
"Quality Matters in your Business"

Monday, 14 May 2018

ISO 27001 Information Security Management

There is increasing pressure from customers for any supplier (external provider) to show that it has a robust information security management system in place to ensure that data is kept confidential, that its integrity is assured and that it is available when required. This trio of confidentiality, integrity and availability (the CIA triad) is the cornerstone of the information security management standard ISO 27001.

The standard consists of a number of requirements, structured using the Annex SL high-level framework shared by the other recent management system standards:
ISO 27001:2013 - Requirements

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

However, the nuts and bolts of the system are the controls. These are listed in Annex A of ISO 27001 (the organisation selects and justifies them in its Statement of Applicability), and the detailed implementation guidance for them is contained in ISO 27002, the Code of Practice, whose clauses 5 to 18 mirror the fourteen control domains of Annex A:
ISO 27002:2013 – Code of Practice

  1. Scope
  2. Normative references
  3. Terms and definitions 
  4. Structure of this standard
  5. Information security policies
  6. Organization of information security
  7. Human resource security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

Once these requirements have been met, an independent and accredited certification body will assess the system, normally in two stages (a review of the documented system followed by an assessment of the controls as actually implemented), and if it is compliant will issue a certificate. Certification is to ISO 27001; ISO 27002 is guidance and is not itself a certifiable standard.

A certificate issued in the UK by a UKAS-accredited certification body is recognised worldwide and confirms that the holder takes information security seriously and can be trusted to look after data. When relying on a supplier's certificate, check the scope statement printed on it, since certification may cover only part of an organisation's sites, services or systems.

Tuesday, 1 May 2018

September 14 2018

This date is important for all holders of ISO 9001:2008, ISO 14001:2004, AS9100,
AS9110 or AS9120 certificates: those that have not transitioned to the latest editions of these standards by then will find themselves automatically without certification.

There will be no excuses and no extensions. Recently I heard that some 40-50% of holders of these standards have not yet transitioned; one certification body (which shall remain anonymous) told a client that UKAS would not impose the deadline. Wrong. A head-in-the-sand approach could be costly.

Loss of certification may mean that tenders are ignored, positions on approved supplier lists are lost and existing contracts are put at risk.

We have been taking calls from a number of organisations asking for help with the transition, and unless the system is relatively simple the timescales are now very tight; in addition, the availability of certification body auditors is causing some concern. An organisation may have made all the necessary changes, yet the non-availability of an auditor could mean that it misses the deadline.

Realistically, if all the preparatory work has not been completed by July then transition is a non-starter.  Remember an auditor can only audit what you have done and not what you plan to do.

What can organisations do if they miss the deadline? They are treated as though they never had a certificate and must start from scratch: application, Stage 1 and then Stage 2 assessment. In addition to these cost implications there is the loss of status and reputation that accompanies the loss of certification. Competitors would not be kind enough to keep this news to themselves, would they?

Don’t leave it to the last minute or you could regret it.

Tuesday, 17 April 2018

GDPR deadline 25 May 2018

Readers of our blog are aware that the GDPR (General Data Protection Regulation) applies from 25 May 2018, and that it applies to the UK even though the UK is leaving the EU.

In addition, the UK Data Protection Act 2018 is due to be enacted in May as well. The UK Act supplements the GDPR (for example by setting out the UK exemptions and the powers of the ICO) rather than replacing it: while the UK remains in the EU, the GDPR applies directly as an EU regulation, and the two must be read together.

This week we saw an article from the Information Commissioner's Office headed "Does GDPR apply to business to business marketing?" It answers yes, and then goes on to define the filing and storage of business cards as processing.

Clearly, if all business-to-business marketing required informed consent then business across the EU might well come to a standstill. Our view is that business cards are handed over either by the person to identify themselves or as a point of contact at, say, an exhibition or trade fair. By giving the business card voluntarily that person is giving consent for that information to be used or processed.

In all other cases a company will normally have a legitimate interest in using business data for marketing, and that lawful basis does not require separate and informed consent. Note that electronic and telephone marketing is also governed by the Privacy and Electronic Communications Regulations (PECR), which sit alongside the GDPR.

However, the marketing company must ensure that any organisation that has unsubscribed is not contacted again. In addition, the TPS and Corporate TPS registers should be screened before any telephone marketing, so that no individual or organisation that has registered is called.

It is not helpful that many providers of GDPR information are unclear about what the GDPR actually requires and to whom it applies. The amount of misinformation is huge; getting it wrong may result in a considerable amount of pointless work at one extreme, and at the other leave a controller or processor liable to swingeing fines.

The ICO has not provided the definitive guidance that companies in the UK need, yet it will be charged with acting as judge and jury in enforcement.

Tuesday, 3 April 2018

ISO 45001:2018 Occupational Health & Safety Standard

Finally, the new standard is here. It was published in March 2018 and, as expected, it uses the Annex SL format. It has been a long time coming and can now be used by companies wanting to demonstrate a systematic approach to compliance with health and safety law and regulations.

It has 10 sections, which should make it easier to integrate with other standards using the same format:

  • Scope 
  • Normative references 
  • Terms and definitions 
  • Context of the organisation 
  • Leadership and worker participation 
  • Planning 
  • Support 
  • Operation 
  • Performance evaluation 
  • Improvement. 

Unlike other reissued standards this is a brand-new ISO (international) standard, whereas the old 18001 was a British Standard (BS OHSAS 18001); strictly, therefore, there is no transition between editions of the same standard.

However, ISO has decided that there will be a migration period of three years from the date of publication for BS OHSAS 18001 users to move to the new standard. 

It is hoped that there will be a greater uptake now that it is an ISO standard, and that more companies will look to introduce an integrated management system covering Quality (ISO 9001), Environmental (ISO 14001) and Occupational Health & Safety (ISO 45001) together.

We have looked at the differences between the final draft and the published standard, and it seems that just a few words were amended and some items in lists were rearranged.

There will be some delay before certification bodies can offer accredited certification to this standard, as they must first be accredited by UKAS for it before they can issue UKAS-accredited certificates.

As consultants we are able to offer consultancy services in this standard and training of internal auditors.

Quality Matters

P.O.Box 5479
Maldon
Essex
CM9 8GG
England

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.