearly states that documented information is accepted in any format, which is a blessing, especially for software companies. Your knowledge base, your e-document repository, tools, etc., are treated as documented information.
We use the AtlassianTM
suite to store all our project-related artifacts, which are version controlled and easily traceable. Any documentation related to projects is always kept in Confluence, and hence it is very useful during the audits. If the Scrum process is balanced by use of a valid tool, it really helps us to be one step closer to getting certified in minimal time.
Management support: Focusing on leadership
As they say, "T
ore" (Team). In our case, we had strong support and motivation from management. Any changes to the process were discussed and debated, and then the process was rolled out. The intensity and involvement from the management side is important in achieving this crucial milestone.
A core leadership team was formed during the ISO activities. I recommend that you seek continuous support from leadership during this time. Leadership involvement is checked during the audits as well. Leadership has to support the organization's quality objective and policy. Leadership should meet frequently to check on the health of any team. Make sure to record and monitor the outcome of meetings and capture the effectiveness of an action-item implementation.
Becoming ISO certified proved that we were a customer-centric organization. Because our team (product development) doesn't interact with the end customers, we all agreed that our customers are our product owners (POs). PO feedback was collected for the first time, and we acted on the feedback with a definitive action plan, recording the outcome. We also decided to collect PO feedback every six months to ensure that customer requests are always given importance. Many of the feedbacks were eye-openers, and we got a chance to tweak the process to produce a better-quality product with enhanced customer satisfaction.
Sprint execution: Delivering value
End-to-end traceability can be measured accurately if your organization is using a tool to capture the user stories and all the sequential activities.
Traceability is a key factor that auditors are interested in. In Scrum, as we perform small chunks of work in each sprint, we may not have a high-level sequence diagram and then a low-level sequence diagram, as in Waterfall. Nonetheless, the Scrum architecture evolves and emerges. This concept may be difficult to digest for auditors who come from the old school of thought. Therefore, if you can trace from a user story all the way to its design, code, test cases, and bugs (if any), it really helps during the audits.
Be ready to show the traceability from an epic or user story to its deployment in production. Walking through this traceability really helped us identify where we were lacking documentation and where the process had to be strengthened or improved. Undergoing a couple of informal audits and providing awareness sessions to teams are a few of the core activities that help a team face the external audits with confidence.
Review and retrospective: Ensuring continual improvement
The ISO 9001:2015 version removed preventive action and focused more on continuous improvements. During our audits, we showed the continuous improvements sprint after sprint. Retrospectives are great ways to portray this. Any other organizational activities, such as Hackathons, tech talks, or process change forums, can qualify for continuous improvements. Since continuous improvement is inherent in Agile methods, it is easy for an Agile-centric organization to highlight this specific area.
Getting the ISO certification is not an easy job, but with proper guidance from ISO gurus, unwavering support from leadership and your team, steady support from your support functions (HR, IT, procurement, and the talent acquisition team), as well as proper planning, you can achieve the world's most trusted certification. And yay! We are proud to say that we are ISO 9001:2015 Certified!
Anand Paropkari, "ISO 9001:2015: 7 Things You Should Know." LinkedIn Pulse
. October 23, 2015. https://www.linkedin.com/pulse/iso-90012015-7-things-you-should-know-anand-paropkari?trkSplashRedir=true&forceNoSplash=true