Yellow font on Black background Black font on White background Black font on Cream background
Call us today 01621 857841 or Email us
Quality Matters Logo

"Quality Matters in your Business"

Monday, 16 December 2013

ISO 27001:2013 Upgrade

The new standard was published on 25 September 2013 and it was anticipated that a 12 month transition would be applied to existing certificate holders.  All the CBs (Certification Bodies) would have to train their auditors and then submit to a re-accreditation to the new standard  by UKAS before any third party auditing could take place; this will take some time and some of the CBs anticipate that they will be ready to carry out audits by about late spring.   Bearing this in mind and the short time remaining to upgrade, it has been decided to extend the deadline to 24 September 2015.

New applicants for 27001 can choose to have either the 2005 or the 2013 standard assessed up to September 2014.  All of us have heaved a sigh of relief as the previous time-scale was seen as very tight.  We hope that this extension will allow an orderly upgrade to the revised standard with time to plan and implement the changes.

We have started to plan our Client visits to allow the revision of documents and processes for the transition to take place.  More help is available if required.

This is our last blog before Christmas so we wish our Clients and readers of our Blog a very Merry Christmas and a Happy New Year.

Monday, 25 November 2013

Christmas break

Christmas is fast approaching and we thought it would be a good idea to let our blog readers know, in advance, our opening details over the Christmas period.

It is interesting to note that our first Christmas card catalogue was received in the office in mid-July!! but as you can imagine it went straight into the bin; far too early.

We will close on Monday 23 December 2013 and re-open on Thursday 2 January 2014.

Email will continue to be monitored during the break but response times may be a little slow, depending mostly on the amount of alcohol being consumed.   We do know that most of our clients close for the end of the year break anyway.

This year has seen ISO 27001:2013 being issued and all those organisations will be aware of the amount of work required to bring their systems up to date.  There is a transitional period of 12 months from publication (25 September 2013) for clients to upgrade to the revised standard, as ever we will be on hand to offer advice to lessen the burden.

Next year will see further stages of ISO 14001 and ISO 9001 being made, although the new standards are planned for final publication in 2015.

Our 2013 audit course will take place on 28 + 29 November 2013 and it is almost full.  These courses have proved to be very popular and very cost effective.  To date we have trained nearly 5000 management system auditors and organisations that have trained auditors often send more on our courses.

The 2014 dates have yet to be announced but details will appear on our web-site

Monday, 11 November 2013

October 2013 storms

The much forecast storm did hit the south of England and although not as ferocious as the 1987 storm it still did a great deal of damage.

I went into the office on the Monday and mentioned to our receptionist that the storm had taken my dustbin lid and thrown it down to the bottom of my garden.  My receptionist listen to me and then said that the wind had taken off most of her roof and it was lucky that she had moved her car the night before as most of the roof rubble landed where he car would normally have been parked.  One of my colleagues had no electricity for two days so I think I got away with it very lightly!

The only detrimental effect was that the power had gone off in the office for a period of time and then came back on; our UPS (uninterruptable power supply) protected the server and data but our Xerox Phaser printer went through a full restart; it uses solid ink blocks and in the event of a power outage runs through a cleaning cycle which dumps all the ink in the system into a waste tray.  These ink blocks are not cheap, but a clogged up printer would be a real problem.

I have spoken to a number of my clients who had differing experience of the storm; from “What Storm? ” in the north of the country to “quite extensive damage” in the west country.  No one had been injured and that is in part due to the Met Office giving accurate and timely warning about the storm. 

Sadly that was not the case in 1987, when poor Michael Fish played down the impending weather pattern. I remember seeing a fishing boat that had been picked up and dumped into the local tennis court and all the trees that had been uprooted,  A sorry state.

Clients that have a business continuity plan in place were prepared this time and were able to pick themselves up and continue to work. A lesson well learned.

Sunday, 27 October 2013

Green shoots?

At long last it seems that the economy is turning a corner; activity in both the manufacturing and service sectors does seem to be on an upward trend.

Now is the time that organisations look to increase training and in that light it is worth mentioning that we have a few spaces on our Management Systems Internal Auditing Course to be held in Colchester on 28-29th November 2013.

Readers of this blog will be aware that many of the Management Standards are changing:

  • ISO 27001 the information security standard just re-issued  1 October 2013;
  • ISO 14001 due for publication in 2015 (this was planned for 2014, but the response to the first draft was not too favourable);
  • ISO 9001 due for publication in 2015.

