FUJ00117290 - BSI Assessment Report


Assessment Report

BSI Management Systems

Organisation: Fujitsu Services Limited

Report Author: John Cooper

Visit Start Date: 29/05/2007

Introduction

This report has been compiled by John Cooper and relates to the assessment activity detailed below:

Visit ref/Type/Date/Duration: 7034247 / Continuing assessment / 29/05/2007 / 3 day(s)

Certificate/Standard: FS 00445 / BS EN ISO 9001:2000

Site address: Fujitsu Services Limited, Lovelace Road, Bracknell, RG12 8SN, United Kingdom

The objective of the assessment:

Continuing assessment against the requirements of both ISO9001:2000 and the TickIT Guide version 5.0,
aligned to the agreed arrangements outlined in the Fujitsu Service UK 2007/8 delivery plan.
Emphasis on the Software development process around the Royal Mail Account and associated
measurements.

Management Summary

A document has been produced to ensure deviations from core processes are appropriately approved and
effectively managed.
[This process is effective]

The areas assessed exhibited extremely good alignment between organisational policy and objectives. [This
area is effective]

Frequent local executive reviews are held to ensure alignment of organisational policy, strategic planning and
objectives. Results from monitoring account performance also form an integral part of executive meetings.
The Horizon Account is stable and generally operates within expected parameters.

[This area is effective]

HNG-X Account is embryonic and is still in a state of flux, issues exist concerning resources, planning etc.
[This area was generally found to be effective]

Processes within the POA show a good approach to the ethos of adopting the process approach; outputs
from one process can easily be traced to the input criteria of the next process. Internal audits have facilitated,
monitored, tested and taken appropriate corrective action(s) to ensure the process approach to the
BMS is adopted successfully.

[This area was found to be effective]

Third party supply management appears to be well managed within the business and manages to effectively
detect poor performance, e.g. third party supplier to HNG-X project.
[This area was found to be effective]

With the recent changes to the HNG-X project, resource planning has been a difficult area to manage. This has
most probably been caused by the requirement to use core services (e.g. non-local test beds) and the
realignment of the HNG-X plan. To alleviate resource issues, including resources from core, a new resource
manager was appointed as a result of Red Alert 892.

The new appointment has greatly reduced some of the earlier issues with resources for projects.

[Post new Resource Manager appointment; this area was found to be effective]

Account Performance measures are taken very seriously and are regularly monitored, effective preventive
and corrective action methods are in place.
[This area was found to be effective]

There were no outstanding issues/nonconformities to review from previous assessments.

4 issues requiring attention were identified. These, along with other findings, are contained within subsequent
sections of the report.

An issue relates to a single identified lapse, which in itself would not indicate a breakdown in the
management system's ability to effectively control the processes for which it was intended. It is necessary to
investigate the underlying cause of any issue to determine corrective action. The proposed action will be
reviewed for effective implementation at the next assessment.


Areas Assessed & Findings
Arrival and opening meeting. Jan Holmes

Introduction and Overview
<< ISO9001:2000 (TickIT) >>

Project Management of Horizon and its ongoing maintenance runs relatively smoothly, primarily due to it
having established processes and a reasonably stable group of people. However, its replacement HNG-X
has been subjected to a number of changes that have caused issues with the overall delivery
schedule. Executive management are reviewing the project plan and resource requirements as the plan
ramps up for installation in 2008.

All Employees spoken to undoubtedly have a commitment to provide the contractual service levels for
projects, they were also aware of their objectives and the importance attached to meeting them.

The competence displayed by staff is extremely high and communication across the teams appears to work
effectively.

Overall a very positive impression of service delivery for Horizon was observed across the various functions
audited. HNG-X is still embryonic, emphasis is being placed on delivery requirements by ensuring the
correct cross functional teams are in place. The approach taken to HNG-X is different to that used for
Horizon in that close relationships have been established with the customer to ensure their requirements
are built in to the projects right from the requirements side through to its eventual delivery.

Opening Meeting Jan Holmes

Account Director - (29 May 07) Mr Ian Terblanche

Communication and transparency is seen as a priority by the Account Director and to ensure effective
communications he carries out an executive briefing of all staff where "headline news" is announced; this is
really an opportunity to reflect on current successes, lessons learned and strategic planning for the future.

In addition there are regular team emails and monthly executive team meetings to ensure objective
alignment occurs for all staff.

Service levels and requirements are regularly discussed at both internal and customer meetings; typically
these include:

• Tuesdays - Internal review Meeting.
• Wednesday - Internal Project Board Meeting.
• Thursday - External Project Board Meeting.
• Friday - Level Two Planning Meeting.

Service Delivery to Post Office Ltd (POL) - (29 May 07) Naomi Elliot, Liz Melrose, Peter Thompson, Steven Taplin.

