Goodbye 2020 Hello 2021

As we say goodbye and good riddance to 2020, we welcome in 2021, when we hope that Covid-19 will be beaten and Brexit fears will prove unfounded.

Quality Matters has never been closed, but some audits have been carried out remotely to comply with Government regulations. Other audits have been carried out on site where it is safe to do so.

Our focus in 2021 is to deliver consultancy services that meet our clients’ requirements in a quick and effective manner.

Standards covered include:

  • AS9100/AS9120 Aerospace and Defence Quality Management Systems
  • ISO 9001 Quality Management Systems
  • ISO 14001 Environmental Management Systems
  • ISO 45001 Occupational Health & Safety Management Systems
  • ISO 27001 Information Security Management Systems
  • ISO 20000 IT Service Management Systems
  • ISO 22000 HACCP Food Safety Management Systems
  • BRC (British Retail Consortium) Quality Management Systems
  • ATEX (quality management systems in explosive atmospheres)

We’re here to help you achieve certification to any of these standards.

Call 01621 868767 or look at our web-site www.quality-matters.com

We are not immune to the vagaries of computers. Last week our main office computer suffered a problem during a Windows update; it froze and then started a full reboot. We managed to power it down, but then it failed to start.

We do, of course, have full backups of data and programmes but it soon became apparent that our emergency boot disk was of no use as the machine does not have a CD/DVD drive fitted.

This is increasingly the norm, as most programmes are now supplied online and do not require a DVD drive to install.

We tried a number of quick fixes but gave up after an hour. I took the computer to our friends at Tiptree Computers and the following day it was back up and running, as good as new. The cost: £49.99 + VAT, a real bargain.

We then ran a comparison to the back-up and apart from one minor issue the computer was fully functional.  The issue was that the favourites had been reset.  This was corrected fairly quickly.

We do go on emphasising the requirement that backups are taken regularly and then tested, to ensure that everything is protected. In this case our backups and Tiptree Computers made sure our workflow was uninterrupted.

A disaster averted.

We later learned that the Microsoft update of Windows Defender had been the cause of this glitch, and it is receiving attention from Redmond. We weren’t alone.

The official blog for independent Management Training
Consultancy, Quality Matters Limited.

To meet the exacting standards in aerospace, the major aircraft manufacturers and the IAQG (International Aerospace Quality Group) developed AS9100. Based on ISO9001:2008, this standard fills the gap between military standards and the commercial ISO9001 quality management standard. It makes good sense to have one aerospace standard for conformity to best practice; AS9100 is that standard.

AS9100 v ISO 9001

Manufacturing an item as complicated and critical as an aircraft or space vehicle requires special attention during all the production processes. A great deal of attention is placed on documentation and drawing control to ensure that the current revision of engineering drawings, parts lists and test and inspection specifications is being used. This ‘configuration control’ is covered in far more depth than in ISO9001, as are identification and traceability. The paperwork trail is vital following an incident or accident, and these documents are always quarantined immediately by an accident or incident board of enquiry.

The AS9100 standard provides guidance for key characteristic management in both material and process control. Clearly there is a good deal of emphasis on the design and development of the final structure as well as of the components used in that structure, and the AS9100 standard includes additional references to the design and development functions. Explanatory notes are included for both design and development verification and validation, highlighting traditional areas of emphasis. Additionally, AS9100 provides information on verification documentation and on validation testing and results.

One area that receives greater attention is inspection, particularly of the first item in a batch. This is called first article inspection in AS9100. The standard also gives guidelines for the actions to be taken when it all goes wrong. Any faulty part that is scrap must be put beyond use before disposition.

This standard can be applied in the following forms:

  • AS 9100 – Quality Management System requirements for design and/or manufacture of aerospace products
  • AS 9110 – Quality Management System requirements for maintenance and repair operations
  • AS 9120 – Quality Management System requirements for stockists and distributors

Assessment and certification are carried out by properly accredited and competent assessors. The assessment is, of necessity, more in-depth than for ISO9001, and the reporting is far stricter. The assessor scores each item against a prepared score card; at the end of the assessment the scores are totalled and a decision is made either to pass or to require additional work to be carried out. One major difference in the assessment is that no corrective action may take place during the assessment, unlike ISO9001. Any CAP (corrective action plan) must be carried out afterwards.

Inevitably, main suppliers who achieve certification to AS9100 will then require their sub-contractors and suppliers to achieve the standard as well.

Once certified, these organisations are listed in OASIS (the IAQG Online Aerospace Supplier Information System).

Quality Matters can assist organisations to achieve certification to these standards.


The revised Environmental Standard ISO14001 has now been released as a DIS (Discussion document) but still has some way to go before it is finally published in 2015.

However, the format has been agreed and is shown in the table below, which compares the old standard with the new. Preparation can begin, but readers should not write documents and processes before the Standard is released.

[Table: Comparison of existing & proposed ISO 14001]


The new standard was published on 25 September 2013, and it was anticipated that a 12-month transition would be applied to existing certificate holders. All the CBs (Certification Bodies) would have to train their auditors and then submit to re-accreditation to the new standard by UKAS before any third-party auditing could take place; this will take some time, and some of the CBs anticipate that they will be ready to carry out audits by about late spring. Bearing this in mind, and the short time remaining to upgrade, it has been decided to extend the deadline to 24 September 2015.

New applicants for 27001 can choose to have either the 2005 or the 2013 standard assessed up to September 2014.  All of us have heaved a sigh of relief as the previous time-scale was seen as very tight.  We hope that this extension will allow an orderly upgrade to the revised standard with time to plan and implement the changes.

We have started to plan our Client visits to allow the revision of documents and processes for the transition to take place.  More help is available if required.

This is our last blog before Christmas so we wish our Clients and readers of our Blog a very Merry Christmas and a Happy New Year.


ISMS Light touch Directors’ Brief

Executive Summary

It is generally accepted that information is the greatest asset any organisation has under its control. Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:

  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.

With increasing reliance on data, it is clear that only organisations able to control and protect this data are going to meet the challenges of the 21st century.

ISO27001:2005, which was formerly BS7799, is the International Standard for Information Security Management Systems (ISMS) and provides a definitive reference for developing an information security strategy. Moreover, successful certification to this standard is confirmation that the system employed by the organisation meets internationally recognised standards.

However, reduced resources may cause problems when planning and implementing a full ISMS; this can be resolved by using a reduced scope, which still allows for extension at some time in the future.

The Statement of Applicability which accompanies the application can be tailored to meet the specific requirements of the organisation.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT but critical information extends well beyond computer systems. It encompasses knowledge retained by people, paper documents as well as traditional records held in a variety of media. A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole organisation matter and crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

C I A

  1. Confidentiality
  2. Integrity
  3. Availability

These are the three requirements for any ISMS.

Directors’ Perspective

Your vision is central to organisational development; driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, the professions and the financial sector. This is being driven by adoption of the standard as part of their legal and regulatory obligations. In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/client confidence and win new business. With public concern over security issues at an all time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard, is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction, and therefore replaces the feeling of risk ignorance many directors have in this area. It will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside against the more obvious benefits.

CFO Scrutiny

Whether as part of compliance (such as that required by professional bodies, Sarbanes-Oxley or the Data Protection Act) or as part of effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital. Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making. Basic risk assessment is a preferred method when smaller organisations are starting on the road to an ISMS.

Business Continuity

How well would you cope if a disaster affected your business?

This could be from some natural cause such as flood, storm or worse from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival or extinction of the business.

Many of the businesses affected by the Buncefield Fuel Depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan, but if the plan is untested or ill prepared then it is bound to fail. ISO27001 states that a fully planned and tested BCP should be in place to prepare for, and be able to deal with, such an emergency.

ISO 27001/2 Sections

  • Risk assessment and treatment – Assessing the risks to the company’s assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
  • Security policy – This provides management direction and support for information security.
  • Organisation of information security – To help manage information security within the organisation.
  • Asset management – To help identify assets and protect them appropriately.
  • Human resources security – To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management – To ensure the correct and secure operation of information processing facilities.
  • Access control – To control access to information.
  • Information systems acquisition, development and maintenance – To ensure that security is built into information systems.
  • Information security incident management – To deal effectively with any identified security incident.
  • Business continuity management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.

CONCLUSIONS

A light touch ISMS can be very effective in providing confidence to customers/clients if the elements incorporated in the ISMS are carefully selected. The Statement of Applicability details which parts are included and which are excluded.

Many organisations have benefited from this approach and with assistance from Quality Matters have maximised the use of resources while providing good levels of data protection.  

This brief has been prepared by Chris Eden of Quality Matters Limited. Chris Eden FIC, MISSA, ACQI, is a director of Quality Matters Limited with over 20 years’ experience in setting up, auditing and evaluating systems. He is a Registered QMS2008 Internal Auditor (IRCA).


There have been a number of scare stories in the past (remember the millennium bug, which promised to bring down every computer in the world), but this one seems far more plausible.

The notification came through the FBI in the USA, and the bug has the potential to bring down the entire internet. This would dwarf any attempts so far to disrupt business worldwide.

This bug affects only Windows and Mac machines (at the moment); Linux, Android and iOS are OK. Essentially this Trojan infects machines and alters the way that computers resolve internet addresses.

When you type in a web address, for example www.quality-matters.com, DNS servers look up the internet reference; in this case it resolves to 92.15.193.76 and connects the user to our web-site. The bug changes the way this is done and directs the user to a criminal’s web site. It may be that the site looks similar to the original and, in the case of financial institutions, will prompt the user for username and password. The bug also disables antivirus and anti-malware software, so that the user is pretty defenceless.

The FBI have already arrested a number of the criminals (six Estonian nationals) and have used their own resources to set up their own servers at the web addresses the criminals had used.

Will this affect me?  There is a way to test your own system to see if it is infected.

Type in http://www.dcwg.org/detect/ If your machine is OK then it will show a green background; if not it will be red.
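The post describes the trojan’s effect as a change to the way a machine resolves names, so one defender-side check is to confirm that the resolvers a host is actually configured to use are the ones you expect. The following Python script is an added example, not code from the original post or from Quality Matters: it parses a constructed resolv.conf excerpt and compares the listed nameservers against an assumed list of expected resolvers. The addresses in it are documentation ranges chosen for illustration, not real rogue servers.

```python
"""Flag DNS resolver settings that differ from what the organisation expects.

Added example (not from the Quality Matters blog). The resolv.conf text and
the expected-resolver list are constructed for illustration.
"""
import ipaddress

# Constructed sample of a Unix-style /etc/resolv.conf. The third nameserver
# (a TEST-NET-3 documentation address) stands in for a changed setting.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 192.168.1.1
nameserver 198.51.100.53
nameserver 203.0.113.77
options timeout:2
"""

# Resolvers the organisation expects to see (assumed values for this example):
# the office router and the IT team's chosen upstream resolver.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments (# or ;) and unrelated directives such as 'search' or 'options'
    are ignored; a malformed address is skipped rather than raising, so a
    damaged file still yields whatever can be read from it.
    """
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                found.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return found


def classify_resolvers(nameservers, expected=EXPECTED_RESOLVERS):
    """Split resolvers into (expected, unexpected) lists, preserving order.

    A private LAN address that is not on the expected list is still reported:
    a changed resolver setting is exactly the symptom the post describes,
    whether the new address is public or local.
    """
    ok, unexpected = [], []
    for ns in nameservers:
        (ok if ns in expected else unexpected).append(ns)
    return ok, unexpected


def resolver_report(text, expected=EXPECTED_RESOLVERS):
    """Parse resolver configuration and summarise what needs looking at."""
    nameservers = parse_resolv_conf(text)
    ok, unexpected = classify_resolvers(nameservers, expected)
    return {
        "configured": nameservers,
        "expected": ok,
        "unexpected": unexpected,
        "status": "CHECK" if unexpected else "OK",
    }


if __name__ == "__main__":
    report = resolver_report(SAMPLE_RESOLV_CONF)
    for ns in report["configured"]:
        label = "UNEXPECTED" if ns in report["unexpected"] else "expected"
        print(f"{ns:<16} {label}")
    print("status:", report["status"])
```

On a real host you would feed the script the contents of /etc/resolv.conf (or the equivalent adapter settings on Windows) instead of the embedded sample; any address that lands in the “unexpected” list deserves investigation before the machine is used for online banking or anything else sensitive.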

The one thing I haven’t mentioned yet is the date on which this will all happen:
MARK THIS DATE IN YOUR DIARIES: 9 July 2012.

Let us hope that it was all a hyped-up issue and the date passes without incident. I am prepared – are you?


We, at Quality Matters, wish all our Clients and blog readers a happy Christmas and a prosperous New Year.

I think it fair to say that 2011 has been a challenging year; the economic upturn hasn’t quite made it; the currency markets, particularly the Euro, have been trying; and inflation has been felt throughout the UK.

Nevertheless, we have again achieved 100% success for all our clients who were assessed against the various Standards, and those already certificated and reassessed have retained their certifications.

  • ISO9001 Quality Management
  • ISO14001 Environmental Management
  • AS9100 Aerospace Quality Management
  • ISO27001 Information Security Management
  • OHSAS 18001 Health and Safety Management
  • ISO20000 IT Service Management
  • ISO22000 Food Safety Management
  • ATEX Explosive Atmosphere Safety Standard
  • BBA British Board of Agrément for building products

We conducted a number of internal audits on behalf of our Clients, where those Clients chose not to carry out their own internal audits. We also held two public Internal Quality/Environmental Auditing courses, and all those attending are now certificated auditors.

2012 will, I am sure, be rewarding in all sorts of ways; our existing Clients can rely on us to provide the very best support, and they know help is an email or phone call away, where required.

We look forward to finalising the quotations recently issued, getting those new Clients established in their chosen Standards and, of course, maintaining our 100% pass rate at the first attempt.

Since we started in 1991 we have seen many changes in both the Standards and the way the UK has fared, some good, some not so good, but as we move towards a new year we are confident that the trust and reputation we have developed over the years will be maintained and enhanced.

Our very best wishes for 2012


It is generally accepted that information is the greatest asset any organisation has under its control. Managing Directors are aware that the supply of complete and accurate information is vital to the survival of their organisations.

Today more and more organisations are realising that information security is a critical business function. It is not just an IT function but covers:

  1. Governance;
  2. Risk Management;
  3. Physical Security;
  4. Business Continuity;
  5. Regulatory and Legislative Compliance.

With increasing reliance on data, it is clear that only organisations able to control and protect this data are going to meet the challenges of the 21st century.

ISO27001:2005, which was formerly BS7799, is the International Standard for Information Security Management Systems (ISMS) and provides a definitive reference for developing an information security strategy. Moreover, successful certification to this standard is confirmation that the system employed by the organisation meets internationally recognised standards.

Information Security

Business has been transformed by the use of IT systems, indeed it has become central to delivering business efficiently. The use of bespoke packages, databases and email have allowed businesses to grow while encouraging remote communication and innovation.

Most businesses rely heavily on IT, but critical information extends well beyond computer systems. It encompasses knowledge retained by people and paper documents, as well as traditional records held in a variety of media. A common mistake when incorporating an information security system is to ignore these elements and concentrate only on the IT issues.

Information security is a whole-organisation matter and crosses departmental boundaries. It is more than just keeping a small amount of information secret; your very success is becoming more dependent upon the availability and integrity of critical information to ensure smooth operation and improved competitiveness.

C I A

  1. Confidentiality
  2. Integrity
  3. Availability

These are the three requirements for any ISMS.

Managing Directors’ Perspective

Your vision is central to organisational development, driving improvements in all areas of the business to create value. With information technology being key to so many change programmes, effective information security management systems are a prerequisite to ensuring that systems deliver on their business objectives. Your leadership can help create the appropriate security culture to protect your business.

Organisations are increasingly being asked questions about ISO 27001, particularly by national or local government, the professions and the financial sector. This is being driven by adoption of the standard as part of their legal and regulatory obligations. In some areas this is becoming a tender requirement.

Others are seeing a competitive advantage in leading their sector and using certification in information security management to develop customer/client confidence and win new business. With public concern over security issues at an all-time high, there is a real need to build effective marketing mechanisms to show how your business can be trusted.

You will certainly be aware of your responsibilities for effective governance, and be answerable for damaging incidents that can affect organisational value. The risk assessment, which is the foundation of the standard, is designed to give you a clear picture of where your risks are and to facilitate effective decision making. This translates into risk management, not simply risk reduction, and therefore replaces the feeling of risk ignorance many directors have in this area. It will help you understand the potential risks involved with the deployment of the latest information technologies and will enable you to balance the potential downside against the more obvious benefits.

CFO Scrutiny

Whether as part of compliance (such as that required by professional bodies, Sarbanes-Oxley or the Data Protection Act) or as part of effective governance, information security is a key component of operational risk management. It enables the formulation of effective risk analysis and measurement, combined with transparent reporting of ongoing security incidents to refine risk decisions.

Giving values to the impact security incidents can have on your business is vital. Analysis of where you are vulnerable allows you to measure the probability that you will be hit by security incidents with direct financial consequences.

An added benefit of the risk assessment process is that it gives you a thorough analysis of your information assets, how they can be impacted by attacks on their confidentiality, integrity and availability, and a measure of their real value to your business.

Although the detail within the risk assessment process can be complex, it is also possible to translate this into clear priorities and risk profiles that the Board can make sense of, leading to more effective financial decision making.

Business Continuity

How well would you cope if a disaster affected your business? 

This could be from some natural cause such as flood or storm, or worse, from fire, terrorism or other civil unrest. The areas not often considered are sickness, failure of utilities or technology breakdown.

Business continuity planning in advance of a disaster can mean the difference between survival and extinction of the business.

Many of the businesses affected by the Buncefield Fuel Depot disaster never recovered. Those with an effective business continuity plan have emerged like the phoenix from the ashes.

Many businesses claim to have a plan, but if the plan is untested or ill prepared then it is bound to fail. ISO27001 states that a fully planned and tested BCP should be in place to prepare for, and be able to deal with, such an emergency.

ISO 27001 Elements

  • Risk assessment and treatment – Assessing the risks to the company’s assets, devising a risk treatment plan and finally accepting those risks that cannot be mitigated.
  • Security policy – This provides management direction and support for information security.
  • Organisation of information security – To help manage information security within the organisation.
  • Asset management – To help identify assets and protect them appropriately.
  • Human resources security – To reduce the risks of human error, theft, fraud or misuse of facilities.
  • Physical and environmental security – To prevent unauthorised access, damage and interference to business premises and information.
  • Communications and operations management – To ensure the correct and secure operation of information processing facilities.
  • Access control – To control access to information.
  • Information systems acquisition, development and maintenance – To ensure that security is built into information systems.
  • Information security incident management – To deal effectively with any identified security incident.
  • Business continuity management – To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
  • Compliance – To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirement.


What is ISO 9001?

A Quality Management System for turning customer requirements into customer satisfaction. It provides the mechanism for continual improvement and a set of common-sense guidelines for running a successful business.

What are the benefits of ISO 9001 Registration?

An internationally recognised quality mark. Certificates are awarded by independent accredited organisations, so customers do not have to do their own checks on a supplier.

How many ISO 9001 Certificates have been issued?

Over 1 million worldwide.

The Model for ISO9001   

What is covered by ISO9001?

BS EN ISO 9001:2008 requires 5 main sections to be addressed; these are:

  1. Quality Management System;
  2. Management Responsibility;
  3. Resource Management;
  4. Product Realisation;
  5. Measurement, Analysis and Improvement

Each section is subdivided as required and covers all elements of the business having an impact on quality.

How long does it take to obtain certification?

This obviously varies from organisation to organisation, but the prime requirement is that the organisation must have three months of ‘track record’ from completion of the document set.
As a rough guide, ISO 9001 can be achieved in about 8-10 months.

What documentation is needed?

A Quality manual and procedures/processes for operating the systems.

Once the certificate is issued what happens next?

The certification authority will carry out surveillance visits each year to ensure continued compliance.

Sections of ISO9001:2008

  1. General Requirements
    1. Documentation Requirements
      1. General
      2. Quality Manual
      3. Control of Documents
      4. Control of Records
  2. Management Responsibility
    1. Management Commitment
    2. Customer Focus
    3. Quality Policy
    4. Planning
      1. Quality Objectives
      2. Quality Management System Planning
    5. Responsibility, Authority and Communication
      1. Responsibility and Authority
      2. Management Representative
      3. Internal Communication
    6. Management Review
      1. General
      2. Review Inputs
      3. Review Outputs
  3. Resource Management
    1. Provision of Resources
    2. Human Resources
      1. General
      2. Competence, Training and Awareness
    3. Infrastructure
    4. Work Environment
  4. Product Realisation
    1. Planning of Product Realisation
    2. Customer-Related Processes
      1. Determination of Requirements Related to the Product
      2. Review of Requirements Related to the Product
      3. Customer Communication
    3. Design and Development
    4. Purchasing
      1. Purchasing Process
      2. Purchasing Information
      3. Verification of Purchased Product
    5. Product Provision
      1. Control of Product Provision
      2. Validation of Processes for Product Provision
      3. Identification and Traceability
      4. Customer Property
      5. Preservation of Product
    6. Control of Monitoring and Measuring Equipment
  5. Measurement, Analysis and Improvement
    1. General
    2. Monitoring and Measurement
      1. Customer Satisfaction
      2. Internal Audit
      3. Monitoring and Measurement of Processes
      4. Monitoring and Measurement of Product
    3. Control of Nonconforming Product
    4. Analysis of Data
    5. Improvement
      1. Continual Improvement
      2. Corrective Action
      3. Preventive Action