Inevitably other standards that are based on 9001 will also be updated but no information is available at the moment:

  • AS9100, AS9110, AS9120 – The Aerospace and Defence Standards
  • ATEX – Explosive atmospheres Standards
  • TS 16949 – Automotive Standards.
  • The list goes on.

The main aim of these updates is to bring the into line with modern thinking and to standardise the format to comply with Annex SL of ISO/IEC Directives ,Part one, Consolidated ISO Supplement.

This will mean that the format will be:

  1. Introduction
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Context of the organisation
  6. Leadership
  7. Planning
  8. Support
  9. Operation
  10. Performance Evaluation
  11. Improvement

It is interesting to note that the P-C-D-A (Plan- Do- Check- Act) principles are no longer featured.

Fascinating times ahead?

Monday, 14 October 2013

Information Security Management Standards

The revised Standards are now published.  The revised contents of both ISO 27001:20013 and ISO27002:2013 are shown below:

ISO27001:2013 - Requirements

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organization
  5. Leadership
  6. Planning
  7. Support
  8. 8 Operation
  9. Performance evaluation
  10. Improvement

ISO27002:2013 – Code of Practice

  1. Scope
  2. Normative references 
  3. Terms and definitions  
  4. Structure of this standard 
  5. Information security policies
  6. Organization of information security
  7. Human resource security 
  8. Asset management 
  9. Access control 
  10. Cryptography 
  11. Physical and environmental security 
  12. Operations security
  13. Communications security 
  14. System acquisition, development and maintenance 
  15. Supplier relationships 
  16. Information security incident management 
  17. Information security aspects of business continuity management 
  18. Compliance

New registrants can choose to become certificated to the new standard or to the old :2005 standard for a period of time.  Existing certificate holders will have to transition to the new standard during the next twelve months period.

Monday, 30 September 2013

ISO 14001, The Environmental Standard, Revision

Readers of my blog might remember I reported that the revision of this Environmental Standard was due to be completed in 2014 and the new Standard would be named ISO 14001:2014.
ISO received a vast number of comments following the release of the first committee draft and some serious revisions would have to be made if the Standard was to have been universally accepted.  Some of the comments were not particularly complimentary.

This has meant that the final issue has been put back to 2015.  This will give the ISO committee time to consider all the comments raised and incorporate these into the revised Standard.

The Environment and Environmental issues are very much in the public eye at the moment with scientists putting forward the view that mankind has been responsible for the climate change and resulting extreme weather conditions we have all experienced.

Getting the Standard ready for the rest of the 21st century is vital if we are to limit further damage to the environment.  Clearly it must also be readily adopted by companies across the world to be effective.  Setting unrealistic targets will be counter-productive.

Editors will note that ISO 9001 is also to be published in 2015,   so it will be an interesting year.

Monday, 16 September 2013

Data Protection Audit

Last year we were commissioned to carry out a data protection audit for a large public company and we have been asked to repeat the exercise again this year.

The Data Protection Act 1998 defines the Law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. It follows the European Union directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data.

The Eight Data Principles are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

In auditing the requirements of the Act it was necessary to carry out two separate phases:

Adequacy Audit- Where the systems employed by the company were checked to see if they addressed all the requirements of the Act.

  • Were the eight data protection principles addressed?
  • Were there provisions for training of staff?
  • Was the Company registered with the Information Commissioners Office?
  • Was there a named Data Protection Officer?

Compliance Audit – where each of the eight data principles were tested to see what level of compliance had been achieved.

  • What data was being processed?
  • What level of Personal Data was being used?
  • Had a risk assessment for data usage been undertaken?
  • Did the staff understand what the eight data principles were?
  • What training in the DPA (Data Protection Act) had taken place?
  • What checks were in place to ensure the Act was being implemented?
  • What action was required if a breach of the Act was suspected or had taken place?
  • What corrective action would be taken to rectify a data breach?

Once the audit had been completed a number on non-conformities were declared and an action plan for rectification was agreed.

We checked back with the Company that the agreed actions had been completed and within the agreed timescale before concluding the audit.

