Comment by OkayPhysicist 4 days ago

14 replies

ISO9000 is, bar none, the most brilliant grift I have ever encountered. It's so simple, yet so elegant.

Step 1: Come up with an incredibly easy to meet standard (because you don't want anybody abandoning the process because it's too much of a hassle) that sounds like a reasonable requirement on paper (to make it easy to pitch as a basic requirement of doing business). Say, "Have a plan for the things you do".

Step 2: Add one additional requirement to your standard: "Prioritize Vendors that meet this standard".

Step 3: Obscure the hell out of the standard (to not make the grift too obvious) and stick it behind a paywall.

Step 4: Franchise out the (nigh-impossible to fail) "approval" process to 3rd parties, who pay you for the privilege.

Step 5: Your first few "standardized" companies put pressure on their vendors and customers to get certified, so they hire consultants, who in turn pay you, who tell them "Good job, you meet the standard. But do your vendors?".

Step 6: Watch as the cash floods in.

(Optional, Step 7): Once a bunch of major companies are certified, target governments to do your marketing push for you.

hluska 4 days ago

I’m reading the original tender and there is zero mention of ISO 9000. In fact, the tendering authority even specifically stated this opportunity was a good fit for SMEs.

Where does all this talk of standards come from?

  • marcus_holmes 4 days ago

    In the tender there's one line:

    > IV.1.8) Information about the Government Procurement Agreement (GPA) The procurement is covered by the Government Procurement Agreement: Yes

    Googling the UK Government Procurement Agreement got me to:

    > https://www.gov.uk/government/collections/government-standar...

    which was when I realised this was a rabbit hole and while I am positive that somewhere deep in that rabbit hole would be a requirement for all procurement suppliers to meet ISO9000 or similar, I was going to have to spend hours finding it. Hours I don't have.

    You can cheerfully dismiss this opinion if you like, I don't have the data to provide you evidence.

    But I also think this proves my point; if you have to spend hours just finding out what the requirements are, you probably don't meet them.

    • duckmysick 4 days ago

      It's there in the Model Services Contract, under Core Terms:

      > Quality Plans

      > 6.1 The Supplier shall develop, within [insert number] Working Days of the Effective Date, quality plans that ensure that all aspects of the Services are the subject of quality management systems and are consistent with BS EN ISO 9001 or any equivalent standard which is generally recognised as having replaced it ("Quality Plans").

      The Short Form Contract also has optional ISO 27001 or Cyber Essentials (which is, uh, an adventure on its own). But there's also an option for no certification required. It depends on the contract.

      But yes, you're right. Dealing with requirements takes time and experience and you likely need a dedicated person (or team) to deal with it.

  • Aeolun 4 days ago

    If this was a good fit for SME, and the price paid for the whole thing was 4M pounds, why didn’t any SME win the tender? Seriously, that’s the whole yearly turnover for most SME shops I ever worked at. And all of them could do a better job than this.

    • hkt 4 days ago

      That's possibly why: small businesses reliant on contracts that are, to them, disproportionately huge... well, they die at the end of the contract. HMRC killed off an OpenStack-based AWS competitor by replacing them, about ten years ago. Anchor clients can be a real hazard if an SME can't live without them. Sometimes it just isn't worth it.

  • lwhi 4 days ago

    For government tenders, I do know that agencies need certification. Maybe not ISO2001 (which is a security standard that many corporate procurement processes require the supplier to have obtained when purchasing software), but Cyber Essentials / Cyber Essentials Plus is common.

    • rcxdude 4 days ago

      Cyber Essentials is a lot more of a PITA than 9001, it's very prescriptive in ways that cause all kinds of headaches without helping security.

      • henryaj 4 days ago

        I absolutely hated doing Cyber Essentials (Plus). Huge waste of time.

pjmlp 4 days ago

Just like any other kind of certifications in the same domain.

Want to use enterprise product XYZ?

Need to have at least X amount of certified employees to reach the basic layer, additional certifications for the next layers.

The kind of support tickets, documentation and trainings available depend on the certification levels, and by the way they have to be renewed every couple of years.

However it is how the ball rolls in certain industries, and rebelling against it won't win anything, better switch jobs for those anti-certifications.

gerdesj 4 days ago

Please show me on the doll where ISO 9000 hurt you!

I have been an MD for 25 years. ISO 9001 reg. since 2006. It's been a bit of a pain at times but it does concentrate the mind towards doing things right. We've never used consultants, we've always just read and followed the standards.

What is your experience?

PS During our last assessment, the assessor described a few recent AI-written efforts they had come across. Laughable.

PPS I've been doing this for over 25 years and I think that a quality based approach to running a company is a good idea ... you?

  • Supermancho 4 days ago

    My father was an ISO9000 and ISO9001 certification consultant for over 10 years. He taught at Cal Poly Pomona, near the end of that era. This was my first exposure to using the familiar terms seen in RFCs like MUST MAY SHALL, etc.

    Ever tried to write a quality based document describing how to create an air filled, Japanese origami balloon? (step 3 is the first big hurdle, https://www.wikihow.com/Make-an-Origami-Balloon). That was his go-to starter for ISO classes.

    > I've been doing this for over 25 years and I think that a quality based approach to running a company is a good idea ... you?

    ISO standards don't ensure this, since certification is only based on verifying documentation format. What the ISO processes do tend to do is create a small memo indicating that every dept should justify the work they are doing by writing it down and showing it to their boss. What that does to an organization is to produce a crapload of near-useless documentation and throw a large number of people into political hell. After that, the solution is always the same. They quickly move from everyone trying to coordinate down to a very small number of people (1-3) taking charge of moving dept to dept. Either the agents or the supervisors who are articulate enough to gloss over inconsistencies and gaps to form a coherent story, write the documentation.

    While this may lend well to shoring up some companies' internals, in the early 2000s, ISO certification consultancy was a lucrative gig. It was chased as a stamp to mark up pricing, rather than a quality tool.

    • tverbeure 4 days ago

      I remember the backdated document signing parties at my previous company, the day before an ISO audit. So much fun!

  • napaparts 4 days ago

    I think "concentrates the mind towards doing things right" is an accurate statement. On the other hand the parent is also correct that it is almost impossible to fail and the requirements are too broad to actually have much effect. The most helpful thing is you get the knowledge and experience of an auditor for a day. Other benefits are having someone make you write your processes down and making it easier to replace people, making sure there is a chart documenting the relationships between the people and to have some language about dealing with customer complaints and defective produce.