Yellow font on Black background Black font on White background Black font on Cream background
Call us today 01621 857841 or Email us
Quality Matters Logo

"Quality Matters in your Business"

Monday, 11 December 2017

A Very Merry Christmas and a Happy New Year

This year has probably been the most frantic time ever. Not only have there been the requirements for transition to the Quality Management Standard, ISO 9001:2015 and the Environmental Standard, ISO 14001:2015 but the Aircraft, Space and Defence Standards  AS9100,  AS9110 and AS9120 have been upgraded, but with a two year transition instead of the usual three year period. This has made diary planning a little difficulty, to say the least.

Clients not yet transitioned must do so before September 2018  or they will automatically be deregistered.  However, no new certifications, re-certifications or surveillance visits may be carried out to the old Standards after March 2018.  UKAS have stated that there will be no exemptions to this rule and no extensions will be granted.  The transition by your Certification Body must have been completed by the drop-dead date and of course any non-conformities must be cleared and accepted by the CB.   The Certification Body will expect to see that the revised Standard(s) have been in use for some time before transition as clearly they can only assess what you have been doing and not what you intend to do. 

We have had a number of new clients who have employed the services of consultants only to find that the consultants in question do not want to be involved in the new Standards. These new clients have come to us for help.  In all cases we have been able to provide or exceed the level of service they required and have managed to prepare them for transition to the new Standards and in some cases, provide consultancy to help them gain certification from a UKAS Accredited Certification Body rather than one of the non UKAS and non-regulated organisations claiming to offer certification.

UKAS is the sole accreditation Body in the UK and only UKAS can accredit the many Certification Bodies.  Many companies believed that the certificates they were issued from one of these Non- accredited organisations would be recognised widely by others, but sadly this is not true.

This will be our final blog for 2017. Our offices will be closed from midday on Thursday 21 December and will reopen on 3rd January 2018. Our email will be monitored but may take longer for us to respond during this period.

We wish our Clients and readers of our blog a very Merry Christmas and a Happy and prosperous New Year.

2017 year end and onwards and upwards to 2018

Tuesday, 28 November 2017

Transitions to ISO 9001 and 14001:2015

Readers of this blog will be aware that the deadline for transition of 9001 and 14001 is 14 September 2018 and know that there are quite a few companies leaving this to the last minute.

There is yet another spanner in the works in that certification bodies have been told that they may not carry out any new certifications or surveillance visits to the old standards after March 2018.  This has effectively moved the goalposts again.

Any Organisation planning to have a 2008/2004 surveillance in the second quarter of 2018 is going to find out that this is not possible and the assessor will be obliged to audit to the 2015 standards.  This will inevitably result in non-conformities and if these are classified as majors then a return visit may be required. Not only will this be inconvenient it can be costly.

We are recommending our few remaining clients that have not transitioned to make all efforts to do so before March next year.

We are getting a number of new clients that have yet to transition and are finding the way that the standards have been written is confusing and at face value contradicts the way that organisations have been working.  The removal of the requirement for a Management Representative has caused some concern amongst Quality & Environment Managers who mistakenly believe that they are no longer needed.  The function carried out by these managers still exists but the responsibility moved upwards to Top Management.

In addition, the requirement for a Quality and/or Environmental Manual also has been confusing.  The Standard says that these are not needed but documented information is required. Most of my clients have retained many of their previous systems and   adjusted them to meet the requirements of the new standards.

We are here to advise if required.

Monday, 13 November 2017

ISO 45001:2018 Occupational Health & Safety Standard

It is now planned to be issued as a final draft this month and the actual publication and release in March 2018.  It will be in the Annex SL format to make integration with other management standards easier. (Ten identically named clauses).

We at Quality Matters will relax once it is published.   We were all fired up in 2015 when it was first due but it was found to be totally unacceptable to a large number of the ISO participants. 

A total rewrite was commissioned and the second draft failed again to get a unanimous vote.  There were three votes against the new draft, but it was decided to move onward to a final draft.

There will be a transition period of three years to move from BS OHSAS 18001.  Naturally, we will be on hand to help clients with the transition.

Monday, 30 October 2017

ISO 27001:2013 Information Security Management

This standard has been very effective in preventing or mitigating data breaches and the risk of ransomware.

Ransomware is where a virus or other malware is allowed to get onto your server or PC/Laptop/tablet. It searches for any data such as word, excel etc and encrypts them with a large password. The criminal then demands a payment in return for the Password, usually in untraceable Bit Coins.  In some cases the password is not given and you are therefore out of pocket and still faced with systems locked out.   If you don’t have excellent computer backup systems then you are in real trouble.