Monday, 2 September 2013

Changes in Management Standards

ISO9001:2008, The most recognisable standard. This is a Quality Management Standard and addresses best practice for all processes within a business, be it small, medium or large. This is often an entry point to many tenders. Without 9001 you may not get past the starting gate;

Due to be updated and re-issued in 2015

ISO14001:2004, The Environmental Management Standard. This standard is used to show that you are protecting the environment, as well as saving money, by using practices that ensure your aspects (anything that interacts with the environment) are as kind to the planet as possible. You should be able to demonstrate that you take care not to pollute and use energy as efficiently as possible. This is often the second entry point to tenders and contracts that specify environmental protection as a requirement;

Due to be updated and re-issued in 2014

ISO27001:2005, The Information Security Management Standard. This standard is fast becoming the standard that companies are seeking. Those holding data or information that requires protection can show that the systems in place can ensure data is confidential, integrity is protected and available to authorised users;

Due to be updated and re-issued towards the end of 2013

We will endeavour to update our readers as these changes become clear. 

ISO9001 redraft is at the very early committee stage and some of the proposed changes could make the update relatively unworkable to smaller companies, however it may change considerably before publication.

ISO14001 redraft is a bit further along but still has a long way to go before publication.  The latest draft does have some merits and has brought environmental management up to date.

ISO27001 redraft is at the draft for public comment.  This draft cannot be considered final. It has become clear that the committee has received a vast number of comments and the final draft will reflect some of these comments.  We shall see.

Each of these standards will have a transition period where new applicants can choose to apply the existing standard or the new one.

Eventually though all users will have to update their systems to meet the revised standards.   Once these are known we will report them on this blog.

Tuesday, 30 July 2013

Data Destruction

It was reported in one of the security forums that a Hospital Trust has been fined for a data breach which exposed patient and staff information.

Apparently the computers were taken out of service and given to a company which promises to erase all data before reselling the hardware.  This is carried out free of charge and any monies are realised from the sale of the hardware.

In this instance the hard disks were not wiped and the data was intact when sold on eBay.  On examination it was found that several other computers still contained data.

The Hospital Trust failed to check that the hard disks had been destroyed by shredding as had been promised.

WEEE disposal free of charge can seem attractive, but we urge anyone using this service to witness the hard drive destruction and obtain a certificate of destruction.   There is the temptation by these companies to merely check that the computer works before offering it for sale and not even erasing data in a secure manner.  This maximises the amount of cash realised for the equipment; sadly it does nothing to protect the sensitive data that may be on the equipment.  It was the Trust’s responsibility to check that data was not compromised; hence the fine.

We, at Quality Matters, do not send any computers containing hard drives for disposal.  We remove all hard drives and have these shredded before sending the remaining hardware to a licenced WEEE disposal site.  This does involve some cost but we know that no data can be compromised.

Monday, 15 July 2013

Anti Virus Protection

I am fairly competent with computer systems  so you can imagine how I felt when the main office computer refused to boot up.  I tried 'safe mode', repair disk and all other  methods to get it up and running, but to no avail.

Reluctantly I took the machine to a local repair shop.  I did ask the technician to sign a non disclosure agreement before parting with the machine.

When I went to collect the machine I was astounded to hear that it was a virus that had incapacitated the computer.  This should not have happened as all our machines are installed with a very well-known anti-virus and anti-malware suite.     

The technician explained that the virus had simply turned off our anti virus software and then infected the computer.  No warning was given that AV was not functioning.

I believed our systems were safe and I asked the technician what the virus was and how it had affected the security of our systems;  fortunately none of our sensitive data had been affected and the virus was more infuriating than malicious.

Sensitive and Client data is encrypted using 256-bit AES so is pretty well protected.
A full review of our security systems took place and it was decided that we should install Windows Security Essentials on all our systems; this has a number of advantages;

  1. WSE is subscription free and updates are controlled by Microsoft.
  2. It was WSE, the technician had installed on this computer, which resulted in the virus being detected.
  3. WSE is not as resource hungry as our old anti-virus system.

Naturally our old antivirus and anti-malware was removed.  Two anti-virus systems running at the same time can cause problems.

A full scan of all data systems has been carried out and  our firewall systems have been scanned and  intrusion testing has been carried out.

Our systems are 'fingers crossed' once again very secure.

Monday, 1 July 2013

Car Comfort

I was in Bristol during the early part of June.  You may remember the couple of days when it was remarkably warm.  During my journey I noticed that the car was becoming rather hot.   This is the interior of the car rather than the engine and cooling system. I checked the climate controls and it soon became clear that the cooling part of the system was not working, the vents were blowing warm air.  I had to revert to the old fashioned system and open the window.

