Yellow font on Black background Black font on White background Black font on Cream background
Call us today 01621 857841 or Email us
Quality Matters Logo

"Quality Matters in your Business"

Monday, 12 December 2011

ISO27001 Information Security Management Executive Overview

It is generally accepted that information is the greatest asset any organisation has under its control.   Managing Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations

Today more and more organisations are realising that information security is a critical business function.  It is not just an IT function but covers:
  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.
With increasing reliance on data, it is clear that only organisations able to control and protect this data are going to meet the challenges of the 21st century.

ISO27001:2005 which was formally BS7799 is the International Standard for Information Security Management (ISMS) and provides a definitive reference to developing an information security strategy.  Moreover a successful certification to this standard is the confirmation that the system employed by the organisation meets internationally recognised standards.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT but critical information extends well beyond computer systems.  It encompasses knowledge retained by people,  paper documents as well as traditional records  held in a variety of media.   A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries.  It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

C     I     A
1.    Confidentiality
2.    Integrity
3.    Availability

These are the three requirements for any ISMS.

Managing Directors’ Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives.  Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, professional and the financial sector.  This is being driven by adoption of the standard as part of their legal and regulatory obligations.  In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/ client confidence and win new business.  With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value.  The risk assessment, which is the foundation of the standard is designed to give you a clear picture of where your risks are and to facilitate effective decision making.  This translates into risk management, not simply risk reduction and therefore replaces the feeling many directors have of risk ignorance in this area.  This will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside with the more obvious benefits.

CFO Scrutiny

Whether, as part of compliance, such as required by Professional Bodies, Sarbanes Oxley, Data Protection Act, or as part of an effective governance, information security is a key component of operational risk management.  It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital.  Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.

Business Continuity

How well would you cope if a disaster affected your business? 

This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest.  The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business. 

Many of the businesses affected by the Bunsfield Fuel Depot disaster never recovered.  Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan but if the plan is untested or ill prepared then it is bound to fail.
ISO27001 states that a fully planned and tested BCP should be in place to prepare for and be able to deal with, such an emergency.

ISO 27001 Elements

  • Risk assessment and treatment - Assessing the risks to the company’s assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
  • Security policy - This provides management direction and support for information security.
  • Organisation of information security - To help manage information security within the organisation.
  • Asset management - To help identify assets and protect them appropriately.
  • Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities.
  • Access control - To control access to information
  • Information systems acquisition, development and maintenance - To ensure that security is built into information systems.
  • Information security incident management -  To deal effectively with any identified security incident.
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

Monday, 28 November 2011

ISO 14001 Factsheet

What is ISO14001?

An Environmental Management system for improving environmental performance. A set of common sense guidelines to help your organisation become 'green'.

What are the benefits of ISO 14001 Registration?

Internationally recognised environmental mark. Certificates awarded by independent accredited organisations. Customers do not have to do their own checks on a supplier. Proves environmental credentials to potential customers.

How many ISO 14001 Certificates have been issued?

Around a quarter of million worldwide.

The Model for ISO14001

What is covered by ISO14001?

BS EN ISO 14001:2004 requires 6 main sections to be addressed, these are:

  1. Environmental Management System;
  2. Environmental Policy;
  3. Planning;
  4. Implementation and Operation
  5. Checking
  6. Management Review.

Each section is subdivided as required and covers all elements of the business having an impact on the environment.

How long does it take to obtain certification?

This obviously varies from organisation to organisation, but the prime requirement is that the Organisation must have three months of 'track record' from completion of the document set.

As rough guide 14001 can be achieved in about 8-10 months.

What documentation is needed?

An Environmental Manual and procedures/processes for operating the environmental systems.

Once the certificate is issued what happens next?

The certification authority will carry out surveillance visits each year to ensure continued compliance.

Sections of ISO14001:2004

  1. Scope
  2. Normative references
  3. Terms and Definitions
  4. Environmental Management System Requirements
    1. General requirements
    2. Environmental Policy
    3. Planning
      1. Environmental Aspects
      2. Legal and Other Requirements
      3. Objectives, Targets and Programme(s)
    4. Implementation and Operation
      1. Resources, Roles and Responsibility and Authority
      2. Competence, Training and Awareness
      3. Communication
      4. Documentation
      5. Control of Documents
      6. Operational Control
      7. Emergency Preparedness and Response
    5. Checking
      1. Monitoring and Measurement
      2. Evaluation of Compliance
      3. Non-conformity, Corrective and Preventive Action
      4. Control of Records
      5. Internal Audit
    6. Management Review

Monday, 14 November 2011

ISO 9001 Factsheet

What is ISO 9001?

