Goodbye 2020 Hello 2021

As we say goodbye and good riddance to 2020 and welcome in 2021 when we hope that Covid-19 will be beaten and Brexit fears will be unfounded.

Quality Matters has never Been closed but some audits have been carried out remotely to comply with Government regulations. Some audits have been carried out on site where it is safe to do so.

Our focus in 2021 is to deliver consultancy services to meet out client’s requirements in a quick and effective manner.

Standards covered include

  • AS9100/AS9120 Aerospace and defence quality Management systems
  • ISO 9001 quality Management systems
  • ISO 14001 Environment Management systems
  • ISO 45001 Occupational Health & Safety Management systems
  • ISO 27001 Information Security Management systems
  • ISO 20000 IT Service Management systems
  • ISO 22001 HACCP Food safety Management systems
  • BRC (British Retail Consortium) quality Management systems
  • ATEX ( quality management systems in explosive atmospheres

We ‘re here to help you achieve certification to any of these standards.

Call 01621 868767 or look at our web-site

The Quality Matters website has been very successful for many years but is now in need of a facelift.

Debbie Harrison of DVH Design is beavering away at the redesign and my brief to her was to give it a modern look with eye catching qualities. Debbie did our original website back in the day and then carries out SEO each month; a service we value.

The template is being worked on now and I hope to see some preliminary results shortly.

Any company website is a shop window and an information portal. It is vital that the search engines pick them up and index the various pages. There are essential elements that are required for the likes of Google to index the pages. Get this wrong and the impact on the internet could be lost.

Our main service is of course consultancy in the major management standards with the aerospace standards AS9100 and AS9120 together with the civilian counterpart ISO 9001. We also cover the environmental standard ISO 14001 as well as Information security ISO 27001. The Health and Safety standard ISO 45001 and Medical devices ISO 13485 and other major standards make up our portfolio.

In addition, we provide training in Internal auditing both as a public course and a bespoke offering.

Watch this space for our new website in due course.

Following our exit from the EU there has been a return to confidence in our economy.

One of the bellwethers to confidence is the number of organisations looking to ISO 9001. This Quality Management Standard is now the most popular standard in the world, but in the last couple of years applications were put on hold as organisations were unsure about the additional expenditure and controls necessary for this standard.

The CBI have reported a return to confidence and this is reflected in the number of enquiries received in our office.

ISO 9001 is an outward sign that an organisation is committed to quality and is prepared to allow an external body to examine their quality management system. A system which meets the strict criteria will be awarded a certificate of compliance. A certificate which is awarded by an accredited certification body (UKAS in the UK) is recognised worldwide.

More and more ISO9001 is seen as a prerequisite for tender entry. If an organisation does not have 9001 then any tender application is likely to fail at the first hurdle.

We can help organisations to achieve the requirements of ISO 9001 with ease of use and minimal paperwork as a requirement. Our services are guaranteed, of course, and with the company in its 29th year we can back up our claims.

It normally takes a minimum, of six months from the start of a project, to achieve formal certification. The system must be capable of audit and any assessor must audit what is being done rather than what is planned.

The UK left the European Union, single market and customs union on 31 January 2020.

There is a transition period where not much will change, expiring in December 2020, however British business should be prepared as some regulatory requirements will cease to be mirrored between UK and Europe.

I am often asked about the ISO Standards and how the UK will be affected; put simply there will be no change in application or compliance.

The main Standards are marked to ensure International acceptance: e.g BS EN ISO 9001:2015Where BS means that the Standard is adopted as a British Standard

  • EN means that it is adopted as a European Standard
  • ISO means that it is adopted as an International Standard

We will continue to have Certification Bodies in the UK accredited by UKAS (United Kingdom Accreditation Service).

The one area that will change is the CE marking of products. There will be a transition period but in the long-term products sold in the UK will need to be certified to the UKCA (UK Conformity Assessed) Marking standard.

However, products destined for European markets will still need to be CE marked as Europe will not accept the UKCA mark. It is likely that as the CE and UKCA requirements will be the same, most products destined for UK and EU markets will need to be dual marked UKCA & CE.

The following rules will apply:

  • UKCA markings must only be placed on a product by the manufacturer or authorised representative;
  • When attaching the UKCA marking the manufacturer takes full responsibility for the products conformity with the requirements of the relevant legislation;
  • The UKCA marking must only be used to show product conformity with the relevant UK legislation;
  • Any UKCA marking must not misconstrue the meaning or form of the mark to third parties;
  • No other markings may be attached which affect the visibility, legibility or meaning of the UKCA marking;
  • The UKCA marking cannot be placed on products unless there is a specific requirement to do so in the legislation.