This was not the time for air-conditioning failure. 

When I arrived at my hotel I looked for local vehicle air-conditioning companies; my thought was that it could be fixed while I was at my Client's.

Several phone calls later I realised that every a/c engineer was fully booked. However one could fit me in an a couple of weeks' time !!.   The engineer did talk me though the dangers of working on my Honda Hybrid's climate control system.  Apparently there are two things that must be taken into consideration:

  1. The hybrid uses a dual scroll system which is a high voltage three phase compressor; the voltages present can be lethal.
  2. The coolant used in the system must be filled with a special high dielectric oil; using the wrong oil will wreck the whole system.
I waited until I returned home and spoke to my local garage, who are Toyota specialists, they were aware of these drawbacks, as Toyota hybrids use a similar system, and were able to sort out my climate control system.

All I now need is some warm weather to put it to a real test.

Monday, 17 June 2013

Social Engineering and Security

Last week I received a telephone call from our bank;  the caller explained that before discussing the matter in hand she would need to take me through some security questions.  Naturally I wanted to help and before volunteering information I said I wanted to positively identify the caller.  I first asked for my account number,  this apparently could not be given until I  formally identified myself, as the Date Protection Act would be breached.

I tried to explain that I would be breaching our security management system by giving sensitive information to any caller; she rang off.

I think I should explain what was going on here, we do not bank with Santander so the caller was certainly not genuine. She wouldn’t answer any of my identifier questions, so even if she had been from our own bank she failed the first part.  I always ask for some information not readily available to a member of the public.  When I have any doubts I always take the person’s name and number and then call them back but on the number I have on file.

The number of phishing telephone calls and emails seem to be on the increase and anyone unwittingly supplying information could then find themselves out of pocket when money is taken or identify fraud takes place.

A genuine caller will be more than willing to identify themselves and would not attempt to use the Data Protection Act ploy to hide behind.

The other increasing trend seems to be the emails which seem “too good to be true”.

Here is the latest one I received:

"My wife Violet and I Allen Large won $11.3 million in a lottery 6-49 in July, 2010 and we have decided to donate the sum of $2,000,000.00 USD to you. Contact us via our personal email for more details ( ). You can verify our story by visiting the web page below."

If you click on the link it shows:

"The phone hasn't stopped ringing at Allen and Violet Large's home in Lower Truro, N.S., since news spread that the elderly couple has given away almost all their $11.2 million lottery win.
It is real shame that the couple’s generosity has been hijacked by crooks for fraudulent activity.  You may notice that the couple apparently won $11.3 million but the email claims this is $11.2 million,  inevitably the crooks attention to detail is poor, so be aware and stay safe."

Monday, 3 June 2013

Entry Level for Tenders

We get several calls each week from prospective clients saying that they are getting nowhere with tenders which require applicants to have a certificated quality management system, such as ISO9001. If they don’t have a qualifying system then their tenders are relegated to the state of  "also- rans".  Inevitably these enquirers want to know how quickly it can be incorporated into their business, and of course, how much it will cost.

I explain that ISO9001 as well as other management standards, needs to be set up and then operated for three months before undergoing formal assessment.  I will often be asked if this time-frame can be reduced.  My answer is always the same; an assessor can only assess what you are doing and not what you planning to do in the future.  This is why the three month operational requirement is so important. 

In addition to this, a business will have to have undertaken an internal audit, carried out by suitably trained auditors, and a management review must have taken place.    If any one of these has not taken place then the assessment will fail.

The costs of preparing for assessment will vary from business to business and whether external help is employed.  In my experience businesses “doing it themselves” often make fundamental errors and are surprised when the assessment fails and results in a re-visit because it does not meet the requirements of the standard.  At the other end of the spectrum is the business that has procedures for everything and very prescriptive procedures at that (an example would be "take screwdriver in right hand, insert the blade into the screw head and turn clockwise" . No consideration has been made for left-handers, cross point screws or left-hand threads.  Making procedures so prescriptive actually sets you up to fail, while insulting the intelligence of operators.  It is often better to state “using an appropriate screwdriver tighten the screw to the correct torque”.

External consultants are often a cost effective method of achieving compliance to ISO9001; not only have they done it all before, you will have a simple workable system and you are guaranteed to pass.
We, at Quality Matters have a large sign in the office K.I.S.S (Keep It Simple Stupid) which makes us realise that any quality system we produce has to be easy to use by our clients and effective. 