The recent attacks paralysed the NHS and other organisations around the world.  It was apparent that organisations using Windows XP were particularly vulnerable.

The Information Standard ISO 27001:2013 looks quite easy to achieve on the face of it but the code of practice contained in ISO 27002 shows a different story.   This details how each element of the standard can be achieved.

Having 27001 certificated makes compliance to the new GDPR (General Data Protection Regulation) much easier.

The route to certification to ISO27001 is certainly not cheap but trying to “do it yourself” is fraught with obstacles.

We at Quality Matters have been providing consultancy in ISO27001 for many years and can boast that all our clients moving forward to certification passed the assessment at the first attempt.  We also provide auditing and preparation for GDPR as well.

The risks of data loss or compromise can be very expensive indeed and the costs of putting in a robust system far outweigh the costs of non-compliance.    Damage to reputation can put an organisation out of business, not to mention the GDPR fines which will be up to twenty million Euros or up to 4% of global turnover.

Please contact us if you need any help with ISO27001 and/or GDPR.

Tuesday, 17 October 2017

Guidelines for Auditing Management Systems Standard ISO 19011

Yet another Standard is being revised; it is beginning to look like buses: You wait for ages then several come along.

This time it is the Auditing Standard or more precisely the Guidelines for Auditing Management Systems.  It should be noted that this is not a Requirements Standard but a set of Guidelines. 

Nevertheless, this Standard has been adopted as the norm for auditors.

The reason why this one is being reviewed and updated is that as a 2011 Standard it has not kept up with the changes to main management standards and the wealth of new management standards which follow the Annex SL format.

The proposed 19011:2018 still has 4 main elements:

  • Principles of audits, but with the addition of a new element- Risks and opportunities
  • Managing the audit programme
  • Conducting audits
  • Evaluation of competence.

There are some structural changes and reordering of some clauses to clarify auditing routines in the way that it is done in real life.

A new clause has been added to audit virtual items and elements of ICT as well as allowing professional judgement for auditors when an element is not fully verifiable.

Naturally some of the terminology has been updated to meet the vocabulary in the new standards:
Documented information replaces the term documents and records;

External providers replaces the term suppliers.

The next review will take place in Mexico in November 2017 with an expected formal publication in mid-2018. 

Once the standard is published we will update our Internal Management System Audit course content.

Monday, 2 October 2017

ISO 45001: 2017 Occupational Health and Safety Management Standard

Here we are again, discussing this proposed Standard.  Possibly for the last time.
Once again the ISO members failed to agree unanimously that the Standard should be issued in its present form.

However, there were only three dissenters so it was decided to move to a final draft, probably to be issued in November 2017.

It should mean that (if accepted) the published Standard may see the light of day in the final days of 2017 but if not then early 2018.

Once the Standard has been published there will be a transition period, likely to be three years.
Holders of the existing BS OHSAS 18001 Standard will be able to plan ahead for the transition.     Naturally there will be a time lag before certification bodies qualify (with UKAS)  to carry out assessments. 

Our internal audit courses cover the proposed ISO 45001 standard and will update as the new Standard is published.

Monday, 18 September 2017

Transitions to ISO 9001, ISO 14001 , AS 9100, AS 9110 & AS9120

The deadline for transition to ISO 9001:2015, ISO 14001:2015 and the Aircraft, Space and Defence Standards AS 9100D, AS9110C and AS 9120B is 15 September 2018.

While this may seem a long way off it is important to remember that the transition and correction and acceptance of any corrective action identified by an assessor must be completed satisfactorily by the deadline date.

Both UKAS for the quality and environmental standards and IAQG for the Aircraft, Space and Defence standards have made it very clear that there can be no extensions or relaxation of the deadlines for any reason.  Any organisation missing the deadline will be deregistered.  There is no appeal mechanism.  The organisation will lose certification and will have to start from scratch to regain certification.  There is a fairly big cost involved in this and loss of certification in the intervening period may result in inadmissibility for tenders and/ or cancellation of contracts requiring one or more of the standards as a mandatory requirement.

The revised Standards are quite different in their approach and require more involvement from Senior Directors and Managers.  This can be a problem where the requirement for understanding and operating the standards has, historically, been delegated to others lower down the organisation.

We at Quality Matters have helped a number of Clients to effect the transition and while we have sought to make it simple to use there have been a number of top management who have been  forced to become engaged in the systems.

The Aircraft, Space and Defence Standards were issued at the end of 2016 but the transition dates have been aligned with the ISO standards. I.E.  15 September 2018 ; a fairly tight schedule.