A Quality Management system  for turning customer requirements into customer satisfaction.
Provides the mechanism for continual improvement.  A set of common sense guidelines for running a successful business

What are the benefits of ISO 9001 Registration?

Internationally recognised quality mark.  Certificates awarded by independent accredited organisations.  Customers do not have to do their own checks on a supplier.

How many ISO 9001 Certificates have been issued?

Over  1 million worldwide.

The Model for ISO9001   

What is covered by ISO9001?

BS EN ISO 9001:2008  requires 5 main sections to be addressed, these are:
  1. Quality Management System;
  2. Management Responsibility;
  3. Resource Management;
  4. Product Realisation;
  5. Measurement, Analysis and Improvement
Each section is subdivided as required and covers all elements of the business having an impact on quality.

How long does it take to obtain certification?

This obviously varies from organisation to organisation, but the prime requirement is that the organisation must have three months of ‘track record’ from completion of  the document set.
As rough guide 9001 can be achieved in about 8-10 months.

What documentation is needed?

A Quality manual and procedures/processes for operating the systems.

Once the certificate is issued what happens next?

The certification authority will carry out surveillance visits each year to ensure continued compliance.

Sections of ISO9001:2008

  1. General Requirements
    1. Documentation Requirements
      1. General
      2. Quality Manual
      3. Control of Documents
      4. Control of Records
  2. Management Responsibility
    1. Management Commitment
    2. Customer Focus
    3. Quality Policy
    4. Planning
      1. Quality Objectives
      2. Quality Management System Planning
    5. Responsibility, Authority and Communication
      1. Responsibility and Authority
      2. Management Representative
      3. Internal Communication
    6. Management Review
      1. General
      2. Review Inputs
      3. Review Outputs
  3. Resource Management
    1. Provision of Resources
    2. Human Resources
      1. General
      2. Competence, Training and Awareness
    3. Infrastructure
    4. Work Environment
  4. Product Realisation
    1. Planning of Product Realisation
    2. Customer-Related Processes
      1. Determination of Requirements Related to the Product
      2. Review of Requirements Related to the Product
      3. Customer Communication
    3. Design and development
    4. Purchasing
      1. Purchasing Process
      2. Purchasing Information
      3. Verification of Purchased Product
    5. Product Provision
      1. Control of  Product Provision
      2. Validation of Processes for Product Provision
      3. Identification and traceability
      4. Customer Property
      5. Preservation of Product
    6. Control of Monitoring and Measuring Equipment
  5. Measurement, Analysis and Improvement
    1. General
    2. Monitoring and Measurement
      1. Customer Satisfaction
      2. Internal Audit
      3. Monitoring and Measurement Monitoring of Processes
      4. Monitoring and Measurement of Product
    3. Control of Nonconforming Product
    4. Analysis of Data
    5. Improvement
      1. Continual Improvement
      2. Corrective Action
      3. Preventive Action

Tuesday, 1 November 2011

ISO/IEC 27001 Information Security Management

This Standard was last updated in 2005 along with the code of Practice ISO/IEC 27002 and is currently being reviewed and updated by JTC1/SC27, the ISO/IEC Committee responsible for these Standards.

The planned publication is sometime in 2012 although it had been previously been muted as 2011.

Readers of this blog may  remember that ISO 19011 (Quality/Environmental Auditing Standard Update) was to have been published in June 2011 however,  the final draft for public comment was so badly received that the proposed Standard was withdrawn in total and it was sent back to the 'drawing board'.

The 27001/27002 Standards have reached final committee stage, which is usually the precursor to a final draft for public comment.  There have been few details about the update but here are the ones that have been discussed:

  • No major changes to the Standard are envisaged as it is essential that full backwards compatibility is maintained.
  • All management Standards are adopting a common structure and terminology.  It is reasonable to assume that the Information Security Standards will follow this trend.
  • The part that has raised some eyebrows across the world concerns the Statement of Applicability which may be dropped from the 2012 Standard.  If this is the case then something will have to be put in its place, otherwise organisations would be able to claim conformity to ISO27001 without meeting all aspects of it.  The Statement of Applicability has up to now detailed the extent that the organisation has achieved compliance.   It could be that the level of compliance will have to be stated within the 'Scope' instead.
  • Most of the Management Standards  use the PDCA model (Plan-Do-Check-Act) as a tool to achieve  continual improvement.  It has been suggested that the PDCA should not be explicitly detailed in the updated ISMS Standards;  a move that has not been universally welcomed.
We will have to see what, if any of these elements will see the light of day and of course, when.

