
Monday, 20 March 2017

Transitions to ISO 9001, ISO 14001, AS 9100, AS 9110 & AS9120

The deadline for transition to ISO 9001:2015, ISO 14001:2015 and the Aircraft, Space and Defence Standards AS 9100D, AS9110C and AS 9120B is 15 September 2018.

While this may seem a long way off, it is important to remember that the transition, together with the correction and acceptance of any corrective action identified by an assessor, must be completed satisfactorily by the deadline date.

Both UKAS, for the quality and environmental standards, and IAQG, for the Aircraft, Space and Defence standards, have made it very clear that there can be no extensions or relaxation of the deadlines for any reason. Any organisation missing the deadline will be deregistered.

There is no appeal mechanism. The organisation will lose certification and will have to start from scratch to regain it. There is a fairly big cost involved in this, and loss of certification in the intervening period may result in inadmissibility for tenders and/or cancellation of contracts that require one or more of the standards as a mandatory requirement.

The revised Standards are quite different in their approach and require more involvement from Senior Directors and Managers. This can be a problem where the requirement for understanding and operating the standards has, historically, been delegated to others lower down the organisation.

We at Quality Matters have helped a number of clients to effect the transition, and while we have sought to make the systems simple to use, a number of top managers have been obliged to become engaged in them.

The Aircraft, Space and Defence Standards were issued at the end of 2016, but the transition dates have been aligned with the ISO standards, i.e. 15 September 2018, a fairly tight schedule.

We urge all holders of certification that are affected by these changes to ensure that their transition is carried out in good time to avoid loss of certification. Remember that you may be ready, but assessors are committed to a stage one assessment for the transition followed by a stage two on site, so assessor availability may be a governing factor.

Monday, 6 March 2017

A detailed look at ISO 27001: Part 4

Section 10: Cryptography

A cryptography policy must be developed and implemented. This must include:

  • The required level of protection;
  • The type, strength and quality of the encryption algorithm to be used;
  • Key management;
  • Integrity/authenticity, using digital signatures or message authentication codes.

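As an added illustration, not code from the original post, here is a small Python sketch using only the standard library of two of those policy items: integrity/authenticity via a message authentication code, and key management with key ids, rotation and destruction. The MacKeyStore class, the key id format and the policy constants are hypothetical choices made for this example.

```python
import hmac
import hashlib
import secrets

# Policy choices fixed in one place (values are hypothetical for this example).
ALGORITHM = "sha256"   # the approved MAC algorithm
KEY_BYTES = 32         # minimum key strength for that algorithm
TAG_BYTES = hashlib.new(ALGORITHM).digest_size

class MacKeyStore:
    """Key management: only the current key signs, older keys stay verify-only
    until destroyed, and each key has a short id that travels with the message."""

    def __init__(self):
        self._keys = {}      # key id -> key bytes
        self._issued = 0     # monotonic counter so ids are never reused
        self.current = None  # id of the only key allowed to sign

    def rotate(self):
        """Issue a fresh key and make it the signing key."""
        self._issued += 1
        key_id = "k%d" % self._issued
        self._keys[key_id] = secrets.token_bytes(KEY_BYTES)
        self.current = key_id
        return key_id

    def destroy(self, key_id):
        """End of life: messages protected under this key become unverifiable."""
        if key_id == self.current:
            raise ValueError("refusing to destroy the active signing key")
        self._keys.pop(key_id, None)

    def key_for(self, key_id):
        if key_id not in self._keys:
            raise KeyError("unknown or destroyed key id %r" % key_id)
        return self._keys[key_id]

def protect(store, message):
    """Return key-id header + message + tag; the header is covered by the MAC."""
    key_id = store.current.encode("ascii")
    header = bytes([len(key_id)]) + key_id
    tag = hmac.new(store.key_for(store.current), header + message, ALGORITHM).digest()
    return header + message + tag

def verify(store, blob):
    """Check integrity/authenticity; raise on tampering, truncation or unknown key."""
    if len(blob) < 1 or len(blob) < 1 + blob[0] + TAG_BYTES:
        raise ValueError("malformed message")
    n = blob[0]
    header, message, tag = blob[:1 + n], blob[1 + n:-TAG_BYTES], blob[-TAG_BYTES:]
    key = store.key_for(header[1:].decode("ascii"))
    expected = hmac.new(key, header + message, ALGORITHM).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed")
    return message
```
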
Section 11: Physical and Environmental Security

Critical or sensitive information processing facilities must be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc. They must also be sited to prevent unauthorised viewing of confidential matter.

There is a need for concentric layers of physical controls (rather like an onion), including barriers, walls, card-controlled entry gates or manned reception desks, to protect sensitive IT facilities from unauthorised access.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets must be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.

Power supplies and cabling must be secured. IT equipment must be maintained properly and disposed of securely.

Access to and within application systems must be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls must be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities must be inspected regularly to detect damage and malfunction.

Cabling must be protected and checked for unauthorised interception.

Clear desk and clear screen policies must be in use.

Section 12: Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures must be available to all users who need them.

Change control procedures must be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity must be monitored and tuned, and projections made of future capacity requirements, to ensure the required system performance.

12.2 Protection from malware

To ensure that information and information processing facilities are protected from viruses and other malware.

12.3 Backup

Systems must be backed up to protect against data loss.

12.4 Logging and monitoring

To record events and generate evidence.

12.5 Control of operational software

To ensure the integrity of operational systems.

12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.

12.7 Information systems audit considerations

To minimise the impact of audit activities on operational systems.

Section 13: Communications security

This is a big clause and covers all aspects of communications security.

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information Systems Acquisition, Development and Maintenance

To ensure that information security takes into account the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

14.1 Information Security Requirements Analysis and Specification

Automated and manual security control requirements must be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases. Purchased software must be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes

To ensure that information security is designed into the development lifecycle of information systems.

14.3 Test data

To ensure the protection of data used for testing.

Section 15: Supplier relationships

This new section deals with the protection provided in supplier agreements.

Section 16: Information Security Incident Management

Information security events, incidents and weaknesses (including near-misses) must be promptly reported and properly managed.

16.1 Reporting Information Security Events and Weaknesses

A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There must be a central point of contact, and all employees, contractors etc. must be informed of their incident reporting responsibilities. Feedback to the person reporting an incident must take place.

16.2 Management of Information Security Incidents and Improvements

Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management

This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process must be implemented to minimise the impact on the organisation and recover from the loss of information assets.

This section also covers the relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimise the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance

18.1 Compliance with Legal and Contractual Requirements

The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2 Information Systems Reviews

System audits must be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.

Monday, 20 February 2017

A detailed look at ISO 27001: Part 3

Section 8:  Asset Management

Assets associated with information and information processing must be identified and appropriate protection responsibilities defined.

8.1 Responsibility for Assets

The organisation must identify the assets relevant to the lifecycle of information and document their importance. The lifecycle of information includes creation, processing, storage, transmission, deletion and destruction. Documentation must be maintained in dedicated or existing inventories as appropriate.

The asset inventory must be accurate, up to date, consistent and aligned with other inventories.

Ownership of assets and their classification must be defined.

8.2 Information Classification

Information must be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

It is usual to apply the test of analysing the effect on Confidentiality, Integrity and Availability. Examples can be based on four levels:

  • Disclosure causes no harm - Public domain
  • Disclosure causes minor embarrassment or minor operational inconvenience - Restricted
  • Disclosure has a significant short-term impact on operational or tactical objectives - Confidential
  • Disclosure has a serious impact on long-term strategic objectives or puts the survival of the organisation at risk - Secret

8.3 Media

To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Removable media must be protected and stored in accordance with the organisation’s security classifications.

Media contents no longer required must be made unrecoverable.

If data confidentiality or integrity are important considerations then cryptographic techniques must be considered.

Registration of removable media must be considered to limit the opportunity for data loss.

Removable media drives must only be enabled if there is a business case for doing so.

Media that is no longer required must be disposed of securely. Audit trails of these media must be maintained.

Section 9: Access Control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.

9.1 Business Requirement for Access Control

The organisation’s requirements to control access to information assets must be clearly documented in an access control policy, including for example job-related access profiles (role based access control). [This is an important obligation for information asset owners.]

9.2 User Access Management

Formal procedures for the allocation of access rights to users must be controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.

9.3 User Responsibilities

Users must be made accountable for safeguarding their authentication information, e.g. keeping their secret authentication information confidential and not divulging it to any other parties, including those in authority. SSO (Single Sign On) and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect, and this can increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of secret authentication information.

9.4 System and Application Access Control

Access to information and application system functions must be restricted in accordance with the access control policy.

The following may be considered:

  • Providing menus to control access to application system functions;
  • Controlling which data can be accessed by a particular user;
  • Controlling read, write, delete and execute functions;
  • Controlling the access rights of other applications;
  • Limiting information contained in outputs;
  • Providing physical or logical access controls for the isolation of sensitive applications, application data or systems.

Password management systems must be employed to ensure that secure log-on procedures are followed, including the use of strong passwords and regular changing of these passwords.
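
As an added example, not part of the original post, the following Python encodes the kind of job-related access profile described in 9.1 together with several of the controls listed in 9.4: deny by default, limiting which data a particular user can reach, separate read/write/delete/execute rights, and limiting the fields returned in output. The roles, record kinds, departments and field names are constructed for illustration only.

```python
from dataclasses import dataclass

# Constructed, hypothetical access profiles: role -> record kind -> actions.
ROLE_PERMISSIONS = {
    "clerk":   {"invoice": {"read", "write"}},
    "auditor": {"invoice": {"read"}, "audit_log": {"read"}},
    "admin":   {"invoice": {"read", "write", "delete"}, "report": {"execute"}},
}
# Fields each role may see in output; anything not listed is withheld.
VISIBLE_FIELDS = {
    "clerk":   {"id", "amount"},
    "auditor": {"id", "amount", "approved_by"},
    "admin":   {"id", "amount", "approved_by", "bank_account"},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str

@dataclass(frozen=True)
class Record:
    kind: str
    department: str
    data: dict

def is_permitted(user, action, record):
    """Deny by default: the action must be granted to one of the user's roles
    for this kind of record, and non-admins reach only their own department's data."""
    if record.department != user.department and "admin" not in user.roles:
        return False
    return any(action in ROLE_PERMISSIONS.get(role, {}).get(record.kind, ())
               for role in user.roles)

def read_record(user, record):
    """Enforce the read right, then limit the output to fields the roles may see."""
    if not is_permitted(user, "read", record):
        raise PermissionError("%s may not read %s" % (user.name, record.kind))
    allowed = set().union(*(VISIBLE_FIELDS.get(role, set()) for role in user.roles))
    return {k: v for k, v in record.data.items() if k in allowed}
```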

Monday, 6 February 2017

A detailed look at ISO 27001: Part 2

ISO 27002 is the code of practice, and it is normal to use it to set up a comprehensive Information Security Management System (ISMS). There are 15 main sections, 4.0 to 18.0:

ISO 27002 BY SECTION

Section 0:  Introduction

Starting from ‘What is information security?’ the introduction explains about information and how to make use of the standard.

Section 1: Scope

The Standard gives information on the extent of cover for an ISMS.

Section 2: Normative References

Reference is made to documents referenced within 27002 that are indispensable for operation of the Information Security Management System.

Section 3: Terms and Definitions

This refers to ISO 27000, which is a set of terms and definitions.

Section 4:  Structure of the Standard

This section simply explains that the standard contains 14 security control clauses containing a total of 35 main security categories and 113 controls.

Section 5: Information Security Policies

A set of policies for information security must be defined, approved by management, published and communicated to employees and relevant external parties.

Management must define a policy to clarify their direction and support for information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.

Normally it will spell out the three main criteria, CIA:

  • C - Confidentiality
  • I - Integrity
  • A - Availability

This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.

This policy is normally signed by the most senior person and displayed.

Section 6: Organisation of Information Security

A management framework must be designed and implemented to initiate and control the implementation of information security within the organisation. Responsibilities must be assigned for information security risk management and in particular for acceptance of residual risks.

A forum made up of a cross-section of people in the organisation must meet regularly.

6.1 Information Security Roles and Responsibilities

The organisation must have a management structure for information security. Senior management must provide direction and commit their support, for example by approving information security policies. Roles and responsibilities must be defined for the information security function. Other relevant functions must cooperate and coordinate their activities. IT facilities must be authorised.

Confidentiality agreements must reflect the organisation’s needs. Contacts must be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security must be independently reviewed.

6.2 Mobile Devices and Teleworking

Mobile devices are being used extensively within organisations and it is vital that the security of business information is protected. This is particularly important when working outside the organisation in unprotected environments.

Mobile devices must be protected from theft and where possible must have the ability to be remotely wiped of information when needed.

Section 7:  Human Resources Security

The organisation must manage system access rights etc. for ‘new starters, promotion and leavers’, and must undertake suitable security awareness, training and educational activities.

7.1 Prior to Employment

Background verification checks must be carried out in accordance with relevant laws, regulations and ethics and must be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

Security responsibilities must be taken into account when recruiting permanent employees, contractors and temporary staff, through adequate job descriptions and pre-employment screening, and must be included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

7.2 During Employment

The organisation must ensure that employees, contractors and third party users are properly briefed about information security threats and concerns and their responsibilities regarding information security must be defined. Employees and (if relevant) third party IT users must be made aware, educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.

7.3 Termination and Change of Employment

Security aspects of a person's exit from the organisation must be managed (e.g. the return of company assets and removal of access rights, change of access codes or passwords). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately.

Changes in role must be managed as the termination of the current responsibility or employment combined with the start of the new one.

© 2015 Quality Matters Ltd. All rights reserved.