We urge all holders of certification that are affected by these changes to ensure that their transition is carried out in good time to avoid loss of certification.  Remember you may be ready, but assessors are committed to the stage one for transition followed by stage two on site.  Availability may be a governing factor.

Monday, 4 September 2017

GDPR (General Data Protection Regulation).

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

Many organisations are ill-prepared for the EU Regulation which comes into force on
25 May 2018.

Does this Regulation apply to all businesses? 
The simple answer is yes.  All businesses that  hold personal data on a living person will  be affected.  Data held for personal or domestic use is excluded.

The Sun newspaper reported that it could affect a gardener, (for instance) who sends out email to drum up work without getting informed consent from the recipient.  We shall see if this is enforced at this level.

This EU Regulation puts into place a number of additional requirements from the UK Data Protection Act 1998:

Strengthening of existing rights - includes the right to erasure of data or right to be forgotten
  • Consent for use of data must be “opt in “ not “opt out”
  • Breach reporting
  • Data Protection Impact Assessments
  • Higher penalties for non-compliance.

This regulation applies to all EU States but there is a provision to allow individual States to produce their own Data Protection Act. 

Our own Data Protection Act is to be updated and put before Parliament in September 2017.
There will be a move to get the EU to rule on the compliance of the UK Law in relation to the GDPR.

If you need additional information on this you can contact us or look at the ICO (Information Commissioners Office) web-site.

Tuesday, 15 August 2017

ISO 45001 OH&S Standard: And so the Saga Continues

The  2nd stage of the process to ratify this  Standard suspected to be accepted however the vote failed by a small  margin.  There was dissent on the wording of “worker”. This has now meant that a final draft version will be required.

The FDIS (final draft for discussion) in destined for November this year with a published Standard in February 2018.  We are not going to hold our breath over this as we have been disappointed over publication dates  on and off since 2015.

We have known all along that getting countries across the world to agree on the an Occupational Health & Safety Standard  was going to be challenging, but it is getting a bit silly when they are not able to agree on the term “worker”.

Our recommendation to organisations is to continue with OHSAS 18001:2007 and then to transition to 45001 at the end of the transition period, which is expected to be 3 years from publication.

A reminder that organisations holding 9001 and 14001 must transition to ISO 9001:2015 and ISO 14001:2015 by 14 September 2018 or risk automatic loss of certification.

Monday, 31 July 2017

Internal auditors need to update to the Annex SL Standards

It is a requirement that auditors of management systems  update their knowledge to be able to audit to the new standards using the annex SL format; these include ISO 9-001:2015, ISO 14001: 2015 and the proposed ISO 45001.

IRCA registered auditors were advised that they must attend a two day transition course to requalify or would be deregistered.

I had to attend one of these courses (In December 2015) and this now allows me to audit to the new Standards.

The Annex SL Standards are quite different in their approach and require risks and opportunities to be addressed.  There are requirements to monitor and measure processes (key performance indicators).  Testing organisations top management leadership is also required.

We hold certificated internal audit courses meeting the requirements for the new Standards; our next course is to be held on 18+19 October 2017 in Colchester in Essex.

Delegates passing all the course elements will be qualified to undertake internal audits in their own workplace.

The course content:

  • Hi level format and Annex SL
  • ISO 9001:2015, ISO 14001:2015 and ISO 45001:2017
  • Management system documented information
  • ISO 19011:2011 - Auditing Standard
  • Responsibilities of planning an audit programme
  • Selecting auditors and competence
  • The audit cycle and schedules
  • Preparation and planning of an audit
  • Conducting an audit
  • Documented evidence
  • Auditing Top Management
  • Reporting non-conformances
  • Qualifications and training of auditors
  • Evaluating auditor performance
  • Non-verbal communications and body language
  • Live audit practice
  • Written tests of competence of delegates

The Course costs £395.00 + VAT 

Details on our web-site and booking form

Monday, 10 July 2017

When is ISO 9001 Certificated but of no value?

Hardly a day goes by without some organisation announcing that they can get you through ISO 9001 or other Standards cheaply and in double quick time.

There is a single accreditation body in the UK, this is UKAS, the UK Government decided that there should be only one body tasked with authorising certification bodies.  There are a good number of these and the certificates they issue bear the UKAS tick and crown logo.

These certification bodies must reach, and maintain a high standard to continue to claim that they are in fact an accredited certification body.   Regular and strict audits are carried out.  One principle is that no certification body can offer consultancy; this would be a conflict of interest and is prohibited.

On the other side non accredited organisations issue certificates claiming to meet the requirements of which ever standard is covered.  Some even show a logo claiming to be accredited by some other accreditation agency.  This is designed to fool anyone gullible enough to believe it.