It is always useful to keep up to date with developments and for that reason I have posted these details.

Monday, 10 October 2011

100% Success rate

30 September 2011 was the culmination of two years work with one of our major clients and ensured that our 100% first pass success rate was maintained.  The external assessment  to ISO27001:2005 was conducted over five days at a number of locations.  There were 4 observations recorded and one minor non-conformity that was corrected during the assessment.

We are justifiably proud that all our clients have passed their assessments, and at the first attempt.  As you can imagine this is no mean feat;  we have been achieving this since Quality Matters Ltd was formed in 1991.

Our portfolio of Standards include:

ISO9001  The Quality Standard   
ISO14001 The Environmental Standard
ISO27001  The Information Security Standard    
AS 9100  The Aerospace Standard
OHSAS 18001  The Health & Safety Standard
ISO20000  The IT Service Management Standard
ISO22000  Food safety standard
TS 16949  The automotive standard

Plus a number of Product Standards including British Board of Agrément,
British Retail Consortium and other industry specific Standards.

To complete our service we offer certificated internal Quality & Environmental Auditing Training, both as public courses and bespoke in house courses.

Our next public course is to be held in Colchester 10 + 11 November 2011

Our Clients report that they are very satisfied with our services and come back time and time again.  They also recommend our services to other organisations.

20 Years of Success

Monday, 26 September 2011

ISO20001:2011 IT Service Management Standard and TickIT Plus

This Standard, formerly BS15001, was based upon the ITIL group standards. It was updated as ISO20001 and reissued as ISO20001:2011 in June this year.  There is also a code of practice ISO20000-2

The Standard covers five main areas within the IT service management processes:
  • Service Delivery
  • Relationships
  • Resolution
  • Control
  • Release
Overall this Standard incorporates the requirements of:
  • ITIL IT Infrastructure Library
  • ISO9001 Quality Management Standard
  • ISO27001 Information Security Management
The Standard, which is difficult to achieve, can be met in two ways; either by full certification, which is assessed by a third [party certification body or compliance route where the system is monitored and audited internally.   Both methods are time consuming but have significant benefits for the organisation.

These Standards have been adopted worldwide.

There is another Standard which deals with computer software, TickIT, now  in its 5.5 version specifies the requirements for software writing, development and  maintenance.  TickIT, although it models  ISO9001, has not been a runaway success as it is not widely adopted outside the UK and Sweden .

TickIT Plus, which has just been released is a stand-alone Standard incorporating 9001, 27001, 20000 and 25999.  The main difference with this one is that it will be independent from its constituent parts and may not change when the other Standards are updated. 

TicklIT Plus will have a foundation level and then Bronze, Silver, Gold and Platinum levels.  Currently only foundation level is available.

These two Standards will be competing in a somewhat limited marketplace and it will be for individual organisations to decide which is suitable.   In the end it may well be a decision based on customer specified requirements.

Monday, 19 September 2011

Calibration of Equipment

I was carrying out an audit recently for a Client and as part of that audit I looked at a number of pieces of calibrated equipment; normally equipment is calibrated by a calibration house accredited by UKAS but in this instance the calibration house was not fully accredited to UKAS but claimed full traceability to National and International Standards using equipment that had been calibrated by a fully accredited calibration centre.  This is quite normal and acceptable.  They quoted the calibration certificate numbers of the equipment used.

I asked my Client if he could get copies of these certificates from his Calibration house so that I could check that full traceability was evidenced.

The owner of the calibration house confessed that as he didn’t use that equipment very often the original certificates of calibration had expired and he had extended their currency.  It turned out that the certificates had expired some years ago.  Extending these again and again is not permitted and unfortunately I had to issue a Major Non-conformity to my Client for using non-calibrated equipment.

In most respects my Client had everything under control but this issue was very important as my Client had produced product using what he thought was calibrated equipment. 

It is probable that no real damage has been done but it could have been disastrous.

The moral here is to question a statement that "this measuring equipment is calibrated using Items traceable to an International or National Standard" if the Calibration House is not accredited to UKAS.  If it is not then you need to see the certificates to show that their equipment is calibrated and in date.

Tuesday, 6 September 2011

Internal Quality and Environmental Auditing Course

We are again running our certificated internal auditing course in Essex on 10th and 11th November 2011.  This popular and cost effective two day course will take place at the Rivenhall Hotel on the A12.