Monday, 20 May 2013

ISO27001 – Information Security Standard

Hardly a week goes by without a news article saying that some data has been stolen/lost/accidently revealed.  The Standard is due to change later this year but businesses considering incorporating this standard should not wait for the new standard, but start on the process now.

Information is the lifeblood of all organisations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.  The loss or exposure of this information can be really damaging. So do not delay!

The three main principles of any information security management system are:-

Confidentiality – making sure that private date stays private;

Integrity – making sure that data is protected from loss or alteration;

Availability – making sure that data is available when required.


Where do I Start?


Develop an information security policy and identify your organisation's key information assets. Purchase the standard, ISO/IEC ISO27001 and the Code of practice ISO/IEC 27002 to help you do this.

  1. Carry out a risk assessment and build your ISMS. Training of key staff will help to ensure its successful implementation.
  2. Once your management system is fully implemented you can get your system certificated to ISO27001 with one of the accredited certification bodies


What is ISO27001?


ISO27001 is an international standard setting out the requirements for an Information Security Management System. Using 27002, it helps identify, manage and minimise the range of threats to information.

  • Security policy - This provides management direction and support for information security
  • Organisation of information security - To help you manage information security within the organisation
  • Asset management - To help you identify your assets and protect them as required
  • Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities
  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities
  • Access control - To control access to information systems
  • Information systems acquisition, development and maintenance - To ensure that security is built into information systems
  • Information security incident management – to react to security incidents or weaknesses
  • Business continuity management - To deal with  interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
  • Compliance- To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements.

There will be a transitional period when the revised standard is issued, and businesses can choose to be assessed against the existing or new standards.   Once the transition period is completed (usually 12 months) then all businesses will have to comply with the new standard.

Tuesday, 7 May 2013

What no Broadband?

I came in to the office early as I had a lot of work to do only to find that the broadband was not available.   The internet light on the router was flashing amber and no amount of rebooting and obvious checking was going to have any effect. 

I was left with no option but to call the dreaded broadband helpdesk.   Three hours later, and having dismantled the telephone line box, changed cables, rebooted the router, the computer and messed about with the router settings with no good result, my blood pressure was very raised and having answered the same question with four different people with escalating areas of knowledge, I was beginning to lose my sense of humour.

The calls (0844) were costing me money and of course were not achieving anything.   The final straw came when the woman at the end of the line suggested that I would be charged £50 for an engineer to visit my home!!!   Why in God’s name would I need to have an engineer visit me at home when the problem lay with the broadband at the office?  

I know they have a job to do and it cannot be the easiest job in the world, but it would help if they could pass the job to a more experienced person when “rebooting the router” doesn’t work rather than reading through the whole script.

In desperation I asked to speak to a manager; I explained that I had been a customer since 1997  and I was not particularly pleased at being treated like a an idiot; I did say that I would ask for a mac code so that I could take my business elsewhere;  finally I was assured that an engineer would call at my office the next day and without charge, I even had a choice of times.  In the meantime I tried to work using a 3G modem on my laptop.  This is fine for internet connections when I am out of the office but painfully slow compared with broadband.

The engineer, a very cheery chap arrived within the timescale agreed and saw that the green internet light on the router was now lit but still no broadband connection.  He said that in 99 times out of a 100 it would be a faulty router.  He would pop down to his van a get a new one.  Within 15 minutes he had configured the new router and all was well again;  my blood pressure returned to normal.

The engineer asked me to complete a customer satisfaction form and he said that I should concentrate on his performance etc. and not on the help desk performance.  I was happy to do this and scored him at the top of the range.

I have deliberately not named the broadband provider as I am reliably informed, by other companies on the business estate that they are all pretty similar.

Monday, 22 April 2013

Business Continuity Management

Our winter has been the coldest (or 2nd coldest, depending on which set of statistics you view) however, it has been a very testing time for businesses.  Heavy snow has meant that staff could not get into work and deliveries could not be made.  The end result has been that businesses are reviewing their business continuity plans.  Most have a BCP in place, but extended periods of snow were not always included.  

The revised plans should include actions to be taken when access to workplaces is impossible and of course dealing with problems associated with staff where they have managed to get to work but then cannot leave.

Some businesses are considering putting in food stores of tins and other long life stores as well as bottled water and toilet rolls etc. 