The aim in this area is to provide a defined service level to the branches; (this includes areas such as the
data centre, networks support and system monitoring) the service level is defined in the service description
document. Performance against this document is monitored against eighty two service level targets and is
monitored formally each month using the same format as defined in the service review book. Reported
service levels are communicated both in house and externally with the customer.

Any deviations from the agreed service level are reported to the Customer Services Director and if
appropriate they are added to the risk register.

The service levels are formally documented within contractual documents; these are consistently reported in
a customer agreed format. All staff interviewed were aware of the departmental objectives and what their
expected contribution was in respect of their achievement.

The expected service levels are realistic but it was noted that some targets for service delivery are not
wholly dependent on the performance of the group involved in delivery of the service, e.g. the target
documented in one service review book required "software incidents resolved by a re-boot in <=30 minutes
should be 100%"; this is an ideal target but it requires that the user calls back within 30 minutes of placing the
call.

HNG-X Design & Development - (29 May 07) Gill Jackson

This area is responsible for the managing of teams, coding, unit testing, new work and modifications. User
requirements are effectively captured within the "DOORS" system.

Project "Moneygram" was selected and its progress monitored through the change process CP4269, the
introduction of a new data this was effectively traced through the version control, design and design
acceptance processes.

Horizon Design and Development - (29 May 07) Pete Ambrose

Primarily this area is involved in Horizon post design activities through to system test. Changes typically
originate from in house requirements but can also originate from the customer. If this results in a high level
design it will be passed to the design activity.

Occasionally small HNG-X projects fall into this area but this is as an exception rather than the rule.

Code is generally tested on the fly within the group but final testing is carried out by an independent group.
Change request CP4143 was tracked through the design and development process, however, this change
had not yet reached the final test stage.

*Change Request CP4143, the addition of RIP command !z !Z and !G
The unit test plan did not show the CP reference for additional testing required for XML data and new !z rip
commands.

Application Development - (29 May 07) Annie Stredwick

The principal function of this area is dealing with business cases from requirements in Horizon for counter
and access counter development; requirements are stored in "DOORS".

Released requirements from the requirement manager are held in a local spreadsheet along with the
release requirements. Models are produced and when it is felt ready they are put forward for peer review;
following successful peer review, Java units and test specifications are produced.

Source is held in CVS; after hand over the code is subjected to component integration testing and on
successful test documentation is pulled together for the technical authors, e.g. high and low level design
documents for the formal review process.

Bugzilla, an open source bug reporting system, is used prior to test but post test "PEAK" is used to track
bugs.

System Integration Director - (29 May 07) Martyn Hughes

The current incumbent has only been in position for around three weeks so a general approach was used to
understand strategic planning, objectives, change control, project logs, lessons learned and CMMI
processes.

General project processes and governance meetings were discussed and the methodology of recording
these formally was determined as being on the spotlight system.

Infrastructure - (30 May 07) Chris Beddoes, Dave Tanner

Currently the HNG-X project transition process has approximately 29 designers on board, the project
involves Networks, System and Estate Management, System Recovery and Platform and storage.

The original project plan is currently under review due to time slippage on the project, primarily caused by
resource shortages, integration into core services, underestimation of migration timescales and continuing
changes to requirements. Resources that used to be immediately available, such as the test rig, are now off
site and this has reduced flexibility. The new project plan is still in the design stage and has not yet been
agreed and finalised.


Integration Manager - (30 May 07) David Hinde

The function of the integration team is to take deliverables from development and infrastructure teams and
reintroduce back into the configuration system "Dimensions".

The area has recently had its scope of operations broadened to include building definitions and building in
governance, to date only one release delivery has occurred.

Drop dates are currently being revised in terms of what is dropped within defined timescales, this is still
waiting to be formalised within "Dimensions".

The first drop occurred in early 2007 and Int2 has just been dropped, it is anticipated that by drop 4 the local
processes in line with Core processes will have been formalised and documented.

* Evolving integration process documents at the local level are yet to be aligned with core processes.

Release Manager - (30 May 07) John Budworth, Sarah Payne

Sarah Payne

The release management process is currently awaiting approval following feedback from Inf1. A second
draft is now being produced and is held within Dimensions; in fact it is planned that the whole release
process will work within Dimensions.

The prime function is to build system test rigs with particular base lines, sent to Dimensions, authorised and
child MSC raised.

PC0145919, clarion storage for HNG-X-INF2 Parent 043j0107959, Child 043j0107959-02, build instruction
Dev/INF/LLD/0015.1S was tracked through the MSC system and release note process, no issues were
raised.

John Budworth (Software code fixes, Daily processes)
For new functionality a CP is generated. PEAK is the system used to control releases for Horizon.

User calls are raised via the call centre in the "Power help system"; if the call centre is unable to resolve the
problem or a bug is found, a PEAK is created and development weigh up the risks; in turn this may be
discussed at the weekly meeting to weigh up the value of the fix.