The Government will clarify the situation in due course.

IS0 27001 is a Model for information security management systems. It is an information security system registration scheme where a company’s information security procedures and processes are assessed to an information security management Standard. This Standard has been agreed in this country, the European Union and Internationally.

27001 is the working standard and it contains 7 main sections:

  1. Scope
  2. Normative References
  3. Terms and definitions
  4. Context of the Organisation
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

Put very simply, ISO 27001 is a declaration of an organisations ability to demonstrate its capability to consistently protect information security and to satisfy its customers’ information security needs.

27002 is the code of practice and it is normal to use this to set up a comprehensive Information Security Management System (ISMS). There are 15 main sections 4.0 to 18.0:


Section 0: Introduction

Starting from ‘What is information security?’, the introduction explains about information and how to make use of the standard.

Section 1: Scope

The Standard gives information on the extent of cover for an ISMS.

Section 2: Normative References.

Reference is made to documents that are referenced within 27002 and are indispensable for operation of the Information Security Management System.

Section 3: Terms and Definitions

Including ISO 27000, which is a set of terms and definitions

Section 4: Structure of the Standard

This page simply explains that the standard contains 14 security control clauses containing a total of 35 main security categories and 113 controls.

Section 5: Information Security Policies

A set of policies for information security defined, approved by management, published and communicated to employees and relevant external parties.

Management should define a policy to clarify their direction and support for information security, meaning a short, high-level information security policy statement laying down the key information security directives and mandates for the entire organisation.

Normally it will spell out the three main criteria

C – Confidentiality
I – Integrity
A – Availability

This is normally supported by a comprehensive set of more detailed corporate information security policies, typically in the form of an information security policy manual. The policy manual in turn is supported by a set of information security procedures and guidelines.

This policy is normally signed by the most senior person and displayed.

Section 6: Organisation of Information Security

A management framework should be designed and implemented to initiate and control the implementation of information security within the organisation. Responsibilities for information security risk management and in particular for acceptance of residual risks.

A Forum, made up of a cross section of people in the organisation should meet regularly.

6.1 Information Security Roles and Responsibilities

The organisation should have a management structure for information security. Senior management should provide direction and commit their support, for example by approving information security policies. Roles and responsibilities should be defined for the information security function. Other relevant functions should cooperate and coordinate their activities.

IT facilities should be authorised.

Confidentiality agreements should reflect the organisation’s needs. Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups. Information security should be independently reviewed.

6.2 Mobile Devices and Teleworking

Mobile devices are being used extensively within organisations and it is vital that the security of business information is protected. This is particularly important when working outside the organisation in unprotected environments.

Mobile devices should be protected from theft and where possible should have the ability to be remotely wiped of information when needed.

Section 7: Human Resources Security

The organisation should manage system access rights etc. for ‘new starters, promotion and leavers’, and should undertake suitable security awareness, training and educational activities.

7.1 Prior to Employment

Background verification checks should be carried out in accordance with relevant laws, regulations and ethics and should be proportionate to the business requirements, the classification of the information to be accessed and the perceived risks.

Security responsibilities should be taken into account when recruiting permanent employees, contractors and temporary staff through adequate job descriptions, pre-employment screening and included in contracts (e.g. terms and conditions of employment and other signed agreements on security roles and responsibilities).

7.2 During Employment

The organisation should ensure that employees, contractors and third party users are properly briefed about information security threats and concerns and their responsibilities regarding information security should be defined. Employees and (if relevant) third party IT users should be made aware, educated and trained in security procedures. A formal disciplinary process is necessary to handle security breaches.

7.3 Termination and Change of Employment

Security aspects of a person’s exit from the organisation are managed (e.g. the return of company assets and removal of access rights, change of access codes or passwords). Clearly some of the controls are different if the person has been dismissed and must leave the premises immediately.

Changes in roles should be managed and the termination of current responsibility or employment combined with the start of new responsibility or employment.

Section 8: Asset Management

Assets associated with information and information processing should be identified and appropriate protection responsibilities defined.

8.1 Responsibility for Assets

The organisation should identify assets relevant in the lifecycle of information and document their importance. The lifecycle information should include creation, processing, storage, transmission, deletion and destruction. Documentation should be maintained in dedicated or existing inventories as appropriate.