In addition, stocks of rock salt will be topped up to ensure pathways are kept clear.

Businesses in areas that were subject to power outages which lasted for several days are looking at generators and other emergency power options as well as bottled gas for heating.

2012/2013 winter may be a one off and we may not see another winter like that for another fifty years but then again we may have one next year. It is better to be safe than sorry.

Remember BCM (Business Continuity Management) is part of ISO27001 (Information Security Management) due to be reissued as ISO27001:2013 later this year.

Monday, 8 April 2013

IS027002 Information Security Code of Practice

This Standard last reviewed and updated in 2005 and linked to ISO27001, is about to be re-issued as ISO27002:2013 later this year.  The current position is that the draft has reached the “draft for public discussion” stage.

There were a number of inconsistencies in the 2005 code of practice which do seem to have been addressed in this draft:

Some of the section elements have been removed:

Addressing security when dealing with customers (6.2.2)               
Controls against mobile code (10.4.2)                                 
Information handling procedures (10.7.3)                             
Security of system documentation (10.7.4)                            
Business information systems (10.8.5)                                 
Publicly available information (10.9.3)                              
User information for external connections (11.4.2)                    
Equipment identification in networks (11.4.3)                        
Remote diagnostic and configuration port protection (11.4.4)          
Network connection control (11.4.6)                                   
Network routing control (11.4.7)                                      
Input data validation (12.2.1)                                        
Control of internal processing (12.2.2)                               
Message integrity (12.2.3)                                            
Output data validation (12.2.4)                                      
Session timeout (11.5.5)                                              
Limitation of connection time (11.5.6)                                
Sensitive system isolation (11.6.2)
Information leakage (12.5.4)                                          
Business continuity and risk assessment (14.1.2)                      
Developing and implementing business continuity plans (14.1.3)        
Business continuity planning framework (14.1.4)                       
Prevention of misuse of information processing facilities (15.1.5)    
Protection of information systems audit tools ( 15.3.2)

These controls have not entirely abandoned but have been incorporated elsewhere in the standard or have been renamed for clarity but are not duplicated as before.

There will be 14 sections in the new standard instead of the 11 sections in the 2005 standard but the number of controls required to be addressed has come down from 133 to a mere 113.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of this standard
  5. Security Policies
  6. Organisation of information security (now includes controls for mobile devices, apps and teleworking).
  7. Human resource security
  8. Asset management
  9. Access control (Password is supplemented by Secret Authentication to recognise that other methods may be used to validate users identity)
  10. Cryptography (now given a separate section to recognise its importance)
  11. Physical and environmental security
  12. Operations security (operations and communication now separate sections)
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships (new separate section). 
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

The revised standard seems to be more ordered rather that the splatter approach used in the 2005 standard.  As mentioned in the 27001 blog last time, it is a pity that there is not more emphasis on the cloud, but there is still time for this to be incorporated.

Remember, this is only a draft and it may (almost certainly will) change before final publication in 4th qtr 2013.

Monday, 25 March 2013

IS027001 Information Security Standard.

This Standard last reviewed and updated in 2005 is about to be re-issued as ISO27001:2013 later this year. The current position identifies that the draft has reached the "draft for public discussion" stage.

Two things are really obvious:

  • The PDCA (plan- do- check- act) method  is no longer mentioned.
  • There is no mention of cloud computing or storage.
The first change (PDCA) is to align  with the new ISO/IEC directives and is no great loss. The second is a bit disappointing; I would have thought that as Cloud computing and storage were a large part of current practice, it would have merited at least a sub-section if not a whole section in the new Standard, but no.

The proposed section in the new Standard are:

  1. Introduction
    1. General
    2. Compatibility with other management system standards
  2. Scope
  3. Normative references
  4. Terms and definitions
  5. Context of the organisation
    1. Understanding the organisation and its context
    2. Understanding the needs and expectations of interested parties
    3. Determining the scope of the ISMS
    4. Information security management system
  6. Leadership
    1. Leadership and commitment
    2. Policy
    3. Organisational roles, responsibilities and authorities
  7. Planning
    1. Actions to address risks and opportunities
      1. General
      2. Information security risk assessment
      3. Information security risk treatment
    2. Information security objectives and plans to achieve them
  8. Support
    1. Resources
    2. Competence
    3. Awareness
    4. Communication
    5. Documented information
      1. General
      2. Creating and updating
      3. Control of documented information
  9. Operation
    1. Operational planning and control
    2. Information security risk assessment
  10. Performance evaluation
    1. Monitoring, measurement, analysis and evaluation
    2. Internal audit
    3. Management review
  11. Improvement
    1. Nonconformity and corrective action
    2. Continual improvement
Annex A remains but the useless Annex B and C are abandoned. The next stage will be a final draft which may or may not take notice of the comments submitted by interested parties.