UKAS is not a regulator and has no powers to stop these organisations carrying on.

A good number of these non accredited organisations have sprung up; some offer consultancy and certification as a package.  I often say to people who contact me “how can they fail to certify you when they have set up the system?   The sad truth daws on these people when they submit a certificate claiming to show compliance with a Standard only to find that it is not recognised, except by the issuing authority.

One other fact is clear; you cannot set up a system and get it certificated in 30 days (or less in one case) as clearly an assessor must be able to audit what you have done not what you are planning to do.  Evidence is just not there under these timescales.

Beware of non accredited organisations.  If it seems too good to be true it probably isn’t any good.

Monday, 26 June 2017

Another Cyber attack warning

It seems that cyber attacks are a bit like buses: Nothing for a period of time and then three come along at once.

This one is slightly unusual as it aimed at people who use USB sticks.  The criminals leave USB sticks at places where there are lots of people.  The sticks, some of which are branded, launch a ransomware or other virus once plugged into a laptop or other device.  If the device is part of a domain then the virus is transferred to the domain as well.

The one I have seen looks like a blank USB stick but the virus works in the background and in one instance the virus is not activated for up to 48 hours. This could allow an infected set of data to be backed up.  This could prevent a restore of good data in the event of a ransomware attack.

USB sticks are so cheap nowadays it is sheer folly to plug an unknown stick into your system.

Monday, 12 June 2017

EternalRocks Worm

If you thought the Wannacry Ransomeware worm which brought a vast number of computer systems to their knees was a major disaster, then watch out for this next one.  EternalRocks uses 7 leaked NSA hacking tools.  These were developed by the American Security Agency to hack into enemy systems, however the leaked versions are now being used to extort money worldwide.

This new one doesn’t alert the user that the system is infected until 24 hours later, hoping that a backup of the infected system will have been made and make restore more difficult.
The worm does not have a ‘kill switch’ which halted the spread of Wannacry.  It is looking for systems to infect and then demand a fee for the decrypt key. The vulnerability uses unpatched SMB ports.

We understand that systems which have the latest operating systems and are patched should be ok.    Certificated users with ISO 27001 will be aware of the requirements for this.

It is vital that organisations have good backups of data and that these backups are fully verified so that they can be installed in case of a problem. It is too late when a restore fails through an unverified backup or the backup is corrupted.

Cyber Crime is fast becoming the number one risk.

Tuesday, 30 May 2017

Latest news about ISO 45001 Occupational Health & Safety Standard

The latest draft of this Standard has been issued and is due to be voted on at the end of May 2017.  This is an important vote as it will determine if the revised draft can go through to publication or will need to be further amended and then move to a final draft.

There have been some serious changes since the last effort which resulted in an avalanche of objections.  The main areas were the involvement of workers and their representatives at every step.  Many countries thought that this was really over the top and would hamper operation of businesses.   Clearly there needs to be input from workers, usually in the form of H&S works committees and safety is paramount.

The implementation of Health & Safety across the world  is significantly different and producing a Standard to satisfy all these was always going to be challenging.  An example I saw was in Belgium where road works were in progress; they didn’t close off vast stretches of the road to effect these roadworks as we do in this country, but merely put cones around the actual work.
If the latest draft is accepted without significant changes required it could be published as soon as September.  If however it requires amendment and moves to a final draft then it is unlikely to be published this year.

I know that a  number of organisations planning to incorporate OHSAS system are trying to decide whether to go for OHSAS 18001 or wait until ISO 45001 is published.

We will keep you up to date with developments

Tuesday, 16 May 2017

One good reason for good Computer back-up

The current Ransomware attack has paralysed many organisations around the world and many more may follow.

Ransomware is a worm that infects a computer system; it identifies critical files and documents and then encrypts them.  The first indication is a notice that your system is infected and your files are unavailable.  The crook then demands a payment in Bitcoin (usually £250) to supply the decryption key.  Sadly there is no guarantee that paying the ransom will result in regaining access to your files.

There are two ways to protect your systems from this type of attack:

  • Take regular and comprehensive back-ups of your systems and ensure that these are validated. In the worst case you can wipe the system and then reinstall everything from the backup. Many organisations take “an image” and this enables the entire system to be restored in the event of a malfunction.
  • Ensure that your systems are kept up to date with all patches and updates incorporated. It is a false economy to keep old computer equipment which will not allow newer operating system to be used.  I have seen Microsoft Windows XP, and in one case Microsoft Windows Millennium being used.  Microsoft has not been supporting these systems for some time and it is these which have been most vulnerable to attack.