The course content is:
  • ISO 9001: 2008 and ISO 14001:2004 and other Standards
  • Management System documentation
  • ISO19011:2002 – Auditing Standard
  • The audit cycle and schedules
  • Preparation and planning of an audit
  • Conducting an audit
  • Auditing top management
  • Reporting non-conformities
  • Qualification & training of auditors
  • Nonverbal communication
  • Live audit practice

The maximum number of delegates is 20; we like to keep numbers down to this level to allow for  individual interaction and structured learning.

This is NOT an IRCA Certified course but it is accepted by all the certification bodies as meeting the requirements for internal auditor training covered by ISO9001:2008 and ISO14001:2004 as well as providing a good grounding in audit techniques for all the major management standards, such as ISO27001, ISO22000, ISO 20000 and Aerospace AS9100, 9110 and 9120.

Over the years we have trained hundreds of auditors and previous delegates have recommended the course to others.  We receive comments such as 

"A very enjoyable course",                                                                           
"I thought it would be boring, but was pleasantly surprised; I actually enjoyed it",                                                   
"It has given me the information I need to carry out audits at my own Company",                                    
"I went on an audit course many years ago but this one not only cost less than the previous one, but was far more interesting".

We still have some places available at £315.00 + VAT.  This cost effective two day public course continues to satisfy both our Clients, potential Clients and certification bodies.

Monday, 15 August 2011

Accounting Package

You might think it strange that I am discussing accounting on this blog, but it is vital to any business; get it wrong and you could end up in a right mess.

The conventional accounting route has been Sage, but a good number of people I know say that Sage is expensive, sometimes complicated and not particularly user friendly to the non-accountant types.

My accountant recently introduced me to Xero which is an on-line accounting package.  There is a month's free trial and then, if you take it up, a subscription each month.

Xero was founded in July 2006 by successful technology entrepreneur Rod Drury and specialist small business accountant Hamish Edwards. Xero is listed on the New Zealand Stock Exchange and is a fast growing company with teams in Wellington, Auckland, Melbourne, Sydney, Brisbane and the UK.

I found that it was easy to use, presented data in a logical manner and best of all it ensured that my data was secure and always available.  No more back-ups.  I can access Xero from anywhere there is an internet connection and I only need the one licence.  I can allow my accountant access to my data so I can get problems sorted out much quicker than before.  The package has a vast FAQ’s and an online help facility.  My one query to the online help desk was answered in less than two hours.

The system is intuitive and easy to use; errors can be rectified quickly and efficiently without the need to do journals all over the place.  I often found that in Sage I would do a journal to correct an error only to find that I had done it the wrong way round and doubled the original error. One novel feature is that it can download bank statements and tries to reconcile the bank data automatically. Naturally you have to authorise the reconciliation but it takes the pain out of this monthly chore.   I have spent hours chasing an elusive payment or odd pence in a transaction.  This does it for me.

Data is presented in a format that is easy to understand; a dashboard shows the financial position of the Company at a glance and allows me to get the accounting bit done accurately and much quicker.

The one thing that Xero doesn’t do yet is print cheques, but it is on the wish list from customers.

As you can tell I am pretty impressed with Xero.  I would urge everyone who is involved in accounts to have a look at Xero and take up the month’s free trial. I am sure that, like me, you will be impressed and will want to use it.

Tuesday, 2 August 2011

More Data Loss

We at Quality Matters use internet banking and just recently I realised that checking and double checking  before pressing 'send' is pretty important.  I meant to send a BACS payment to one of our suppliers but managed to send it to entirely the wrong bank account.  I was lucky that the receiving company realised that this payment was not for them and alerted me and fortunately returned the remittance.

Something similar happened recently within the NHS where patient information was sent to the wrong fax number.  The Information Commissioner rightly stated that hospitals hold very sensitive and personal information and once lost or compromised cannot be undone.  He accepted that there were good procedures defined but the loss of data within the NHS remains a systematic problem as these procedures are not always followed.

What is needed is a complete culture change where data was concerned, he said:

"Non-encrypted data sticks, lost laptops and exposing data to unauthorised persons are still top of the data loss charts."

ISO27001 systems and procedures are a good method of defining data protection, but procedures alone cannot safeguard data;  it must be impressed on staff  that data protection is a number one priority and regular update training should be carried out to reinforce the message.