The Asset inventory should be accurate, up to date, and consistent and aligned with other inventories.

Ownership of assets and their classification should be defined

8.2 Information Classification

Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

It is usual to apply the test of analysis of the effect on Confidentiality, Integrity and Availability.

Examples can be based on four levels:

  • Disclosure causes no harm – Public domain
  • Disclosure causes minor embarrassment or minor operational inconvenience – Restricted
  • Disclosure has a significant short term impact on operational or tactical objectives – Confidential
  • Disclosure has a serious impact on long term strategic objectives or puts the survival of the organisation at risk – Secret

Section 8.3 Media

To prevent unauthorised disclosure, modification, removal or destruction of information stored on media

Removable media should be protected and stored in accordance with the organisation’s security classifications.

Media contents no longer required should be made unrecoverable.
If data confidentiality or integrity are important considerations then cryptography techniques should be considered.

Registration of removable media should be considered to limit the opportunity for data loss.

Removable media drives should only be enabled if there is a business case for doing so.

Media that is no longer required should be disposed of securely. Audit trails of these media should be maintained.

Section 9: Access Control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.

9.1 Business Requirement for Access Control

The organisation’s requirements to control access to information assets should be clearly documented in an access control policy, including for example job-related access profiles (role based access control). [This is an important obligation for information asset owners.]

9.2 User Access Management

Formal procedures for the allocation of access rights to users should be controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.

9.3 User Responsibilities

Users should be made accountable for safeguarding their authentication information. e.g. keeping their secret authentication confidential and not divulging to any other parties, including those in authority. SSO (Single Sign On and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect and this can increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of secret authentication information.

9.4 System and Application Access Control

Access to information and application system functions should be restricted in accordance with the access control policy.

The following may be considered:

  • Providing menus to control access to application systems function;
  • Controlling which data can be accessed by a particular user;
  • Controlling read, write, delete and execute functions;
  • Controlling the access rights of other applications;
  • Limiting information contained in outputs;
  • Providing physical or logical access controls for the isolation of sensitive applications or applications data or systems.

Password management systems should be employed to ensure that secure log-on procedures are followed, including the use of strong passwords and regular changing of these passwords.

Section 10: Cryptography

A cryptography policy should be developed and implemented. This should include:

  • The required level of protection required;
  • The type, strength, and quality of the encryption algorithm to be used;
  • Key management;
  • Integrity/authenticity of using digital signature or message authentication codes;

Section 11: Physical and Environmental Security

Critical or sensitive information processing facilities should be physically protected against malicious or accidental damage or loss, overheating, loss of mains power etc. It should also be sited to prevent unauthorised viewing of confidential matter.

There is a need for concentric layers of physical controls including barriers, walls, card controlled entry gates or manned reception desks (rather like an onion) to protect sensitive IT facilities from unauthorised access.

A secure area may be a lockable office, a computer room or several rooms surrounded by a continuous internal physical security barrier.

Critical IT equipment, cabling and other assets should be protected against physical damage, fire, flood, theft, and interception etc., both on and off-site.
Power supplies and cabling should be secured. IT equipment should be maintained properly and disposed of securely.

Access to and within application systems should be controlled in accordance with a defined access control policy. Particularly sensitive applications may require dedicated (isolated) platforms, and/or additional controls if run on shared platforms.

The application of physical controls should be adapted to the technical and economic circumstances of the organisation.

11.2 Equipment

To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

This includes the siting of equipment to reduce the risks from environmental threats and hazards, and opportunities for unauthorised access.

Supporting utilities should be inspected regularly to detect damage and malfunction.

Cabling should be protected and checked for unauthorised interception.

Clear desk and clear screen policies should be in use.

Section 12: Operations Security

This is a big clause and it covers all aspects of operations security.

To ensure correct and secure operations of information processing facilities.

Documented operating procedures should be available to all users who need them.

Change control procedures should be used to record and authorise changes to the organisation, business processes, information processing facilities and systems that can affect information security.

Capacity management should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance,

12.2 Protection from malware

To ensure that information and information processing facilities are protected from Viruses and other malware.

12.3 Backup

Systems should be backed up to protect against data loss.

12.4 Logging and monitoring

To record events and generate evidence.

12.5 Control of operational software

To ensure the integrity of operational systems.

12.6 Technical vulnerability management

To prevent exploitation of technical vulnerabilities.