I know that it is very clever in hindsight but cyber security should be high on the agenda for everyone.  Too often capital expenditure is cut and computer equipment and software purchases are put off.

There WILL be further attacks of this kind and the gossip suggests that financial organisations will be next.    This is a wake-up call to industry, lets hope it is heeded.

Thursday, 4 May 2017

More scams

We have all been used to the telephone call which tells us that our computer is infected by a virus and if we give the caller access to our system then he/she will fix it free of charge but the newest one is purportedly from BT saying that a virus has infected the broadband and it will be cut off if we don’t react within twenty minutes.  All false of course but it pays to be vigilant.

A new one on me was an email saying that my car had been parked in a prohibited place and a fine was due to be paid.  If I paid within 24 hours I could deduct 50%, but if it was not paid in 7 days it would double.  We have all had genuine parking fines and the one thing they have in common is the Registration Number of the car; this was not present on the email.  The secure payment portal was also false so any money would go straight to the scammer.

As the crooks get smarter and they receive funds from those taken in they will continue to try and compromise as many people as possible.

Don’t let them get away with it.  If in doubt don’t pay.

Wednesday, 19 April 2017

The Clock is Ticking

The revised standards for Quality and Environment, ISO 9001 and ISO 14001 were published in September of 2015 and it was decided that there would be a three-year transition period for organisations certificated to the old standards. 

September 2018 seems a long way off but it is important to remember that the systems must be transitioned and a period of operation allowed before the actual transition can be carried out.  This means that any organisation leaving it all to the last-minute risks having their certification cancelled if the transition assessment stages are not complete and any non-conforming elements corrected and accepted by the certification body. 

UKAS have stated clearly that any organisation not completing all the stages by 14 September 2018 will automatically be de-registered.   There can be no extension and no grace period will be permitted.

Organisations not meeting the deadline will lose their certification and will have to make a fresh application for assessment and certification; this will take a considerable time to achieve and of course there would be a break in certification.  Organisations that need ISO9001 and/or ISO14001 as a prerequisite for tenders or contracts may find that business is lost.

Organisations holding the Aerospace Standards, AS 9100, AS 9110 and AS 9120 will also need to transition to the latest Standards, but these were published at the end of 2016.  Sadly the drop dead date for these Standards has been aligned with the ISO Standards and will require all the transition to be completed in under two years for 14 September 2018.  In addition, no assessment or surveillance may be carried out to the old Standards after June 2017.

We all have a busy time ahead.

Monday, 3 April 2017

ISO 45001 Occupational Health and Safety Management Standard

Back in June 2015 we advised readers that the replacement for OHSAS 18001 had been refused at the final draft stage; there were some 3000 comments raised and this meant that it was not possible for the Standard to proceed in that format.  It was back to the drawing board.

We now understand that a rewrite of the Standard has taken plane and we are awaiting release of the final draft again.  If it is accepted by all signatories then it will be published towards the end of 2017.  Some optimists think it may be as early as September 2017.

The Standard will follow the Annex SL format with ten sections:

  1. Scope
  2. Normative references
  3.  Terms and definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement
Naturally there will be sub-sections to suit the new  Standard.

We will of course keep you posted.

Monday, 20 March 2017

Transitions to ISO 9001, ISO 14001, AS 9100, AS 9110 & AS9120

The deadline for transition to ISO 9001:2015, ISO 14001:2015 and the Aircraft, Space and Defence Standards AS 9100D, AS9110C and AS 9120B is 15 September 2018.

While this may seem a long way off it is important to remember that the transition and correction and acceptance of any corrective action identified by an assessor must be completed satisfactorily by the deadline date.

Both UKAS for the quality and environmental standards and IAQG for the Aircraft, Space and Defence standards have made it very clear that there can be no extensions or relaxation of the deadlines for any reason.  Any organisation missing the deadline will be deregistered.

There is no appeal mechanism.  The organisation will lose certification and will have to start from scratch to regain certification.  There is a fairly big cost involved in this and loss of certification in the intervening period may result in inadmissibility for tenders and/ or cancellation of contracts requiring one or more of the standards as a mandatory requirement.

The revised Standards are quite different in their approach and require more involvement from Senior Directors and Managers.  This can be a problem where the requirement for understanding and operating the standards has, historically, been delegated to others lower down the organisation.
We at Quality Matters have helped a number of Clients to effect the transition and while we have sought to make it simple to use there have been a number of top management who have been  forced to become engaged in the systems.

The Aircraft, Space and Defence Standards were issued at the end of 2016 but the transition dates have been aligned with the ISO standards. I.E.  15 September 2018 ; a fairly tight schedule.

