

Quality Matters is an independent Management Consultancy based in Maldon, Essex. Here we discuss the latest in Quality and Information Security News.



What Value is an External Consultant?
Most companies holding a certification to ISO9001 have done so for many years, and although the standard calls for 'Continual Improvement' this is often product or service based and often reflects normal organic growth. While there is nothing intrinsically wrong with this approach, Directors are not always taking advantage of the latest techniques and processes.

Many companies certified for five or six years or more may have a fairly large quality manual and processes to match; some of these will have been expanded as a result of auditors' comments and some as a result of customers' complaints or observations, but not all will add any value to the company's operation.

It is a good idea to have someone look with fresh eyes at what you are doing, and to get a real heads-up on the latest techniques and on ways to reduce the administrative burden of Systems Management.

This not only applies to ISO9001 but to all the other standards, Environmental, Information Security, Health & Safety, individual Product standards and others.
Professional consultants have verifiable qualifications and accreditations plus Professional Indemnity Insurance. Any reputable consultant will also be able to furnish you with a list of satisfied clients from whom you can obtain references.

A good consultant is worth his or her weight in gold; not only can an MOT of your system actually save money, it can result in greater efficiency. Remember that an experienced consultant will have been involved with a number of organisations and will be able to use that experience to help you. Cherry picking the best practices and techniques, while retaining strict confidentiality, will add real value to your business.

There are other advantages, such as no holidays to pay for, no sickness or other absence to factor in and the best bit is you only pay for actual work performed.

Posted: Monday, 5 May 2008


OHSAS 18001 Health & Safety Management Standard
OHSAS 18001 has become one of the most widely recognised standards in the world. Last year the standard was adopted as a British Standard and can now be formally assessed and certified.

What is OHSAS 18001?

18001 or more correctly BS OHSAS 18001:2007 (in the UK) is a registration scheme where an organisation's Health & Safety Management is assessed against a set of rules; if successful the organisation can use the logo to endorse the management system incorporated in the organisation. The logo along with the 'tick and Crown from UKAS' means that the company can demonstrate full compliance with the standard.

What does OHSAS 18001 cover?

The standard covers all elements of Health & Safety in the organisation and ensures that the Safety at Work legislation is fully implemented. With the ever increasing regulation and legislation it is important to have any internal systems validated. It may prevent inadvertent breaches of the Law and the prosecutions that may follow.
In short, all the health and safety activities normally carried out within a well ordered organisation.

Below is the BS OHSAS 18001 model which is designed to turn OH&S Policy, through planning and implementation into continual improvement of the Health & Safety system employed by the company.



The information gathered at every stage is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.
Many companies are opting for a fully integrated approach of Quality, Environmental and H&S in one management system.

Posted: Monday, 21 April 2008


ISO14001 Environmental Management Standard

What is ISO14001?


14001 is an externally assessed scheme where an organisation's declared environmental practices are checked against a set of rules; if successful, the organisation can use the logo to endorse the environmental management system incorporated in the organisation.

An additional advantage is that cost savings brought about by reductions in gas, electricity and fossil fuels can be significant.

What does ISO14001 cover?


The standard covers the impact on the environment made by the product (or service) from customer's order through order acceptance, design and development if appropriate, planning, production or service delivery and control of calibration devices. Also included is training and the selection of suppliers that are able to meet the organisation's environmental needs, together with controls on energy usage and waste generation.

The activities are those carried out by most 'Green' companies.
Below is the ISO14001 model which is designed to allow for continual improvement through planned and operated policy.

As is the case with ISO9001 (Quality Management Standard) the information gathered from the processes is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.

The two standards 9001 and 14001 are often integrated into a single management system.

Posted: Monday, 7 April 2008


ISO9001 Quality Management Standard
ISO9001 has become the most widely recognised standard in the world. In the UK the 'Crown and Tick' logo alongside the Certification Body shows that the certificate of registration is valid worldwide.

What is ISO9001?



9001 or more correctly BS EN ISO9001:2000 (in the UK) is a registration scheme where an organisation is assessed against a set of rules; if successful the organisation can use the logo to endorse the management system incorporated in the organisation.


What does ISO9001 cover?



The standard covers all stages of a product (or service) from the customer's order through order acceptance, design and development if appropriate, planning, production or service delivery, quality control checks such as inspection, and control of calibration devices. Also included are the selection of suppliers and purchase of goods, together with control of customer complaints and the measurement of customer satisfaction.

In short, all the activities normally carried out within a well ordered organisation. There is no rocket science involved.

Below is the ISO9001 model which is designed to turn customer enquiries into customer satisfaction:



The information gathered from the processes is fed to top management to allow for continual improvement. In this way the organisation is able to make decisions based on fact and so develop and evolve.

Posted: Monday, 24 March 2008


Encryption and ISO27001

What is encryption?


Encryption is a method of scrambling a message or other data so that it cannot be read by an unauthorised person. Sadly it has become too easy to intercept messages and use them for illegal purposes. Encryption protects that data.

A simple encryption might be to use the alphabet in reverse, so that each letter in the top row is written as the letter beneath it:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA

'Please reply to this message' becomes KOVZHV IVKOB GL NVHHZV
Unfortunately this code would be broken very easily. A slightly better system is the shift method, where the same table is used but each letter is shifted three places to the right.

'Please reply to this message' now becomes SOSWVS FSHLE DI DPOE KSEEWQS. This is better, but it relies on the person receiving the message knowing the key (which method and which shift were used), and it would still be broken in seconds by an experienced cracker.
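The two paper ciphers described above, written out as an added Python example (not code from the original post), so that the point about the key can be seen directly: the reversed alphabet, the three-place shift, and an exhaustive search that recovers the shift without being told the key at all. It assumes that "shifted to the right by 3 boxes" means a plain Caesar shift of the normal alphabet, and it uses a constructed letter-frequency score rather than a dictionary to recognise English.

```python
import string

ALPHABET = string.ascii_uppercase


def atbash(text: str) -> str:
    """Reversed-alphabet substitution (A<->Z, B<->Y, ...).

    The mapping is its own inverse, so the same function decrypts.
    Non-letters (spaces, punctuation) are passed through unchanged.
    """
    return "".join(
        ALPHABET[25 - ALPHABET.index(ch)] if ch in ALPHABET else ch
        for ch in text.upper()
    )


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places to the right, wrapping Z -> A.

    Decrypt with a negative shift. Assumption: the post's "shift by 3 boxes"
    is a plain Caesar shift of the unreversed alphabet.
    """
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in text.upper()
    )


# The nine most frequent letters of English text: a crude but adequate
# fitness score for telling the real decryption from the 25 wrong ones.
COMMON_LETTERS = set("ETAOINSHR")


def english_score(text: str) -> int:
    """Count how many characters are common English letters."""
    return sum(1 for ch in text if ch in COMMON_LETTERS)


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Recover the key by exhaustive search.

    Only 26 keys exist, so knowing the key is no protection: the attacker
    tries every key and keeps the candidate that looks most like English.
    """
    best_shift = max(range(26), key=lambda k: english_score(caesar(ciphertext, -k)))
    return best_shift, caesar(ciphertext, -best_shift)


def keyspace_comparison() -> tuple[int, int]:
    """Keys an exhaustive search must try: the shift cipher versus a modern
    128-bit symmetric key such as AES-128 (2**128 possibilities)."""
    return 26, 2 ** 128


if __name__ == "__main__":
    msg = "Please reply to this message"   # the post's sample message
    print("reversed:", atbash(msg))
    ct = caesar(msg, 3)
    print("shift 3 :", ct)
    shift, pt = break_caesar(ct)
    print(f"recovered shift {shift}: {pt}")
    small, large = keyspace_comparison()
    print(f"keys to try: {small} versus {large:.3e}")
```

Running the block enciphers the post's sample message both ways and then recovers the shifted version from its ciphertext alone. The last line is the real lesson: the shift cipher has 26 keys, so secrecy of the key buys nothing, whereas a modern symmetric cipher has a key space far too large to search, which is why the key (and not the method) is what must be kept secret.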

Modern computers rely on even more secure methods:

The first of these is the SYMMETRIC KEY, where the sender and the receiver both know the same key, which is used to decrypt the message. Anyone else will see a jumble of letters.
The second method is known as PUBLIC KEY; a typical system uses PGP (Pretty Good Privacy) and relies on a public key, which is available in the message, and a private key, which is known only to the sender and the receiver. Again anyone else will see gibberish.

The third method is known as DIGITAL CERTIFICATE where the certificate acts as a middleman, checking the identity of both the sender and the receiver; if both are genuine the certificate allows the message to be decrypted.

Additionally, financial transactions use a secure system known as SSL (Secure Sockets Layer). The user will notice that the usual http:// is replaced by https://, and a small padlock is normally shown by the browser to indicate that SSL is in use. Credit card transactions use this very secure method of encryption.

The Information Security Standard ISO27001 recommends the use of encryption to protect data.

Posted: Sunday, 9 March 2008


ISO27001 Information Security
Data security, or the lack of it, is in the news almost daily, and the news is pretty alarming. Report after report reveals the often casual way our data is cared for and the shortfalls that result.

Every cloud has a silver lining however; we have seen a huge increase in enquiries for consultancy in setting up ISO27001 systems. It seems that industry and commerce are taking data security very seriously, unlike the Revenue.

ISO27001 sets up a number of steps that protect data and other information from unauthorised access and release. It also ensures compliance with the Data Protection Act and ensures that companies are protected from litigation concerning data.

Surely it cannot be long before the Information Commissioner takes action or, failing that, litigation is brought against those who lose, or act in a cavalier manner with, data under their care.

Every organisation employing ISO27001 can claim that they have used best practice and have taken all reasonable steps to ensure that the elements of Data Security have been employed. This is a valid defence in a Court of Law (if it should go that far).

The main requirements are summed up as C.I.A.:

Confidentiality
  • To ensure that data is not compromised or released

Integrity
  • To ensure that data is protected from unauthorised alteration

Availability
  • To ensure that data is available when and where required


If we all carry this out then there is hope for us yet.

At the moment, I for one, am unwilling to trust my valuable data to any organisation not complying fully with ISO27001.

Posted: Monday, 25 February 2008


Social Engineering
Social engineering is the name given to attempts to gain secure information by gaining the trust of the person holding such information.

With Valentine's Day fast approaching, I recall methods used in the past to gain entry to some of London's most secure buildings.

Imagine the scene: a pretty girl with a teddy bear and a box of chocolates presents herself at reception. "It's a surprise for Jason Brown from his girlfriend, and the bear, chocolates and message have to be delivered in person." The receptionist says that security policies will not allow her in, but she pleads that this is an emergency and, trusting the girl just this once, the receptionist lets her in. Of course she isn't delivering a Valentine's gift; she has been sent to test the company's security.

Imagine the second scenario: the telephone rings and the person on the other end explains that he is one of the IT engineers testing the company intranet. He has foolishly gone to the data centre without taking his book of secure passwords, and if he is found out he will probably be sacked; can the person please help him out just this once and give him their login and password? The result can be scary.

The third scenario is even more worrying: at a railway station the offer is a free pen if the person will simply write their login and password on a slip of paper. Each person who does so will be entered into a draw with the chance to win a holiday, one million pounds, or some other prize. Sadly too many people take up this offer and compromise their security systems.

This year, with February 29 being the day when traditionally ladies can propose to their men, it will be entirely possible that many secure buildings will be penetrated by women claiming to want to propose, and it must be a surprise, mustn't it?

And finally, the smoking ban has had a very detrimental effect on security: the fire doors at the back of the building are left open to allow smokers to go out for a cigarette and get back in afterwards. The social engineer will simply mingle with the smokers and follow them in. Security breached.

Posted: Monday, 11 February 2008