A look into a railway lost property office will show just how lax some security measures are.  I saw laptops, memory sticks, paper files and correspondence clearly marked as restricted or confidential. All these had been left on trains.  The sad thing was that some of these had been in the lost property office for some time;  the owners obviously did not attach the same level of importance as I did.    I wonder if the loss has even been noticed!

Monday, 18 July 2011

AS9100 Rev C Aerospace Standard

This Standard was updated to Rev C but until 1st July was not generally available, as Certification  Bodies had to upgrade their assessors to be able to audit against this revised Standard.

We recently had our first Client assessment against the New Rev C Standard and I am delighted to say that our Client passed both the Stage one (Document Review) and Stage two (On site assessment).  The real result was that there were no major, no minor or even any OFI (opportunities for improvement issued); an excellent result.  Well done Elixair International and well done to Maria Peavoy, the Quality Manager.

This means that our Client has been recommended for certification.  The Assessors report now goes for verification by an Aerospace Certification Manager and the certificate will be issued.

Most people accept that the Standard AS9100 is very hard to achieve and yet our Client, Elixair International of  Broadmayne in Dorset not only passed but passed without adverse comment. 

As you can imagine this was our first assessment to the Rev C Standard and to get a ‘Gold Star’ as well bodes well for Quality Matters and our Clients seeking certification to this Standard.

We join in celebrating this wonderful result with Elixair International Directors and Staff.

I believe that this shows that our motto Quality Matters in your Business is as valid today as it was back in 1991 when the company was formed.

Another success for Quality Matters Ltd

Monday, 4 July 2011

Certification Process

The process  of obtaining certification to any of  the management standards is often viewed as a secretive and difficult routine.  In fact it is a logical progression.

Once you have selected your Standard, it might be useful to ask why it is needed;  It could be that you need it to gain a qualification to bid for work;  it could be that you simply want the certification to use as a marketing tool or it could even be that you want to improve your overall efficiency.

Whatever the reason it makes sense to review your existing practices and procedures.  You should then compare those practices and procedures against the requirements of the Standard.  It is often found that some of the practices will meet the Standard and some will fit with some minor modification.

Prepare working documents;  most Standards require a manual of some kind and this should be written with your own organisation and the Standard in mind.  Remember that a very comprehensive document may not be the best option.  I always try to think K.I.S.S which stands for KEEP IT SIMPLE STUPID .  A system which is succinct and targeted will always be better than a huge document that, in truth, nobody will read.

Having produced the Manual it is necessary to prepare procedures, processes and working instructions to show how the organisation works:

  • A Procedure is a set of instructions or a mode of operation
  • A Process has an input and an output;  quite often a flowchart to show graphically what is done.
  • A working instruction is a detailed piece of work to show exactly how something is performed; usually a step by step instruction.

Once all this work is produced it will be necessary to put it into operation, then it is tested to see if it is effective.  This last step is called auditing and will tell you if you are ready to move on to the next step, formal certification.  If all goes well the certification, which is carried out by an independent certification body will conform that you have met the requirements of the Standard and a certificate of compliance is issued.

The whole process is relatively easy if these simple steps are followed.

Monday, 20 June 2011

Hot Standards - ISO27001 and AS9100

I am often asked about the trends for companies wishing to incorporate Management Standards and how this impacts on the UK. 

Recently there has been a major shift in requirements from the traditional Quality Management Standard ISO9001 and Environmental Management Standard ISO14001 to the Information Security Management Standard ISO27001 and the Aerospace and Defence Standard AS 9100 (or EN9100).

Are these harder to get (and keep) ?   The clear answer is yes they are. I often use the comparison that if ISO9001 is a mole hill then ISO27001 is Mount Everest.

AS9100 is similar and covers all the requirement of ISO9001 plus 80 additional requirements.  It is a huge undertaking.

Why are these two Standards becoming so popular?

The loss of data and personal information through hacking, theft and in some cases sheer stupidity has prompted organisations to look for a method to secure their data and protect it from unauthorised disclosure.  Even a minor loss could damage an organisation's reputation and in a worst case scenario result in the Information Commissioner levying heft fines.  The publicity alone can cause a loss of confidence by customers and potential customers.  ISO27001, if properly used, can prevent this happening.  It also shows that an organisation takes this element very seriously.

Organisations supplying goods and services to the Aerospace and Defence industries are increasingly being asked to incorporate AS9100.   The latest revision 'C' is a substantial piece of work, requiring organisations to put many additional controls into place to ensure that any goods or services are fit for purpose in this highly regulated industry.  AS9100 or as it is sometimes known in Europe as EN9100 is the Standard that major aircraft and aerospace manufacturers are putting into place and requiring their suppliers to do the same.