The standard may change before final publication (4th qtr 2013) so readers should not amend their systems until the standard is formally issued. The standard ISO27002 is also in draft format and I will report on those changes in the next blog.

Monday, 11 March 2013

Environmental Standard ISO 14001 revision

In my last Blog I reported that ISO9001, the Quality Management Standard, was being revamped with a released date promised in 2015.  Now I can report that the 14001: 2004 Standard is being reworked with a planned release date of 2014. 

This Standard published in 2004 is overdue for revision and it is hoped that some of the proposals we have suggested will be included in the 2014 version.

All new and revised Standards will be following the 2012 issue of the ISO/IEC directive which sets out guidelines for high level structure and content.  This will enable all Management Standards to be able to integrate into an organisations overall strategy, rather than being "a bolt on".

The proposed 14001 (and of course 14004) have been subject to wide consultation and this has allowed environmental interested parties (some 1650 professionals responded to the consultation) to provide good input to the revision process.

Here are some of the suggested areas for inclusion put forward by IEMA, the Institute of Environmental Management and Assessment:

  • Clarity about the principal aims of any EMS to protect the environment;
  • Consider impacts from the changing environment to allow organisations to manage risks and opportunities as well as managing their impacts on the environment;
  • More emphasis on managing impacts across the product / service lifecycle;
  • There should be a greater emphasis on the demonstration of compliance with Statutory and Regulatory requirements;
  • And continual improvement of any environmental performance.

The next round of discussions by ISO are due to take place in June 2013 and no doubt we will be updated on their deliberations. 

Watch this space!!!

Monday, 25 February 2013

What next for ISO 9001- The Quality Management Standard?

This system is probably the most well-known standard in the world and provides confidence for customers that their quality needs will be satisfied and that the product or service will meet their specified requirements.

With its origins based on the Defence Standards through to AQAP (Allied Quality Assurance Publications) and BS5750, finishing up as the truly International ISO9001.  The current version is ISO 9001:2008.

It has been the policy of the International Standards Organisation (ISO) to review and update standards on a regular basis.

A review was carried out in March 2012 which decided that it still was fit for purpose for the time being.  However the ISO/TC176/SC2 (the committee responsible for updating the Standard) met in Bilbao in Spain on June 2012 to start the process of updating the ISO 9001 and its complementary standard ISO 9004. 

However this is not going to be completed any time soon, like most update schedules the ISO committee have produced a preliminary time line.

June 2012 the draft design and strategic plan stage 

The draft specification:

  1. The main task was to provide a core set of requirements that would be valid for another ten years or so.
  2. Continue to remain generic and relevant to organisations of all sizes and types
  3. Maintain focus on effective process management
  4. Ensure the standard reflects changes in quality management and technology
  5. Ensure that the standard meets the changing requirements for complex
  6. Ensure that the standard remains compatible with other ISO management standards
  7. Facilitates effective implementation by organisations and effective conformity assessment by first, second and third parties
  8. To use simplified language and writing styles to improve the ease of use and understanding of the standard.

December 2012 Draft design approved
April 2013  First committee draft for comment
March 2014 First draft ballot
November 2014 Final Draft for public comment
June 2015 Final draft ballot

and if all goes to plan……………………….

September 2015 - Publication

It is encouraging that this standard, which was the basis of all the management standards, will be kept up to date and will continue to be the most effective and visible quality management standard across the world.

Monday, 11 February 2013

ISO27001:2005 Information Security Management Standard

ISMS Light touch Directors' Brief

Executive Summary

It is generally accepted that information is the greatest asset any organisation has under its control. Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:
  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.
With increasing reliance on data, it is clear that only organisations able to control and protect this data are going to meet the challenges of the 21st century.

ISO27001:2005 which was formally BS7799 is the International Standard for Information Security Management (ISMS) and provides a definitive reference to developing an information security strategy. Moreover a successful certification to this standard is the confirmation that the system employed by the organisation meets internationally recognised standards.

