
"Quality Matters in your Business"

Monday, 15 December 2014

An Early Christmas Present?

Last week I received a telephone call in the office from a man with a very strong Indian accent; he told me that his name was Peter and he was calling from the windows technical team. They had become aware that my computer had a very nasty virus. He went on to say that there were some very nasty people around and to show that he was genuine he was able to give me the windows licence key. Peter would be able to fix my computer remotely if I entered a web-site and gave him access to my machine. The service would be completely free of charge.

I asked him how he knew that my computer was infected but he stuck to his script telling me that his name was Peter…. etc.

Before I put the phone down I mentioned that this company was involved in Management Standards and in particular ISO 27001 Information Security and we wouldn’t give anyone access to our systems, let alone someone pretending to be from the windows technical team. Once the call was terminated I tried 1471 to see what the number was, but it was ‘number withheld’, surprise!

There are quite a few scams going around at this time of year but targeting companies is something of a departure from the norm.   Don’t be fooled into giving unauthorised access to your systems under any circumstances.

We are off to a well-deserved rest for Christmas and we hope that our clients and readers of our blog have a very merry Christmas and a prosperous and Happy New Year.

Tuesday, 2 December 2014

10 Web Security Myths Debunked

Myth 1:  Web security is for big companies.
False.  Most small companies (and individuals) are targeted at some time.

Myth 2:  Firewalls and antivirus software are sufficient to protect my computer.
False.  Anti-Virus software is only one area for protection, but it must be updated regularly.  Clearly antivirus software can only defend against known viruses.

Myth 3:  The internet is so big that nobody would single out my computer.
False.  Hackers use automated systems to continuously probe the internet for unprotected computers. 

Myth 4:  There is nothing on my computer worth stealing.
False.  There may well be sensitive information contained in hidden files, such as stored passwords, email addresses, and account numbers.

Myth 5:  I have turned off the Microsoft Automatic Update to protect my Windows computer.
False.  Auto-update provides security patches to help protect your computer.

Myth 6:  Email is a secure method of communication.
False.  Unless you encrypt your email, it is visible.

Myth 7:  I cannot remember complex passwords so I use my dog's name, but that is secure.
False.  A hacker can run a dictionary test to find easy passwords like this.

Myth 8:  My company insists on 8 digit complex passwords so I have to write them down – but this is safe.
False.  Writing down passwords is a bad idea and is full of risk.

Myth 9:  In my company we all share a generic password but this is secure.
False.  If there is a problem with a generic password it is almost impossible to find out who is responsible.

Myth 10:  When we get new computers we always format the old hard disks to ensure they cannot be hacked.
False.  Hard disks should be physically destroyed otherwise data can be recovered, sometimes by simply un-formatting.

It is important to be security aware, particularly at this time of the year when online shopping is at a peak.

We are grateful to SINGLEHOP of Chicago, Illinois for giving us some of these myths about security best practices, and are happy to spread the word to our readers.

30 November 2014 is Computer Security Day.

Tuesday, 18 November 2014

Another ISO 9001 success

One of our clients in Germany has just been awarded a certificate for ISO 9001:2008 for their liquid roofing products. The company near Hamburg has been operating a 9001-based system for a few years but decided that it was time to have this formally assessed and certified following a relocation from a small site near Cadenberge. We were pleased that they passed without a single non-conformity; the Assessor said that he was very impressed with the new factory and procedures.

ISO 9001 is an International Standard and the Germans see this as an endorsement of their manufacturing management processes. I was particularly impressed with the attention to detail and planning that went into their application and their ethos of getting it right first time, every time.

The visit took place during a rail strike and as such the roads were exceptionally busy; the autobahn leading to the Elbe tunnel was completely stationary, which reminded me of the M25!

The Hamburg port is a very busy one and there were miles of trucks going to and from the port. A sure sign that the economy in Germany is flourishing.  The vast majority of incoming ships did seem to be from China, while those going out were to all over the world.

The weather for mid-November was exceptionally mild with one of the days seeing temperatures of 18 Celsius.  I remember last year at this time seeing snow!

The client now has both product and management system certification and these give them easy access to a number of markets.  We are pleased to have been associated with this company and hope to be of help to them for many years to come.

Monday, 3 November 2014

BSOHSAS 18001 Occupational Health and Safety Management Systems

A number of the Management Standards are going through a review and update at the moment:

  • ISO 27001:2013 Information Security Management – recently issued;
  • ISO 14001:2015 Environmental Management – due to be released in mid 2015;
  • ISO 9001:2015 Quality Management – due to be released end 2015;
  • BS OHSAS 18001 was the odd one out as it was a British Standard and not an International (ISO) Standard; that is to change as ISO wish to have a universally accepted Occupational Health and Safety Standard. This ISO Standard will be known as ISO 45001 Occupational Health and Safety Management Systems and it is anticipated that final publication will take place in late 2016.

Some of the accepted elements of 18001 will be ported over to 45001 and some new elements will be added.

It is early days yet but the Standard will follow the Annex SL model:

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

This will ensure that all the management standards follow the same common numbering system and aid integration of the common management standards.

We will keep you informed as progress is made with this standard.


Monday, 20 October 2014

2015 Standards Update

Two of the major Standards are due for revision in 2015.

BS EN ISO 14001:2015, the Environmental Standard, with some 300,000 certificates to the existing 2004 Standard worldwide. Publication was due in June 2015.

BS EN ISO 9001:2015, the Quality Management Standard, with some 1 million plus certificates to the existing 2008 Standard worldwide. Publication was due in September 2015.

The most recent drafts were submitted to the 45 member countries of ISO for approval. It is a mandatory requirement that all countries endorse the changes to allow the review process to move forward to the drafts for public comment and then the final drafts before publication.

We have been notified by one of the UKAS Accredited Certification Bodies that two member countries, including the USA, have challenged the drafts. This has, as you can imagine, put the proverbial ‘cat amongst the pigeons’. This may delay the publication of the next stages of these two Standards and may result in considerable changes.

There are other Standards that use ISO9001 as the basis of their own Standards:

  • IAQG, AS 9100 series which cover the aerospace and defence industries;
  • SMMT, TS16949 series which cover the automotive industries;
  • HACCP, ISO 22000 series which cover the food safety industry;
  • ISO 13485 series which cover the medical devices sector.

There are many others which use 9001 as the base model.

All these must consider whether they will follow the 9001:2015 model; there is some doubt at this stage as some of the above are also unhappy with the proposed Standards. If they decide to go their own way as standalone standards it may well cause the systems to become fragmented.

Time will tell…. Watch this space.

Monday, 6 October 2014

ISO 27001:2013 and Dangerous Bug Shell Shock

If you are involved in IT you may remember the Heartbleed bug which had the potential to bring the internet down; fortunately a fix and patches prevented Heartbleed getting a foothold.
Now there is a new and more serious bug named Shell Shock which can allow unauthorised disclosure of information, unauthorised modification and disruption of services.

This one affects UNIX and Linux systems and can affect PCs, OS X Macs, home routers and many more systems.

Any system that uses BASH (a widely used command interpreter) up to and including v4.3 is vulnerable. DASH systems are not affected, including Ubuntu and Debian.

The risks are high as many government and military systems use BASH or BASH derivatives and a reliable patch has not yet been developed.

According to The Register (www.theregister.co.uk) you can test your systems by running the following commands in your default shell:

  env X='() { :;} ; echo busted' /bin/sh -c "echo completed"
  env X='() { :;} ; echo busted' `which bash` -c "echo completed"

If the word “busted” appears in the output then the shell has executed the command hidden after the function definition and you have a problem and are at risk; a fixed shell prints only “completed”. We have copied the code from the Register and cannot guarantee its validity but it is worth checking.
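A scripted version of the same self-check, added here as an example (it is not the Register's code nor part of the original post): it runs the crafted environment variable through each shell it finds, looks for the tell-tale "busted" output, and returns a non-zero status if any shell is still affected, so it can be dropped into a routine compliance check. The list of shell paths to examine is an assumption and should be adjusted for your own systems.

```shell
#!/bin/sh
# Added example: self-check for the Shell Shock bash bug discussed above.
# It reports "vulnerable" when a shell executes the text that follows a
# function definition imported from the environment, and "patched" when
# the shell prints only the expected "completed".
# Assumption: these are the shells worth checking on this host.
CANDIDATE_SHELLS="/bin/sh /bin/bash /usr/bin/bash /usr/local/bin/bash"

# check_shell PATH
#   Prints "missing" if PATH is not an executable, "vulnerable" if the
#   shell runs the trailing command smuggled in via the environment,
#   and "patched" otherwise.
check_shell() {
    shell="$1"
    if [ ! -x "$shell" ]; then
        echo "missing"
        return 0
    fi
    # A vulnerable bash parses X as a function definition and then keeps
    # going, executing "echo busted". A fixed bash, or a shell such as
    # dash that never imports functions from the environment, ignores the
    # trailing text and prints only "completed".
    output=$(env X='() { :;} ; echo busted' "$shell" -c 'echo completed' 2>/dev/null)
    case "$output" in
        *busted*) echo "vulnerable" ;;
        *)        echo "patched" ;;
    esac
}

# check_all
#   Prints one line per candidate shell and returns 1 if any of them is
#   vulnerable, 0 otherwise (missing shells are reported but not counted).
check_all() {
    rc=0
    for s in $CANDIDATE_SHELLS; do
        status=$(check_shell "$s")
        echo "$s: $status"
        if [ "$status" = "vulnerable" ]; then
            rc=1
        fi
    done
    return $rc
}

check_all
```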

Our systems here at Quality Matters appear to be safe from this bug (for now).

In short, this is a very dangerous bug which could affect tens of millions of systems.

Monday, 22 September 2014

E-Mail and security

Email is a staple of modern living; it would be very difficult to get things done without it. We have all been shocked when suddenly email is not available due to some technical or mechanical failure. This communication medium, however, is not secure; I liken sending email to writing the text on a Post-it note and placing it outside the street door, making it available to anyone who cares to read it.

Perhaps we should all encrypt our email?   This would bring the internet to its knees as the additional data would cripple the system.

Perhaps we should send our attachments as encrypted documents?  This is better but relies on a method of decryption.  Sadly I have seen encrypted attachments accompanied by the key in the body of the email, rendering it totally useless.

Perhaps we shouldn’t send anything sensitive by email at all?  This is the safest option but in practice totally unworkable.

We use a system which has proved successful:

We encrypt an attachment using BitLocker or similar rather than straight password protection. It is very easy to delete a password from a protected document. Encryption with 256-bit AES (Advanced Encryption Standard) renders the attachment pretty secure. I say pretty secure because nothing is 100% secure, but the number of possible keys is about 1.1 x 10^77, a truly enormous number.

We send the encrypted attachment by email and then send an SMS message to the recipient with the decryption key. Using this method the attachment cannot be readily opened without the key and the key is useless without the encrypted file.

Clearly anything that is classified should not be sent over the internet but over a secure channel and also encrypted.

The most effective way to pass highly sensitive information is by hand only and the receipt signed over to authorised persons only.

Monday, 8 September 2014

ISO27001 and Data Protection Act

We are all aware of the importance of taking computer back up on a regular basis to allow for the recovery of data in case of computer failure or corruption. 

The ICO (Information Commissioner's Office) recently levied a huge fine of £180K on the Ministry of Justice for loss of data.

The fine was for the loss of an unencrypted hard drive used for backing up data at one of HM Prisons.  This was a repeated offence in that the ICO was advised in 2011 that an unencrypted hard drive containing the sensitive data of some 16,000 prisoners and vulnerable members of the public including victims had been lost.  To prevent a recurrence the Ministry issued hard drives to be used for backup which contained encryption software to protect data on these hard drives.  

In 2013 another hard drive containing sensitive prisoner data was again lost.   Unfortunately the Prison concerned had not activated the encryption and as such the data was saved in an unencrypted format; this continued for a whole year.  It seems the encryption was not activated by default. When the disk was lost, the data was once again freely available.  This was the reason the ICO levied such a large fine.

The ICO said that government departments should be an example of best practice in handling sensitive information.  Sadly this was not the case.

The Ministry of Justice is now taking steps to train users and ensure that all hard drives used for computer backup are fully encrypted.

It is clear that organisations should ensure that those tasked with protection of data should have sufficient knowledge and skills to use appropriate levels of protection so that no data is lost or compromised. 

Monday, 18 August 2014

AS9100 Aerospace and Defence Standard

To meet the exacting standards  in aerospace the major aircraft manufacturers and IAQG (International Aerospace Quality Group) developed AS9100; based on ISO9001:2008 this standard fills the gap between military standards and the commercial ISO9001 quality management standard.  It makes good sense to have one aerospace standard for conformity to best practice; AS9100 is that standard.

AS9100 v ISO 9001

Manufacturing an item as complicated and critical as an aircraft or space vehicle requires special attention during all the production processes. A great deal of attention is placed on documentation and drawing control to ensure that the current revision of engineering drawings, parts lists and test and inspection specifications is being used. This 'configuration control' is covered in far more depth than in ISO9001, as is identification and traceability. The paperwork trail is vital following an incident or accident and these documents are always quarantined immediately by an accident or incident board of enquiry.

The AS9100 standard provides guidance for key characteristic management in both material and process control. Clearly there is a good deal of emphasis on the design and development of the final structure as well as the components used in that structure, and the AS9100 standard includes additional references in design and development functions. Explanatory notes are included for both design and development verification and validation, highlighting traditional areas of emphasis. Additionally, AS9100 provides information on verification documentation and on validation testing and results.

One area which receives greater attention is the inspection area, particularly the first off in a batch of items.  This is called first article inspection in AS9100.  The standard also gives guidelines for actions to be taken when it all goes wrong.  Any faulty part, which is scrap, must be put beyond use before disposition.

This standard can be applied in the following forms:

  • AS 9100 - Quality Management System requirements for design and/or manufacture of aerospace products
  • AS 9110 - Quality Management System requirements for maintenance and repair operations
  • AS 9120 - Quality Management System requirements for stockists and distributors

Assessment and certification is carried out by properly accredited and competent assessors. The assessment is, of necessity, more in depth than ISO9001 and the reporting is far stricter. The assessor scores each item against a prepared score card; at the end of the assessment the scores are totalled and a decision is made to pass or to require additional work to be carried out. One major difference in the assessment is that no corrective action may take place during the assessment, unlike ISO9001. Any CAP (corrective action plan) must take place afterwards.

Inevitably main suppliers who achieve certification to AS9100 will then require their sub-contractors and suppliers to achieve the standard as well.

Once certified these organisations are featured in OASIS (the IAQG Online Aerospace Supplier Information System).

Quality Matters can assist organisations to achieve certification to these standards.

Monday, 4 August 2014

ISO Management Systems and Non UKAS Certification Companies

"The United Kingdom Accreditation Service (UKAS)  is the sole national accreditation body recognised by government to assess, against internationally agreed standards, organisations that provide certification, testing, inspection and calibration services. Accreditation by UKAS demonstrates the competence, impartiality and performance capability of these evaluators."

We have noticed that there are an increasing number of non-accredited organisations offering certification to various management standards, often at  a cheap rate.  Many offer to introduce, document and assess for a fixed fee and then issue a certificate of compliance. 

It is not always obvious that the certificates issued by these companies are not accepted as compliance to those standards but merely confirm that they are "certified" by that company.

A certificate of conformance to ISO9001:2008 or other Management Standards issued in the UK by a UKAS Accredited Certification Body guarantees that the organisation meets the requirements of the Standard. It will be accepted by everyone as evidence of compliance. Unfortunately a certificate issued by one of the non-UKAS companies does not.

The reason that UKAS accredited certification bodies offer the "real deal" is that they are regulated and inspected by UKAS, and a certificate bearing the UKAS logo is evidence that true compliance has been achieved.

UKAS regulations state that consultancy and certification must be independent from each other.  The non UKAS companies are not governed or regulated, set up the system and then assess it; how could they fail?

We firmly believe that it should be illegal to claim that an organisation meets the requirements of this Standard or any other when it does not;  in the same way that it is illegal to claim that a product does something that it clearly does not (Trade Descriptions Act).

Look for the UKAS mark when selecting a certification body to ensure that your certificate is valid and will be accepted worldwide. 

Monday, 21 July 2014

The revised Environmental Standard ISO14001

The revised Environmental Standard ISO14001 has now been released as a DIS (Discussion document) but still has some way to go before it is finally published in 2015.

However, the format has been agreed and this is shown in the table below, which compares the old with the new. We recommend that preparation can be made, but readers should not prepare documents and processes before the Standard is released.

[Table: Comparison of existing & proposed ISO 14001]

Monday, 7 July 2014

Email Scams ... again

I am sure everyone has received an email advising them that their bank has introduced some new security method which requires them to enter passwords and other security details into a web page to revalidate or face discontinuation of a service. The email, of course, has not come from the bank but from criminals trying to persuade you to give away information that they may use to gain access to bank accounts, credit card accounts or other financial accounts.

Don't click on the link provided or you will be taken to a web-site which looks remarkably like the web-site for your bank; cheekily, it may even carry a warning that you should take care to make sure any information you provide is secure. You are invited to enter your security details. By doing this you have provided the criminal with the information needed to gain access to your bank or credit cards.

No bank or other financial institution would ever ask you to enter these details in an email.

However, I recently had notification from HMRC that I was due a tax refund; I wasn't asked for credit card details but for my bank details for the refund to be paid to me. Naturally I deleted this "scam email".
Later I received a letter from HMRC telling me that I had a tax rebate due. This was genuine, but I still believe that the original notification looked so genuine that it must be false!

The criminals are getting so clever that it is often difficult to sort the genuine from the false. The motto I always use is "if in doubt, delete".

A genuine notification will always repeat if unanswered, and I did check with my accountant as well.

Monday, 23 June 2014

Employment v Consultancy Choices

Should I employ a Management Representative to carry out the duties of Quality Manager, Environmental Manager, Information Security Manager or Internal Auditor or should I use the services of an external consultant?

The choice may revolve around cost; employment costs are probably the biggest overhead that any company has to cover and finding the right employee can be both time consuming and expensive.
The alternative, which many companies are using, is to use the services of a specialist consultancy where a consultant is used for a specific task or period of time.

There are a number of advantages in this sort of arrangement; consultants are paid only for the work or time involved, consultants are not 'employed' so do not have paid holidays, sickness, time off for domestic or social reasons, do not require pension or other benefits. There is also no risk that a consultant will become involved in company politics. And as they are not employed, no disciplinary processes and/or extended periods of notice are required to terminate a contract.

The consultant is usually an 'expert' in the chosen field and will often have a greater depth of experience than the equivalent employee.  The consultant will have up-to-date information.

Select a consultancy that is covered by the rules of a governing body such as the Institute of Consulting and is covered by appropriate Business Indemnity Insurance. Ask for details of previous assignments to assess how effective the proposed consultant has been in the past.

Employment or External Consultant, the choice is yours, consider:
  • Employment Costs
  • On costs
  • Expertise   
  • Previous knowledge of similar organisations
  • Time scales
  • Ease of termination

Monday, 9 June 2014

BREAKING NEWS: Hackers Steal Computer Information

The rate that data is being stolen seems to be accelerating; hardly a day goes by without a news item saying that customer sensitive data has been targeted by hackers. The main problem seems to be that the companies that are hacked are reluctant to publicise the fact that they have allowed the data to be compromised. Eventually, of course the details emerge into the public domain and then customers are advised to change passwords or watch their bank and credit card accounts for irregular transactions.

Once personal details such as addresses, dates of birth, telephone numbers and other identifiers including mother’s maiden name, place of birth etc have been taken then identity theft is easy. Sadly stolen data is sold freely on the internet and mass attacks are common.

It is not possible to have 100% secure systems but companies holding data should look to protect this data as far as possible; one such measure is the introduction of an information security management system ISO 27001:2013. Readers of this blog will have been following our tips on transition from the previous Standard, but equally companies looking to protect themselves and their customers are introducing 27001 as a means of gaining an externally moderated certificated system.

ISO 27001 is the hottest of all the Standards at the moment and it is fair to say that it is not the easiest Standard to put into operation; however, once fully operational it does offer some significant protection from data theft. We have been offering consultancy for companies wishing to incorporate this Standard for many years and have been successful in helping our Clients to pass their assessment for 27001 with a 100% pass rate.

Don’t wait until your data has been compromised to motivate you to start on this journey to 27001 certification. Contact us and we can show you how to get certificated and protect both your company’s reputation and your own and customer data.

Call Chris Eden today for further information and a quotation.

Office:  01621 857041
Fax: (if you still have one) 01621 856016
Email: info@quality-matters.com

Or you can write to us:

Heybridge Business Centre
110 The Causeway
Heybridge
Maldon
Essex
CM9 4ND

Tuesday, 27 May 2014

ISO 27001:2013 Transition – Final Stage

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered. However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain. This is the final part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

You should have all the procedures, records and evidence in place to show that your ISMS (information Security Management System) is working.

To confirm this you should now carry out an internal audit.

The first part of your audit will cover the 27001 mandatory requirements:

  • Documented information (formerly document and records control)
  • Management review
  • Internal audit
  • Risk assessment
  • Risk treatment

Then you can use this modified SOA as a checklist (you may need to adjust the formatting to suit your paper format).

Once the audit is complete you should carry out any corrective action for non-conformities found during the audit.

You will then be ready to have your chosen certification body carry out an assessment.

If all is well you will be awarded a certificate of compliance to ISO 27001: 2013.

If you have problems or think that you need help simply email us at QMLUK@aol.com.  We have been doing this type of work since 1991 and offer a guarantee of success.

Monday, 12 May 2014

ISO 27001:2013 Transition – Stage Six

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain.  This is the sixth part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

By this time you should have created your documentation set.  Now the records and logs are produced to provide results achieved or providing evidence of activities performed. As each organisation will have different requirements for records, we have not gone into detail in this Blog.
These records and logs are identified in the Standard and Code of Practice.  The text tends to say “records should be maintained”. Records can be in any format, paper or electronic.

Records shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements.

In addition to the documents and records required, there is a need to have a business continuity plan and a disaster recovery plan for IT systems. Once produced the plans should be tested and adjusted as required. Testing can be done in a number of ways:

  • Table top exercise, where the company carries out the test around a table but no operational systems are interrupted.
  • Partial test, where the recovery systems are tested, but a full evacuation of the premises is not required.
  • Full test, where all systems are tested against the Business Continuity plan and DR plan as though a real emergency situation had occurred.

Lessons learned from these tests are incorporated into the documented plans.

Our final part (7) of this series of transition steps will conclude with a full internal audit prior to the external certification body assessment.

Monday, 28 April 2014

ISO 27001 : 2013 Transition - Stage Five

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain. 

This is the fifth part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The certificate will show compliance with ISO27001:2013 but the procedures are defined within the code of Practice ISO 27002:2013. This Standard has a good deal of guidance.

Here are the procedures that make up the minimum requirements:

  1. INFORMATION SECURITY POLICIES
    1. MANAGEMENT DIRECTION FOR INFORMATION SECURITY
  2. ORGANISATION OF INFORMATION SECURITY
    1. INTERNAL ORGANISATION
    2. MOBILE DEVICES AND TELEWORKING
  3. HUMAN RESOURCES SECURITY
    1. PRIOR TO EMPLOYMENT
    2. DURING EMPLOYMENT
    3. TERMINATION OR CHANGE OF EMPLOYMENT
  4. ASSET MANAGEMENT
    1. RESPONSIBILITY FOR ASSETS
    2. INFORMATION CLASSIFICATION
    3. MEDIA HANDLING
  5. ACCESS CONTROL
    1. BUSINESS REQUIREMENT FOR ACCESS CONTROL
    2. USER ACCESS MANAGEMENT
    3. USER RESPONSIBILITIES
    4. SYSTEM AND APPLICATION ACCESS CONTROL
  6. CRYPTOGRAPHY
    1. CRYPTOGRAPHIC CONTROLS
  7. PHYSICAL AND ENVIRONMENTAL SECURITY
    1. SECURE AREAS
    2. EQUIPMENT
  8. OPERATIONS MANAGEMENT
    1. OPERATIONAL PROCEDURES AND RESPONSIBILITIES
    2. PROTECTION FROM MALWARE
    3. BACKUP
    4. LOGGING AND MONITORING
    5. CONTROL OF OPERATIONAL SOFTWARE
    6. TECHNICAL VULNERABILITY MANAGEMENT
    7. INFORMATION SYSTEMS AUDIT CONSIDERATIONS
  9. COMMUNICATIONS SECURITY
    1. NETWORK SECURITY MANAGEMENT
    2. INFORMATION TRANSFER
  10. SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
    1. SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
    2. SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
    3. TEST DATA
  11. SUPPLIER RELATIONSHIPS
    1. INFORMATION SECURITY IN SUPPLIER RELATIONSHIPS
    2. SUPPLIER SERVICE DELIVERY MANAGEMENT
  12. INFORMATION SECURITY INCIDENT MANAGEMENT
    1. MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS
  13. INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT
    1. INFORMATION SECURITY CONTINUITY
    2. REDUNDANCIES
  14. COMPLIANCE
    1. COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS
    2. INFORMATION SECURITY REVIEWS

The procedures need to be written around the organisation’s actual practices; some are reasonably generic but others require bespoke action. These, of course, do need to satisfy the requirements of the Standard.

Our company specialises in 27001 consultancy and we are available to assist companies that need help.

In stage 6 we will look at the records and logs required to provide evidence that the procedures are being followed.

Monday, 14 April 2014

ISO 27001:2013 Transition Stage 4

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain.  This is the fourth part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.
   
All certifications require a detailed set of requirements, showing which have been met (or excluded), to be identified and documented.  This document is called the S.O.A. (Statement of Applicability).  It is a public document that accompanies the certificate and shows which elements of 27001 are compliant (and which are not).

It is usual to look at Annex A, which has all the requirements set out in ISO27001 (The Code of Practice). There are 18 sections and a number of sub-sections.

Below you will see a typical SOA. If the organisation is compliant it should show what control, policy or process is being used.  If the organisation is going to exclude that element it should be shown as EXCLUDED.

In the next stage we will look at the type of documentation which is required.

Monday, 31 March 2014

ISO 27001:2013 Transition Stage 3

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain.

This is the third part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The RISK ASSESSMENT PROCESS identifies the risks to the organisation and prioritises each as a High, Medium or Low risk; once these have been determined it is necessary to transfer the high and medium risks into a risk treatment plan, but more of that later.
The first step is to identify which assets are to be included in the risk assessment process; these are normally entered into an asset register.

Some examples of these assets will be:
  • Accounts;
  • Computer back-up systems;
  • Internal computer operating and package systems;
  • Desktops, laptops and servers;
  • Active Directory;
  • Data links;
  • VPN;
  • Other remote connections, telephony and voice recording, human resources, buildings, utilities and emergency power systems;
  • Secure storage of documents and records.

This list is not exhaustive and will need to be tailored to individual organisations.

The next step is to decide on the value to the organisation; this is not necessarily the monetary value but the value in terms of information security.  You could use any scale, but for ease we tend to use low, medium and high value (1, 2 or 3).

Now score each asset against the three main elements of 27001, C.I.A. (Confidentiality, Integrity and Availability), again using the low, medium or high method.  The scores are entered into a matrix.

Every medium or high risk is transferred to the risk treatment plan mentioned before.  The idea is to mitigate the risk.  Inevitably there will be some medium risks that will have to be accepted; it is most unlikely that any risk in the high level would be acceptable.  The treatment of the medium and high risks decided by the management of the organisation should fall into one of four categories:

  • Applying appropriate controls to reduce the risk
  • Knowingly and objectively accepting risks, providing they clearly satisfy the organisation policy and criteria for risk acceptance
  • Avoiding risks by not allowing actions that would cause the risk to occur
  • Transferring the associated risks to other parties, e.g. insurers or suppliers.
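The scoring process above, carried through in code as an added illustration; this is not the page's own spreadsheet or tool. The 1/2/3 scale for asset value and for C.I.A. is the one described above. Everything else is an assumption made for the example: the way value and C.I.A. scores combine (asset value multiplied by the highest of the three), the High/Medium/Low thresholds over the resulting 1 to 9 range, the check that a High risk marked as "accepted" is sent back for review, and the sample asset register and treatment decisions, which are constructed.

```python
from dataclasses import dataclass
from enum import Enum

# Scale described on the page: low / medium / high = 1 / 2 / 3.
LOW, MEDIUM, HIGH = 1, 2, 3


class Treatment(Enum):
    """The four treatment categories listed above."""
    REDUCE = "apply appropriate controls to reduce the risk"
    ACCEPT = "knowingly accept the risk within the policy criteria"
    AVOID = "avoid the risk by not allowing the action"
    TRANSFER = "transfer the risk to another party (insurer, supplier)"


@dataclass(frozen=True)
class Asset:
    """One row of the asset register: value and C.I.A. scores, each 1-3."""
    name: str
    value: int            # value to the organisation in information security terms
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self):
        for score in (self.value, self.confidentiality, self.integrity, self.availability):
            if score not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{self.name}: scores must be 1, 2 or 3")


def risk_score(asset):
    # Assumption: value times the worst C.I.A. element, so one weak element
    # (e.g. availability of a data link) drives the rating. Range 1-9.
    return asset.value * max(asset.confidentiality, asset.integrity, asset.availability)


def risk_level(score):
    # Assumed thresholds over the 1-9 range.
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def build_matrix(register):
    """The matrix the scores are entered into: one row per asset."""
    return [
        {"asset": a.name, "value": a.value, "C": a.confidentiality, "I": a.integrity,
         "A": a.availability, "score": risk_score(a), "level": risk_level(risk_score(a))}
        for a in register
    ]


def build_treatment_plan(matrix, decisions):
    """Transfer every Medium or High row to the plan; each needs a management
    decision (asset name -> Treatment). A missing decision is an error."""
    plan = []
    for row in matrix:
        if row["level"] == "Low":
            continue
        treatment = decisions.get(row["asset"])
        if treatment is None:
            raise ValueError(f"no treatment decision for {row['asset']} ({row['level']})")
        plan.append({**row, "treatment": treatment})
    return plan


def review_findings(plan):
    """Assets management should look at again: a High risk marked as accepted."""
    return [r["asset"] for r in plan if r["level"] == "High" and r["treatment"] is Treatment.ACCEPT]


# Constructed sample register, loosely following the asset examples above.
SAMPLE_REGISTER = [
    Asset("Accounts", 3, 3, 3, 2),
    Asset("Computer back-up systems", 3, 2, 3, 3),
    Asset("Active Directory", 3, 3, 3, 3),
    Asset("VPN", 2, 2, 2, 3),
    Asset("Emergency power", 2, 1, 1, 2),
    Asset("Telephony", 1, 1, 1, 2),
    Asset("Secure document storage", 2, 2, 1, 1),
]

# Constructed decisions; Telephony is Low and never reaches the plan.
SAMPLE_DECISIONS = {
    "Accounts": Treatment.REDUCE,
    "Computer back-up systems": Treatment.REDUCE,
    "Active Directory": Treatment.REDUCE,
    "VPN": Treatment.TRANSFER,
    "Emergency power": Treatment.ACCEPT,
    "Secure document storage": Treatment.REDUCE,
}


def run_example():
    matrix = build_matrix(SAMPLE_REGISTER)
    plan = build_treatment_plan(matrix, SAMPLE_DECISIONS)
    return matrix, plan


if __name__ == "__main__":
    matrix, plan = run_example()
    for row in matrix:
        print(f"{row['asset']:<26} value={row['value']} C={row['C']} I={row['I']} "
              f"A={row['A']} score={row['score']} {row['level']}")
    print("Treatment plan:", [(r["asset"], r["treatment"].name) for r in plan])
    print("For review:", review_findings(plan))
```

The matrix and the plan are plain lists of dictionaries so they can be written straight to a spreadsheet or register document; the point of `review_findings` is that the scoring rule is mechanical but the accept decision is not, so anything that contradicts the "high risks are not acceptable" expectation is surfaced rather than silently recorded.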

There are other methods that can be used for risk assessment and these are equally valid.  We feel that it is important to have a risk assessment process that is effective but easy to administer and our method meets these criteria.

Stage four of this series will look at the documentation needed for this revised Standard.

Monday, 17 March 2014

ISO 27001:2013 Transition Stage 2

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain. 

This is the second part of our series detailing the various steps needed to achieve a successful transition to the revised Standard.

The revised Standard emphasises the role of "Interested Parties" and it does specify that all interested parties should be listed.  It may be useful, at this stage, to identify just who these are.

  • Owners and/or shareholders of the business;
  • Employees;
  • Contractors;
  • Partners;
  • Sub-Contractors;
  • Clients;
  • Customers;
  • Suppliers;
  • Authorities
    • Legislation
    • Statutory
    • Regulators
    • Contractual
  • Trade Associations;
  • Trades Union.

This list is not exhaustive and should be specific to the organisation.  Against each stakeholder, their requirements as far as information security is concerned should be stated.

Having defined all the Stakeholders you can now move forward to identifying the SCOPE.   You will be generating a new S.O.A (Statement of Applicability) and defining the scope will help in deciding which elements are not applicable in the application.

Once again I would stress that these steps should not be rushed; the better the preparation, the better the final result.  My father used to drum this into me for decorating and in particular the painting of woodwork, which always lasted longer if good preparation was done.

Next time we will look at the revised requirements for Risk Assessments.

Monday, 3 March 2014

Information Security ISO27001:2013 (Stage 1)

Holders of the ISO 27001:2005 Standard will be aware that the "Clock is ticking" and they must upgrade to the new 2013 Standard by September 2015 or risk being de-registered.  However most organisations are being cautious not to rush the transition and perhaps get a system that is too complicated or difficult to maintain.

Over the next few weeks we will be showing simple steps to the transition; here is information about the mandatory policies that are required:

  • Information Security Policy – sets out the policy of the company and covers C.I.A  (confidentiality,  integrity and availability)
  • Mobile Device Policy – sets out the protections and controls for mobile devices, which includes tablets, laptops/notebooks and smart phones.
  • Termination of Employment Policy – sets out the controls and actions to be taken when an employment ends; both resignation and dismissal or redundancy is covered.
  • Teleworking Policy – sets the information security controls required for off-site workers.
  • Acceptable Use of Assets Policy - sets out the policy on use of equipment and also the uses which are not permitted.
  • Cryptographic Policy – sets out the controls for the use of cryptographic controls necessary to maximize the benefits and minimise the risks of using cryptographic techniques and to avoid inappropriate or incorrect use. 
  • Cryptographic keys Lifetime Protection Policy – Sets out the controls for the issue, protection, storage and actions for retiring keys.
  • Security for Assets while Off Site Policy- Controls to protect equipment and data when outside the protection of the organisation.
  • Unattended Equipment Policy – sets out the controls to protect unattended equipment on site.
  • Clear Desk Policy – sets out the controls to protect sensitive documents or data on desks.
  • Clear Screen Policy – sets out the controls for screens to be protected from being viewed by unauthorised people.
  • Formal Information Transfer Policy – sets out the controls and protocols for the transfer of data. This includes the methods of transfer and the requirement for cryptographic controls where necessary.
These policies are required in addition to the policy usually displayed.  We recommend that these policies are prepared and kept available in a file or document repository.

This is an important stage in the transition to the new standard.

Sunday, 16 February 2014

An External View is Productive

Most companies holding certifications to ISO 9001, ISO 14001 or ISO 27001 have done so for many years and although the standards call for 'Continual Improvement' this is often product or service based and often reflects normal organic growth. While there is nothing intrinsically wrong with this approach, Directors are not always taking advantage of the latest techniques and processes.

Many companies certified over five or six years may have a fairly large management systems manual and processes to match; some of these will have been expanded as a result of auditors' comments and some by customers' complaints or observations, but not all will add any value to the company's operation.

It is often difficult for internal auditors to "see the wood for the trees"; what is a good idea is to have someone look with fresh eyes at what you are doing, and get a real heads-up on the latest techniques and ways to reduce the administrative burden of Systems Management.

Professional consultants have verifiable qualifications and accreditations plus Professional Indemnity Insurance and considerable and varied experience.  It is worth asking for evidence of these qualifications. Also any consultant worth his/her salt will be able to furnish you with a list of satisfied clients with whom you can obtain references.

A good consultant is worth his or her weight in gold; not only can a gap audit or review actually save money, it can result in greater efficiency. Remember an experienced consultant will have been involved with a number of organisations and will be able to use that experience to help you. Cherry picking the best practices and techniques while retaining strict confidentiality will add real value to your business.

Although external consultants can look expensive initially, the overall outlay is extremely cost effective when combined with other advantages, such as no holidays to pay for, no sickness or other absence to factor in;   most consultants will offer a guarantee of work performed.

And the best bit is you only pay for actual work performed.

Monday, 3 February 2014

Water, Water Everywhere

The recent torrential rain has caused major problems for households but even more so for businesses. Rivers have burst their banks and sea defences have been breached.  Businesses that have computer systems damaged by flood water may have additional problems for data recovery, particularly when battery back-up systems and data media have been put out of action by water.

Most businesses will have some form of business continuity plan in place and the conditions will have tested these extensively.  Disaster recovery plans for IT will also have been put into action.

Some of the precautions I would have expected to be used were not always present:

  • Computer equipment should not be kept on the floor in flood prone areas;
  • Frequent back ups of  data should be made;
  • Back up media should be kept off site
  • Server images should be taken to allow swift recovery from failures;
  • Where possible, electrical sockets should be raised from floor level to mid wall level;
  • Ground floor businesses should consider air brick covers to prevent water entering;  
  • Sand bags or water sealing devices to stop water entry;
  • Ensure company vehicles are parked on higher ground when flood warnings are issued;
  • Instruct company car drivers that flooded roads are not to be driven into, unless the water level can be seen.  30 inches of water can cause severe damage to vehicles;
  • Fast moving water of 30 inches can sweep a vehicle away;
  • Check that insurance policies cover flood damage;
  • Put a business continuity/disaster recovery Standard into place (ISO 22301 or the information security Standard ISO 27001, which includes a clause for Business Continuity).

It is always easy to be wise after the event, but it pays to be proactive; even if this is for next time.

Monday, 20 January 2014

Common Standards

Here are the most used Standards and their revision status:

ISO 9001: 2008

The Quality Management Standard - Probably the most recognisable standard throughout the world.

Currently being rewritten and is scheduled to be issued in third quarter 2015.    Early drafts show that this is a major revision and will probably have a three year transition from date of issue.

ISO 14001: 2004

The Environmental Management Standard – now under review for scheduled publication during 2015. It was originally planned to be issued in 2014, but there were a number of major issues raised in the first committee draft.  It was decided that further review should take place.  It is anticipated that there will be at least a two year transition period from the date of publication.

ISO 27001: 2013

The Information Security Management Standard - Reissued in September of 2013.  This recent issue brings the Standard up to date.   There is a two year transition period from the 25 September 2013 publication.

The transition arrangements – New applicants may choose to be assessed to the 2005 standard up to 24 September 2014 or go straight to the 2013 Standard, once the certification bodies have been accredited to the new Standard.   Existing 27001 certificate holders can choose to keep to the 2005 Standard but must transition to the 2013 Standard by 24 September 2015; failure to do this will mean that the 27001 certificate is withdrawn.

OHSAS 18001:2007

The Occupational Health and Safety Standard – This standard is current and we are not aware of any changes planned.

AS 9100:2009

The Aerospace and Defence Standard – This standard is based on the 9001 standard and it is possible that this will be updated, but we are not aware of any plans to do this.

ISO 20000:2011

The IT Service Management Standard – Updated in 2011; this is a huge standard and take-up has been slow.   To put this standard into perspective, one clause requires the organisation to have an information security management system in place!!

ISO 22000: 2005

The Food Safety Standard - Last updated in 2005.  No plans to update this Standard but some of the subsidiary Standards 22002-6 are under review.

There are, of course a number of Standards that we have not mentioned but are available for certification.  We will keep you advised as we learn about developments.

Monday, 6 January 2014

A Happy New Year 2014

We should all hope that 2014 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments, banks and hospitals which are being forced to own up to data breaches.  The fines being levied by the Office of the Information Commissioner are higher if the organisation is caught out rather than owning up to a breach.

In addition to lost data disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security which was trumpeted by ministers as being paramount seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from those people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2014 is a year of increased data security, here are a few precautions that can help to reduce the possibility of data loss:
  • Always shred or burn confidential documents or documents having identifiable data;
  • Very confidential documents should be cross shredded rather than strip shredded;
  • Never give passwords or log on information to email enquiries, telephone callers or visitors;
  • HMRC will never refund overpayments of tax to your credit card; it is a scam;
  • Be wary of emails directing you to a bank or other secure site which asks for personal information;
  • Never give passwords or pin numbers to anyone calling on the telephone even if they identify themselves as police or bank officials;
  • Do be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities.
  • Never dispose of old computers/laptops or tablets until the hard drives have been removed or destroyed; remember deleting or re-formatting the disk does not actually delete the data;
  • Never leave confidential documents on desks overnight or when unattended (clear desk policies);
  • Laptops should be secured with a multi-strand cable to an immovable object like a radiator, when unattended;
  • Laptops should be password protected;
  • Laptops and tablets should be kept close to you in public places to prevent theft;
  • Laptop disks should be encrypted, if data is sensitive;
  • Never share passwords, and use complex passwords to prevent others gaining access to desktops and laptops;
  • When considering a complex password use a £ as this is not available on non UK keyboards;
  • Never leave desktops and laptops logged in and unattended;

The list goes on and on but use common sense - assume that the worst may happen and take precautions to stop or at least reduce it.

Let us all have a happy and safe 2014.

Quality Matters

P.O.Box 5479
Maldon
Essex
CM9 8GG
England

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.