How long does it take to put these Standards into place?

Very much depends on the size and complexity of the organisation but it is likely that from start to certification may take 12, 18 or 24 months to achieve.

Remember before the first (stage 1) assessment any organisation must have been working to the Standard for at least 3 months; we normally recommend 6 months to ensure any difficulties are ironed out.

This includes all the new documentation, procedures, processes, work instructions and records must be working, have been internally audited and are ready for external assessment.

Once Stage 1 has been completed and any non-conformities cleared the Stage two can be undertaken.  This on site assessment will be an in depth audit against both the Standard and organisation declared documentation.

If all goes to plan, any non-conformities are rectified and a certificate of compliance can be issued. 

Is this the end of story?    No, the Certification Body will make surveillance visits to check that the organisation remains compliant.  If there are serious breaches the certificate may be suspended or withdrawn.

Why is it so difficult?   I usually say that 'if it was easy to get then everyone would have it and if it was easy to get then it probably would not have such positive benefits'.

How does this impact on the UK?  

ISO27001 certifications are increasing rapidly, Japan, India and China lead the way with the UK in fourth place.

AS9100 lead by the major aircraft manufacturers in the USA but becoming a requirement for UK suppliers.

Monday, 6 June 2011

ISO14001 and Waste Carrier Licences

If you want to transport other people's controlled waste, or your own construction and demolition waste, you must register with the Environment Agency as a waste carrier. From 29 March 2011, new regulations introduced a two-tier registration system for waste carriers, brokers and dealers.

Controlled waste includes commercial, industrial and household waste, as well as hazardous waste. Most radioactive wastes and explosive wastes are controlled by other regulations.

All businesses can register as waste carriers including self-employed individuals, partnerships, companies or other types of organisation. You need to register even if carrying waste is not your main business activity or if you only carry waste occasionally.

If you do not register and you carry waste, you could be prosecuted.

Upper tier waste carriers

If you transport other people's controlled waste, or your own construction or demolition waste, you must register as an upper tier waste carrier unless you fall into one of the categories for lower tier waste carriers.

If you had a waste carrier certificate before 29 March 2011, you don't need to do anything. When your certificate is due to be renewed it will be replaced with an upper tier certificate.

Lower tier waste carriers

Lower tier registration replaces registration as a professional collector or transporter of waste.

You must register as a lower tier carrier if you only carry:
  • animal by-products 
  • waste from mines and quarries 
  • waste from agricultural premises

You will also need to register as a lower tier carrier if you carry waste, and are:
  • a waste collection, disposal or regulation authority 
  • a charity or voluntary organisation

Lower tier carriers are also known as 'specified persons'.

If you were registered as a professional collector or transporter of waste before 29 March 2011, you do not need to do anything. You will automatically transfer to being a lower tier carrier, broker or dealer.

From the end of December 2013, you will also need to register as a lower tier carrier if you normally and regularly carry controlled waste produced by your own business.

Reprinted from Net Regs/Business Link  web-site under open Government Licence

Monday, 23 May 2011

Internal Management System Auditing Standard ISO19011…….. delayed

Last August, we announced on this blog that the revised Standard ISO19011 was to be issued in June of 2011.  

We relied on the final draft and produced an updated audit course to fit this new Standard.  In hindsight this was somewhat foolish.   As the date of our audit course neared (12+ 13 May 2011) I thought it wise just to check with BSI that the awaited Standard would in fact be published in June as, from past experience, there has been some slippage in the past for Standards issue.  An example of this was the ISO9001:2000 Standard which was due in mid 2000 and it finally made it on 30 November!!.

BSI told me that the 19011 Standard had  been delayed and would now be a 2012 version.  It would be published in November 2012. It was clear that the final draft had not met universal  approval .  Our efforts in producing an updated auditing course were wasted.   Our May course had to revert to the 2002 Standard which will be in use until the eventual  issue of the revision.

"Don’t count your chickens until they are hatched" is a saying that comes to mind.  A lesson was learned here at Quality Matters.

