Monday, 23 January 2017

A detailed look at ISO 27001: Part 1

ISO 27001 is the international standard for information security management systems (ISMS). It underpins a certification scheme in which an organisation's information security processes and procedures are assessed by an independent certification body against the requirements of the Standard. The Standard has been adopted in this country, in the European Union and internationally.

ISO 27001 is the working standard. Its main body contains ten numbered clauses; the first three are introductory, and clauses 4 to 10 contain the seven sets of auditable requirements:

  1. Scope
  2. Normative References
  3. Terms and definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Put very simply, ISO 27001 certification is a declaration of an organisation's ability to demonstrate that it can consistently protect the confidentiality, integrity and availability of its information and satisfy its customers' information security needs.

Risk Assessments

Risk assessments must be carried out on the important parts of the organisation; the risks are evaluated and a risk treatment plan is established to reduce them. Where a risk cannot be reduced to an acceptable level, it may be accepted, but only against the organisation's documented risk acceptance criteria and with management sign-off.

Risk assessments are carried out on each information asset.

The methodology used first identifies the asset's value to the business:

  1. Low value to the business
  2. Moderate importance to the business
  3. Highly important to the business

Following the risk assessment the results are reviewed at an ISMS Forum meeting.

Scores are either confirmed or adjusted as necessary.

Items which are seen as high risk are addressed with the highest priority.

Risk assessments are revisited and actions taken as necessary.  Issues which are identified in the interim as high risk will be addressed immediately if, in the opinion of management, delay would be detrimental to the company.

Statement of Applicability

The Statement of Applicability (S.O.A.) is the document referenced by the certificate issued by the certification body (the certificate normally quotes the S.O.A. version), and it is commonly shared with customers and auditors on request. It lists every Annex A control, states whether each is applicable, gives the justification for including or excluding it, and records whether it is implemented.
Annex A of ISO 27001 contains the reference set of security controls from which this selection is made.

Clearly not all organisations will apply all elements of the Standard and this document details which are used.

The S.O.A. is version controlled, and because the certificate references a specific version, any significant change must be notified to the certification body.

Monday, 9 January 2017

ISO 14001:2015 Part 5: Operation & Performance Evaluation


9.1  Monitoring, measurement, analysis and evaluation

Details the requirements for the organisation to monitor, measure, analyse and evaluate its environmental performance.   The organisation must determine:

  • What needs to be monitored and measured;
  • The methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results;
  • The criteria against which the organisation will evaluate its environmental performance, and appropriate indicators;
  • When monitoring and measurement must be performed;
  • When the results from monitoring and measurement must be analysed and evaluated.

The organisation must ensure that calibrated or verified monitoring and measurement equipment is used and maintained, as appropriate.

The organisation must evaluate its environmental performance and the effectiveness of the environmental management system.

The organisation must communicate relevant performance information both internally and externally, as identified in its communication process(es) and as required by its compliance obligations.

The organisation must retain appropriate documented information as evidence of the monitoring, measurement, analysis and evaluation results.

9.2  Evaluation of compliance

Details the requirement for the organisation to establish, implement and maintain the processes needed to evaluate fulfilment of its compliance obligations.

The organisation must:

  • Determine the frequency that compliance will be evaluated;
  • Evaluate compliance and take action if needed;
  • Maintain knowledge and understanding of its compliance status.

The organisation must retain documented information as evidence of the compliance evaluation result(s).

9.3 Internal audit programme

Details the requirement for the organisation to establish, implement and maintain an internal audit programme (or programmes), including the frequency, methods, responsibilities, planning requirements and reporting of internal audits.

When establishing the audit programme, the organisation must take into consideration the environmental importance of the processes concerned, changes affecting the organisation and the results of previous audits.

The organisation must:

  • Define the criteria and scope of each audit;
  • Select auditors and conduct audits to ensure objectivity and impartiality of the audit process;
  • Ensure that the results of the audits are reported to relevant management.

The organisation must retain documented information as evidence of the implementation of the audit programme and the audit results.

9.4 Management review

Details the requirement that the organisation’s top management must review its environmental management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

The management review must include:

  • The status of actions from previous management reviews;
  • Changes in:

    • External and internal issues that are relevant to the environmental management system;
    • The needs and expectations of interested parties, including compliance obligations;
    • Its significant environmental aspects;
    • Risks and opportunities;
  • The extent to which environmental objectives have been achieved;
  • Information on the organisation's environmental performance, including trends in:

    • nonconformities and corrective actions;
    • monitoring and measuring results;
    • fulfilment of its compliance obligations;
    • audit results;
  • Adequacy of resources;
  • Relevant communication(s) from interested parties, including complaints;
  • Opportunities for continual improvement.

The outputs of the management review must include:

  • Conclusions on the continuing suitability, adequacy and effectiveness of the environmental management system;
  • Decisions related to continual improvement opportunities;
  • Decisions related to any need for changes to the environmental management system, including resources;
  • Actions, if needed, when environmental objectives have not been achieved;
  • Opportunities to improve integration of the environmental management system with other business processes, if needed;
  • Any implications for the strategic direction of the organisation.

The organisation must retain documented information as evidence of the results of management reviews.


10.1 General

Details the requirement that the organisation must determine opportunities for improvement and implement the necessary actions to achieve the intended outcomes of its environmental management system.

10.2 Nonconformity and corrective action

Details the requirement that the organisation must:

  • React to the nonconformity and, as applicable:

    • Take action to control, and correct it;
    • Deal with the consequences, including mitigating adverse environmental impacts;
  • Evaluate the need for action to eliminate the causes of the nonconformity, in order that it does not recur or occur elsewhere by:

    • Reviewing the nonconformity;
    • Determining the cause of the nonconformity;
    • Determining if similar nonconformities exist, or could potentially occur;
  • Implement any actions needed;
  • Review the effectiveness of any corrective action taken;
  • Make changes to the environmental management system, if necessary.

Corrective action must be appropriate to the significance of the effects of the nonconformities encountered, including the environmental impact(s).

The organisation must retain documented information as evidence of:

  • The nature of the nonconformities and any subsequent actions taken;
  • The results of any corrective action.

10.3 Continual improvement

Details the requirement that the organisation must continually improve the suitability, adequacy, and effectiveness of the environmental management system to enhance environmental performance.

Quality Matters

P.O.Box 5479

T: 01621 857841
F: 01621 856016
M: 07702 193788

© 2015 Quality Matters Ltd. All rights reserved.