However reduced resources may cause problems when planning and implementing a full ISMS; this can be resolved by using a reduced scope. This does allow for extension at some time in the future.

The Statement of Applicability which accompanies the application can be tailored to meet the specific requirements of the organisation.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT but critical information extends well beyond computer systems. It encompasses knowledge retained by people, paper documents as well as traditional records held in a variety of media. A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.


  1. Confidentiality
  2. Integrity
  3. Availability
These are the three requirements for any ISMS.

Directors' Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, professional and the financial sector. This is being driven by adoption of the standard as part of their legal and regulatory obligations. In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/client confidence and win new business. With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction and therefore replaces the feeling many directors have of risk ignorance in this area. This will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside with the more obvious benefits.

CFO Scrutiny

Whether, as part of compliance, such as required by Professional Bodies, Sarbanes Oxley, Data Protection Act, or as part of an effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital. Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making. Basic risk assessment is a preferred method when smaller organisations are starting on the road to an ISMS.

Business Continuity

How well would you cope if a disaster affected your business?

This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business.

Many of the businesses affected by the Bunsfield Fuel Depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan but if the plan is untested or ill prepared then it is bound to fail. ISO27001 states that a fully planned and tested BCP should be in place to prepare for and be able to deal with, such an emergency.

ISO 27001/2 Sections

  • Risk assessment and treatment – Assessing the risks to the company's assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
  • Security policy - This provides management direction and support for information security.
  • Organisation of information security - To help manage information security within the organisation.
  • Asset management - To help identify assets and protect them appropriately.
  • Human resources security - To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management - To ensure the correct and secure operation of information processing facilities.
  • Access control - To control access to information
  • Information systems acquisition, development and maintenance - To ensure that security is built into information systems.
  • Information security incident management – To deal effectively with any identified security incident.
  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.


A light touch ISMS can be very effective in providing confidence to customers/clients if careful selection of the elements, incorporated in the ISMS, is made. The Statement of Applicability details which parts are included/excluded.

Many organisations have benefited from this approach and with assistance from Quality Matters have maximised the use of resources while providing good levels of data protection.  

This brief has been prepared by Chris Eden of Quality Matters Limited. Chris Eden FIC, MISSA, ACQI, A director of Quality Matters Limited with over 20 years experience in setting up, auditing and evaluation of systems. He is a Registered QMS2008 Internal Auditor (IRCA).

Monday, 28 January 2013


The current bad weather has identified a number of omissions  in company Business Continuity Plans. These plans usually concentrate on fire, flood, utility interruption and health scares.  This year it should also include snow and ice. 

Now is the time to review Business Continuity and Disaster recovery plans.

Some elements are:

  • What to do if staff are unable to get in to work;
  • What to do if deliveries cannot be made;
  • What to do if incoming goods cannot be delivered;
  • Purchase rock salt or ice melting products;
  • Check heating, purchase heating oil supplies if appropriate;
  • Ensure that company vehicles are ready to meet the winter;
  • Tyres are correctly inflated;
    • Tyres have at least 1.6mm of tread;
    • Antifreeze is at the correct level;
    • Windscreen washer filled with screen wash solution and not just plain water;
    • Screen scraper and de-icer kept in the vehicle.
  • Computer systems  checked and updated as necessary
  • Uninterruptable power supplies tested and batteries replaced as necessary;
These are just some of the precautions which will make life a little easier until the Spring arrives.

Monday, 14 January 2013

Welcome to 2013

Well it's back to work after a very enjoyable break and time to look again at the Standards that will make your business more efficient and enable you to get more work as a result of gaining an entry qualification to tenders.

Standards to consider:
  • ISO9001 - The Quality Management Standard; always a good standard to put into place and probably the most recognisable Standard in the world.
  • ISO14001 – The Environmental Management Standard; shows that you care about the environment.
  • ISO217001  - The Information Security Standard; most important if you handle or store data or work with or for an organisation that does.
  • ISO200000 -  The IT Service Management Standard;  a good Standard for IT organisations.
  • AS9100- The Aerospace and Defence Standard; this is 9001 extended to meet the strict requirements of the aerospace industry.

These are just 5 of the Standards in which we offer professional consultancy.  All work is guaranteed.

We are proud to boast that every Client proceeding to Assessment has passed the assessment, and at the first attempt since 1991.

If you would like further details or a quote for our services please contact us and we can ensure that you have a Very Happy and prosperous New Year.

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design