Tuesday, 26 April 2011

ISO27001 and Data Cleaning

At long last we seem to have seen the last of winter. … I hope.  It was the coldest winter for many years and as the country emerges from the recession we all need to be on guard for computer viruses, Trojans and malware:

Our homes tend to get a thorough Spring-clean at this time of year and so should our computer systems:
  • We use Mc Afee as our antivirus supplier and in the package is an application to scan the whole disk or disks and clean where anything adverse is found.
  • It also has a registry cleaner to remove all the odd bits left behind from various download, software installation and deletion. 
  • A defrag utility to consolidate the disks.
  • We always review our computer settings and permissions; adjusting where necessary.
  • We review all passwords and check that they are not easy to guess, are complex enough and contain a minimum number of characters.
  • We review our wireless settings and change the code.We review our PDA settings and if the voicemail pin is still at default  then change the pin.
  • And finally we review our intruder systems and again change the ode.
These are all sensible precautions and provide the basis for any secure system.

Tuesday, 29 March 2011

ISO14001 and Rising Fuel Prices

Unwelcome as it is, the rise in petrol and diesel  has some environmental benefits; the average speed on motorways has apparently fallen with the attendant reduction in emissions. People are thinking twice before using their cars for leisure activities; car sharing is becoming more popular. All these reductions in fuel usage will help our carbon footprint.

The spiralling cost of fuel has also prompted motor manufacturers to move to more efficient engines and hybrid vehicles.  When Rolls Royce announces that they are to produce a fuel efficient hybrid car it is obvious that the message is getting through. 

Pure electric cars are not yet a viable alternative and the time to recharge after a relatively short journey is off-putting.  In some cases an overnight stop is required to complete a journey.

The hydrogen fuelled car may fit the bill but the sheer lack of refuelling points is critical to the uptake of this new fuel option.  Hydrogen is also explosive when mixed with air and the Hindenburg disaster showed just how dangerous this can be.

Readers of my blog will know that I drive a Honda Hybrid this is my third hybrid and I am very pleased with it; no road tax, 50 mpg and exemption from the London Congestion Charge (at least until 2012 when the rules change again), but even with these advantages fuel costs are a  real burden.

Let us hope that motor manufacturers faced with the decline in fossil fuels and increased costs will accelerate their R & D to find another cost efficient method of powering our personal transport.

Monday, 14 March 2011

Biometric Security

It is a fact that we consultants get through quite a few laptops each year.  They get broken or dropped or in extreme cases both, particularly if they lock-up. 

I previously had a netbook, which is great for collecting email when on the move, light to transport and small in size. Where it falls down is the small screen and keyboard which makes working on anything other than simple word processing a complete pain.  Its very small size also meant that additional data storage, either SD cards or USB sticks were necessary to store any decent amount of data.  A security nightmare if not handled correctly.  I must say that the netbook was a rebound from the HP 19 inch laptop I had before that; the large size was easy to use but it was very heavy to carry, especially on aeroplanes.

I decided to go for something in-between and plumped for a Lenovo 410i ThinkPad.  Easy to use and I don’t get a hernia carrying it around.  A good feature is the Lap-top "airbag system" which protects the hard drive from damage due to hard bumps, etc.   It also has an impressive security system which includes a fingerprint scanner.  It requires a scan of a fingerprint to power the system on and access any files.

I started off using the index finger of my right hand but after doing some DIY at home I noticed that it rejected my finger swipe for ages before finally accepting it.  It turns out that the reader is very sensitive and my finger had suffered from the DIY and would not scan.   Armed with this knowledge I decided to use the index finger of my left hand instead.  This is Ok except first thing in the morning when obviously, my hands are a bit swollen and again the fingerprint is rejected.  Putting my hand in cold water seems to do the trick.

I am a firm believer that security is a compromise.  Extreme security means you do nothing but very securely and lax security means that you do everything but it is risky.  Something in between is needed.

I will stick with the fingerprint reader as first level security and then use my favourite encryption system, Folder Lock, on my data.  In my business I cannot afford to lose data and the small inconvenience of repeated scanning is only a mild annoyance and gives me some peace of mind.

Monday, 28 February 2011

Anti Virus Systems and ISO 27001

It is quite noticeable that the number of detected viruses and malware has gone through the roof recently.  It is a sad fact that as times get harder the number and ferocity of attacks on our computer systems increases.

Most people, fortunately have anti-virus and ant malware on their systems, however not all these are kept up-to-date; if they are not updated with the latest signature data they could be worse than useless.

One startling bit of information came my way this week, ‘a computer system connected to the internet will become infected with viruses and malware in as little as twenty minutes’; some put it at less than that.

We tend to concentrate on PC’s rather than Macs and it was thought that the MAC was better protected than the PC, but we are lead to believe that modern virus and Malware attacks MAC's as well.

