
"Quality Matters in your Business"

Monday, 21 December 2015

Merry Christmas and a Happy New Year

Yet another year draws to a close. It seems to come around quicker and quicker each year.

We have seen many changes during 2015, which have included the updating of the ISO 9001 Quality Management Standard and the ISO 14001 Environmental Management Standard. There has been a 3 year transition period declared for these Standards, which means that any organisation not carrying out a transition to the 2015 Standards will automatically be deregistered in September 2018. We recommend that transition should be carried out during 2016 or 2017 at the latest to avoid a last minute rush when assessors may not be available to carry out the work.

We are currently working out a timetable for our Clients and providing help and advice on the requirements necessary to achieve a satisfactory transition.

It has been interesting to see the approach taken by Certification Bodies in that each seems to have a slightly different view on the way forward.  Some see a considerable amount of work needed to satisfy the requirements while others take a more pragmatic view in that organisations that have held the Standards for some time will not need to change much to satisfy an assessor.

In any event the Standards will not change the way most organisations conduct their core business.
If you need any help or advice on the requirements and documented information needed, please contact us and we will be pleased to assist you.

This will be our final blog for 2015. Our offices will be closed from midday on Wednesday 23 December 2015 and reopen on Monday 4 January 2016.  Email will be monitored but may take longer for us to respond during this period.

We wish our Clients and readers of our blog a very Merry Christmas and a Happy and prosperous New Year.

Monday, 7 December 2015

Microsoft tracking in Windows 10

We at Quality Matters take information security very seriously so we were alarmed to be made aware that a data collecting system was being operated by Microsoft in Windows 10.

It is called “Diagnostics Tracking Service” and was introduced during the May 2015 Windows update patch KB3022345.

The data being collected according to Microsoft:

Examples of data we collect include your name, email address, preferences and interests;  browsing, search and file history, phone call and SMS data; device configuration and sensor data; and application usage.

It is relatively simple to see if this is enabled in your system:

Right click the Windows symbol on the bottom left of the screen and click Run, then type in services.msc and press Enter.

Scroll down to Diagnostic Tracking Service. If this is enabled then you can stop and disable it by clicking on the element and then disabling it.
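The same check can be made from an Administrator PowerShell prompt. This is an added example, not part of the original post; it assumes the service's internal name is DiagTrack, and the function name Disable-TrackingService is hypothetical.

```powershell
# Added example: report on, and optionally stop and disable, the
# Diagnostics Tracking Service. Run from an elevated PowerShell session.
# Assumption: the service's short name is DiagTrack.
function Disable-TrackingService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Name = 'DiagTrack',
        [switch]$AuditOnly   # report the current state without changing anything
    )

    # A machine without the service is not an error: report it and stop.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "Service '$Name' not found; nothing to do."
        return
    }

    Write-Output ("Before: {0} ({1}) Status={2}, StartType={3}" -f `
        $svc.Name, $svc.DisplayName, $svc.Status, $svc.StartType)

    if ($AuditOnly) { return }

    # Stop the running service first, then prevent it starting at next boot.
    if ($svc.Status -ne 'Stopped' -and
        $PSCmdlet.ShouldProcess($Name, 'Stop service')) {
        Stop-Service -Name $Name -Force -ErrorAction Stop
    }
    if ($svc.StartType -ne 'Disabled' -and
        $PSCmdlet.ShouldProcess($Name, 'Set startup type to Disabled')) {
        Set-Service -Name $Name -StartupType Disabled -ErrorAction Stop
    }

    # Re-read the service so the report reflects what is actually in place.
    $svc = Get-Service -Name $Name
    Write-Output ("After:  {0} Status={1}, StartType={2}" -f `
        $svc.Name, $svc.Status, $svc.StartType)
}

# Report only; remove -AuditOnly to make the change, or add -WhatIf to preview it.
Disable-TrackingService -AuditOnly
```

Running the audit again after later Windows updates confirms whether the setting is still in place.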

Although Microsoft claim that this information will be used to allow developers to improve functionality, it would have been better if they had announced that this would be installed and given users the option of not installing it, rather than just including it as part of the routine update.

We would not want our data to be accessed and we think that others will be of the same mind.

Monday, 23 November 2015

Revised Aerospace and Defence Standards

The IAQG have announced that the revised AS 9100 series of standards, which use ISO 9001 as the core requirements, are going to be published in 2016. There will be a transition period until 15 September 2018.  Any organisation not transitioning to the revised standards by that time will automatically be deregistered.

The revised standards use the High Level Annex SL format produced for all new ISO standards and comprise ten clauses.

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement

Some of the requirements deemed unnecessary in ISO 9001 have been reinstated in AS 9100. These include:

  • management representative is required
  • documented information with items to be identified (Quality Manual)

In addition, a number of requirements have been added:

  • Protection from counterfeit products
  • Product safety (awareness and compliance)
  • Computer back up secured
  • Project management
  • Measures of on-quality and on-time delivery
  • Stakeholders
  • Transfer of work
  • Reviews of requirements related to products and services coordinated with applicable functions
  • Actions to be taken when not meeting customer requirements
  • Handling obsolescence
  • Changes
  • Controls of external providers and sub-tier providers
  • Additional evaluation of data and test reports
  • Controls of production equipment
  • Tools and software programmes
  • Validation of special processes
  • production process variations
  • problems detected after delivery
  • procedure to define NC process and responsibilities
  • review of on-time delivery performance
  • actions based on risk assessments, and human factors.

These additional requirements are necessary for control and traceability required in the aerospace industry, which would not be met with the basic ISO9001 standard.

Monday, 9 November 2015


Cybercrime, where sensitive details are stolen from web sites and providers is causing a great deal of concern.  The loss of this data can cause immediate loss of confidentiality and in some cases loss of funds from bank and credit card accounts. 

The other form of cybercrime is called “vishing” and this is where a criminal uses the information stolen to make contact, usually by phone or email, to encourage you to give further information about your passwords and in some cases get you to transfer money from your own account to a supposedly “safe” account.  In reality the money has gone.  Sadly as this transfer was “authorised”  the bank will not recover it for you.

The main targets for these crimes tend to be the elderly or vulnerable.  The criminals are most convincing, even going to the trouble of explaining that there are a lot of nasty people out there who just want to steal your money; and just to convince you that they are genuine tell you to hang up the phone and then call the bank/credit card company using the information on your card or bank statement.  In reality the phone line never cleared and the criminal is still on the line and will answer with the name of the bank or credit card company.  They will then confirm that the call you received was genuine and you must take action immediately to safeguard your money.    Another successful crime committed.

In the event you are called by someone you don’t know, take extra care that you do not give information to the caller.

No bank or credit card company will ever ask for the complete password.   

No bank or credit card company will ever ask you to transfer money to another account.

If you need to contact your bank or credit card company always use a different phone, or if you have only one phone leave it for several minutes for the line to clear and then check that you have a dial tone before dialling.

If you have elderly or vulnerable relatives or friends tell them to trust no one until they are sure who they are.  If in doubt do nothing and get the help of a relative, friend or neighbour.

Tuesday, 27 October 2015

ISO 14001 and Office Based Environments

A number of our clients who currently hold ISO 14001:2004 have expressed concerns that the new 2015 standard makes a great play that significant aspects need to be incorporated into the risks and opportunities element and that a system of continual improvement needs to be put into place to address significant aspects.  Significant aspects are those defined as having a major impact on the environment.  These tend to be discharges to air, water, land or waste containing hazardous or toxic elements.

In an office environment there tend not to be any of these significant aspects and although there may be systems in place to separate paper, plastic, tins etc. and re-cycle these, together with energy reductions by turning off lights and reducing ambient temperatures, this clearly will not have any major impact on the environment.

The question being asked is “Does an office environment need ISO 14001?”  The short answer is no; however, some purchasing authorities specify ISO 9001 and ISO 14001 as a prerequisite for tenders and those organisations not holding 14001 would be at a disadvantage.  Clearly having a third party certificated system for 14001 in an office environment is expensive and, as stated above, not particularly relevant.

There is another option for office based organisations wishing to have this standard:

The standard states that

“This International Standard contains the requirements used to assess conformity. An organization that wishes to demonstrate conformity with this International Standard can do so by:

  1. making a self-determination and self-declaration, or
  2. seeking confirmation of its conformance by parties having an interest in the organization, such as customers, or
  3. seeking confirmation of its self-declaration by a party external to the organization, or
  4. seeking certification/registration of its environmental management system by an external organization.”

Option 1 – self declaration would seem to be the best of both worlds:

Retain 14001 while reducing the costs.  Obviously the organisation would need to show evidence that the standard was being followed and internally audited but no external certification would be necessary.

Organisations that DO HAVE significant aspects should always follow the formal certification route with a UKAS Accredited Certification Body  to evidence compliance with the standard and environmental legislation.

Monday, 12 October 2015

New Generation Hard Disks

We all tend to take our hard disk drives very much for granted; they start each day and provide sterling service,  with a little care and a bit of housekeeping such as defrag and clean-up.

A disk drive consists of disks of magnetic material spinning at relatively high speeds with a reading head flying less than the breadth of a human hair just above it. The smallest deviation will result in the reading head crashing into the magnetic disk with disastrous results. Add to this the mechanics and electronics of the thing, and it is not surprising that ALL disk-drives will fail.

I visit a lot of clients each year and my laptop spends a fair amount of time bouncing around in the boot of my car, so it is not surprising that the number of sectors which have become damaged has increased.  At one stage nearly half of the hard drive became unusable. Time for a new laptop or just change the hard drive?

I decided that instead of fitting a normal hard drive I would fit a SSD drive instead.  This is a solid state drive which has no moving parts. It looks similar to a normal hard drive and fits into the bay on the laptop.

What are the pros and cons?

Pros:  Boot up is quicker, the laptop is quieter and  the drive will not get damaged in the boot of my car.

Cons:  The cost is higher than a normal drive.

On balance I think that I made the right decision and unless something else fails in my laptop it should last a bit longer.

Of course taking a good back-up of the contents of the drive must be carried out to ensure that this is available when required.

Monday, 28 September 2015

At last ISO 9001:2015 has been published

The quality Management Standard ISO 9001:2015 was finally published on 23 September 2015 and all organisations holding ISO 9001:2008 must transition to the new standard by the deadline date of 22 September 2018. 

This may seem a long way off but if there are problems at the transition assessment then it is possible that the organisation will be de-registered.  A new certification would then be necessary. A break in certification plus the additional costs would make leaving it to the last minute a risky business.

The Environmental Management Standard ISO 14001:2015 was published on 15 September 2015 and organisations holding ISO 14001:2004 must transition to the new standard by the deadline date of 14 September 2018.  Again leaving it to the last minute is inadvisable.

Both of these revised standards use the new format Annex SL, which has 10 identical clauses.

The standards are quite different in their approach from the previous versions and although the requirements for lots of paperwork are reduced there is a greater requirement to identify the “context” of the organisation, provide “Leadership” (with evidence) from top management and use “Risk based thinking”.  Measurements of effectiveness use KPIs and these need to be well thought out to stop a “paper-chase”.

We can help in the transition to either or both of these standards and, with your involvement, produce the documented information required. 

We have been helping organisations with Standards for many years (since 1991) and have many satisfied clients.  They often comment that we go the extra mile for our clients.

Naturally we guarantee that you will pass the transition assessment(s), if you use our services.

Please note that OHSAS 18001 (Occupational Health & Safety Management) will transition to ISO 45001:2016 next year.

Please feel free to contact us on our email or telephone 01621 857841 and we will be glad to advise the best way forward.

Monday, 14 September 2015

Internal auditors need to update training

The changes in both ISO 9001 and ISO 14001 to the 2015 versions have meant that internal auditors will need to update their knowledge in order to be able to audit these revised standards.

Most auditors who carry out continual professional development will know that all management standards issued since 2012 follow the revised format Annex SL, which has 10 identical clauses.

Annex SL is designed to make it easier to integrate management standards and provide a stable framework for users.

We at Quality Matters have been burning the midnight oil preparing revised internal audit courses to meet the new requirements.  There are a couple of places still available on our 22 + 23 October 2015 course to be held in Colchester, Essex.

Our course covers:

  • ISO 9001:2015 – Quality Management
  • ISO 14001:2015 – Environmental Management
  • A preview of ISO 45001:2016 – Occupational Health & Safety Management (was BS OHSAS 18001)
  • ISO 27001:2013 Information Security Management
  • ISO 50001:2011 – Energy Management
  • As well as Auditing information, Techniques, Practices and Actual Audit in role play.
  • All delegates receive a comprehensive audit course manual and a certificate of success.

Both ISO 9001 and ISO 14001 systems must transition to the 2015 versions during the three year transition period or risk having their certification withdrawn by Certification Bodies.

Monday, 24 August 2015

Windows 10 is Out

A big fanfare from Microsoft and Windows 10 is out.  A general view is that it is better than Windows 8 and 8.1 but hasn’t got much on Windows 7.  We use the Ultimate version so have had the handy BitLocker.  Windows 10 has this as standard.

No doubt there will be some teething problems with installation and initial working and this is where the scammers are taking advantage.  This morning I received a call from an Indian sounding woman who told me that my computer was infected with a virus as a result of the new windows installation and as a windows certified engineer she could help me to clean my computer.  She offered to give me my windows licence number to validate the authenticity of the call.  All I needed to do was to give her remote access and she would do the rest.  Fat chance!!!

I told her that this company specialises in ISO 27001 the Information Security Management Standard and that we do not respond to scam calls.   Not deterred by this she  carried on reading from her script.  Our on site IT team would not be able to detect the problem and only she could fix it.

I terminated the call.

The number she supposedly called from, 020 3701 9260, does not ring out and is “unrecognised”.

Under no circumstances should you ever give remote access to a cold caller and if in doubt offer to call them back on a different phone and to a recognised number.

Monday, 27 July 2015

ISO 50001:2011 Energy Management Standard

Published on 15 June 2011, the ISO 50001 Energy Management System (EnMS) standard is a globally accepted framework for managing energy, providing technical and management strategies for enterprises to increase energy efficiency, reduce costs, and improve environmental performance.
The Standard is useful to any organisation but will help large organisations comply with the ESOS (Energy Saving Opportunity Scheme) mandatory requirements.

The Environmental Agency, as Scheme Administrator for England, The Scottish Environmental Agency, Natural Resources Wales and the Northern Ireland Environmental Agency hold registers of all participants complying with the requirements.

All non SME organisations, those with 250+ employees or a turnover of €50m and a balance sheet exceeding €43m, must comply with ESOS.  Publicly funded organisations are exempt.

Those failing to comply with this requirement by December 2015 face penalties up to £50,000 for each non conformity plus other non-monetary penalties.

The areas of non-conformity include:

  • Failure to notify the Scheme Administrator of compliance by the required date;
  • And/or failure to provide basic details as part of notification;
  • Failure to maintain adequate records to demonstrate compliance with ESOS;
  • Failure to undertake an ESOS Assessment;
  • Failure to comply with an enforcement, compliance or penalty notice;
  • Making a statement which is false or misleading.

ISO 50001 has the following elements and adopts the P-D-C-A (plan-do-check-act) principle:

  • General Requirements
  • Management Responsibility
  • Energy Policy
  • Energy Planning
    • Legal and other requirements
    • Energy review, baseline and performance indicators
    • Energy objectives, targets and action plans
  • Implementation and Operation
    • Competence , training and awareness
    • Communication
    • Documentation
    • Operational controls
    • Design
    • Procurement of energy services, products and energy
  • Checking
    • Monitoring, measurement and analysis
    • Evaluation of compliance with legal and other requirements
    • Internal audit
    • Non-conformities, corrective and preventive actions
    • Control of records
  • Management Review
  • Improvement on Energy Performance

Only UKAS Accredited Certification Bodies may certify ISO 50001 systems for evidence of ESOS compliance.

Monday, 13 July 2015

ISO 14001 and ISO 9001 make it to Final Draft

Both Standards have now been issued as Final Drafts:

FDIS 14001  Environmental Management Systems  - Requirements with guidance for use
Issued on 2 July 2015

FDIS 9001 Quality Management Systems- Requirements
Issued 9 July 2015.

We are told that the only changes that will be made are editorial or corrections but the main elements will be unchanged.

Actual publication of the Standards is still expected in September but training and preparation can be made using these Final Drafts.  Final Systems should wait until actual publication.

The Standards both follow the annex SL format with 10 sections that will allow for direct comparison and integration.

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement.

Naturally the sub sections for each standard are specific to the Quality / Environmental system.

Copies of the Standards are available from BSI Standards and ISO.

Monday, 29 June 2015

Standards update

We have been notified that the two standards which are in the process of revision:

  • ISO 9001:2015 Quality Management Standard and
  • ISO14001:2015 Environmental Standard are reaching their final hurdle before publication.

The FDIS (Final Draft) of each Standard will be published in July 2015 and the actual Standards are planned for September 2015. Once issued the main elements and structure cannot change but minor editorial changes are permitted.

  • FDIS ISO 9001:2015 to be issued on 9 July 2015 with the Standard published in September 2015
  • FDIS ISO 14001:2015 to be issued on 2 July 2015 with the Standard published in September 2015.

Once the Standards are published, certificated organisations will be allowed up to three years to transition from the existing Standards to the 2015 versions.

Our Internal Management System Auditor Course, 22 + 23 October 2015, will cover the new Standards and allow delegates to better understand what is required.  This course is particularly cost effective at £365.00 + VAT per delegate for the two day course.

Monday, 15 June 2015

Repair man Scam

We have been getting quite a number of calls in the office from ‘Claims Companies’ despite being registered with the TPS (telephone preference service).  We have put the numbers into an automatic rejection list which advises that “this phone does not accept calls from this number”.  Clearly they are not stupid and now call without giving a caller ID.  We have been just putting the phone down on these callers.

On Saturday morning I received a telephone call from a man with a very strong Indian accent; he told me that his name was Mark and he was calling from Microsoft windows technical team. They had become aware that my computer had a very nasty virus.  He went on to say that there were some very nasty people around and to show that he was genuine he was able to give me the windows licence key.   He would be able to fix my computer remotely if I entered a web-site and gave him access to my machine.  The service would be completely free of charge. 

We have had this type of call before so we were not fooled.

I mentioned that we were involved in Computer Security, particularly ISO 27001 Information Security and we wouldn’t give anyone access to our systems let alone someone pretending to be from Microsoft windows technical team.  He seemed unperturbed and kept to his script.  I told him to s - -  off several times before he put the phone down.

Don’t give any details including your name, make of computer, operating system, etc., as this information will be used next time.

Don’t be fooled into giving unauthorised access to your systems under any circumstances.

Tuesday, 2 June 2015

Just in Case

I drive an awful lot of miles each year and replace my car on average each two and a half years; pot holes and carelessly discarded bolts, nails and other metal parts inevitably mean that at some time during the life of a car I will get a flat tyre.  Nowadays most cars have a can of sealant rather than a spare wheel; sadly the sealant will only work with a very small hole in a tyre, and certainly not in the tyre wall.

I remember the last time I had a flat tyre it was dark, raining and I was miles from anywhere.  The magic can of sealant did not work as the hole was too big. It seemed hours before the breakdown truck arrived only to be told that the tyre had to be replaced as it was irreparable.

I decided that I should invest in a spare wheel.  Honda sell a thin spare wheel which sits in the bottom of the boot.  The 2013 and onward Honda Civics also do not have a jack, wheel brace and tools as standard.

I am now confident that the additional weight in my car of a spare wheel, jack and tools, will be worth the cost and effort if I get a puncture. 

We help organisations to incorporate various management standards to reduce risk and apply continual improvement in their businesses and if they did not carry out risk assessment then they would potentially be vulnerable.  I wonder if businesses needed ‘a spare wheel’ would they have a can of sealant instead;  I think not.

There is work in hand to review the existing Standard BS OHSAS 18001 (Occupational Health and Safety Standard) and upgrade it to be a full health and safety standard. It will be an ISO Standard, ISO 45001, probably due for publication in 2017/18.

If the committee developing the standard needs ‘a spare wheel’ then I am as certain as I can be it will provide one rather than a can of gunk.

Monday, 18 May 2015

Quality in our Road Infrastructure

Last Thursday (14 May)  I was in Dorset seeing one of our Clients and another successful surveillance visit to one of the management standards.

My journey home was far from enjoyable; just to remind you it was raining heavily.  A journey, which should take three to three and a half hours, took six hours.  The route took me along the A31, M27, M3 and M25. At best we were travelling at walking pace and at times we were stationary for extended periods.  The information signs on the M3 advise that roadworks started in November 2014 and will last for 26 Months. Anyone using the M3 will attest that the repairs are causing long delays.

There were lorries parked on the hard shoulder of the M25 motorway, obviously they had run out of tachometer hours, and this added an extra hazard.  By the time I got home I was exhausted and angry that the infrastructure was unable to cope with rain.

If the requirements of ISO9001 (Quality Management Standard) were applied to the road system it would fail miserably:

  • Customer satisfaction  - none whatsoever
  • Customer complaints – very high
  • Control of non-conformities – none apparent; no sign of Highways Agency traffic officers or Police patrols;
  • Product and Service delivery – was abysmal.  The variable speed limit signs were set variously at 40 MPH (the lowest) and seemed to be randomly set at anything from 40-60.  It was farcical that we were stationary and the indicator was at 50 MPH.

All in all you can tell that I was not amused.  I also thought about the environment; all those vehicles pumping out exhaust fumes and consuming vast quantities of petrol and diesel.

The road infrastructure really does need some serious investment to allow journeys to be completed in a reasonable time.  I drive on the continent and apart from some exceptions the motorway networks seem to cope well - even in the rain!!

Tuesday, 5 May 2015

Information Security Management Standard ISO 27001

Organisations that are certificated to ISO 27001:2005 are required to upgrade to the 2013 version of the Standard.  ISO 27001:2013 was published in September 2013 and there was a transition period to allow organisations to review their systems and upgrade their operations to comply with the revised requirements specified in 27001:2013.

This transition period will expire in September 2015 and any organisation that has not upgraded their systems and had their certification body reassess and recertify to the 2013 Standard will automatically be deregistered.

The revised Standard addresses the new Annex SL format and has 10 main sections:

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Context of the organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance evaluation
  10. Improvement.

| ISO 27001:2013 | ISO 27001:2005 |
|---|---|
| 0 Introduction | 0 Introduction |
| 1 Scope | 1 Scope |
| 2 Normative references | 2 Normative references |
| 3 Terms and definitions | 3 Terms and definitions |
| 4.1 Understanding the organisation and its context | 8.3 Preventive action |
| 4.2 Understanding the needs and expectations of interested parties | 5.2.1 (c) Identify and address legal and regulatory requirements and contractual security obligations |
| 4.3 Determining the scope of the information security management system | 4.2.1 (a) Define scope and boundaries; 4.2.3 (f) Ensure the scope remains adequate |
| 4.4 Information security management | 4.1 General requirements |
| 5.1 Leadership and commitment | 5.1 Management commitment |
| 5.2 Policy | 4.2.1 (b) Define an ISMS policy |
| 5.3 Organisational roles, responsibilities and authorities | 5.1 (c) Establishing roles and responsibilities for information security |
| 6.1.1 Actions to address risks and opportunities - general | 8.3 Preventive action |
| 6.1.2 Information security risk assessment | 4.2.1 (c) Define the risk assessment approach; 4.2.1 (d) Identify the risks; 4.2.1 (e) Analyse and evaluate the risks |
| 6.1.3 Information security risk treatment | 4.2.1 (f) Identify and evaluate options for treatment of risks; 4.2.1 (g) Select control objectives and controls for the treatment of risks; 4.2.1 (h) Obtain management approval for the proposed residual risks; 4.2.1 (i) Obtain management authorisation to implement and operate the ISMS; 4.2.1 (j) Prepare a statement of applicability; 4.2.2 (a) Formulate a risk treatment plan |
| 6.2 Information security objectives and planning to achieve them | 5.1 (b) Ensuring the ISMS objectives and plan are established |
| 7.1 Resources | 4.2.2 (g) Manage resources for the ISMS; 5.2.1 Provision of resources |
| 7.2 Competence | 5.2.2 Training, awareness and competence |
| 7.3 Awareness | 4.2.2 (e) Implement training and awareness programmes; 5.2.2 Training, awareness and competence |
| 7.4 Communication | 4.2.4 (c) Communicate the actions and improvements; 5.1 (d) Communicating to the organisation |
| 7.5 Documented information | 4.3 Documentation requirements |
| 8.1 Operational planning and control | 4.2.2 (f) Manage operations of the ISMS |
| 8.2 Information security risk assessment | 4.2.3 (d) Review risk assessments at planned intervals |
| 8.3 Information security risk treatment | 4.2.2 (b) Implement the risk treatment plan; 4.2.2 (c) Implement controls |
| 9.1 Monitoring, measurement, analysis and evaluation | 4.2.2 (d) Define how to measure effectiveness; 4.2.3 (b) Undertake regular reviews of the ISMS; 4.2.3 (c) Measure the effectiveness of controls |
| 9.2 Internal audit | 4.2.3 (e) Conduct internal ISMS audits; 6 Internal audits |
| 9.3 Management review | 4.2.3 (f) Undertake a management review of the ISMS; 7 Management review of the ISMS |
| 10.1 Nonconformity and corrective action | 4.2.4 Maintain and improve the ISMS; 8.2 Corrective action |
| 10.2 Continual improvement | 4.2.4 Maintain and improve the ISMS; 8.1 Continual improvement |

Moving on to ISO  27002: 2013 Code of Practice.  This has been changed to take into account modern practices.  It also puts elements into far more logical sequences.  Much of the duplication has been removed.

Operations and communications security have been separated and cryptography has been given its own section.   A completely new section has been added for Supplier relationships.

This standard has been expanded from the previous 15 sections to 18 sections and 35 main security categories with 114 controls, reduced from 133.

  0. Introduction
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Structure of the standards
  5. Information security policies
  6. Organisation of information security
  7. Human resources security
  8. Asset management
  9. Access control
  10. Cryptography
  11. Physical and environmental security
  12. Operations security
  13. Communications security
  14. System acquisition, development and maintenance
  15. Supplier relationships
  16. Information security incident management
  17. Information security aspects of business continuity management
  18. Compliance

Remember time is running out and certification bodies need to plan well ahead so carry out the upgrade now.  If you need help, we are available.

Monday, 20 April 2015

Auditor Training

I am sure that everyone now knows about the problems concerning the revisions to both ISO9001 and ISO 14001;  these two standards are due to be upgraded to the new Annex SL format when they are reissued to the 2015 versions.  There were some significant problems as two of the ISO signatories failed to ratify the FDIS Version.  This meant that there was furious reworking going on in the background.

The reason I mention this is because we have been getting emails asking when we are running our next Internal Auditor Training Course.  We have been waiting for some indication of the likely release dates for the two standards but now accept that we should put a date in the diary for our next course. This will now be 22 & 23 October 2015 and the course is to be held in Colchester in Essex.  The price for each delegate will be £365.00 + VAT.

The course is currently being rewritten to address the two new standards and we will use the very latest information to achieve this. 

Course Content (updated to include revised standards and Annex SL)

  • ISO 9001:2015, ISO 14001:2015, OHSAS 18001, ISO 27001:2013 and other Standards
  • Management System documentation
  • ISO 19011:2011 - Auditing Standard
  • The audit cycle and schedules
  • Preparation and planning of an audit
  • Conducting an audit
  • Auditing top management
  • Reporting non-conformities
  • Qualification & training of auditors
  • Non verbal communication
  • Live audit practice
  • Tests of competence of delegates

We can accept bookings now through our web-site or by email.

Tuesday, 7 April 2015

Accredited Certification Bodies v non Accredited Organisations

I recently received a letter from a company offering ISO9001, ISO14001 and ISO27001 certification for a fixed fee based on my turnover and guaranteed to take a matter of weeks.  Further it guaranteed a no pass no fee arrangement.

The company claimed to be accredited by an organisation called IAB and displayed their logo.
In the UK the sole accreditation organisation is UKAS (United Kingdom Accreditation Service); no other organisation may accredit a certification body. 

UKAS accredited Certification Bodies are allowed to display the UKAS accreditation logo, a distinctive crown and tick, which is displayed alongside the certification body's own logo. If in doubt, look at the UKAS web-site.

Sadly a number of non-accredited companies use a logo which contains a tick. This is not illegal but may give the impression that they are accredited. This can confuse anyone not aware of the difference.

Each country has its own accreditation service: Germany, for instance, has DAkkS while the USA has ANSI-ASQ. Look at the international register of accreditation organisations by country (IAF).

You have done all the hard work and your management system is ready for External Certification. It should be straightforward and after one or more days of intensive investigation, the Assessor finally declares your management system compliant to the appropriate standard. The main question is one of recognition. 

If the certificate is issued by a UKAS accredited Certification Body then it is accepted worldwide; if not, then it is probably only recognised by the company that issued it. You may have wasted your money. You may find this out when sending a copy of your ISO 9001 or ISO 14001 certificate to a prospective customer, only to have it rejected.

Reputable consultants recommend only UKAS accredited Certification Bodies.

Monday, 23 March 2015

Light at the end of the tunnel for ISO 9001:2015

We have now been notified (at long last) that, following detailed discussions with the two country organisations which did not ratify the final committee draft, the revised standard should be published in September. The FDIS (Final draft for public discussion) will be issued within the next week or so.

This will mark the penultimate stage before formal publication of BS EN ISO 9001:2015.

On this basis we have planned our annual internal audit training course, which will be held at the Mark Tey Hotel in Colchester, Essex.

Course Content (updated to include revised standards and Annex SL)

  • ISO 9001:2015, ISO 14001:2015, OHSAS 18001, ISO 27001:2013, ISO 20000-1, ISO 22000, Aerospace AS9100 and other Standards
  • Management System documentation
  • ISO 19011:2011 - Auditing Standard
  • The audit cycle and schedules
  • Preparation and planning of an audit
  • Conducting an audit
  • Auditing top management
  • Reporting non-conformities
  • Qualification & training of auditors
  • Non verbal communication
  • Live audit practice
  • Tests of competence of delegates

Candidates who can demonstrate an adequate level of competence in internal auditing will be awarded a certificate.

The course is not an IRCA registered course, but certificates are accepted by all the Certification Bodies as evidence of competence in training of internal auditors.

Course dates: 22nd - 23rd October 2015
Cost: £365.00 + VAT per delegate

You can book a place on this course through our web-site

Monday, 9 March 2015

Tax rebate

Boy, am I lucky?  HMRC have just emailed me to say that after calculating my annual fiscal activities I am due a tax refund of £364.02.  All I have to do is send them my credit card details including the 3 digit number on the back and they will credit the amount direct onto my credit card.  I can’t thank the tax man enough.  Sadly it is a scam, one of many, which are circulating at the moment.

Common sense should alert anyone receiving this type of email that it is not genuine by answering the following questions:

  • Is the link they use in the email a .gov URL?
    No, it's not.

  • Why would HMRC need a credit card to rebate my tax?
    They wouldn't.

  • HMRC takes the tax money, via payroll, direct from my salary so why do they not address me by name?
    The scammers do not know my name.

  • I also received a notice of coding for the upcoming tax year by post and this does not show that I have overpaid my tax; is this correct?
    Yes it is, as they show my name and my address as well as the tax reference and my employer.

  • As I pay tax on PAYE is it realistic that I have been overcharged tax?

  • HMRC usually contact me by post using my name so why have they decided to use insecure e-mail?
    HMRC would not use email to contact me.

Once these questions have been answered, it is clear that the email is not genuine and should be deleted.
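The questions above can also be run as a first-pass triage check on incoming mail. The following Python is an added example, not part of the original post; the sample message, its hostnames and the keyword lists are constructed for illustration, and it assumes genuine HMRC links sit under gov.uk.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample modelled on the scam described above (not a real email).
SAMPLE = """\
From: HMRC Refunds <refunds@hmrc-rebate.example>
To: reader@example.org
Subject: Tax refund notification
Content-Type: text/html

<p>Dear Customer,</p>
<p>You are due a tax refund of 364.02 GBP. Enter your credit card number and
the 3 digit security code at
<a href="http://www.gov.uk.refund-claims.example/hmrc">https://www.gov.uk/refund</a></p>
"""

TRUSTED_SUFFIX = "gov.uk"  # assumption: genuine HMRC links sit under gov.uk
CARD_TERMS = re.compile(r"credit card|card number|security code|cvv|3 digit", re.I)
GENERIC_GREETING = re.compile(r"dear\s+(customer|taxpayer|sir|madam|user)\b", re.I)
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

def is_gov_host(url):
    """True only if the link's host is gov.uk itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)

def triage(raw_email):
    """Return the warning signs found, mirroring the questions in the list."""
    body = message_from_string(raw_email).get_payload()
    findings = []
    # The href target is what matters, not the text shown to the reader.
    bad_links = [u for u in HREF.findall(body) if not is_gov_host(u)]
    if bad_links:
        findings.append("link_not_gov:" + ",".join(bad_links))
    if CARD_TERMS.search(body):
        findings.append("asks_for_card_details")
    if GENERIC_GREETING.search(body):
        findings.append("generic_greeting")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The host comparison is anchored on the end of the hostname, so a link that merely contains "gov.uk" somewhere in its name, or shows a gov.uk address as its visible text, is still flagged.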

Quite a number of people have been taken in by this scam and lost money as a result.

Perhaps I am becoming cynical but I tend to question anything that is out of the ordinary. Of course there has been the odd occasion when I have been caught out, but vigilance is paying dividends.

Common sense 1   
Scammers 0

Monday, 23 February 2015

DATA Lost …….again

There has been considerable interest, and dismay, at the number of times sensitive data has been lost or stolen; indeed, the amount of data lost seems directly proportional to the technological advances in devices and perhaps the stupidity or arrogance of their owners.

Government seems to be a prime data loser, despite telling businesses how important data security is to them and the country.

Desktop computers - these are sitting on our desks giving access to vast amounts of data, yet many people get up and leave their desks without a thought to the risk they are taking. I always lock my desk computer before leaving it, even for a few minutes, because I understand that a moment's inattention could put my data at risk and seriously damage my reputation as a security conscious individual. I use Windows+L.

Laptop computers - these are becoming smaller and smaller. My latest acquisition is a tablet; it has no hard drive and is small enough to slip into my briefcase. The downside of this is that it is even easier to lose. I encrypt my data so that would not be a problem, but the loss of the thing would be very inconvenient. The data is, however, safe.

Memory sticks and SDHC cards - probably the greatest threat to data known today. These tiny devices can hold gigabytes of data and yet can slip easily into a pocket. These devices should always be encrypted, but sadly many are not. All my data sticks have the ability to lock and encrypt data.

Mobile phones and PDA devices - most people do not activate the PIN lock to prevent unauthorised access and as such they risk having their phone numbers taken, their email contacts list taken and, if secret PINs and passwords are stored, then these are at risk. Add to that the ability of many devices to access business based systems and email remotely and it is easy to see what a major security threat these unprotected devices can pose.

I use a PIN to protect my smart phone and have set a PIN to protect the SIM card as well. If my phone was lost or stolen, I can send it a text message which locks it and no amount of fiddling will unlock it, even if a new SIM card is inserted and the factory defaults enabled.

A recent threat concerns webcams, which are on most desktops and laptops; it is possible for a remote hacker to turn on the webcam without the warning LED being activated and look at the user without their knowledge or consent. I have a sticker over my webcams which is removed when I want to use it and replaced when I am not.

Keep data secure

Monday, 9 February 2015

ISO 9001 & ISO 14001 Latest information

A while ago we advised you that the two updated Standards that were due to be published this year had some problems.

It is normal practice for draft standards to go through a number of stages before final publication.
The Quality Management Standard ISO 9001 was put before the ISO Member countries for approval; unfortunately the USA and one other country did not approve the draft.

The Environmental Standard ISO 14001 was also put before the ISO Member countries for approval and again the USA and one other country failed to approve the draft.

This has caused a certain amount of consternation as both were due to be published as 2015 Standards; 14001 was due to be published in June 2015 and 9001 was due to be published in September 2015. 

The latest information we have (from URS, one of the Accredited Certification Bodies) is that UKAS (the United Kingdom Accreditation Service) will look at the proposed changes and issue guidance on the revised Standard which is now due for publication in December 2015.

The ISO 14001 Standard is even more contentious and there is no proposed publication date.

The good news is that once published each of these Standards will have a three year transition period before certificate holders must move to the new versions.

Clearly organisations offering training courses in the new Standards will be guessing what they will contain.  It may be better to hold fire until the Standards have been ratified before expending time and money on these courses.

We will let you know if there are further updates

Monday, 26 January 2015

Cyber Essentials and IT security

Last October (2014) saw another IT assessment system being mandated by Government for anyone wishing to bid for contracts; this one is designed to protect computer systems from malware, Trojans and other nasties.

There are two levels:

  • Basic level where the CEO or MD of a company self certifies that the following elements have been introduced and tested
    • Boundary firewalls and internet gateways,
    • Secure configuration,
    • Access controls,
    • Malware protection and
    • Patch control.
    • The declaration and completed questionnaire is reviewed by the assessing body.

  • Cyber Essentials Plus where the six elements are introduced and then externally audited and a certificate is issued.

I have heard that these two assessments are more akin to a vehicle MOT and provide the bare essentials for computer safety.

Many organisations have achieved certification to the widely known ISO 27001:2013 Information Security Management Standard and ISO 27002 Code of Practice, which cover all of the Cyber Essentials requirements but go much further and address:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

We have yet to hear whether Government will accept ISO 27001 as evidence of IT security or will need one or both as tender entry qualifications. 

Watch this space!!

Monday, 12 January 2015

Another year starts

We at Quality Matters wish our Clients and potential new Clients a Very Happy and Prosperous New Year.

Obviously there are a number of actions to be taken on the first day back at work:

  1. Review the email inbox; there are loads to look at; most are junk but it does take time to sort the wheat from the chaff.
  2. Watch out for the inevitable virus attachments; we received a remittance advice from a company in Essex (not one of our Clients) which if opened would have infected our computer system.  In case you wondered, we didn’t open it.
  3. Get prepared for the two main Standards, ISO 9001 and ISO 14001, to progress towards publication.

We have yet to hear what impact the International DIS being rejected by the USA and one other country will have on the proposed publication dates.

These proposed dates are June 2015 for ISO 14001:2015 and September for ISO 9001:2015.
Certificate holders of 9001 and 14001 will have a generous transition period once these Standards are published. If you need help with these then please let us know.

Finally, we suggest that you review your processes and look for ways to make these more efficient and effective.  Continual improvement and awareness of new legislation plus vigilance for cyber issues will ensure that 2015 is a good year. It will also be our 24th year in business.
