Yellow font on Black background Black font on White background Black font on Cream background
Call us today 01621 857841 or Email us
Quality Matters Logo

"Quality Matters in your Business"

Monday, 18 May 2015

Quality in our Road Infrastructure

Last Thursday (14 May)  I was in Dorset seeing one of our Clients and another successful surveillance visit to one of the management standards.

My journey home was far from enjoyable; just to remind you it was raining heavily.  A journey, which should take three to three and a half hours, took six hours.  The route took me along the A31, M27, M3 and M25. At best we were travelling at walking pace and at times we were stationary for extended periods.  The information signs on the M3 advise that roadworks started in November 2014 and will last for 26 Months. Anyone using the M3 will attest that the repairs are causing long delays.

There were lorries parked on the hard shoulder of the M25 motorway, obviously they had run out of tachometer hours, and this added an extra hazard.  By the time I got home I was exhausted and angry that the infrastructure was unable to cope with rain.

If the requirements of ISO9001 (Quality Management Standard) were applied to the road system it would fail miserably:

  • Customer satisfaction  - none whatsoever
  • Customer complaints – very high
  • Control of non-conformities – none apparent; no sign of Highways Agency traffic officers or Police patrols;
  • Product and Service delivery – was abysmal.  The variable speed limit signs were set variously at 40 MPH (the lowest) and seemed to be randomly set at anything from 40-60.  It was farcical that we were stationary and the indicator was at 50 MPH.
All in all you can tell that I was not amused.  I also thought about the environment; all those vehicles  pumping out exhaust fumes and consuming vast quantities of petrol and diesel.

The road infrastructure really does need some serious investment to allow journeys to be completed in a reasonable time.  I drive on the continent and apart from some exceptions the motorway networks seem to cope well - even in the rain!!

Tuesday, 5 May 2015

Information Security Management Standard ISO 27001

Organisations that are certificated to ISO27001:2005 are required to upgrade to the 2013 version of the Standard.  ISO 27001:2013 was published in September 2013 and there was a transition period to allow organisations to review their systems and upgrade their operations to comply with the revised requirements specified in 27001:2013.
This transition period will expire in September 2015 and any organisation that has not upgraded their systems and had their certification body reassess and recertify to the 2013 Standard will automatically be deregistered.
The revised Standard addresses the new Annex SL format and has 10 main sections

  1. Introduction
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Context of the organisation
  6. Leadership
  7. Planning
  8. Support
  9. Operation
  10. Performance evaluation
  11. Improvement.

ISO 27001: 2013 ISO 27001:2005
0 Introduction 0 Introduction
1 Scope 1 Scope
2 Normative references 2 Normative references
3 Terms and definitions 3 Terms and definitions
4.1 Understanding the organisation and its context 8.3 Preventive action
4.2 Understanding the needs and expectations of interested parties 5.2.1(c) Identify and address legal and regulatory requirements and contractual security obligations
4.3 Determining the scope of the information security management system 4.2.1 (a) Define scope and boundaries
4.2.3 (f) Ensure the scope remains adequate
4.4 Information security management 4.1 General requirements
5.1 Leadership and commitment 5.1 Management commitment
5.2 Policy 4.2.1(b) Define an ISMS policy
5.3 Organisational roles, responsibilities and authorities 5.1 (c) Establishing roles and responsibilities for information security
6.1.1 Actions to address risks and opportunities - general 8.3 Preventive action
6.1.2 Information security risk assessment 4.2.1 (c) Define the risk assessment approach
4.2.1 (d) Identify the risks
4.2.1 (e) analyse and evaluate the risks
6.1.3 Information security risk treatment 4.2.1(f) Identify and evaluate options for treatment of risks
4.2.1 (g) Select control objectives and controls for the treatment of risks
4.2.1 (h) Obtain management approval for the proposed residual risks
4.2.1 (i) Obtain management authorisation to implement and operate the ISMS.
4.2.1 (j) Prepare a statement of applicability
4.2.2 (a) Formulate a risk treatment plan
6.2 Information security objectives and planning to achieve them 5.1 (b) Ensuring the ISMS objectives and plan are established
7.1 Resources 4.2.2 (g) Manage resources for the ISMS 5.2.1 Provision of resources
7.2 Competence 5.2.2 Training, awareness and competence
7.3 Awareness 4.2.2 (e) Implement training and awareness programmes
5.2.2 Training, awareness and competence
7.4 Communication 4.2.4 (c) Communicate the actions and improvements
5.1 (d) Communicating to the organisation
7.5 Documented information 4.3 Documentation requirements
8.1 Operational planning and control 4.2.2 (f) Manage operations of the ISMS
8.2 Information security risk assessment 4.2.3 (d) Review risk assessments at planned intervals
8.3 Information security risk treatment 4.2.2 (b) Implement the risk treatment plan
4.2.2 (c) Implement controls
9.1 Monitoring, measurement, analysis and evaluation 4.2.2 (d) Define how to measure effectiveness
4.2.3 (b) Undertake regular reviews of the of the ISMS
4.2.3 (c) Measure the effectiveness of controls
9.2 Internal audit 4.2.3 (e) Conduct internal ISMS audits
6 Internal audits
9.3 Management review 4.2.3 (f) Undertake a management review of the ISMS
7 Management review of the ISMS
10.1 Nonconformity and corrective action 4.2.4 Maintain and improve the ISMS
8.2 Corrective action
10.2 Continual improvement 4.2.4 Maintain and improve the ISMS
8.1 Continual improvement

Moving on to ISO  27002: 2013 Code of Practice.  This has been changed to take into account modern practices.  It also puts elements into far more logical sequences.  Much of the duplication has been removed.

Operations and communications security have been separated and cryptography has been given its own section.   A completely new section has been added for Supplier relationships.

This standard has been expanded from the previous 15 sections to 18 sections and 35 main security categories with 114 controls, reduced from 133.


  1. Introduction
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Structure of the standards
  6. Information security policies
  7. Organisation of information security
  8. Human resources security
  9. Asset management
  10. Access control
  11. Cryptography
  12. Physical and environmental security
  13. Operations security
  14. Communications security
  15. System acquisition, development and maintenance
  16. Supplier relationships
  17. Information security incident management
  18. Information security aspects of business continuity management
  19. Compliance
Remember time is running out and certification bodies need to plan well ahead so carry out the upgrade now.  If you need help, we are available.

Quality Matters

P.O.Box 5479
Maldon
Essex
CM9 8GG
England

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design