One clever virus found and blocked on one of our systems had the ability to turn off the anti virus system; fortunately it was detected and quarantined before it could infect our systems.  This is in part due to our antivirus software which alerts as soon as a hint of infection is sensed and our two level stage firewalls.

Here at Quality Matters we are always on guard against these threats and our antivirus updates automatically each day. 

We help organisations put in ISO27001 systems (Information Security Management) which protect their data from unauthorised access and corruption.

The three letters (CIA) mentioned  in 27001 put it well:

C Confidential – keep data safe from others
I Integrity – ensure that data remains uncorrupted
A Availability – ensure that data is available when needed

Monday, 14 February 2011

Valentine's Day and Data Security

Social Engineering is the method by which information about an organisation or its operation is obtained by devious methods.  This method is used to great effect to defeat the security systems set up by many companies certificated to ISO27001, The information security management standard.

This time of year we often act on behalf our Clients to see if their systems are as secure as they believe they are;  we use computer penetration testing and social engineering to defeat our Client's systems and then help them to plug the holes.

One method used is very simple but effective.  We arrange for a young, pretty girl, clutching a bunch of flowers, a bottle of Champagne or a teddy bear to arrive at reception of any large company on 14 February;  she explains to reception/security that she wants to surprise Mr (pick a common name)  on this auspicious day, as it is the only day in the year when a girl can propose to a man.  She thinks he works on the 4th floor.  The helpful receptionist/security guard corrects her and tells her that he works on the 2nd floor;  "once you leave the lift turn right and his office is 4th on the right".

She is in, and has the freedom of the building; if challenged she can explain that she is lost and is looking for Mr …. on the 2nd floor.  Eager to help she is taken through secure access points and given information about the company. 

This information adds to that already gathered from other sources and can lead to a significant security breach.
The motto here is to trust no one and insist the even pretty young girls bearing gifts must follow secure access procedures.

Monday, 31 January 2011

ISO27001 and Password Controls

I visit quite a number of businesses each year and those seeking certification to ISO27001, the information security management standard, are rising in numbers.

The first step in any 27001 assignment involves a gap audit to see how near (or far) the company is from  meeting this standard.  Usually it transpires that some significant work is required to meet this exacting standard.

To put the standard into perspective;  If ISO9001 , the quality management standard, equated to a molehill then 27001 would equate to Everest. I hope I haven’t put you off!!

One of the sections within 27001 deals with access control and the part I want to cover is the control and use of passwords.  Here are some rules for passwords:
  • Passwords should be complex, i.e should be six characters or more, must contain at least one number , one uppercase letter and if possible a non alpha or numeric character.   I often put £ in my passwords because only UK keyboards have this.
  • The password should not be in a dictionary either forwards or backwards.
  • Never use Pa33w0rd (Password) or lEt m3 1n (letmein) or a pet or partners name.
  • Never disclose your password to anyone
  • Change your password regularly
  • Never write it down unless it is heavily disguised.

I see breaches of these rules on a regular basis including:
  • Post it notes with the password stuck to monitors or under keyboards.  
  • Passwords with three characters, 
  • Passwords that are really obvious like January-week 1, which increments to January-week two and so on.

Most systems can be hacked in a relatively short time so I recommend that a computer should lock if more than a set number of incorrect passwords is entered. Make it harder and time consuming for the hacker.

Let us make 2011 a more secure year for our computer systems.  Remember the data on your system is valuable and can cause a great deal of distress, if not financial loss if it is stolen by others.

Monday, 17 January 2011

A Happy New Year

May we at Quality Matters wish all our Clients and Blog readers a very Happy New Year.
The new year promises to be more challenging, if the pundits are to believed, with the potential for interest rate rises, higher taxes  and difficult trading.  However there are a number of things that the astute business leader can do:

Increase efficiency  - ISO9001 Quality Management is a good way to achieve this
Improve environmental impact – ISO14001 is the way to achieve this
Protect information -  ISO27001 is designed to protect organisations from information loss
Manage Health & Safety – OHSAS 18001 – an excellent way to ensure your H & S is efficient
Aerospace provider?   - AS9100is the way to go
Food safety ISO22001 - is a good standard
IT Service Management- ISO20001 -  is the standard you need.

If any of these is of interest to you then we can help, after all we have been doing it for nearly twenty years;  Give us a call  01621 868767 or email and we can provide you with a no obligation quotation or a visit to your premises to show what we can do for you.

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design