We urge all holders of certification that are affected by these changes to ensure that their transition is carried out in good time to avoid loss of certification.  Remember you may be ready, but assessors are committed to the stage one for transition followed by stage two on site.  Availability may be a governing factor.

Monday, 6 March 2017

A detailed look at ISO 27001: Part 4

Section 10:  Cryptography 


A cryptography policy must be developed and implemented.  This must include:

  • The required level of protection required;
  • The type, strength, and quality of the encryption algorithm to be used;
  • Key management;
  • Integrity/authenticity of using digital signature or message authentication codes; 


Section 11:  Physical and Environmental Security 


Critical or sensitive information processing facilities must be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc.  It must also be sited to prevent unauthorised viewing of confidential matter.

There is a need for concentric layers of physical controls including barriers, walls, card controlled entry gates or manned reception desks (rather like  an onion) to protect sensitive IT facilities from unauthorised access.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets must be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.

Power supplies and cabling must be secured. IT equipment must be maintained properly and disposed of securely.

Access to and within application systems must be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls must be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities must be inspected regularly to detect damage and malfunction.
Cabling must be protected and checked for unauthorised interception.

Clear desk and clear screen policies must be in use.

Section  12:  Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures must be available to all users who need them.

Change control procedures must be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity management must be monitored, tuned and projections made of future capacity requirements to ensure the required system performance,

12.2 Protection from malware


To ensure that information and information processing facilities are protected from Viruses and other malware.

12.3  Backup


Systems  must be backed up to protect against data loss.

12.4    Logging and monitoring


To record events and generate evidence.

12.5    Control of operational software


To ensure the integrity of operational systems.

12.6  Technical vulnerability management


To prevent exploitation of technical vulnerabilities.

12.7   Information systems audit considerations


To minimise the impact of audit activities on operational systems.

Section 13: Communications security


This is a big clause and covers all aspects of communications security

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information Systems acquisitions, development and Maintenance


To ensure that information security must take into account the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

14.1 Information Security Requirements analysis and specifications


Automated and manual security control requirements must be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases. Purchased software must be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes


To ensure that information security is designed within the development lifecycle of information systems.

14.3 Test data


To ensure the protection of data used for testing.

Section  15:  Supplier relationships


This new section deals with the protection provided in supplier agreements.

Section 16: Information Security Incident Management


Information security events, incidents and weaknesses (including near-misses) must be promptly reported and properly managed.

16.1 Reporting Information Security Events and Weaknesses 


A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There must be a central point of contact, and all employees, contractors etc. must be informed of their incident reporting responsibilities.  Feedback to the person reporting an incident must take place.

16.2 Management of Information Security Incidents and Improvements 


Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management          


This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process must be implemented to minimise the impact on the organisation and recover from the loss of information assets.

The relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance


18.1 Compliance with Legal and Contractual Requirements         


The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2  Information Systems Reviews


System audits must be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.

Monday, 20 February 2017

A detailed look at ISO 27001: Part 3

Section 8:  Asset Management

Assets associated with information and information processing must be identified and appropriate protection responsibilities defined.

8.1  Responsibility for Assets


The organisation must identify assets relevant in the lifecycle of information and document their importance.  The lifecycle information must include creation, processing, storage, transmission, deletion and destruction. Documentation must be maintained in dedicated or existing inventories as appropriate.

The Asset inventory must be accurate, up to date, and consistent and aligned with other inventories.
Ownership of assets and their classification must be defined

8.2 Information Classification


Information must be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
It is usual to apply the test of analysis of the effect on Confidentiality, Integrity and Availability.
Examples can be based on four levels:

  • Disclosure causes no harm   -   Public domain
  • Disclosure causes minor embarrassment or minor operational inconvenience  - Restricted
  • Disclosure has a significant short term impact on operational or tactical objectives – Confidential
  • Disclosure has a serious impact on long term strategic objectives or puts the survival of the organisation at risk - Secret

Section 8.3 Media 


To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Removable media must be protected and stored in accordance with the organisation’s security classifications.

Media contents no longer required must be made unrecoverable.
If data confidentiality or integrity are important considerations then cryptography techniques must be considered.

Registration of removable media must be considered to limit the opportunity for data loss.
Removable media drives must only be enabled if there is a business case for doing so.
Media that is no longer required must be disposed of securely. Audit trails of these media must be maintained.

Section 9: Access Control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.

9.1 Business Requirement for Access Control


The organisation’s requirements to control access to information assets must be clearly documented in an access control policy, including for example job-related access profiles (role based access control). [This is an important obligation for information asset owners.]

9.2  User Access Management


Formal procedures for the allocation of access rights to users must be controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.