The tracking of Incident management is via PEAK.

PEAK reference PC014036 was chosen and followed through PEAK to evaluate the effectiveness of record
keeping within PEAK, all records relating to this PC were effectively recorded.

Test Manager - (30 May 07) Peter Dreweatt

The test team in this area is responsible for functional testing of Horizon and HNG-X systems; though the
amount of test work on Horizon is reducing as HNG-X is being developed.

Inf1 is the only code that has passed test and been delivered; appropriate records were found to
demonstrate its progress through the testing.

Presently there is no formal method of recording where actions from lessons learned are transferred to or
closed, i.e. where records of resolution of these issues lay.

Resource Manager - (30 May 07) Peter Davenport

This is a newly created function developed from Red Alert 892 and is designed to chase resource requests.
The issues revolving around HNG-X development resources have resulted in a second quality alert (949);
however it is fair to say that the introduction of this position has reduced the number of resource requests
outstanding.

Security Manager - (30 May 07) Brian Pinder, Peter Sewell

The security manual is an integral part of the contract documentation and forms the basis of the
organisation's security policy.

An audit of the process of issuing, tracking, cancellation and withdrawal of security tokens was undertaken.

A volunteer's token was validated against the list of approved token holders held on the local recording
system to ensure the token had been appropriately registered; the volunteer's token had been registered.
Lost tokens can be revoked via the local secure terminal or via an offsite unit; this was again validated
against the locally held list of token holders and was found to be correct.

System virus definitions and system software patches are recorded in the vulnerability register and applied
monthly.

The vulnerability register records system vulnerabilities; these are recorded in the PEAK system and are
evaluated by the appropriate operational team to evaluate the actual or perceived risk to the system.
Presently there are a number of vulnerability issues that have not been recorded as being resolved; in some
cases this appears to be due to the fact that some teams asked to evaluate vulnerabilities do not have
access to PEAK.

Records need to be generated to demonstrate that actual or potential risks have either been considered and
dismissed or rectified.

HR Manager - (31 May 07) Chris Bridgland

The HR function in the PBU is a generalist function covering the planning, implementation, measurement
and reporting upon core HR policy that is held on Café Vic, no parallel local procedures exist.

The area of appraisal monitoring was selected for audit. Currently the level of completed employee
appraisals stands at 66% even though the target date for the completion of employee appraisals is the end
of May 07. Presently completion of employee appraisals does not form part of the managers' performance
targets but it is anticipated this will be introduced.

Any delinquency in employee appraisals is reported to both the manager responsible for carrying out the
appraisal and to director level.

Supply Chain - (31 May 07) Andy Tait

The area works to core processes and its main function is to manage migration between sites and
procurement.

Objectives include the forward planning of expenditure, monitoring expenditure against plan and to
maximise the effectiveness of controlling purchasing costs within defined targets; this is reported in PL.
Orders are placed on corporate via the "CAFOS" system; corporate also measure the performance and
selection of suppliers though supply chain performance can be fed back directly.

* Opportunity for improvement.
Visibility of approved suppliers is not currently available to people based in the local procurement area;
there may be potential efficiency benefits to be realised if access to these people were to be granted.

Sales and Marketing - (31 May 07) Ian Terblanche

Overall business objectives are tiered down into lower level objectives and KPIs; these are monitored to
better understand developing trends within the processes.

Currently the PO is the largest area of spend and is financed by the government, all other RMG units are
self financing. Growth opportunities are less feasible within PO than other RMG's and it is anticipated that
additional effort will be put into the RMG area.

A regular RMG marketing newsletter is produced to highlight successes within RMG and it is anticipated
that this will help make potential customers more aware of the products and services available from Fujitsu.


Assurance Manager - (31 May 07) Jan Holmes

Processes such as policy, objectives, customer satisfaction, corrective and preventive actions have been
covered within the individual areas defined within this audit.

The internal audit process has been fully aligned with core processes, no deviations have been sought.

The local, internal audit plan for 2007 has been defined, authorised and implemented and the 2006 internal
audit schedule has been formally closed down. The latest schedule defines the areas to be audited such as
T releases, HNG-X, third party suppliers, appraisals and joint audits with POL.

The audit plan and detail reports demonstrate effective process coverage, positive audit trails are recorded
and corrective actions are raised and closed out appropriately.

Monitoring of open corrective actions takes place until effective closure is obtained, monthly reports
detailing corrective actions, corrective action trends, process performance and are produced and presented
to executive management for their consideration.

Issues Arising from this Assessment

Ref: A88325/1
Area/Process: Horizon Design and Development - (29 May 07) Pete Ambrose
Clause: 7.3.7 ISO 9001:2000
Details: Change Request CP4143, the addition of RIP command !z !Z and !G
The unit test plan did not show the CP reference for additional testing required for XML
data and new !z rip commands.

