
"Quality Matters in your Business"

Saturday, 29 December 2007

ISO9001 Quality Management Standard Upgrade - 2008

ISO9001 has been around now since 2000 and it is normal practice for Standards to be reviewed and updated every five years or so. This update is now overdue.

The PDCA model has been retained, and one member of the committee said it should stand for 'Please don't change anything' rather than PLAN-DO-CHECK-ACT.

The ISO Committee has proposed that only minor changes should be incorporated into the 2008 update:

Clause 0.2 (Process approach)
  • Text added to emphasize the importance of processes being capable of achieving desired outputs

Clause 4.2.3 (Document control)
  • Clarification that only external documents relevant to the QMS need to be

Clause 4.2.4 (Records control)
  • Editorial changes only (better alignment with ISO 14001)

Clause 5.5.2 (Management rep)
  • Clarifies that this must be a member of the organization's own management

Clause 6.2.1 (Human resources)
  • Clarification that competence requirements are relevant for any personnel who are involved in the operation of the quality management system

Clause 6.3 (Infrastructure)
  • Includes information systems as example

Clause 6.4 (Work environment)
  • Clarifies that this includes conditions under which work is performed and includes, for example, physical, environmental and other factors such as noise, temperature, humidity, lighting, or weather

Clause 7.2.1 (Customer related processes)
  • Clarifies that post-delivery activities may include:

    • Actions under warranty provisions

    • Contractual obligations such as maintenance services

    • Supplementary services such as recycling or final disposal

Clause 7.3.1 (Design & development planning)
  • Clarifies that design and development review, verification and validation have distinct purposes

  • These may be conducted and recorded separately or in any combination as suitable for the product and the organization

Clause 7.3.3 (Design & development outputs)
  • Clarifies that information needed for production and service provision includes preservation of the product

Clause 7.5.4 (Customer property)
  • Explains that both intellectual property and personal data should be considered as customer property

Clause 7.6 (Now retitled Control of Monitoring and Measuring equipment)
  • Explanatory notes added regarding the use of computer software:

"Confirmation of the ability of computer software to satisfy the intended application would typically include its verification and configuration management to maintain its suitability for use."

Clause 8.2.1 (Customer satisfaction)
  • Note added to explain that monitoring of customer perception may include input from sources such as customer satisfaction surveys, customer data on delivered product quality, user opinion surveys, lost business analysis, compliments, and dealer reports

Clause 8.2.3 (Monitoring / Measurement of process)
  • Note added to clarify that when deciding on appropriate methods, the organization should consider impact on the conformity to product requirements and on the effectiveness of the quality management system.

I must emphasise that these are proposed changes and not 'set in stone'.

The 2008 Standard is expected to be published in November 2008.

Wednesday, 19 December 2007

Auditing Top Management

Internal auditors are required to audit top management as part of both ISO9001 and ISO14001 Management systems and most auditors find this task difficult.

The questions that I am asked include:
  • If I criticise my boss, will it affect my future with the company;

  • If I do not audit strictly enough will my boss think I am weak;

  • If I audit too hard will my boss think me too pushy?

The way to audit top management is to apply a code of conduct that cannot be misunderstood:
  1. Make an appointment to audit your boss, giving ample time;

  2. Always arrive at the appointed time;

  3. Determine what you need to know;

  4. Prepare your questions in advance;

  5. Always be polite and do not raise your voice;

  6. Treat any non-conformity as a matter of fact and not a triumph over your boss;

  7. Remember that your boss may feel the necessity to justify any non-conformity and you should allow him/her time to state the reasons for this;

  8. Always agree where a non-conformity is present and do not get into a discussion if this cannot be substantiated;

  9. Do not allow your boss to take over the process; you are in control;

  10. And finally do not carry on the audit beyond the agreed time;

If you do all these things you will find that auditing top management is as easy as normal auditing.

Sunday, 2 December 2007

Information Security - AGAIN

The latest security lapse, where HMRC (Her Majesty's Revenue and Customs) has 'lost' a CD containing names, addresses, NI numbers, dates of birth etc. of up to 15,000 Standard Life customers, has provided a new round of concerns about the security of data. Apparently the disk, containing information very useful to identity thieves, went missing while being transported from HMRC to Standard Life's offices in Newcastle. Standard Life customers have been warned to look out for any unusual activity in their financial accounts.

As we approach the season of goodwill it makes even more sense to guard against identity fraud and unauthorised transactions in credit cards and other banking areas. Copied or cloned credit cards, people watching as you enter pin numbers into 'Hole in the Wall cash machines' or just simple pickpockets taking a wallet or purse are just some of the ways that we can be relieved of our hard earned cash.
  • Don't discard paper that has any personal or company details in the rubbish - shred all identifiable paper.

  • Destroy all expired or replaced credit and debit cards. Cut them into many pieces or put them through a shredder (if it has the ability to shred credit cards).

  • Don't respond to emails asking for user names and passwords - Banks never ask for this type of information in email.

Make the run up to the festive season a poor one for thieves.

Sunday, 25 November 2007

Security of Data

The loss and compromise of sensitive data by the Revenue has left most of us dumbfounded, as every security precaution that could have been provided to protect this data was totally ignored.

Security professionals across the country gasped in amazement as the story unfolded. If a private company had lost this amount of data the Data Protection Act would be invoked and a criminal investigation and prosecution would follow. Will this happen in this case? I doubt it. Will the truth come out? Again I doubt it, particularly as Civil Servants have been told to keep quiet or risk prosecution under the Official Secrets Act.

Government departments with their immunity from prosecution are often cavalier with the rules that apply to the rest of us.

This scandal should bring down the Government or as an absolute minimum result in the sacking of the Chancellor.

However for the law-abiding and professional users of data here are the basic precautions that should be taken when transmitting sensitive data:
  • Never send data over the internet unless securely encrypted;

  • Never send more data than is actually required;

  • If data is to be burned onto CD or DVD, it must be properly authorised and the disks numbered, monitored and tracked.

  • Never send disks of this type by post;

  • If they need to be sent to another location, a hand to hand transfer is most secure followed by a data tracking delivery and lastly by a registered method.

  • Once the disks have been used they should be returned to the originator by a secure method for destruction.

  • If there is an apparent loss of disks then an immediate and high priority search should be made and interested parties informed.
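The numbering, monitoring and tracking described in the list above can be kept as a simple custody register. The following is an added example, not part of the original post: a register that records who holds each numbered disk, only allows events in the expected order (issued, in transit, received, destroyed), and reports any disk that has been in transit for longer than an agreed number of days, which is the trigger for the immediate search the last point calls for. The disk numbers, names and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date


class CustodyError(Exception):
    """Raised when a disk event is recorded out of order (e.g. destroying a disk still in transit)."""


@dataclass
class DiskRecord:
    serial: str                 # the disk's number, e.g. "QM-2007-0001" (constructed format)
    authorised_by: str          # who authorised the disk to be produced
    holder: str                 # who currently has custody
    status: str = "issued"      # issued -> in-transit -> received -> destroyed
    events: list = field(default_factory=list)   # (date, status, holder) history


class DiskRegister:
    """Custody register for numbered disks: every movement is logged, and anything in
    transit for longer than max_transit_days is reported as a possible loss."""

    def __init__(self, max_transit_days=2):
        self.max_transit_days = max_transit_days
        self.disks = {}

    def authorise(self, serial, authorised_by, on):
        """Record the authorised creation of a numbered disk."""
        if serial in self.disks:
            raise CustodyError(f"{serial} is already registered")
        rec = DiskRecord(serial, authorised_by, holder=authorised_by)
        rec.events.append((on, "issued", authorised_by))
        self.disks[serial] = rec

    def _transition(self, serial, allowed_from, new_status, on, holder):
        rec = self.disks.get(serial)
        if rec is None:
            raise CustodyError(f"{serial} is not registered")
        if rec.status not in allowed_from:
            raise CustodyError(f"{serial}: cannot move from {rec.status} to {new_status}")
        rec.status, rec.holder = new_status, holder
        rec.events.append((on, new_status, holder))

    def dispatch(self, serial, carrier, on):
        """Hand the disk to a carrier (courier or named person) for a tracked delivery."""
        self._transition(serial, {"issued", "received"}, "in-transit", on, carrier)

    def receive(self, serial, recipient, on):
        """The recipient (or the originator, on return) signs for the disk."""
        self._transition(serial, {"in-transit"}, "received", on, recipient)

    def destroy(self, serial, witness, on):
        """Only a disk that is physically in hand can be destroyed."""
        self._transition(serial, {"received"}, "destroyed", on, witness)

    def overdue(self, today):
        """Disks in transit longer than max_transit_days: the trigger for an immediate search."""
        late = []
        for rec in self.disks.values():
            if rec.status == "in-transit":
                days = (today - rec.events[-1][0]).days
                if days > self.max_transit_days:
                    late.append((rec.serial, rec.holder, days))
        return late


def build_sample_register():
    """Constructed scenario: one disk completes its round trip, one is never signed for."""
    reg = DiskRegister(max_transit_days=2)
    reg.authorise("QM-2007-0001", "data owner", date(2007, 11, 1))
    reg.dispatch("QM-2007-0001", "courier A", date(2007, 11, 2))
    reg.receive("QM-2007-0001", "recipient site", date(2007, 11, 3))
    reg.dispatch("QM-2007-0001", "courier A", date(2007, 11, 5))   # returned to the originator
    reg.receive("QM-2007-0001", "data owner", date(2007, 11, 6))
    reg.destroy("QM-2007-0001", "data owner", date(2007, 11, 7))
    reg.authorise("QM-2007-0002", "data owner", date(2007, 11, 1))
    reg.dispatch("QM-2007-0002", "courier B", date(2007, 11, 2))   # never signed for
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for serial, holder, days in reg.overdue(date(2007, 11, 10)):
        print(f"{serial}: with {holder} for {days} days - start the search and inform interested parties")
```

The state machine is deliberately strict: a disk that was never signed for cannot be marked destroyed, so the register cannot be tidied up to hide a loss, and the overdue report is what turns "apparent loss" into a dated, named event.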

These are the basics which seem to have been ignored by the custodians of our personal information.

If the Government is to hold even more data (ID cards for example) then their systems have to be bomb proof.

Industry is adopting ISO27001 - information security management - to protect data and so it should. It is a sad reflection on HMG that these standards are not adopted by them.

Saturday, 3 November 2007

BS OHSAS 18001:2007 - Health & Safety Management

18001 has at last been issued as a formal standard which can be assessed and a certificate issued. Previously the guidelines could be adopted but didn't carry the same weight as a British Standard. Many organisations wanted a recognisable occupational health and safety management system standard that could be assessed and certificated.

The format of the standard is similar to the template set for ISO9001 (the quality standard) and ISO14001 (the environmental standard). The structure of all three standards allows for integration if desired.

There are elements of commonality:
  • Management review

  • Internal audit

  • Non-conformity control

  • Evaluation of compliance

  • Performance measuring

  • Document control

  • Control of records

  • Communication

  • Competence, awareness and training

  • Control of resources

  • Objectives & targets

Many organisations are choosing the integrated approach to incorporate 'industry best practice' to maximise compliance with the raft of regulations facing businesses today. Certification provides independent evidence of compliance which can be used to offset any problems in the quality, environmental or H & S areas.

Sunday, 28 October 2007

Myths Surrounding ISO27001 Information Security

This week I am carrying the series of myths forward and this time surrounding Information Security (ISO27001).

  1. Information Security is for big companies.

    False. Most small companies (and individuals) are targeted at some time.

  2. My computer has virus control software so I am safe.

    False. Anti-virus software is only one area of protection.

  3. I have turned off the Microsoft Automatic Update to protect my computer.

    False. Auto-update provides security patches to help protect your computer.

  4. I always tear up sensitive paper information before putting it in the dustbin to protect myself.

    False. Tearing up paper is never as secure as shredding.

  5. Cutting a credit card in half makes it useless to a thief.

    False. Shred any credit cards no longer required, as a thief can copy the details and your signature.

  6. Email is a secure method of communication.

    False. Unless you encrypt your email, it is visible.

  7. I can't remember complex passwords so I use my dog's name, but that is secure.

    False. A hacker will run a dictionary test to find easy passwords like this.

  8. My company insists on 8 digit passwords so I have to write them down – but this is safe.

    False. Writing down passwords is a bad idea and is full of risk.

  9. In my company we all share a generic password but this is secure.

    False. If there is a problem with a generic password it is almost impossible to find out who is responsible.

  10. When we get new computers we always format the old hard disks to ensure they cannot be hacked.

    False. Hard disks should be physically destroyed, otherwise data can be recovered, sometimes by simply un-formatting.
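Myth 7 is the one a system administrator can do something about at the point the password is chosen. The following is an added example, not code from the original post: a policy check that rejects a password built on a dictionary word even when it has been disguised in the usual ways (capitals, digits tacked on the end, digits standing in for letters), which is exactly the kind of guess a dictionary test tries first. The word list is a constructed stand-in for the large list a real checker would load; the minimum length of 8 follows myth 8.

```python
import re

# Constructed word list standing in for the large dictionary a real policy checker would load.
# Pet names and common words are the point of the post, so a few are included.
DICTIONARY = {"password", "rover", "fido", "tiddles", "summer", "welcome", "letmein", "qwerty"}

# Common digit/symbol-for-letter substitutions, undone before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _normalised_forms(password):
    """Candidate base words: lowercased, with leading/trailing digits or symbols stripped,
    each with and without the substitutions undone."""
    p = password.lower()
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)
    return {p, stripped, p.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def dictionary_weakness(password, dictionary=DICTIONARY):
    """Return the dictionary word the password is based on, or None if no form matches."""
    for form in _normalised_forms(password):
        if form in dictionary:
            return form
    return None


def check_policy(password, min_length=8, dictionary=DICTIONARY):
    """Return the list of policy failures for a candidate password (empty means it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    base = dictionary_weakness(password, dictionary)
    if base is not None:
        failures.append(f"based on dictionary word '{base}'")
    classes = sum(bool(re.search(pat, password)) for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        failures.append("uses fewer than three character classes")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the dog's name in several disguises, and two others.
    for candidate in ("Rover1", "R0v3r2007!", "Tr0ub4dor&3x", "correct-horse-battery"):
        result = check_policy(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The check normalises rather than enumerating variants, so it stays cheap however long the dictionary is; the trade-off is that only simple disguises (case, edge digits, single-character substitutions) are caught, which is still far more than a plain string match.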

Information security is everyone's responsibility.

Sunday, 21 October 2007

ISO9001 Quality Management System Myths

There are loads of myths concerning ISO9001 and most are perpetuated by those who are ignorant of the true facts; nevertheless I hear these repeated as though they were absolute gospel.

Here are just some of these:

ISO9001 is a bureaucratic system which requires a piece of paper for everything.

False. The system should work for the organisation and not the other way round. If set up correctly ISO9001 will prove highly beneficial. Paper heavy systems are really out of date.

Dictates how any business must be run.

False. The standard states that all businesses are different and that the standard should be adapted to fit the business and not be prescriptive so that the business has to fit the standard. However the main elements are parts of any good practice system and there is no 'Rocket Science' involved.

Inflexible system.

False. If correctly set up the system will allow for unexpected events and can be as flexible as you need it to be.

Directors only must sign off all released work.

False. It is usual for identified job functions to release work but these do not have to be Directors. Most good systems will allow deputies to release work if the primary release person is unavailable.

Costs a fortune to set up and run.

False. The actual assessment and certification fees vary between certification bodies and of course the size of your company but these can be very reasonable.

As far as setting up your system, you could do it yourself. It could be more effective in the longer term to employ the services of a qualified consultant who will utilise best practice.

Requires huge quality manuals.

False. The days when manuals filled a bookcase and were almost too heavy to lift are long gone.

Requires procedures for everything.

False. The standard specifies only six mandatory procedures: document control, control of records, internal audit, control of non-conforming product/service, corrective action and preventive action. Most businesses will have other process-orientated elements documented, but these are decided by the management of the business.

You can produce faulty products and still meet ISO9001 provided you do it all the time.

False. Customer satisfaction is a primary measure. Poor quality products would mean dissatisfied customers and would not meet ISO9001.

Does not allow for quick turnaround of urgent work.

False. ISO9001 does not hinder fast turnaround of orders; in fact it ensures that records are kept to show what has been done and when.

Must answer a phone by the third ring.

False. There is no mention of this in ISO9001. Some call centres have this as a requirement but it is certainly not specified in the standard.

The standard says "Say what you do - do what you say and prove it".

True. The standard uses the PDCA model - Plan, Do, Check, Act.

Most good businesses are already doing most of the requirements of ISO9001.

True. Enough said?

Sunday, 14 October 2007

Security of Credit Cards

The criminal fraternity are again turning their sights on credit cards, not just in the UK where face to face sales and chip and pin have made considerable reductions in fraud, but in 'Customer not present' transactions, often on the internet where fraud has risen.

The real growth area for fraud has been in overseas transactions, particularly where chip and pin has not been fully implemented. These transactions use the magnetic stripe on the back of the card and a signature for evidence of card ownership. There are a great number of counterfeit cards doing the rounds and these net the thieves a considerable bounty.

We all pay the costs of these frauds in card charges and interest rates, so it is in all of our interests to combat this fraud wherever possible.

There are various systems which can help to prevent these frauds but most rely on cardholders taking responsibility:

  • Ensure that your card does not get taken away for scanning (it could be copied)

  • Always shield the keypad when entering your four digit pin (opportunists can see your pin)

  • Never tell anyone your pin number (that is just plain stupid)

  • Never lend your card to anyone else (that is worse)

  • Take receipts for ATM transactions away with you and do not put them in the bin provided by the ATM owner (the information contained on these slips could be useful to thieves)

  • If you are suspicious about a transaction tell the card issuer (common sense)

  • Tell your card issuer if you are going abroad so they don't suspend your card for unusual transactions (prevents embarrassment)

Taking these sensible precautions could help stop these unscrupulous people from taking your money.

Protect your Cards from Fraud

Sunday, 30 September 2007

Monitoring and Measuring Devices

Both ISO9001 Quality Management and ISO14001 Environmental Management systems require that devices used for making meaningful measurements or tests should be calibrated or verified before use. Any calibration must be traceable to a National or International Standard.

There is an increasing trend for small companies to purchase so called "calibration boxes" and do it themselves. While this may be adequate as a verification it cannot take the place of a proper calibration by a calibration house.

I have witnessed the level of checking that takes place during a routine calibration and in comparison with a quick plug in check shows how much risk could be generated by not knowing the level of uncertainty.

Some electricians and electrical system testers are relying on the calibration box to assure themselves that their equipment is accurate. This may not be the case and if (when) someone is injured or killed their Insurance Company may void the policy for the company and the liability would then revert to the directors/owners for compensation. This could mean seizing of assets, and at worst bankruptcy.

The small amount of money that is saved by the DIY calibration route may well prove to be an expensive option. In addition the loss of reputation and damage to personal pride in the job may well have far reaching consequences.

Generally, the 'calibration boxes' that are available today are designed to be used for a daily or weekly check of the proper operation of equipment. However, such checks should no more be relied upon as a demonstration of accuracy than you would rely upon a check of the dipstick to replace servicing of a modern motor car.

The message is clear: If you use any monitoring and measuring equipment that is used for making meaningful measurements or tests then have it calibrated by a professional calibration house to ensure that the risk is minimal.

Friday, 21 September 2007

ISO9001 Certification or Not

Many organisations put a quality management system into place but don't go forward to formal certification. This is usually due to the fear of failure and of course cost.

The advantages of formal certification are many:
  • An independent verification of the organisation's quality arrangements;

  • Formal recognition, that is accepted world-wide;

  • Continuing checks that the system is still valid;

  • Requires evidence of continual improvement.

Systems that are not formally certified tend to drift over time. It is often the case that the system will deteriorate and the people involved with the quality management system are so close to it that they don't actually see the downward trend.

Where formal certification is used there is always a degree of uncertainty about the regular surveillance visits: "What will the assessor find?", "Will he/she still recommend continuing certification?"

It is this regular routine that ensures that the system retains that edge and still meets the needs of the organisation.

When all is said and done, the organisation wants to see some benefits from a quality management system and this can only really be achieved by third party certification.

Sunday, 9 September 2007

ISO9001 vs ISO27001


What is ISO9001?

  • A Quality Management system for turning customer requirements into customer satisfaction.

  • Provides the mechanism for continual improvement.

  • A set of common sense guidelines for running a successful business.

What are the benefits of ISO9001 Registration?

  • Internationally recognised quality mark

  • Certificates awarded by independent accredited organisations.

  • Customers do not have to do their own checks on a supplier.

How many ISO9001 Certificates have been issued?

Over 1 million worldwide.

The Model for ISO9001

What is covered by ISO9001?

BS EN ISO 9001:2000 requires 5 main sections to be addressed; these are:

  1. Quality Management System;

  2. Management Responsibility;

  3. Resource Management;

  4. Product Realisation;

  5. Measurement, Analysis and Improvement

Each section is subdivided as required and covers all elements of the business having an impact on quality.


What is ISO27001?

  • An Information Security Management System for protecting customer information and data from unauthorised disclosure.

  • Confidentiality, Integrity and Availability

  • Risk assessment and management

  • Access controls and computer security

  • Protection of hardware and software assets

  • Business continuity management and disaster recovery

What are the benefits of ISO27001 Registration?

  • Internationally recognised Information Security Mark.

  • Certificates awarded by independent, accredited organisations.

  • 3rd Party assurance of information security credentials.

How many ISO27001 Certificates have been issued?

Under 4000 worldwide (includes BS7799 certificates)

The Model for ISO27001

What is covered by ISO 27001?

ISO27001 requires 5 main sections to be addressed; these are:

  1. Management Responsibility;

  2. Internal ISMS Audits;

  3. Management Review;

  4. ISMS Improvement

Correlation between ISO9001 and ISO27001


How long does it take to obtain certification?

This obviously varies from organisation to organisation, but the prime requirement is that the organisation must have three months of 'track record' from completion of the document set.

As a rough guide, ISO9001 can be achieved in about 6 months while ISO27001 takes about 12-18.

What documentation is needed?

A Quality & ISMS manual and procedures/processes for operating the systems.

Once certificates are issued what happens next?

The certification authority will carry out surveillance visits each year to ensure continued compliance.

Thursday, 30 August 2007

Phishing and Computer Security

I am sure everyone has received an email advising them that their bank has introduced some new security method which requires them to enter passwords and other security details into a web page or face discontinuation of a service.

This is called PHISHING and is usually carried out by criminals to persuade innocent victims to give away information that they may use to gain access to bank accounts, credit card accounts or other financial accounts.

It usually starts with an email

'The xyz bank has recently upgraded its security systems to make your account more secure and to protect your account from unauthorised access. To ensure that these new security measures are applied to your account you must change your password.
Click on the link'

If you click on the link you are taken to a web-site which looks remarkably like the web-site for your bank; cheekily, it may even carry a warning that you should take care to make sure any information you provide is secure. You are invited to enter your security details. By doing this you have provided the phisher with the information needed to steal your money.

No bank or other financial institution would ever ask you to enter these details in an email.

If in any doubt carry out the following:

  • Never put passwords into an email (email is not secure)

  • If asked to click on a link, hover your mouse over the link and check whether the address shown in the hover information is the same as the link text

  • If possible type in the web information you hold already for your bank

  • On a bank website look for the closed padlock symbol which shows that the site is secure

  • If it looks at all suspicious don't do anything with it

  • Forward the email to your bank for them to deal with it

  • Telephone your bank and ask if the email is genuine

  • If you have been fooled and do enter information into a phishing web-site, contact your bank immediately and tell them what you have done. This may mean that your account is frozen while action is taken. You will have to change passwords of course.
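The "hover and compare" check in the list above is something mail filtering can do for every link before the message reaches anyone. The following is an added example, not code from the original post: it parses the links out of an HTML email, flags any whose visible text shows one address while the href points at another, and flags any href whose host is not the bank's own domain (including the trick of putting the bank's name in front of an unrelated domain). The bank domain `xyzbank.example.com` and the sample message are constructed for the example; the `xyz bank` wording follows the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of HTML e-mail the post describes: the visible text
# names the bank, but two of the three links actually lead somewhere else.
SAMPLE_EMAIL_HTML = """
<p>The xyz bank has recently upgraded its security systems.</p>
<p><a href="http://xyz-bank-secure-login.example.net/verify">https://www.xyzbank.example.com/login</a></p>
<p><a href="https://www.xyzbank.example.com/help">Help centre</a></p>
<p><a href="https://xyzbank.example.com.attacker.example/">www.xyzbank.example.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_like):
    """Lowercase hostname of a URL, or of bare text such as 'www.host/path'; None if absent."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def _looks_like_url(text):
    """Visible link text that reads as an address, which is what the hover check compares."""
    t = text.strip()
    return bool(t) and " " not in t and "." in t and not t.endswith(".")


def _is_trusted(host, trusted_domain):
    """True only for the domain itself or a real subdomain of it, not a look-alike prefix."""
    return host == trusted_domain or host.endswith("." + trusted_domain)


def check_links(html, trusted_domain):
    """Return one finding per link: its href, visible text, and the reasons it is suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = _host(href)
        if href_host is None:
            reasons.append("link has no hostname")
        elif not _is_trusted(href_host, trusted_domain):
            reasons.append(f"link goes to {href_host}, not {trusted_domain}")
        if _looks_like_url(text):
            text_host = _host(text)
            if text_host and href_host and text_host != href_host:
                reasons.append(f"visible text shows {text_host} but link goes to {href_host}")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML, "xyzbank.example.com"):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status}: {f['text']!r} -> {f['href']}")
        for reason in f["reasons"]:
            print(f"    {reason}")
```

The trusted-domain test uses a suffix match on the hostname with a leading dot, which is why the third sample link is caught: its host merely starts with the bank's name and ends with someone else's domain.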

Phishing is the number one method at the moment for fund generation by criminals.

Don't fall for it

Wednesday, 22 August 2007

Business Continuity Planning

The flooding in July has shown that companies with proper business continuity plans have done well, with little or no interruption in services. Those companies with no business continuity plans in place have fared less well: some were caught napping, their systems went down with no certainty about resumption dates, and doubts about insurance cover may mean that some companies cease to trade.

A basic Business Continuity Plan looks at possible threats to the company and what action would be appropriate in these circumstances, moreover the actions are tested before disaster strikes and any corrective actions incorporated.

Plans that are put in place but are untested often fall at the first fence; an example of this is the company that has an uninterruptible power supply in place to deal with mains power loss, but takes no account of an interruption lasting an hour or more when the UPS power is exhausted.

Most of the planning is just common sense, but tell that to those companies facing ruin.

Monday, 30 July 2007

Be Kind to the Planet (and your Pocket)

While reviewing the energy usage both at work and at home I did some research on the subject of hot water and central heating. I found that although our boiler at home was only 12 years old it was rated as a G on the modern scale, where A is the most efficient 95-98% and G the least efficient 20-30%.

This prompted me to look deeper into the subject. A normal boiler where the oil, or gas in our case, heats the water and transfers it to a storage tank is the most inefficient method of all; the losses are great even with a fully lagged cylinder.
A combi boiler is one where the water is heated on demand and is 60% more efficient than the indirect method. A combi condensing boiler is one where water is heated on demand and the hot exhaust gas normally vented to the air is used to heat a secondary coil; this extracted heat is then used to heat water. In addition exhaust gas emission is drastically reduced.

I decided on this combi condensing boiler as the one of choice. It is A-rated and heats the water as and when I need it. In addition it has a preheat facility that is turned off in summer that keeps a small reservoir of water hot so that there is no delay in obtaining hot water. The system also provided central heating.

I am assured that my gas bill will be drastically reduced as the change to a combi boiler will save 60% and then the condensing boiler will save a further 80% of the remainder.

At this rate my gas supplier should be paying me! But I believe I am in for a pleasant surprise when my next bill is due, and I have the satisfaction that my CO2, CO and NOx emissions are much reduced.

Monday, 23 July 2007

Spam and Computer Security

Spam, or unwanted email, is often seen as a nuisance rather than a threat, but the reverse can be the case. Spam can fill your inbox rapidly, tie up your servers and desktops processing needless data and sometimes the spam carries an unwanted payload of Trojans or viruses.

There are many anti-spam programmes available and while these can cut down the amount of spam received they cannot stop it altogether. Any system that will block 100% of spam will also block good email so there is a trade off to be considered.
Anti-spam systems should always be accompanied by good anti-virus measures. These anti-spam and anti-virus programmes also need to be kept up to date, otherwise they soon become relatively useless.

The one thing you should never do is to respond, even in anger, to spam; to do so will result in even more spam because responding simply proves that your email address exists and will certainly be sold on to another spammer.

Eventually Governments will act against spammers but until that happens the byword is vigilance.

Monday, 9 July 2007

Green Living

I recently took delivery of my new car, a Honda Civic Hybrid, and was pleasantly surprised to find that it drove like a 2-litre car but in reality only had a 1300 cc engine.

For the uninitiated a hybrid car has a small engine and an electric motor in series. The gearbox is a CVT (continuously variable transmission) so no automatic gear changes are perceptible. In normal motoring the car uses the small engine; when you need more power, the electric motor assists the engine and conversely when less power is needed the car charges the batteries, equally when braking the energy is directed to the batteries as well.

The one feature which was initially unsettling was that the engine stops when at a standstill with the footbrake applied. Releasing the footbrake starts the engine again.

The dashboard has an additional dial which indicates the state of charge of the batteries and an indication of assist (using the stored power from the batteries) or charge (putting power back into the batteries).


Do the batteries need recharging?
No, they are automatically charged when the car is used.

Do the batteries make the boot very small?
No, the 150 volt batteries sit behind the rear seat so the boot is a normal size.

What MPG is available?
The car is new so 50 MPG is what I am getting now, but I am assured that this will increase as the car loosens up, although the published top MPG of 65+ I think is unrealistic.

What are the other advantages?
Exempt from the London Congestion charge, £18 road tax and low CO2 emissions.

Is the car reliable?
Honda comes top in the car reliability stakes.

Thursday, 28 June 2007

Why the use of an External Consultant Makes Sense

Employment costs are probably the biggest overhead that any organisation has to cover. Specialist employees such as a Quality Manager, Environmental Manager, Information Security Manager or Internal Auditor are not only hard to find but attract a premium in salary and total package.

A number of companies are taking the view that it is better to use the services of a specialist consultancy where a consultant is used for a specific task or period of time. There are a number of advantages in this sort of arrangement; consultants are paid only for the work or time involved, consultants are not 'employed' so do not have paid holidays, sickness, time off for domestic or social reasons, do not require pension or other benefits. And as they are not employed, no disciplinary processes and/or extended periods of notice are required to terminate a contract. There is also no risk of the dreaded Employment Tribunal.

The consultant is usually an 'expert' in the chosen field and will often have a greater depth of experience than the equivalent employee.

Used on a short term basis a consultant represents good value for money as there are no overheads to take into consideration.

But be sure that the consultant is covered by the rules of a governing body such as the Institute of Business Consulting (IBC) and is covered by appropriate Business Indemnity Insurance.

Consultants Are Good Value

Thursday, 21 June 2007

Laptop Data Safety

Basic levels of password protection on laptops are easily overcome by the experienced thief and this is causing considerable concern within the industry.

There are two things you should do:

  1. Physical security - Don't let your laptop out of your sight. Never leave it unattended in a public place. Never leave it in the boot of your car overnight at hotels. Always use a steel cable to attach it to a firm structure when in use outside your normal environment.

  2. Electronic security - Don't have sensitive data on a hard disk in the first place. Use a complex password and if possible second level authentication, such as a token or other device. When the laptop is on but is not being used, use the electronic lock facility to activate the password entry facility. Use a password on any screensaver.

That takes some account of security for the laptop, but with attached devices such as SD cards and USB pen-drives the situation is different:

Anyone stealing the SD card or pen-drive can read the data on any computer with suitable software. This is a clear point of vulnerability; the best protection for this type of device is to encrypt it so that it is useless without the decryption key.

This protection is no longer the expensive option it used to be, with open source software freely available. The best of these encrypt and decrypt on the fly, are transparent to the authorised user, and render the device useless to a thief; in many cases the encrypted device simply appears to be blank. The passphrase that unlocks the device is the whole of the protection: a thief can try guesses offline with no lock-out, so it needs to be a strong one.

ISO27001 and Laptop Security

Thursday, 14 June 2007

Quality is not an Option, it is Essential

Any organisation is unlikely to last long if quality is not built into the product or service supplied. Most purchasers will be looking for that little extra when making a buying decision; this could be a superior after sales service, fast delivery or better value but in every case quality is assumed, if this base quality level is not in place then the purchaser will look elsewhere.

With this in mind many organisations will choose ISO9001 as their preferred method of demonstrable quality. ISO9001 is a third-party assessed system, so it is an independent body that certifies the quality management system of the organisation; this says much more than any self-certifying system can.

There are over a million organisations certificated to ISO9001 and there are many more in the pipeline.

Tuesday, 5 June 2007

Don't Hit Your Laptop

I was with a client recently and using my HP laptop when it suddenly stopped working, froze completely and refused to do anything at all. I tried to shut it down with Ctrl-Alt-Del, but nothing. I was getting very frustrated by this time and, uncharacteristically, I lost it: I thumped the keyboard. Result: the screen went blank and the laptop never worked again.

This was an expensive tantrum as I had to buy a new laptop, software and then spend what seemed a lifetime setting up the machine.

Worst of all I have lost some important data. I do of course back up but on this occasion this component was missed. A security lapse which shouldn't have happened.

Don't take it out on machines; they don't care.

Thursday, 24 May 2007

Memory Sticks, Sd Cards and Other Removable Media

ISO 27001 calls for controls to be implemented on removable media to stop unauthorised access/ transmission of data. It is not unknown for a disgruntled employee to download data containing commercial information onto some form of portable memory device just before leaving employment. This can be customer information, product information, designs or drawings.

The compromise of these documents can be very damaging for the employer. It does not matter that the employee has signed a confidentiality agreement; by then the damage is done.

Sensible employers who wish to prevent data being copied off can block transfers to USB storage and similar devices through Computer Group Policy, applied from the network at boot. On Windows Vista and later this is the 'Removable Storage Access' policy; on older systems the USB mass-storage driver (USBSTOR) can be disabled instead. Either way the port remains usable for a keyboard or mouse. Bear in mind that this closes one route only: email, web upload, a camera phone or a printout remain, so the policy needs the other controls alongside it.

A less effective method is a 'No USB memory sticks' condition in the employee's terms and conditions, but this needs to be policed.

I am constantly surprised that companies that are normally careful with computer data have no firm policy on removable or portable memory devices.

I have spoken here about USB sticks but this applies equally to SD cards, iPods, etc. The relatively large capacity of these devices, often gigabytes in size, means that a considerable amount of data can be copied in one go.

Security of data must be extended to portable memory devices.

Tuesday, 15 May 2007

Integrated Management Systems

There are many management systems that companies are employing such as Quality Management, Environmental Management, Information Security Management, Food Safety Management, IT Service Management, Health and Safety etc. Usually each requires a set of manuals and forms to satisfy the requirements of each standard.

The modern approach is to use an integrated approach and employ one manual, one set of procedures and when it all works, one formal assessment by an Accredited Certification body. This approach reduces paperwork, reduces the number and complexity of internal audits and the inevitable disruption that these audits generate.

Companies that have adopted the integrated approach have seen a significant benefit to their organisations.

The usual integrations are:

  • quality ISO9001 + environmental ISO14001

  • quality ISO9001 + Health and Safety OHSAS 18001 + environmental ISO14001

  • quality ISO9001 + Information Security ISO27001

  • quality ISO9001 + IT Service Management (ISO20000)

  • quality ISO9001 + Food Safety Management ISO22000

It is clear that quality management is the base standard and others are integrated with it.

Sunday, 6 May 2007

Security in the workplace

ISO27001, the information security standard, calls for physical security of the building to be part of the overall system.

Most companies will have some security on the front door; it could be a fully manned reception desk, a keypad entry system or simply a locked door. Anyone intent on gaining unauthorised access will usually target another entry point: an insecure window or, better still from their point of view, a rear door or fire door that has been left ajar for those who smoke.

I have seen some quite secure buildings which are neglecting the "back door".

In the warmer months of the year companies that do not have air conditioning often prop open rear doors to allow for better air circulation.

If no one is watching a thief or data gatherer can simply walk in.

Tuesday, 24 April 2007

Carbon Footprint

Open any publication and you are sure to find a reference to carbon footprint and the impact that this footprint has on the environment, from destroying the polar ice caps to altering the weather. There is little doubt that the evidence is irrefutable; mankind has done some real damage to the planet and its ecosystems.

What is a carbon footprint and what is a carbon neutral company?

Your carbon footprint is the amount of CO2 (carbon dioxide) that you and your business put into the atmosphere. The direct causes are business activities including manufacturing, processing and service industries, as well as leisure activities and our own homes. We can all reduce this impact by using less electricity, gas, oil and water and by buying materials locally to cut down on transportation. Flying less, driving smaller cars, recycling and buying food that is in season all have a positive impact on your carbon footprint. However, don't think that recycling has no effect on the environment: there is a carbon cost to recycling, although less than manufacturing a new item.

If you are carbon neutral you are offsetting the amount of carbon dioxide you produce by providing (or getting others to provide) a positive impact on the environment. Tree planting is a good way to offset carbon dioxide production as is the use of renewable energy from wind, solar power or wave power and the use of renewable sources of fuel such as sugarbeet, oilseed and all other bio-fuels. If you can balance the amount of CO2 produced by these offset methods you are considered to be carbon neutral.

If this is part of a comprehensive environmental management system such as ISO14001 the rewards are even greater.

Monday, 16 April 2007

Poor Security in Wireless Connections

I am often early for appointments with my Clients (by design, as I hate being late) and to while away the time I often turn on the wireless function on my laptop. I am staggered just how many businesses, and home users, leave their WiFi unprotected!

They possibly do not understand the implications, but this ignorance can be costly in terms of poor security.

There are two standards for protecting a WiFi set-up: WEP (Wired Equivalent Privacy) and WPA (WiFi Protected Access), which comes as WPA1 or WPA2. WEP is the older of the two and its encryption has been broken: with freely available tools a WEP key can be recovered from captured traffic in minutes, so it should be regarded as better than nothing but not as protection. Wherever possible I recommend that WPA2 is used; it is far more secure and uses a better cipher (AES-CCMP) than WPA1's TKIP, and both are far superior to WEP.

WPA requires you to set up a pass-phrase of 8 to 63 characters rather than the fixed-length hexadecimal key (10 or 26 hex digits) that WEP uses.
I would be surprised if a hacker could guess a pass-phrase, and it certainly would defeat all but the most determined dictionary attack.
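The following is an added example, not code from the original post, showing what a dictionary attack on a WPA/WPA2 pass-phrase actually costs an attacker and where the line between a weak and a strong pass-phrase lies. It implements the key derivation that WPA-Personal specifies (PBKDF2-HMAC-SHA1 with the network name as salt, 4096 rounds, 256-bit output) and runs a guess-and-check loop over a small constructed word list. The SSID, the two pass-phrases and the word list are constructed for illustration; the one published test vector (pass-phrase "password", SSID "IEEE") is used as a self-check of the derivation.

```python
"""WPA/WPA2-Personal key derivation and a toy offline dictionary attack.

Added example, not code from the original post. The SSID, passphrases and
word list below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Iterable, Optional

PBKDF2_ROUNDS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-Personal
PSK_LEN = 32          # the 256-bit Pairwise Master Key


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so the same passphrase gives a different PSK on
    every network name and a pre-computed table only works for one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_LEN)


def known_answer_check() -> bool:
    """Test vector published in IEEE 802.11i: passphrase 'password', SSID 'IEEE'."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return hmac.compare_digest(wpa2_psk("password", "IEEE"), expected)


def dictionary_attack(target_psk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess-and-check, as an attacker does after capturing a 4-way handshake.

    A real cracking tool confirms each guess against the handshake MIC; comparing
    the derived PSK here has the same per-guess cost (one PBKDF2 of 4096 rounds).
    Nothing is sent to the access point, so it cannot lock the attacker out.
    """
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:
            continue  # cannot be a WPA passphrase; skip without paying for PBKDF2
        if hmac.compare_digest(wpa2_psk(guess, ssid), target_psk):
            return guess
    return None


# Constructed word list standing in for the top of a real leaked-password list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password1",
            "iloveyou", "sunshine", "football", "welcome1", "abc12345"]


def demo() -> dict:
    """Crack a weak passphrase, fail on a strong one; return both outcomes."""
    ssid = "QualityMatters-Office"  # constructed network name
    weak = wpa2_psk("password1", ssid)
    strong = wpa2_psk("Tea at 4pm, then the audit.", ssid)
    return {
        "weak_recovered": dictionary_attack(weak, ssid, WORDLIST),
        "strong_recovered": dictionary_attack(strong, ssid, WORDLIST),
        "same_phrase_other_ssid_differs":
            wpa2_psk("password1", "Guest-WiFi") != weak,
    }


if __name__ == "__main__":
    print("known answer test passed:", known_answer_check())
    print(demo())
```

The point to take from the loop is that the 4096 rounds slow each guess down to a few milliseconds, which is no obstacle to a word list of a few million entries run overnight, but is a complete obstacle once the pass-phrase is not in any list; a long, unusual phrase that is easy to remember beats a short complex one.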

Here I have spoken about basic WiFi security, but without this protection your system is like an open door: at best it allows others to use your bandwidth, at worst it allows access to your systems with all the risks that unauthorised access can bring.

Would you leave your front door wide open?

Wednesday, 4 April 2007

Internal Auditor Training on your Site

It is well known that training for internal quality or environmental auditors is a requirement of both ISO9001 and ISO14001 Standards. The usual way is to find a company offering audit courses and then to arrange for your trainee auditors to attend the course and receive a certificate (if they pass).

Although this method does provide your auditors with proper training in auditing, the product or service element of the course is unlikely to be an exact fit for your business, even though training in audit principles and specimen tasks will be provided.

An ideal solution is to have the audit training provider tailor make the course to fit your own organisation; this way your auditors will have proper training in the standards and auditing, plus audit practice on your own production or service provision.

This may be a little more expensive but will pay dividends in targeted training which will shorten the learning curve. Your auditors will have the advantage of bespoke training and

Bespoke auditing training for medium and large organisations

Monday, 26 March 2007

Why you should use a UKAS Accredited Certification Body

You have done all the hard work and your management system is ready for External Certification. It should be straightforward and after one or more days of intensive investigation, the Assessor finally declares your management system compliant to the appropriate standard.

This is how it should be; however, there are companies touting for business that offer certification on the cheap and in double quick time. These are companies not accredited by UKAS that offer a certificate for a fee. The certificate issued is usually recognised only by them and does not stack up against one from any of the UKAS accredited bodies. It could be a complete waste of money.

How can you tell if the certification body is accredited by UKAS? Look it up on the UKAS web-site. Accredited bodies can display the distinctive crown and tick. If they do not have accreditation then their certificate will not bear the UKAS logo and is potentially worthless. You may only find this out when sending a copy of your ISO9001 or ISO14001 certificate to a prospective customer and having it rejected.

Reputable consultants recommend only UKAS accredited Certification Bodies.

Thursday, 15 March 2007

ISO27001 and Hard Disks

We all tend to take our hard disk drives very much for granted; they start each day and provide sterling service with a little care and a bit of housekeeping such as defrag and cleanup.

A disk drive consists of platters of magnetic material spinning at high speed with a read head flying less than the breadth of a human hair above them. The smallest deviation will result in the head crashing into the platter with disastrous results. Add to this the mechanics and electronics of the thing, and it is not surprising that ALL disk drives will fail; yes, 100% of them.

If you have been clever and have taken good backups of your data, and have verified that the backup is good, then you will have only a moderately bad time reinstalling the programs and settings. If you have been super efficient and have used a mirrored RAID system, where the information on one disk is mirrored onto another, then a failed disk will cost you very little down-time. Bear in mind that a mirror is not a backup: a file deleted or corrupted on one disk is deleted or corrupted on the other at the same instant, so the backup is still needed.

The sad thing is that very few organisations have a full mirror set-up, not all organisations have a verified back-up and some organisations have no back-up at all. Irretrievable loss of all data can be very damaging, if not fatal, to an organisation.

ISO27001, the Information Security Management Standard, calls for controls covering how backups are taken and regularly tested, how backup media are protected, and how redundant media are decommissioned and disposed of. Note the word tested: a backup that has never been restored is only a hope.
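As an added example, not code from the original post, here is the kind of check that turns "we take backups" into "we have verified the backup is good": it hashes every file in the live tree and in the backup copy and reports what is missing, what is corrupt and what should not be there. The directory layout, file names and contents are constructed in a temporary directory so the script runs stand-alone; point `verify_backup` at a real source and backup path to use it for real.

```python
"""Verify a file backup by comparing SHA-256 digests of source and copy.

Added example, not code from the original post. demo() builds a small
constructed source tree and a deliberately faulty backup of it.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Digest a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(source: Path, backup: Path) -> dict:
    """Compare the two trees and classify every file.

    'missing' and 'corrupt' both mean the backup would not restore the
    source; 'extra' files are harmless but worth knowing about.
    """
    src, bak = hash_tree(source), hash_tree(backup)
    report = {
        "missing": sorted(k for k in src if k not in bak),
        "corrupt": sorted(k for k in src if k in bak and src[k] != bak[k]),
        "extra": sorted(k for k in bak if k not in src),
        "ok": sorted(k for k in src if bak.get(k) == src[k]),
    }
    report["restorable"] = not report["missing"] and not report["corrupt"]
    return report


def demo() -> dict:
    """Constructed scenario: a truncated copy and a file that was never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "live"), Path(tmp, "backup")
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "report.txt").write_text("Q1 audit findings\n")
        (source / "docs" / "drawing.dxf").write_bytes(b"\x00DXF constructed sample\x00")
        (source / "customers.csv").write_text("acme,01621 000000\n")
        shutil.copytree(source, backup)          # the "backup job"
        # Two faults that a bare "job completed" message would never reveal:
        (backup / "docs" / "report.txt").write_text("Q1 audit findi")  # truncated copy
        (backup / "customers.csv").unlink()                             # never copied
        return verify_backup(source, backup)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A hash comparison proves the copy is faithful; it does not prove you can get it back. Schedule an actual restore of a sample of files to a spare machine as well, and record the result as evidence for the ISO27001 auditor.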

Don't let short term gains result in data loss.

Sunday, 11 March 2007

ISO22000 Food Safety Management System

There is a great emphasis on food safety, and rightly so. The consumer is having a greater say in these matters, which cover all aspects of food safety from Farm to Fork. This includes every element in the food chain: packaging, cleaning materials and machines as well as foodstuffs and catering.

Previously there was HACCP. Hazard Analysis and Critical Control Points (HACCP) is a systematic preventative approach to food safety that addresses physical, chemical and biological hazards as a means of prevention rather than finished product inspection. A number of other emerging national food safety standards led to more confusion than was intended, and it was time that a definitive harmonised International Standard was produced.

ISO22000 covers the majority of the existing retailer food safety standards and is a standard that is truly auditable; it aligns with other Management Standards such as ISO9001 Quality Management and ISO14001 Environmental Management. Indeed integrated systems are seen as the way ahead.

The approach, as with the other standards, is process-based rather than product-based, and emphasises continual improvement as an important element.

Organisations achieving ISO22000 certification will have met or exceeded the existing standards.

ISO22000 Food Safety - The Way Ahead

Wednesday, 7 March 2007

Why is ISO 9001 so Successful?

The Quality Management Standard ISO9001 is the world's most recognisable standard; with approaching 1,000,000 certificates issued in 130 countries this is a truly global standard.

The standard requires an organisation to turn customer requirements into customer satisfaction; something we all aim to do, but those achieving the required level are awarded a certificate of conformance, declaring this fact to the world.

Most organisations claim to be the best, the quickest, the most cost effective, etc, but an endorsement by a third party often carries more weight. This is where ISO9001 scores highly.

ISO, the International Organisation for Standardisation, is a non-governmental body that publishes the standards; it does not itself issue certificates. Certification is carried out by independent certification bodies, and in this country these are accredited by UKAS, the United Kingdom Accreditation Service (some 268 bodies at present). Certificates issued by an accredited body carry the distinctive CROWN and TICK logo next to that of the certification body.

There are a number of non-accredited bodies issuing certificates, unfortunately these certificates are recognised only by the issuing authority and are often worthless as a reference. The certificate is usually issued after a very short time frame and is essentially a receipt for monies paid rather than proof of conformance.

Achieve recognition from a UKAS approved body.

Thursday, 1 March 2007

Security of Smartphones

The mobile phone is far more than just a device for making telephone calls these days. Most have a camera, some have the ability to receive and send email and some have the ability to log into servers remotely, so it is surprising that often the basic levels of security are not used.

Mobile theft and loss can cause significant problems for organisations, especially where the phone has no PIN in place to prevent unauthorised access.

There is little point in having high levels of security on networks if smartphones are readily accessible.

  • Set a PIN for power-on (usually turned off by default)

  • Set an automatic lock to occur after a period of inactivity

  • Don't use your device when walking along a street (theft is highly likely and additionally you could be distracted and get run over by a bus)

  • Don't leave your device in your jacket pocket unattended

Common sense - Protect your systems and your security.

Sunday, 25 February 2007

If (When) Disaster Strikes can you Cope?

There are many potential disasters that can affect our organisations, some serious and some just inconvenient.

A sensible precaution is to put into place a Disaster Recovery Plan, the main parts of which are kept off site:

  • A good back-up of computer data
  • An inventory of all important hardware (to enable you to replace items)
  • An inventory of all important software (to enable you to replace software)
  • Details of Insurance Company, Bank Details etc (Don't rely on memory)
  • Contact details for staff (they will need to know what to do)
  • Contact details for major customers and suppliers
  • A copy of your Business Disaster Plan

The plan should look at potential areas for disaster, including fire, flood, power or other utility interruption, sickness and terrorism.

To be successful the plan should show what should happen immediately an incident is discovered, what should happen after two hours then four hours and so on.

Test the plan before you need it; it is surprising how many plans fall flat when tested.

Remember to test it before it tests you.

Wednesday, 21 February 2007

How you can Protect the Environment (and save some money as well)

Here are some simple ways to reduce your carbon footprint; the added bonus is that it will save you a considerable amount of cash:

  • Unplug or turn off mobile phone chargers when not in use;

  • Don't leave TV, Computer, DVD players, etc on standby;

  • Replace ordinary bulbs with low energy fluorescent types;

  • Turn off lights when leaving a room unattended;

  • Turn down heating by one degree;

  • Don't have air-conditioning and heating on at the same time;

  • Reduce water consumption by installing dual flush toilets;

  • Don't wash/rinse items under running water;

  • Walk or cycle where possible;

  • If you must drive, then drive a low CO2 type of vehicle or better still a hybrid.

This will help save the planet and help your bank balance.

Saturday, 10 February 2007

Information Security and Social Engineering

Social engineering is the term for obtaining information or access from people by manipulating them, without their realising what is going on.

A recent exercise carried out by one of our clients was to invite specially selected employees by email (although all employees received the invitation) to take part in an exciting new venture. All they had to do was to go to a 'secure' web-site and enter their company log-on and password to verify their interest. The recipients were warned not to talk about this venture to any of their colleagues as the matter was highly secret.

This company (which I will not identify) is certified to ISO27001 and takes security very seriously, but many of the employees did enter this confidential information into the web-site believing that it was quite innocent.

On a completely different angle, with Valentine's Day approaching the chances of unauthorised entry to your organisation increase.

A delivery of flowers or chocolates is made, usually by a pretty girl, and the idea is to surprise the recipient so the usual security at reception is waived.

Entry to the company is that easy.

Social engineering can damage your security

Saturday, 3 February 2007

Pre-Qualification for Tenders

Many Large Organisations and Government Departments have set minimum entry criteria for quotations and tenders for products and services; these are usually in the form of recognised quality and/or environmental standards.

If the tender request states that ISO9001 and ISO14001 are entry requirements and you don't have these, your quotation or tender, however well prepared, will not get beyond the starting gate.

These organisations simply do not have the time to vet each potential supplier for quality or environmental status. It is easier to rely on one of the Certification Bodies to do the work for them. If the supplier can show that it has passed, and continues to pass, the international requirements for quality and environmental performance, it will be considered for inclusion on that organisation's preferred suppliers list.

ISO9001 & ISO14001 open doors

Saturday, 27 January 2007

Basic Computer Security

Many businesses are considering the introduction of ISO27001 - Information Security Management - as part of their strategic plan to protect computer and other records from unwanted disclosure or misuse.

Other organisations should at least consider basic security on their computer systems; it is surprising how often really basic security measures on desktops and laptops are not being used.

Here are 10 basic security precautions:

  1. Always set the option that forces a user to press CTRL-ALT-DEL before logging on; this key combination is intercepted by Windows itself, so the logon box it produces cannot be a fake put up by malicious software

  2. Passwords should be at least six characters long and contain letters and numbers

  3. Don't use your name, your partners name or the name of a pet as a password

  4. Don't write the password on a post-it note and stick it to the screen or under the keyboard

  5. Passwords should be changed regularly

  6. Don't share your password with anyone

  7. Use antivirus software and keep it up to date

  8. Use an anti spyware programme regularly

  9. Turn on the built-in firewall (Windows XP and later)

  10. When leaving the desktop or laptop unattended, lock the system by pressing the Windows key and L together.

Better safe than sorry

Monday, 8 January 2007

Internal Quality Auditing

Most of the management standards call for internal auditing to be carried out at least once a year by competent persons, correctly trained. This process, if carried out correctly, will be of great benefit to the company, providing detailed information about the parts of the company that work (and the parts that don't). The results when analysed allow for continual improvement and increased customer satisfaction.

The main problem today is that some organisations will try to audit the processes without knowing exactly how this should be done. The results are inconclusive at best and misleading at worst.

The only way to be sure and to get the best results is to have your auditors trained properly. Proper courses are based on the Standard ISO19011, Guidelines for quality and/or environmental management systems auditing; they are usually two days in duration and successful candidates receive a certificate of completion.

The first day concentrates on the two main standards 9001 & 14001 and how these are applied to organisations. An end of day test confirms understanding.

The second day looks at audit practices, techniques, routines and form filling, and finishes with tests of understanding and competence.

Thursday, 4 January 2007

The Basics of Laptop Security

It is startling to see that a recent statistic records that one in ten laptops will be lost or stolen. These laptops often contain sensitive or very sensitive information but some have only minimal security in place.

Recent thefts of laptops include:

  • Irish Army

  • Metropolitan Police

  • Ministry of Defence (21 lost or stolen between July 2005 and July 2006)

  • Nationwide

  • Ernst & Young

The loss of the hardware is bad enough but the data that they hold could be very damaging.

The strict rules at airports last year meant that laptops could no longer be carried as hand luggage and as a direct result many hundreds of laptops were never reunited with their owners.

Rule 1: Never leave a laptop unattended in a car or in a public place.

Rule 2: Keep a minimum of data stored on the laptop.

Rule 3: If you need access to large amounts of data, use a VPN to reach the main system rather than carrying a copy.

Rule 4: Use complex passwords and log-in methods to protect data

In addition to these main rules:

  • If possible use two-factor authentication, where a token, card or biometric is needed in addition to the password to gain access to the laptop data.

  • If possible use encrypted data so that it is useless to a thief

  • When using a laptop in a public place avoid being overlooked.

The above are really simple and sensible precautions.

Some very secure organisations make use of the so-called 'logic bomb', where four wrong attempts to log in to a laptop result in the contents of the hard disk being wiped. Not something that should be used lightly! Think of the poor IT manager who will need to rebuild the machine from scratch.

Let's make 2007 a secure year for laptops

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.