12.7 Information systems audit considerations

To minimise the impact of audit activities on operational systems.

Section 13: Communications security

This is a big clause and covers all aspects of communications security

To ensure the protection of information in networks and its supporting information processing facilities.

Section 14: Information Systems acquisitions, development and Maintenance

To ensure that information security must take into account the Systems Development Lifecycle (SDLC) processes for specifying, building/acquiring, testing, implementing and maintaining IT systems.

14.1 Information Security Requirements analysis and specifications

Automated and manual security control requirements should be analysed and fully identified during the requirements stage of the systems development or acquisition process, and incorporated into business cases.

Purchased software should be formally tested for security, and any issues risk-assessed.

14.2 Security in development and support processes

To ensure that information security is designed within the development lifecycle of information systems.

14.3 Test data

To ensure the protection of data used for testing.

Section 15: Supplier relationships

This new section deals with the protection provided in supplier agreements.

Section 16: Information Security Incident Management

Information security events, incidents and weaknesses (including near-misses) should be promptly reported and properly managed.

16.1 Reporting Information Security Events and Weaknesses

A formal incident/weakness reporting procedure is required, plus the associated response and escalation procedures. There should be a central point of contact, and all employees, contractors etc. should be informed of their incident reporting responsibilities. Feedback to the person reporting an incident should take place.

16.2 Management of Information Security Incidents and Improvements

Responsibilities and procedures are required to manage incidents and weaknesses effectively, to implement continuous improvement (learning the lessons), and to collect evidence in accordance with legal requirements.

Section 17: Information Security Aspects of Business Continuity Management

This section describes the objective to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A business continuity management process should be implemented to minimise the impact on the organisation and recover from the loss of information assets.

The relationship between IT disaster recovery planning, business continuity management and contingency planning, ranging from analysis and documentation through to regular exercising/testing of the plans. These controls are designed to minimize the impact of security incidents that happen despite the preventive controls noted elsewhere in the standard.

Section 18: Compliance

18.1 Compliance with Legal and Contractual Requirements

The organisation must comply with applicable legislation such as copyright, data protection, protection of financial data and other vital records, cryptography restrictions, rules of evidence etc.

18.2 Information Systems Reviews

System audits should be carefully planned to minimise disruption to operational systems. Powerful audit tools/facilities must also be protected against unauthorised use.

The Christmas break is over and we are all ready to face the new year.

The future as regards Brexit seems to be decided with our exit now taking place on 31 January 2020 with the transition period due to end in December 2020. The uncertainty over the last three years is now at an end and we can all plan for the future. No doubt there will be some bumps in the road, as stated by the Queen in her Christmas message but the signs in business confidence are reasonably high.

We are now in our 29th year and our experience, expertise and client care remain our top priority.

Our services which are still available are:

  • Consultancy and audits of systems in AS 9100, AS 9120 (aircraft, space, & defence);
  • Consultancy and audits of systems in ISO 9001, ISO 14001, ISO 45001;
  • Consultancy and audits of systems in ISO 27001 (Information Security);
  • Consultancy and audits of systems in ISO20000 (IT service management);
  • Consultancy and audits of systems in ISO 13485 (Medical Devices);
  • Consultancy and audits of systems in ATEX (Explosive atmospheres);
  • Consultancy and audits of systems in ISO 22000 (Food safety).
  • We also carry our system audits of your management standards,

Please contact us for a quotation or simply for advice. 01621 857841

Or email us at

Or through our website

This will be our final blog for 2019. Our offices will be closed from midday on Friday 20 December and will reopen on 6th January 2020 Our email will be monitored but may take longer for us to respond during this period.

This year has been unsettling for everyone with the uncertainty over BREXIT and companies delaying investment until our status within the EU was clearer. This has also meant a contraction in the economy and nervousness from our European neighbours.

Now that the General Election result is known and that the Government will be able to guarantee our exit from the EU, we can all make plans for 2020.

We wish our Clients, Suppliers and readers of our blog a very Merry Christmas and a Happy and prosperous New Year.

2019 year end and onwards and upwards to 2020.

The unsettling news from Boeing recently may call into question the effectiveness of the aerospace and defence standard AS9100. It could be that assessors and internal auditors did not spot the trends being exhibited or it could be simply that the sample audited did not throw up the deficiencies which came to light after the incidents.