Ref: A88325/2
Area/Process: Integration Manager - (30 May 07) David Hinde
Clause: 4.2.1 ISO 9001:2000
Details: Evolving integration process documents at the local level are yet to be aligned with core
processes.

Ref: A88325/3
Area/Process: Test Manager - (30 May 07) Peter Dreweatt
Clause: 7.2.2 ISO 9001:2000
Details: Presently there is no formal method of recording where actions from lessons learned are
transferred to or closed, i.e. where records of resolution of these issues lay.

Ref: A88325/4
Area/Process: Security Manager - (30 May 07) Brian Pinder, Peter Sewell
Clause: 7.2.2 ISO 9001:2000
Details: The vulnerability register records system vulnerabilities; these are recorded in the PEAK
system and are evaluated by the appropriate operational team to evaluate the actual or
perceived risk to the system. Presently there are a number of vulnerability issues that
have not been recorded as being resolved; in some cases this appears to be due to the
fact that some teams asked to evaluate vulnerabilities do not have access to PEAK.
Records need to be generated to demonstrate that actual or potential risks have either
been considered and dismissed or rectified.


Assessment Participants

The assessment was conducted on behalf of BSI by:

Name            Role
John Cooper     Team leader

... and on behalf of the organisation:

Name            Position
Jan Holmes      Assurance Manager

Next Visit Plan

Visit objectives:
As detailed in the published plan, recommendations to be found in appendix to this report.

Visit scope:

Continuing assessment against the requirements of both ISO9001:2000 and the TickIT Guide version 5.0,
aligned to the agreed arrangements outlined in the Fujitsu Service UK 2007/8 delivery plan.

Emphasis on the Software development process around the Royal Mail Account and associated
measurements.

Date / Assessor / Time / Area/Process / Clause

Assessor: John Cooper
Area/Process: Recommendations for the next visit have been detailed in the appendix to this report.
However these will be confirmation will be in the published schedule of audits for 2007/8. Once
agreed the visit plan will be notified to the location so that appropriate timings can be assigned
to each portion of the schedule.

Please note that BSI reserves the right to apply a charge equivalent to the full daily rate for cancellation of the
visit by the organisation within 30 days of an agreed visit date. It is a condition of Registration that a deputy
management representative be nominated. It is expected that the deputy would stand in should the
management representative find themselves unavailable to attend an agreed visit within 30 days of its
conduct.


Notes
The assessment was based on sampling and therefore issues may exist which have not been identified.

If you wish to distribute copies of this report external to your organisation, then all pages must be included.

BSI, its staff and agents shall keep confidential all information relating to your organisation and shall not
disclose any such information to any third party, except that in the public domain or required by law or
relevant accreditation bodies. BSI staff, agents and accreditation bodies have signed individual confidentiality
undertakings and will only receive confidential information on a ‘need to know' basis.

‘Just for Customers’ is the website that we are pleased to offer our clients, designed to support you in
maximising the benefits of your BSI registration - please go to www.bsi-emea.com/JustForCustomers to
register. When registering for the first time you will need your client reference number and your certificate
number.

The CO2 emissions due to the planning, delivery and administration of this assessment have been fully
offset through the BSI CarbonNeutral® project. For more information on CarbonNeutral® please visit
www.bsi-uk.com/carbonneutral.

Should you wish to speak with BSI in relation to your registration, please contact our Operations Support
Team:

BSI Management Systems UK
PO Box 9000

Milton Keynes

MK14 6WT

Tel: +44 (0)845 080 9000 Fax: +44 (0)1908 228123


Appendices

This account requires a TickIT auditor.

Assessment Record and Future Plan (TBC)

Columns: Assessed 2007 / Next Plan Date TBA
[Per-area entries in these columns are not legible in this copy.]

Areas:

Account Directorate / Manager
Sales
Bid Management
Service Delivery Manager
Change Management
Quality Management
Risk Management
Local Process Owner
Communications Manager
Core Service Delivery areas
Solutions Architect (CSA) - IDBM
Technical Strategy
Prog / Project Management
Consultancy
S/W design & dev (ADBM)
S/W Support
Tech Support
Test
Integration / Release
Infrastructure (IDBM)
Network Design Support
Call Centres / Helpdesk
Field Engineers
Deskside Engineering
Supply Chain / Logistics
Data Centres
Procurement / Supplier Management
Security Requirements (sample any IS area)
Shared Services
HR
Commercial
Marketing
Finance
links to Core

Potential Projects for sampling (Confirm during assessment planning):

HNG-X
Horizon

Assessment Themes:

Local processes link BMS.
Cascade of Strategy / Objectives
Management Review activities
Process Approach
Third party supplier management
Resource planning
Performance Measures
Sense & Respond Accredited ?