9.3 User Responsibilities


Users must be made accountable for safeguarding their authentication information. e.g. keeping their secret authentication confidential and not divulging to any other parties, including those in authority. SSO (Single Sign On and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect and this can increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of secret authentication information.

9.4  System and Application Access Control


Access to information and application system functions must be restricted in accordance with the access control policy.

The following may be considered:

  • Providing menus to control access to application systems function;
  • Controlling which data can be accessed by a particular user;
  • Controlling read, write, delete and execute functions;
  •  Controlling the access rights of other applications;
  • Limiting information contained in outputs;
  • Providing physical or logical access controls for the isolation of sensitive applications or applications data or systems.

Password management systems must be employed to ensure that secure log-on procedures are followed, including the use of strong passwords and regular changing of these passwords.

Monday, 6 February 2017

A detailed look at ISO 27001: Part 2

27002 is the code of practice and it is normal to use this to set up a comprehensive Information Security Management System (ISMS).  There are 15 main sections 4.0 to 18.0:


Section 0:  Introduction

Starting from ‘What is information security?’ the introduction explains about information and how to make use of the standard.

Section 1: Scope 

The Standard gives information on the extent of cover for an ISMS.

Section 2:  Normative References. 

Reference is made to documents that are referenced within 27002 and are indispensable for operation of the Information Security Management System.

Section 3: Terms and Definitions

Including ISO 27000, which is a set of terms and definitions

Section 4:  Structure of the Standard

This page simply explains that the standard contains 14 security control clauses containing a total of 35 main security categories and 113 controls. 

Section 5: Information Security Policies

A set of policies for information security defined, approved by management, published and communicated to employees and relevant external parties.

Management must define a policy to clarify their direction and support for information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.

Normally it will spell out the three main criteria
C -  Confidentiality
I  -  Integrity
A -  Availability

This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.

This policy is normally signed by the most senior person and displayed.

Section 6: Organisation of Information Security

A management framework must be designed and implemented to initiate and control the implementation of information security within the organisation. Responsibilities for information security risk management and in particular for acceptance of residual risks.

A Forum, made up of a cross section of people in the organisation must meet regularly.

6.1 Information Security Roles and Responsibilities


The organisation must have a management structure for information security. Senior management must provide direction and commit their support, for example by approving information security policies. Roles and responsibilities must be defined for the information security function. Other relevant functions must cooperate and coordinate their activities. IT facilities must be authorised.

Confidentiality agreements must reflect the organisation’s needs. Contacts must be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security must be independently reviewed.

6.2 Mobile Devices and Teleworking


Mobile devices are being used extensively within organisations and it is vital that the security of business information is protected. This is particularly important when working outside the organisation in unprotected environments.
Mobile devices must be protected from theft and where possible must have the ability to be remotely wiped of information when needed.

Section 7:  Human Resources Security

The organisation must manage system access rights etc. for ‘new starters, promotion and leavers’, and must undertake suitable security awareness, training and educational activities.

7.1 Prior to Employment


Background verification checks must be carried out in accordance with relevant laws, regulations and ethics and must be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks. 

Security responsibilities must be taken into account when recruiting permanent employees, contractors and temporary staff through adequate job descriptions, pre-employment screening and included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

7.2  During Employment


The organisation must ensure that employees, contractors and third party users are properly briefed about information security threats and concerns and their responsibilities regarding information security must be defined. Employees and (if relevant) third party IT users must be made aware, educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.

7.3 Termination and Change of Employment


Security aspects of a person’s exit from the organisation are managed (e.g. the return of company assets and removal of access rights, change of access codes or passwords). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately.
Changes in roles must be managed and the termination of current responsibility or employment combined with the start of new responsibility or employment.

Monday, 23 January 2017

A detailed look at ISO 27001: Part 1

IS0 27001 is a Model for information security management systems. It is an information security system registration scheme where a company’s information security procedures and processes are assessed to an information security management Standard.  This Standard has been agreed in this country, the European Union and Internationally

ISO 27001 is the working standard and it contains 7 main sections

  1. Scope
  2. Normative References
  3. Terms and definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Put very simply, ISO 27001 is a declaration of an organisations ability to demonstrate its capability to consistently protect information security and to satisfy its customers’ information security needs.

Risk Assessments

Risk assessments must be carried out on important parts of the organisation; risks evaluated and a risk treatment plan established to mitigate the risk.  Where medium risks cannot be reduced then it is permitted to accept the risk based on certain criteria.

Risk assessments have been carried out on each asset.