AS9100 was designed meet the exacting standards in aerospace, the major aircraft manufacturers and IAQG (International Aerospace Quality Group) developed AS9100; based on ISO9001:2008 this standard fills the gap between military standards and the commercial ISO9001 quality management standard. It makes good sense to have one aerospace standard for conformity to best practice; AS9100 is that standard.

Any failure in the operation of this Standard can have devastating consequences as in the two aircraft that crashed killing all the occupants.

AS9100 v ISO 9001

Manufacturing an item as complicated and critical as an aircraft or space vehicle requires special attention during all the production processes. A great deal of attention is placed on documentation and drawing control to ensure that the current revision of engineering drawings, part lists and test and inspection specifications is being used. This ‘configuration control’ is covered in far more depth than ISO9001, as is identification and traceability. The paperwork trail is vital following an incident or accident and these documents are always quarantined immediately by an accident or incident board of enquiry as was the case of the 737 Max aircraft.

The AS9100 standard provides guidance for key characteristic management in both material, and process control. Clearly there is a good deal of emphasis on the design and development of the final structure as well as components used in that structure, the AS9100 standard includes additional references in design and development functions. Explanatory notes are included for both design and development verification and validation highlighting traditional areas of emphasis. Additionally, AS9100 provides information on areas of verification documentation and validating testing and results.

One area which receives greater attention is the inspection area, particularly the first off in a batch of items. This is called first article inspection in AS9100.

The standard also gives guidelines for actions to be taken when it all goes wrong. Any faulty part, which is scrap, must be put beyond use before disposition.

This standard can be applied in the following forms:

  • AS 9100 – Quality Management System requirements for Design and/or manufacture of aerospace products
  • AS 90110 – Quality Management System requirements for maintenance and repair operations
  • AS 9120 – Quality Management System requirements for Stockists and distributors

Assessment and certification is carried out by properly accredited and competent assessors. The assessment is of necessity, more in depth than ISO9001 and the reporting is far stricter. The assessor scores each item against a prepared score card; at the end of the assessment the scores are totalled and a decision to pass or require additional work to be carried out is made.

One major difference in the assessment is that no corrective action may take place during the assessment, unlike ISO9001. Any CAP (corrective action plan) must take place afterwards.

Inevitably main suppliers who achieve certification to AS9100 will then require their sub-contractors and suppliers to achieve the standard as well.

Once accredited these organisations are featured in OASIS (the IAQG Online Aerospace Supplier Information System).

Quality Matters can assist organisations to achieve certification to these standards

The approaching General Election and new Government will set the scene for 2020.

If there is a Labour Government then we are in for more delay and uncertainty, further delays and the prospect of another referendum will mean that business is unwilling to invest in plant, machinery and staff given that we will not know whether we are leaving or staying in the EU.

If there is a Conservative Government then it is possible that we will leave the EU in January 2020, but the long-term trading with the EU is still to be determined. However, we will be able to negotiate trade deals with countries outside the EU.

There is much speculation on the outcome of both the Election and our future relationship with Europe and the rest of the world. All we can hope is that some degree of future planning will enable business to plan ahead.

I am often asked about the future of our management standards, including ISO 9001, ISO 14001, ISO 45001, ISO 27001 and others after we leave the EU; the answer is simple, the standards are British, European and International and will continue to apply throughout the world regardless of our status within the EU. Once certificated, companies will have their credentials recognised worldwide, as they are now.

Let us keep our fingers crossed and hope that some common sense will prevail following the Election results.

We are sure that you are as fed up as we are with the daily, and sometimes more frequent, telephone calls that are either silent and short-lived or are from someone claiming to be from BT, Virgin, Microsoft etc offering to help with virus removal or warning that interment connection is about to be disconnected.

Recently the same Indian sounding woman called our office claiming to be from BT, then again from Virgin and later the same day from TalkTalk.

When I said I recognised her voice she rang off only to call again later claiming to be from O2. I usually try to be polite but on this occasion I was pretty rude. I know they are only doing their job and for a very low wage but it is very irritating.

The good news is that the Indian Police have raided a number of call centres where these scam calls originate and have arrested people, seized computer equipment and closed down a good number of these call centres.

We think that stopping these scam calls should be treated as a priority as well as outlawing the cloning of UK telephone numbers to make it look as though the call is coming from the UK.

Our ICO (Information Commissioners Office) is looking at ways to stop calls originating from within the UK but is powerless to stop calls from the rest of the world.

This unnecessary drain on time and resources that businesses are having to expend is placing a strain on already difficult times.