The methodology used identifies the Asset Value:

  1. Low value to the business
  2. Moderate importance to the business
  3. Highly important to the business

Following the risk assessment the results are reviewed at an ISMS Forum meeting.

Scores are either confirmed or adjusted as necessary.

Items which are seen as high risk are addressed with the highest priority.

Risk assessments are revisited and actions taken as necessary.  Issues which are identified in the interim as high risk will be addressed immediately if, in the opinion of management, delay would be detrimental to the company.

 Statement of Applicability

The Statement of Applicability (S.O.A) is a document that is available to the public and is attached to the Certificate of compliance issue by the Certification Body. It details all the elements of the standard that are applicable, and those which are excluded and a justification for exclusions.
Annex A of ISO 27001 contains all the controls applicable to an application.

Clearly not all organisations will apply all elements of the Standard and this document details which are used.

The S.O.A is version controlled and any change must be notified to the Certification Body.

Monday, 9 January 2017

ISO 14001:2015 Part 5: Operation & Performance Evaluation


9.1  Monitoring, measurement, analysis and evaluation

Details the requirements for the organisation to monitor, measure, analyse and evaluate its environmental performance.   The organisation must determine:

  • What needs to be monitored and measured?
  • The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
  • The criteria against which the organisation will evaluate its environmental performance, and appropriate indicators;
  • When monitoring and measurement must be performed?
  • When the results from monitoring and measurement must be analysed and evaluated?

The organisation must ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate.

The organisation must evaluate its environmental performance and the effectiveness of the environmental management system.

The organisation must communicate relevant performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations.

The organisation must retain appropriate documented information as evidence of the monitoring, measurement analysis and evaluation results.

9.2  Evaluation of compliance

Details the requirement for the organisation to establish, implement and maintain the processes needed to evaluate fulfilment of its compliance obligations.

The organisation must:

  • Determine the frequency that compliance will be evaluated;
  • Evaluate compliance and take action if needed;
  • Maintain knowledge and understanding of its compliance status.

The organisation must retain documented information as evidence of the compliance evaluation result(s).

9.3 Internal audit programme

Details the requirement for the organisation to establish, implement and maintain and internal audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting of internal audits.

When establishing the audit programme, the organisation must take into consideration the environmental importance of the processes concerned, changes affecting the organisation and the results of previous audits.

The organisation must:

  • Define the criteria and scope of each audit;
  • Select auditors and conduct audits to ensure objectivity and impartiality of the audit process;
  • Ensure that the results of the audits are reported to relevant management.

The organisation must retain documented information as evidence of the implementation of the audit programme and the audit results.

9.4 Management review

Details the requirement that the organisation’s top management must review its environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The management review must include:

  • The status of actions from previous management reviews;
  • Changes in:

    • External and internal issues that are relevant to the environmental management system;
    • The needs and expectations of interested parties, including compliance obligations;
    • It’s significant environmental aspects;
    • Risks and opportunities;
  • The extent to which environmental objectives have been achieved;
  • information on the organisation’s environmental performance, including trends on:

    • nonconformities and corrective actions;
    • monitoring and measuring results;
    • fulfilment of its compliance obligations;
    • audit results;
  • Adequacy of resources;
  • Relevant communication(s) from interested parties, including complaints;
  • Opportunities for continual improvement.

The outputs of the management review must include;

  • Conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system;
  • Decisions related to continual improvement opportunities;
  • Decisions related to any need for changes to the environmental management system, including resources;
  • Actions, if needed, when environmental objectives have not been achieved;
  • Opportunities to improve integration of the environmental management system with other business processes, if needed;
  • Any implications for the strategic direction of the organisation.

The organisation must retain documented information as evidence of the results of management reviews.


10.1 General

Details the requirements that the organisation must determine opportune tries for improvement and implement necessary actions to achieve intended out comes of its environmental management system.

10.2 Nonconformity and corrective action

Details the requirement that the organisation must;

  • React to the nonconformity and, as applicable:

    • Take action to control, and correct it;
    • Deal with the consequences, including mitigating adverse environmental impacts;
  • Evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere by:

    • Reviewing the nonconformity;
    • Determining the cause of the nonconformity;
    • Determining if similar nonconformities exist, or could potentially occur;
  • Implement any actions needed;
  • Review the effectiveness of any corrective action taken;
  • Make changes to the environmental management system, if necessary.
Corrective action must be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s).

The organisation must retain documented information as evidence of:

  • The nature of the nonconformities and any subsequent actions taken;
  • The results of any corrective action.

10.3 Continual improvement

Details the requirement that the organisation must continually improve the suitability, adequacy, and effectiveness of the environmental management system to enhance environmental performance.

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved. Responsive Design