Integrated Management Systems Manual

May 27, 2016 | Author: UDEH Anthony | Category: Types, Instruction manuals



Integrated Management Systems Manual (PAS99), comprising the requirements of:
• Quality Management System ISO 9001:2008
• Environmental Management System ISO 14001:2004
• Health & Safety Management System OHSAS 18001:2007
• Information Security Management System ISO 27001:2005

Smart Metering Systems plc, 2nd Floor, 48 St Vincent Street, Glasgow G2 5TS

ISO 9001:2008 ISO 14001:2004 OHSAS 18001:2007 ISO 27001:2005 Issue 1 Effective from the date of certification


Copy Holder: Management Systems Representative
Copy Number: 1

The Quality input comprises the standard requirements of ISO 9001:2008 and covers the functions performed by operating areas to achieve product and service realisation through process control.

The Environmental input comprises the standard requirements of ISO 14001:2004, to demonstrate a positive view of environmental issues and of the impact on the environment of controlled processes.

The Health & Safety Management input meets the requirements of the OHSAS 18001:2007 series to enhance, control and manage all Health & Safety requirements.

The Information Security reference acknowledges the requirements of ISO 27001:2005, Information technology - Security techniques - Information security management systems.

The service scope definition is:
• The provision of Gas Metering Infrastructure Services to the Industrial & Commercial sector
• The provision of Meter Asset Management Services to Domestic and Industrial & Commercial Gas Suppliers


Distribution

The Integrated Management Systems Manual is distributed as follows:
• Copy Number 1 - Smart Metering Systems plc
• Copy Number 2 - QAS International (uncontrolled)

This document is approved for use by Andy Ritchie on behalf of Smart Metering Systems plc.

Position: Head of Business Risk and Compliance
Date: 1st June 2012


Title                          Page
Company Profile                5-6
Management System Policies     7-11
Organisation Chart             12
Amendments                     13-14
Systems Requirements           16-29
Procedures                     30-134


Smart Metering Systems plc (SMS) Company Profile

The business of SMS plc is Meter Asset Management (MAM) and to provide, install and maintain Domestic, Commercial and Industrial Metering and Automatic Meter Reading (AMR) technology across the UK to gas consumers. SMS plc is made up of three organisations:
• UK Gas Connection
• UK Meter Assets
• UK Data Management

Where this document refers to SMS plc, the term shall apply equally to the three organisations within the group.

The MAM Code of Practice (MAMcop) is the industry scheme which manages the accreditation of Meter Asset Managers. UKEM have been accredited by Lloyds Register since July 2004 and are regularly audited to ensure compliance with regulations.

SMS plc is proud to announce that it currently has over 150,000 gas meters and Automatic Meter Reading (AMR) units installed throughout the UK. Our services include:
• Management of Siteworks projects for gas suppliers and consumers
• Third Party Meter Management for gas suppliers
• Own portfolio meter management for asset owners
• Pre-pay meter solutions for domestic gas suppliers and independent gas transporters
• Smart metering services

We manage the installation through an automated management system using contracted OAMIs, providing SMS plc with UK-wide coverage. Assets are sourced from contracted UK meter providers. The meters provided are badged accordingly.

SMS plc is based in Glasgow, Scotland. The business of SMS plc is to offer a complete outsourcing service of Gas Siteworks and Metering-based Project Management Business Processes to the gas suppliers, utilising bespoke e-commerce software solutions. SMS plc has over twelve years' experience of getting your gas, electricity or water connection and meter installed on time, every time. We already manage the entire gas connection requirement for Shell, Gas Direct, Gaz De France and BP. We also manage portfolios of utility connection requests for the Metropolitan Police and the Lidl Group.

As a demonstration of its commitment to a better environment, SMS plc has introduced the Environmental Management System ISO 14001:2004.


Site Evaluation

SMS plc has its offices in the centre of Glasgow. The area mainly comprises high-rise office and retail units, much of the architecture dating back several hundred years with old colonial-type designs. Situated on the 5th and 6th floors of an office block on St Vincent Street, the offices offer a wonderful view of the busy streets below and into the far distance. There are no residential areas in close proximity, though several hotels are within easy walking distance. The offices are open plan with a board room at one end. There are also separate offices for executive personnel and financial management. For staff there is a small rest room and kitchen. Lighting is provided by fluorescent bulbs, while heating is provided by gas boiler central heating. The water supply is direct from the mains and waste water is discharged into the city sewer and drain system.


Quality Policy

SMS plc recognises that the disciplines of quality, health and safety and environmental management are an integral part of its management function. SMS plc views these as primary responsibilities and as the key to good business in adopting appropriate quality standards. The SMS plc Quality Policy calls for continuous improvement in its quality management activities, and business will be conducted according to the following principles. We will:
• Comply with all applicable statutory laws and statutory regulations.
• Follow a concept of continuous improvement and make best use of our management resources in all quality matters.
• Communicate our quality objectives and our performance against these objectives throughout SMS plc and to interested parties.
• Take due care to ensure that activities are safe for employees, associates, subcontractors and others who come into contact with our work.
• Work closely with our customers and suppliers to establish the highest quality standards, establishing, implementing and controlling procedures for corrective and preventive action to ensure that customer requirements are met at all times under controlled environments and that product realisation procedures are adhered to, protecting the integrity and reputation of the business.
• Adopt a forward-looking view on future business decisions which may have quality impacts.
• Train our staff in the needs and responsibilities of quality management, keeping training records, and through continuous measuring, monitoring and analysis ensure that the training needs of all staff are identified and met.

Signed: -

Date: 1st July 2012


Quality Management System Targets & Objectives
• To achieve consistently high standards.
• To have a competent, motivated and rewarded workforce.
• To provide training for the development of all members of staff.
• To provide a competent and professional approach to all sizes and types of projects.
• To be a profitable company, yet customer driven.
• To complete projects on time and within budget.
• To provide a safe but enjoyable working environment throughout our processes.

The above objectives and targets will be monitored on a regular basis and reviewed during our Internal Audit programme and at the Management Review Meeting.


Environmental Policy

SMS plc commits itself to and endorses the need to protect the environment. SMS plc also acknowledges and accepts its responsibility to conduct its business in compliance with applicable environmental laws and regulations. To accomplish the foregoing, Top Management has the responsibility to:
• Establish an internal review procedure to identify the environmental impacts of all functions within the organisation and to assess levels of compliance with applicable laws and regulations pertaining to the environment.
• Develop a programme aimed at safeguarding the quality of the environment and achieving compliance.
• Establish and maintain appropriate training programmes designed to make every employee competent to carry out his or her responsibilities with respect to this policy.
• Report annually on regulatory compliance, issues and improvements.

Environmental Statement

SMS plc has a vital interest in ensuring a clean, healthy environment. SMS plc also relies on a healthy environment so that you, the customer, can enjoy the standard of living and healthy lifestyle that means so much to us today. As technology advances and regulations change, SMS plc will continue to improve systems, reduce waste and efficiently utilise resources to meet the environmental challenges of the next century. SMS plc will make its environmental programme and its environmental control activities available to interested parties.

Signed :-

Date: 1st July 2012


Health & Safety Management Policy

SMS plc recognises that the disciplines of health and safety are an integral part of its management function. The organisation views these as a primary responsibility and as the key to good business in adopting appropriate Health & Safety standards. The organisation's Health & Safety Policy calls for continuous improvement in its Health & Safety management activities, and business will be conducted according to the following principles. We will:
• Comply with all applicable laws and regulations.
• Follow a concept of continuous improvement and make best use of our management resources in all matters of Health & Safety.
• Communicate our objectives and our performance against these objectives throughout the organisation and to interested parties.
• Take due care to ensure that activities are safe for employees, associates, subcontractors and others who come into contact with our work, including the general public.
• Work closely with our customers and suppliers to establish the highest Health & Safety standards.
• Adopt a forward-looking view on future business decisions that may have Health & Safety consequences.
• Train our staff in the needs and responsibilities of Health & Safety management.
• Support all those who refuse to undertake work on the grounds of Health and Safety.

Signed: -

Date: - 1st July 2012


Information Security Policy

SMS plc recognises that the disciplines of confidentiality, integrity and availability are an integral part of its management function. SMS plc views these as primary responsibilities and as the key to good business in adopting appropriate Information Security controls along the lines laid down by ISO 27001:2005. The SMS plc Information Security Policy calls for continuous improvement in its activities, and business will be conducted according to the following principles. We will:
• Comply with all applicable statutory laws and statutory regulations.
• Follow a concept of continuous improvement and make best use of our management resources in all quality matters.
• Communicate our Information Security objectives and our performance against these objectives throughout SMS plc and to interested parties.
• Take due care to ensure that activities are safe for employees, associates, subcontractors and others who come into contact with our work.
• Work closely with our customers and suppliers to establish the highest quality standards, establishing, implementing and controlling procedures for corrective and preventive action to ensure that customer requirements are met at all times under controlled environments and that product realisation procedures are adhered to, protecting the integrity and reputation of the business.
• Adopt a forward-looking view on future business decisions which may have quality impacts.
• Train our staff in the needs and responsibilities of Information Security, keeping training records, and through continuous measuring, monitoring and analysis ensure that the training needs of all staff are identified and met.

Signed: -

Date: - 1st July 2012


Table of Amendment – Quality

Document Number | Page Number | Issue | Date | Description of Change | Authorisation

Amendments

All copies of this Integrated Manual must be kept under strict control to prevent the system from becoming unreliable. The following procedures will ensure that the system remains current and valid:
• All copies of the manual will be clearly numbered and the holder recorded.
• Each page in the manual will carry its own number.
• The Management Systems Representative will be responsible for ensuring that all revisions and additions are recorded.
• Changes can be suggested by any employee but must receive signed approval before being entered into the manual.
• All changes must be recorded on the Amendments List.


Integrated Management System Requirements

Part 1: General Requirements for ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007 & ISO 27001:2005

4.1 General

The ethos of the management of SMS plc is to show commitment to maintaining an effective Integrated Management System. This manual has been prepared to satisfy the requirements of ISO 9001:2008, ISO 14001, OHSAS 18001 and ISO 27001:2005 for SMS plc for the activities carried out at the site. The effective implementation of the Management System will be verified by regular inspections, reviews and audits which will compare management practice against the requirements of the written procedures and the Management System standards. Corrective action will be taken where necessary and will subsequently be reviewed for effectiveness.

4.2 Documentation (4.2 9001) (4.4.4 14001 & 18001) (4.3.1 & 4.3.3 27001)

SMS plc has written into its systems manual a Quality Policy, Environmental Policy and Health & Safety Management Policy, together with procedures appropriate to its size, type and complexity, and the manual is available to all employees. SMS plc has prepared and maintains a controlled Integrated Systems Manual that defines the scope of its activities, justifies any exclusions, is supported by referenced documented procedures and describes how the procedures operate. Records are maintained. A documented procedure ensures that all relevant documentation is controlled and adequate and is reviewed, updated and approved as necessary. The status of documents is identified; they are legible and retrievable and located where required within SMS plc. Relevant documents from outside SMS plc are identified and their distribution controlled. Obsolete documents are clearly identified to prevent unintended use. Records will be legible, identifiable and retrievable. Procedures are in place for the identification, storage, retrieval, protection, retention time and disposition of Integrated Management System records.

4.2.1 Planning for hazard identification, risk assessment & risk controls (18001 & 27001)

The organisation has established and maintains procedures for the ongoing identification of hazards, the assessment of risks, and the implementation of necessary control measures. These include:
• Routine and non-routine activities.
• Activities of all personnel having access to the workplace (including subcontractors and visitors).
• Facilities at the workplace, whether provided by the organisation or others.
• Consideration of human behaviour, capabilities and other human factors.
• Identification of hazards originating outside the workplace capable of adversely affecting the health and safety of persons under the control of the organisation within the workplace.
• The control of hazards created in the vicinity of the workplace by work-related activities that are controlled by the organisation. These may be assessed as an environmental aspect.
• Control of infrastructure, equipment and materials at the workplace, whether provided by the organisation or others.

• The management of change or proposed change in the organisational structure, activities or materials.
• That processes exist to manage any modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes and activities.
• That processes exist to manage any applicable legal obligations relating to risk assessment and implementation of necessary controls.

The design of work areas, processes, installations, machinery/equipment, operating procedures and work organisation, including their adaptation to human capabilities, is controlled by the organisation's procedures. The organisation ensures that the results of these risk assessments and the effects of these controls are considered when setting its OH&S objectives. The organisation has documented this information and keeps it up to date. The organisation's methodology for hazard identification and risk assessment:
• Is defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive.
• Provides for the classification of risks and identification of those that are to be eliminated or controlled.
• Is consistent with operating experience and the capabilities of the risk control measures employed.
• Provides input into the determination of facility requirements, identification of training needs and/or development of operational controls.
• Provides for the monitoring of required actions to ensure both the effectiveness and timeliness of their implementation.

For the management of change, the organisation identifies the OH&S hazards and OH&S risks associated with changes in the organisation, the OH&S management system or its activities, prior to the introduction of such changes. The organisation ensures that the results of these assessments are considered when determining the controls to be used. When determining controls, or considering changes to existing controls, consideration is given to reducing the risks according to the following hierarchy:
• Elimination
• Substitution
• Engineering controls
• Signage/warnings and/or administrative controls

To be taken into account for Risk Assessment/Risk Evaluation for Information Security

Define the risk assessment approach of UK Metering Group Ltd, identifying a risk assessment methodology that is suited to the Information Security Management System and to the identified business information security, legal and regulatory requirements. Criteria for accepting risks should be developed and the acceptable levels of risk identified. Risk assessments should produce comparable and reproducible results. Assessments should:
• Identify the assets within the scope of the Information Security Management System and the owners of these assets.
• Identify the threats to those assets.
• Identify the vulnerabilities that might be exploited by the threats.
• Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

Risks should also be evaluated and analysed:
• To assess the business impacts upon the organisation that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
• To assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets and the controls currently implemented.
• To estimate the levels of risk.
• To determine whether the risks are acceptable or require treatment, using the criteria for accepting risks.

Options for the treatment of risks could include:
• Applying appropriate controls.
• Knowingly and objectively accepting risks, as long as they clearly satisfy the organisation's policies and criteria for acceptance of such risks.
• Transferring the associated business risks to other parties, for example insurers or suppliers.

Control objectives and controls should be selected and implemented to meet the requirements identified by the risk assessment and the risk treatment process, taking into account the criteria for accepting risks as well as legal, regulatory and contractual requirements. A Statement of Applicability should be prepared that provides a summary of the decisions concerning risk treatment. Senior management approval should be obtained for the proposed residual risks.
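The assess, evaluate, treat and Statement of Applicability sequence above, worked through as an added illustration that is not SMS plc's own procedure: the assets, threats, 1-5 scores and the acceptance threshold ACCEPTABLE_RISK are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed acceptance criterion: impact and likelihood are scored 1-5 and a risk
# level (impact x likelihood) below this value is acceptable without treatment.
ACCEPTABLE_RISK = 8


@dataclass
class Asset:
    name: str
    owner: str
    impact: Dict[str, int]        # impact of losing C, I or A, scored 1-5


@dataclass
class Scenario:
    asset: Asset
    threat: str
    vulnerability: str
    affects: Tuple[str, ...]       # CIA properties the scenario compromises
    likelihood: int                # 1-5, realistic likelihood given current controls
    control: Optional[str] = None  # candidate control, if one is available
    treated_likelihood: Optional[int] = None  # likelihood expected once applied
    transfer_to: Optional[str] = None         # party the risk could be transferred to


def impact_of(s: Scenario) -> int:
    """Impact is the worst consequence across the CIA properties affected."""
    return max(s.asset.impact[p] for p in s.affects)


def risk_level(s: Scenario) -> int:
    """Estimated risk level before treatment."""
    return impact_of(s) * s.likelihood


def treat(s: Scenario) -> dict:
    """Choose a treatment option and compute the residual risk it leaves."""
    level = risk_level(s)
    if level < ACCEPTABLE_RISK:
        return {"option": "accept", "control": None, "residual": level,
                "needs_approval": False}
    if s.control is not None:
        residual = impact_of(s) * s.treated_likelihood
        # A control that still leaves the risk above the criterion needs sign-off.
        return {"option": "apply control", "control": s.control, "residual": residual,
                "needs_approval": residual >= ACCEPTABLE_RISK}
    if s.transfer_to is not None:
        return {"option": "transfer to " + s.transfer_to, "control": None,
                "residual": level, "needs_approval": True}
    # Knowingly accepting a risk above the criterion always needs senior approval.
    return {"option": "accept (exception)", "control": None, "residual": level,
            "needs_approval": True}


def statement_of_applicability(scenarios: List[Scenario]) -> List[dict]:
    """One row per scenario summarising the risk treatment decision."""
    rows = []
    for s in scenarios:
        row = {"asset": s.asset.name, "owner": s.asset.owner, "threat": s.threat,
               "vulnerability": s.vulnerability, "risk": risk_level(s)}
        row.update(treat(s))
        rows.append(row)
    return rows


def residual_risks_for_approval(rows: List[dict]) -> List[str]:
    """Assets whose residual risk must go to senior management for approval."""
    return [r["asset"] for r in rows if r["needs_approval"]]


# Constructed sample register (not SMS plc data).
DB = Asset("Meter reading database", "UK Data Management", {"C": 4, "I": 5, "A": 3})
LINK = Asset("AMR communications link", "UK Meter Assets", {"C": 2, "I": 4, "A": 4})
LEAFLET = Asset("Published tariff leaflet", "UK Gas Connection", {"C": 1, "I": 2, "A": 1})

SCENARIOS = [
    Scenario(DB, "unauthorised disclosure of customer data", "shared administrator accounts",
             ("C",), likelihood=3,
             control="individual accounts with quarterly access review", treated_likelihood=1),
    Scenario(DB, "ransomware on the database server", "backup restore never tested",
             ("I", "A"), likelihood=3,
             control="offline backups with monthly restore test", treated_likelihood=2),
    Scenario(LINK, "loss of meter communications", "single mobile network carrier",
             ("A",), likelihood=2, transfer_to="network provider under SLA"),
    Scenario(LEAFLET, "tampering with published figures", "no integrity check on uploads",
             ("I",), likelihood=3),
]

if __name__ == "__main__":
    for r in statement_of_applicability(SCENARIOS):
        print(f"{r['asset']:<25} risk={r['risk']:>2} -> {r['option']} "
              f"(residual {r['residual']}, approval "
              f"{'required' if r['needs_approval'] else 'not required'})")
```

The second scenario shows why the manual asks for approval of residual risks: the control reduces the risk but leaves it at or above the criterion, so it still goes to senior management.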
4.2.3 Monitor and Review the Information Security Management System (27001 only)

UK Metering Group Ltd will carry out monitoring and reviewing procedures and necessary controls to:
• Promptly detect errors in the results of processing.
• Promptly identify attempted and successful security breaches and incidents.
• Enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected.
• Help detect security events and thereby prevent security incidents by the use of indicators.
• Determine whether the actions taken to resolve a breach of security were effective.
• Measure the effectiveness of controls to verify that security requirements have been met.
• Review risk assessments at planned intervals, and review the residual risks and the identified acceptable levels of risk, taking into account changes to UK Metering Group Ltd, changes in technology, changes to business objectives and processes, changes to identified threats, changes to controls, and changes to the legal or regulatory environment, contractual obligations and social climate.


4.3.3 Legal & Other Requirements (14001 & 18001)

SMS plc has established and maintains a procedure to identify legal requirements and maintains records of those legal requirements.

4.5.2 Evaluation of Compliance (14001 & 18001 only)

Consistent with its commitment to compliance, SMS plc shall establish, implement and maintain a procedure (or procedures) for periodically evaluating compliance with applicable legal requirements. The organisation shall keep records of the results of the periodic evaluations. The organisation shall evaluate compliance with other requirements to which it subscribes; it may combine this evaluation with the evaluation of legal compliance or establish a separate procedure. The organisation shall keep records of the results of the periodic evaluations.

4.5.3.1 Incident Investigation (18001 only)

The organisation has established and maintains procedures for:
• Determining underlying OH&S deficiencies and other factors that might be causing or contributing to the occurrence of incidents.
• Identifying the need for corrective action.
• Identifying opportunities for preventive action.
• Identifying opportunities for continual improvement.
• Communicating the results of such investigations.
• Ensuring that investigations are performed in a timely manner.

The organisation has implemented, and records, any changes in the documented procedures resulting from corrective and preventive action.

4.4.6 Operational Control (18001 only)

The organisation has identified those operations and activities that are associated with identified hazards where control measures are needed to manage the OH&S risks. The organisation has planned these activities, including maintenance, in order to ensure that they are carried out under specified conditions by:
a) Having operational controls that are applicable to the organisation and its activities, with these controls integrated into the overall OH&S management system.
b) Establishing and maintaining controls related to the identified OH&S risks of goods, equipment and services purchased and/or used by the organisation, and communicating relevant controls and requirements to suppliers and contractors.
c) Establishing and maintaining documented procedures to cover situations where their absence could lead to deviations from the OH&S policy and objectives.
d) Stipulating operating criteria where their absence could lead to deviations from the OH&S policy and objectives.
e) Establishing and maintaining procedures for the design of the workplace, processes, installations, machinery, operating procedures and work organisation, including their adaptation to human capabilities, in order to eliminate or reduce OH&S risks at their source.

4.4.7 Emergency Preparedness and Response (14001 & 18001 only)

SMS plc has established and maintains procedures to identify the potential for, and the response to, accidents and emergency situations, and for preventing and mitigating the environmental impacts that may be associated with them.


SMS plc reviews and revises, where necessary, its emergency preparedness and response procedures.

5. Management Responsibility

5.1 Commitment (9001 14001 18001 27001)

Top management of SMS plc ensure that all employees are aware of the need to meet customer and regulatory requirements and that the necessary resources are available. The currency of the Quality, Environmental and Health & Safety policies and objectives is maintained by regular management reviews.

5.2 Customer Focus (9001)

Customer needs and expectations are determined and fulfilled to meet customer satisfaction. Due consideration is given to product, service, regulatory and legal requirements.

5.3 Policy (9001) (4.2 14001 & 18001)

SMS plc has established, through its Quality Policy, the need to meet requirements and continually improve its products and services. Quality objectives are reviewed for continuing suitability and communicated as appropriate throughout SMS plc. Through its Environmental Policy it is committed to doing its very best to protect the environment through training, assessment of its activities, and measuring and monitoring of targets and objectives. Through its Health & Safety Policy it commits to ensure best Health & Safety practice through risk assessment, training, and measuring and monitoring of all Health & Safety issues at regular intervals. The H&S Policy should be/include:
a) Appropriate to the nature and scale of our OH&S risks.
b) A commitment to prevention of injury and ill health and to continual improvement in OH&S management and OH&S performance.
c) The framework for setting and reviewing OH&S objectives.
d) A commitment to continual improvement.
e) A commitment to at least comply with current applicable OH&S legislation and with other requirements to which the organisation subscribes.
f) Documented, implemented and maintained.
g) Communicated to all persons working under the control of the organisation with the intent that they are made aware of their individual OH&S obligations.
h) Available to interested parties.
i) Reviewed periodically to ensure that it remains relevant and appropriate to the organisation.

5.4 Planning (9001) (4.3 14001 & 18001)

Objectives & Targets

SMS plc has established that all relevant functions and levels within SMS plc have clear, measurable Quality, Environmental and Health & Safety objectives that are consistent with the policies and product requirements. Adequate resources are available and output is planned in a controlled manner, as required by the Management System, being mindful of the process and the need for continual improvement. SMS plc has established and maintains environmental objectives, targets and programmes. The following are considered in establishing and reviewing these:
• Designation of responsibility for achieving objectives and targets at relevant functions and levels of the organisation.
• The means and time-frame by which they can be achieved.

When establishing and reviewing its objectives, the organisation considers its legal and other requirements, its OH&S hazards and risks, its technological options, its financial, operational and business requirements, and the views of interested parties. The objectives are consistent with the OH&S policy, including the commitment to continual improvement.

Environmental Aspects (4.3.1 14001 only)

SMS plc has established and maintains procedures for identifying the environmental aspects of our activities and products in order to determine those which have or can have significant impacts on the environment. The procedure to identify the significant environmental impacts includes normal operating conditions, shut-down and start-up conditions, and potential emergency situations. The procedure to identify the significant environmental impacts considers, where relevant:
• emissions to air
• releases to water
• waste management
• contamination of land
• impact on communities
• use of raw materials and natural resources
• other local environmental issues.

SMS plc maintains records of all environmental impacts and considers significant impacts in setting its environmental objectives.

5.5 Responsibility, Authority and Communication (4.4.1 14001 & 18001)

Elements of the Integrated Management System have been defined and communicated wherever quality, environmental or Health & Safety matters are affected. Representatives from within SMS plc have been appointed who have the authority and responsibility to ensure that the Management System is established and maintained and that reports on the performance of the system and any needs for improvement are made available to the respective representative. The significance of meeting customer requirements is understood. Employees will consider protecting the environment when taking decisions such as determining service and maintenance schedules, selecting parts and consumables, and disposing of waste. Managers will ensure that the environmental requirements are observed in order to minimise adverse environmental effects. All employees are responsible for ensuring that Quality, Environmental and Health & Safety issues arising from their own activities are managed according to legal requirements, the SMS plc environmental policy and procedures, and good management practice. The roles, responsibilities and authorities of personnel who manage, perform and verify activities having an effect on the OH&S risks of the organisation's activities, facilities and processes are defined, documented and communicated in order to facilitate OH&S management. Accountabilities and authorities are documented and communicated.

Communication

SMS plc has established and maintains procedures relating to internal and external communication regarding its environmental aspects and environmental management system. It responds to and documents all communications and will decide its level of communication to third parties on environmental issues.

7

5.6 Management Review (4.6 14001 & 18001) (7.1 27001)

The complete Management System is reviewed at planned intervals to ensure its continuing suitability, adequacy and effectiveness and to evaluate the need for change. The review includes the evaluation of current performance and improvement opportunities related to audits, customer feedback, process and product performance, follow-up from previous meetings, and any changes that could affect product or service quality. The review addresses the need for changes to policy, objectives and other elements of environmental issues in the light of the audit results, changing circumstances and the commitment to continual improvement. The management review has addressed the possible need for changes to policy, objectives and other elements of the OHSAS in the light of audit results, changing circumstances and the commitment to continual improvement. All results of management review activity are recorded.

6. Resource Management

Provision of Resources (4.4.1 14001 & 18001)

SMS plc has ensured that the necessary resources needed to implement and improve the Integrated Management System are available.

Human Resources (6.2 9001) (4.4.1 14001 & 18001) (5.2 27001)

Where personnel are assigned responsibilities affecting product conformity, Environmental and Health & Safety issues, SMS plc has ensured that they are competent on the basis of applicable education, training, skills and experience. SMS plc has identified the training needs for Quality, Environmental and Health & Safety related activities and provides training to satisfy these needs. Performance is evaluated and appropriate training records are maintained.

6.3 Facilities

Suitably equipped workplaces with appropriate hardware and software and supporting services are provided.
6.4 Work Environment

All aspects of the human and physical factors of the working environment that affect conformity of product or service, environmental and health & safety issues have been identified and are managed.

7. Product Realisation

7.1 Planning of realisation process

The production process for SMS plc products and services is planned and documented as defined in the Management System. Quality objectives, resources, processes and documentation needs are defined, together with acceptance criteria for verification and validation. Records appropriate to the level of confidence required for the process and the product or service are maintained.

7.2 Customer related processes (4.3.3 14001 & 18001)

Communication

The needs of the customer in respect of availability, delivery and support are considered against the product’s intended use, and regulatory and legal requirements are determined and implemented. SMS plc reviews its customers’ requirements and determines any additional requirements for each contract or order. Where no customer requirements are documented, details are confirmed before acceptance. Any changes to contracts or quotations are resolved before proceeding and the company’s ability to meet the defined requirements is confirmed. The customer is kept informed of product information, enquiries, order changes or amendments and progress on customer complaints.

SMS plc has established and maintains procedures for internal and external communication regarding its environmental aspects and environmental management system. It responds to and documents all communications and will decide its level of communication to third parties on environmental issues.

7.3 Design and development

There may be occasions when a customer requires a specific design. The Organisation shall plan and control the design and development of product. The Organisation shall determine the design and development stages, review and validate as appropriate each design and development stage, and determine responsibilities and authorities for the design and development.

7.4 Purchasing

SMS plc controls its purchasing function to ensure that the purchased product conforms to requirements. Suppliers are selected against defined criteria and are subject to planned review and evaluation. The results of evaluations and follow-up actions are recorded. Purchasing documents are reviewed before release for the adequacy of information on product, procedures, processes, equipment and personnel.
SMS plc verifies its purchased products and, where verification takes place at the supplier’s premises, details of the arrangements and the method of release are specified.

7.5 Production and Service operations

Production and services are controlled through product specifications and work instructions. Suitable equipment is used and properly maintained, with the use of specified measuring and monitoring equipment and activities. Product release, delivery and post-delivery processes are defined. Where verification of product or service cannot be ensured during the process by measuring and monitoring, control is exercised by qualification of the process, equipment and personnel through defined methods, procedures and records, and re-validation if required. Where appropriate, SMS plc identifies the product throughout the production and service activities and identifies its status with respect to measuring and monitoring activity throughout product realisation. Where traceability is required, the unique identification of the product is controlled and recorded. Where customer property for inclusion in the product comes within SMS plc control, it is identified, verified, maintained and protected, with details of any adverse condition reported to the customer. SMS plc preserves the conformity of the product or service from receipt of order to delivery.

7.6 Control of measuring and monitoring equipment

Measuring and monitoring equipment and software are identified throughout SMS plc where quality is affected, and the equipment used is controlled to appropriate standards for consistency. The equipment is protected against random adjustments, damage and deterioration, and the results of calibrations are recorded.

8. Measurement, analysis and improvement

8.1 Planning (9001)

The requirement for defining methods and equipment for measuring and monitoring products and processes, and the method of use, has been determined.

8.2 Measurement and Monitoring (4.5.1 14001 & 18001) (6 27001)

Clear methods have been established to audit customer satisfaction and any failures to meet SMS plc standards. Suitably trained and impartial personnel conduct periodic independent internal audits on a planned basis. All aspects of internal audits are recorded and reviewed and timely corrective action taken where necessary. Processes affecting customer requirements are periodically reviewed to ensure that the intended purpose is being met. Measuring and monitoring of the product throughout the process is designed to ensure the finished item meets specification, and authorised personnel control its release.

8.3 Control of nonconformity (4.5.3 14001) (4.5.3.2 18001) (8.3 27001)

Documented procedures are in place to identify and isolate non-conforming products, and before repaired product is returned to the process it is re-checked. In the event of non-conforming product reaching the customer, appropriate corrective action is taken. For Environmental issues, actions taken should be appropriate to the magnitude of the problems and the environmental impacts encountered. For Health & Safety issues, where the corrective or preventive action(s) identifies new or changed hazards or the need for new or changed controls, the procedure requires that a risk assessment be carried out prior to implementation.
8.4 Analysis of data

Data referring to product quality problems is collected and analysed, and where changes to the Management System offer improvements these changes are introduced. Areas for attention when considering Quality are customer complaints, meeting the customer’s needs, product characteristics and supplier performance.

8.5 Improvements (9001) (8.1 27001)

The Management System is managed in a manner that offers continual improvement, having regard to statements in its Quality Policy, Environmental Policy and Health & Safety Management Policy, objectives, audit results, data analysis, corrective and preventative action and management review. Appropriate action is taken to rectify faults and prevent their recurrence, and the procedure is documented. Requirements for identifying faults and determining their cause are defined, with appropriate corrective action recorded and results reviewed for effectiveness.

SMS plc identifies preventative actions to prevent the recurrence of non-conformities and the results of such actions are recorded and reviewed for effectiveness.

HIERARCHY OF HEALTH & SAFETY MANAGEMENT

The organisation’s management appointee has defined roles, responsibilities and authority for:
a) Ensuring that OH&S management system requirements are established, implemented and maintained in accordance with this OHSAS specification;
b) Ensuring that reports on the performance of the OH&S management system are presented to top management for review and as a basis for improvement of the OH&S management system.

All those with management responsibility can demonstrate their commitment to the continual improvement of OH&S performance.

Responsibilities of the Managing Director

The Top Management of the company is ultimately responsible for everyone's health, safety and welfare at work (including the public) and responsible for ensuring that:
• Adequate and effective planning, organisation, control and monitoring for safety are implemented in accordance with relevant legislation.
• Sufficient financial and labour resources and time are available to meet statutory requirements.
• Employees are fully aware of this policy and their duties in relation to health and safety.
• All reported health and safety issues are reviewed and remedial action applied when necessary.
• Everyone working for the company receives adequate instruction, information, training and supervision to achieve the requirements of this policy.
• Equipment used by the company is suitable for the job and regularly inspected and maintained.
• Contractors are competent and have adequate health and safety arrangements.
• Risk assessments are undertaken to assist in the implementation of safe systems of work.
• Employees are consulted and their views considered prior to implementing changes that may affect their health and safety.
Responsibilities of the Safety Co-ordinator

The Safety Co-ordinator of the company shares responsibility for ensuring there are effective arrangements, planning, organisation, control and monitoring for safety within the company and that preventative measures are maintained and legal requirements met. His/her specific responsibilities as Safety Co-ordinator include:
• Supporting the Top Management in his/her general duty to ensure the health, safety and welfare of employees and others.
• Acting on reports from employees and others on matters of health and safety and reporting back to the Top Management.
• Ensuring that health and safety is taken fully into account in all dealings with the company and using the competent advice available.
• Implementing the arrangements set out in this policy and monitoring the safety performance across the company.
• Ensuring that employees and self-employed subcontractors are aware of their health and safety responsibilities and comply with the requirements of the policy.

Responsibilities of the Competent Person

The Competent Person is responsible for the implementation of the OH&S policy and has been clearly allocated responsibility. This is a mandatory legal requirement with few exceptions. Competent Person(s) have been given authority and resources, including time, to carry out their responsibilities. Accountability rests with the Competent Person to discharge his/her responsibilities. Reporting relationships are clear and unambiguous. Where personal appraisal systems are in place for the Competent Person, performance of the OH&S management system is included in the appraisal system.

Specific responsibilities:
• Identifying employee training needs in respect of health and safety, arranging health and safety training and keeping suitable records.
• Ensuring new employees receive suitable and adequate induction training.
• Ensuring suitable health and safety information is provided to employees.
• Ensuring that risk assessments are undertaken in the premises concerned.
• Ensuring that equipment procured by the company is suitable for the intended task, complies with statutory safety standards, is CE marked and is accompanied by statutory documentation and manuals.
• Ensuring that contractors are competent and have adequate health & safety arrangements.
• Ensuring there is adequate first aid provision in the company.
• Ensuring all accidents are entered in the accident book.
• Ensuring that fire precautions are inspected and maintained and records retained.
• Ensuring materials are stored safely and all areas are safe and tidy.

Responsibilities of employees and self-employed subcontractors

All employees and subcontractors have a duty to ensure they abide by the Health & Safety regulations of the country in which they are working. Any employee responsibilities detailed in the policy are also applicable to self-employed subcontractors.
All employees and self-employed subcontract employees will therefore:
• Comply with the company safety policy, site health and safety plan, risk assessments and method statements, and office rules.
• Co-operate with both employer and managers and follow instructions.
• Use the appropriate equipment for the job and not misuse it.
• Keep equipment in good condition and report defects.
• Report any accident, dangerous occurrence, ill health or condition to the Safety Co-ordinator or the appointed responsible person.
• Take all reasonable steps to ensure the safety of themselves and others.
• Raise any Health & Safety concerns with the Safety Co-ordinator or the appointed responsible person.
• Avoid improvised arrangements and suggest safe ways of reducing risks.
• Observe all warning notices and follow instructions.
• Not interfere with or misuse anything provided for them in the interests of health, safety and welfare.
• Report defective equipment to the Safety Co-ordinator or the appointed responsible person and not use it until it is repaired.
• Inform the Top Management if they suffer from any allergy or health problem, or are receiving medication, likely to affect their ability to do normal tasks.

Any breach of these requirements is treated as a breach of contract and appropriate disciplinary action will be taken. The taking of any reasonable action to safeguard the Health, Safety and welfare of themselves and others will not result in any form of disciplinary action.


Procedures Manual

Copy Holders: SMS plc; QAS International (uncontrolled)

Registered Holder Signature ____________________________________ Date_______________________


Quality Document Register

Document Number  Description
QMF 01  Management Review Agenda
QMF 02  Training Record
QMF 03  Training Plan
QMF 04  Internal Audit Programme
QMF 05  Internal Audit Report
QMF 06  Customer Complaint Form
QMF 07  Complaints Register
QMF 08
QMF 09
QMF 10
QMF 11
QMF 12
QMF 13
QMF 14
QMF 15
QMF 16
QMF 17
QMF 18
QMF 19
QMF 20
QMF 21
QMF 22
QMF 23
QMF 24


Environmental Document Register

EN 01  Management Review (Ref: QMF 01 QMS 9001:2008)
EN 02  Training Records (Ref: QMF 02 QMS 9001:2008)
EN 03  Training Plan (Ref: QMF 03 QMS 9001:2008)
EN 04  Audit Program
EN 05  Audit Report
EN 06  Residential Complaints Form
EN 07  Residential Complaints Register
EN 09  Aspects and Impacts Report
EN 10  Objectives and Targets Record
EN 11  Fire Evacuation Procedures
EN 12  Emergency Preparedness Procedures
EN 13  Non-Conformance/Near Miss Report


Health & Safety Document Register

SMF 01  Management Review
SMF 02  Training Plan
SMF 03  Training Record
SMF 04  Induction Form
SMF 05  Competent Persons List
SMF 06  Internal Audit Plan
SMF 07  Internal Audit Report
SMF 08  Risk Assessment
SMF 09  Emergency Response Procedures
SMF 10  COSHH Register
SMF 11  First Aid Assessment Chart
SMF 12  Display Screen Equipment Checklist
SMF 13  Accident Investigation Form


PRM 01 DOCUMENT CONTROL AND RECORDS

1.0 Introduction

To demonstrate that the SMS plc stated quality objectives have been satisfied, a detailed system of control for quality related documentation and records needs to be maintained. This applies equally to Environmental, Health & Safety and Information Security documentation.

2.0 Scope

SMS plc will produce and maintain adequate documentation to detail the requirements of the management system, and to ensure that the requirements are met records must be maintained for this purpose. This procedure also applies to all records generated under the other procedures in the management system.

3.0 Responsibility

It is the responsibility of the Systems Representative to ensure:
• The management system is adequately documented.
• Documents are properly controlled and approved and are readily available to those personnel that need to use them.
• Sufficient records are maintained and these are legible and readily found.

4.0 Procedure

4.1 Document and Data Control

All documentation must carry a unique identification number, an issue number and the date from which the document becomes effective. Documents must be formally approved for use. All documents must be clearly identified by their title or other reference, traceable from the document master register. A master register will be available and must carry the current issue of each document. The master register will be the only source for copies. An electronic copy, if available, must be controlled. Obsolete documents will be withdrawn from the system; a retention time should be agreed and the documents securely stored. External documentation must be adequately controlled to ensure that it is not damaged or lost. All forms must be periodically assessed under the Internal Audit procedures for currency and fitness for use. Any changes required to documentation must be processed through the Management Review meeting.

4.2 Records

All completed system documentation and records must be retained for at least three years unless specified otherwise in other regulations or by legislation.

Records must be correctly filed under suitable headings, in files, folders etc. such that they can be readily found. Adequate security must be maintained to ensure that records are not lost or damaged. Records must be legible, identifiable and retrievable. Records kept on computer or on other electronic media must be backed up on a regular basis such that the information can be recovered if necessary. Records may be destroyed at the end of their retention period.

Documents and Records Management (Environmental)

To ensure that environmental documentation is made available to relevant site personnel, it is maintained in a controlled manner and is kept up-to-date and relevant to the site’s activities and environmental policy. The environmental objectives, targets and action plans must be reviewed through the procedure Reviewing and Updating Objectives and Targets. All personnel may suggest modifications to the Environmental Representative, who must discuss any proposals with relevant personnel. The Environmental Representative is responsible for approving all changes to the documentation and for authorising relevant personnel to approve changes on his behalf. The Environmental Representative is responsible for signing off any changes to the site policy. The Environmental Representative is responsible for making the agreed changes to the manual, for re-issuing the modified documentation, and for ensuring that all documentation in this manual is in legible form and is appropriately authorised, dated, marked with a revision number and readily identifiable with a procedure/programme number. The Environmental Representative is responsible for ensuring that all procedures are written and provide clear instructions and responsibilities. The Environmental Representative is responsible for ensuring that obsolete documents are promptly removed and destroyed to prevent re-introduction into the system unless subject to specific record retention requirements.

The Environmental Representative is responsible for maintaining a master copy of all superseded documents for a period of three years beyond the date of the superseding revision. Document retention, as referred to in the various sections of this manual, is the minimum to meet the respective requirements. All documentation must be legible, dated and referenced. The Environmental Representative is responsible for updating this procedure when necessary.

Records Management (Health & Safety)

To demonstrate that the Organisation’s stated safety objectives have been satisfied, a detailed system of control for Health & Safety related documentation and records needs to be maintained. The Organisation will produce and maintain adequate documentation to detail the requirements of the Health & Safety management system. Adequate records must be maintained. This procedure also applies to all records generated under the other procedures in the Integrated Management System.

It is the responsibility of the Health & Safety Manager to ensure that:
• The Health & Safety aspect is adequately documented.
• Documents are properly controlled and approved and are readily available to those personnel that need to use them.
• Sufficient records are maintained and these are legible and readily found.

All Health & Safety manual documentation must carry a unique identification number, an issue number and the date from which the document becomes effective. Documents must be formally approved for use. All forms must be periodically assessed under the Health & Safety Audit procedures for currency and fitness for use. All completed Health & Safety documentation and records must be retained for at least three years unless specified otherwise in other regulations or by legislation. To ensure that Health & Safety documentation is made available to appropriate personnel, it is maintained in a controlled manner and is up to date and relevant to the Organisation’s activities and Health & Safety policy.

Control of Records (Information Security)

All records shall be maintained, as is generic to all management systems, in order to provide evidence of conformity to requirements and of the effective operation of the information security management system. These documents must be protected and controlled. They must be legible, identifiable and retrievable and should take into account all legal, regulatory and contractual requirements. All documents shall be at current issue, with any changes identified in the amendment table.


PRM 02 MANAGEMENT REVIEW

1.0 Introduction

The quality/environmental and Health & Safety management system needs periodic review to ensure that it meets the requirements in respect of policy, objectives, effectiveness, resources and planning, and is kept up to date. Minutes should be recorded and copies distributed to relevant personnel.

2.0 Scope

The Management Review must cover the operation of the Management System throughout SMS plc.

3.0 Responsibility

It is the responsibility of the Systems Representative to ensure:
• The management system is reviewed at least annually to ensure its continued suitability and effectiveness.
• The minutes of the meeting are recorded.
• Any actions are identified and corrected.
• Opportunities for improvement are identified and implemented.

4.0 Procedure

The Management Review must be held at least once per year to address all parts of the SMS plc quality/environmental and Health & Safety management system:
• To determine whether it is operating effectively to the benefit of SMS plc.
• To identify opportunities for improvement in all three disciplines.
• To determine whether SMS plc is continuing to meet the customer requirements.
• To prevent nonconformity.
• To address results of Aspects and Impacts.
• To measure and monitor environmental performance.

The meeting must address the following topics:

Health & Safety

To evaluate the continuing appropriateness and effectiveness of the Health & Safety Policy (inclusive of objectives) and supporting Health & Safety Management System and to ensure that necessary modification takes place. The Health & Safety representative is responsible for collating all the necessary information for Health & Safety input, including:
• Health & Safety manual
• Register of significant Health & Safety effects
• Register of requirements
• Overall performance against objectives and targets
• Health & Safety Audit Reports
• New and emerging Health & Safety issues relevant to the site.

The Health & Safety representative is responsible for monitoring the implementation of the recommended actions.

Actions from previous meeting

The aim is to ensure that any actions from the previous meeting have been corrected.

Review of the Quality, Environmental and Health & Safety Policies and their Targets and Objectives

The policies must be reviewed to check that they are still suitable for SMS plc. Any objectives must be reviewed to check whether they are still appropriate and are being achieved. New objectives/targets must be set where necessary. Environmental targets should be analysed and results measured and recorded.

Improvement

The meeting must address methods of improvement to the system. Where areas for improvement are identified, appropriate objectives and methods of monitoring will be agreed. Any of the topics addressed during the meeting may be considered for improvement initiatives.

Non-conformance and customer complaints

Non-conformances and customer complaints must be reviewed to check that the underlying cause has been addressed. Their effect on customer satisfaction must be addressed.

Near misses, Accidents, Incident Reports, Risk Assessments

These should be discussed and reviewed and any applicable paperwork should be brought to the meeting.

Environmental Aspects and Impacts

The Environmental Representative should bring results of Aspect/Impact assessments to the meeting and these should be analysed.

Corrective and preventative action

Corrective and preventative actions must be reviewed to check that they have been effective in achieving an improvement in the management system.

Internal and external audits

Audit results must be reviewed to check that any non-conformances were corrected within an acceptable time scale. The frequency of auditing may be reviewed based on the audit results.

Planning and future resource requirements (long term planning)

Any changes to the business that could affect the customer or the quality management system should be addressed. This will include changes related to personnel, equipment or other resources.

Training

Training needs must be reviewed together with any proposals for carrying out training.

Supplier performance

Any need for changes to the suppliers used by SMS plc must be addressed.

Customer satisfaction

The meeting must address whether SMS plc is meeting, or if possible exceeding, the customers’ requirements and expectations. Where complete customer satisfaction is not being achieved, SMS plc must plan and allocate suitable resources to resolve the problem.

Any other business

This may include any initiatives for improvement, reduction in rework or waste etc.

The review must cover as a minimum the period since the last Management Review. The person responsible for any actions identified at the meeting must be recorded together with target dates for completion where appropriate. SMS plc must allocate the necessary personnel and resources for these corrective actions.


Guide to the Management Review Meeting

[Flowchart: the original presents this guide as a diagram; only its labels are recoverable. Steps are listed in the order the labels appear.]

Start

Collect information, from:
• Corrective & preventative action
• Customer feedback / complaints
• Outside influences
• Training records
• Aims and objectives
• External audit reports
• Input from members of the meeting
• Internal quality audit reports
• Non-conformance reports

Analyse
Prepare and distribute
Discuss and document inputs/outputs
Review action from previous meetings
Agree actions
Management Review minutes
Check effectiveness of actions and report
Set date of next meeting


PRM 03 RESOURCES

1.0 Introduction

To meet the requirements of the customer, Environmental commitments and Health & Safety requirements, SMS plc ensures that there are adequate resources in the form of personnel, plant and equipment. This may include additional resources from outside SMS plc where necessary.

2.0 Scope

This procedure covers the systems and operations necessary to ensure that SMS plc has adequate resources to meet the requirements of its customers and operate the business in an efficient and safe manner.

3.0 Responsibility

It is the responsibility of ‘Top Management’ to ensure that:
• SMS plc resource requirements are reviewed on a regular basis.
• Training needs are identified.
• Suitable training is carried out and checked for effectiveness.

4.0 Procedure

4.1 General

The review of resources must be formally carried out as part of the Management Review process but is also part of the day-to-day management of SMS plc. See PRM 02 Management Review. Records associated with personnel and training are maintained in accordance with PRM 01 Document Control and Records. These records must be reviewed at least once per year.

4.2 Human Resources

As part of the general planning and management process, SMS plc must identify the personnel needed to ensure that it operates effectively and safely. The general structure of SMS plc is shown in the SMS plc organisation chart in the Quality Manual. Specific responsibilities and authorities are defined in the SMS plc structure. New personnel will be selected by management interview. The SMS plc policy of recruiting and procuring personnel with the required level of skills, experience and education is reviewed in the light of labour availability and also changes in the nature of SMS plc work. The training needs of all personnel will be identified by assessment on an ongoing basis. Where possible, measurable objectives will be set to assist in continual improvement.

All personnel must be given induction training, including an explanation of the management system and the health and safety requirements, when they start work with SMS plc. The training and experience of each employee will be assessed against defined objectives and any changes that have taken place, or are about to take place, to ensure that personnel are adequately trained and experienced to carry out their duties. Where a specific training need is identified, this must be arranged and included on the Training Plan (Form QMF 03). Training will be by means of ‘on the job’ or ‘on course’ training.

All training must be assessed by the relevant department head. Personnel records must be maintained to show all qualifications, experience and training undertaken (Form QMF02). Where appropriate, copies of certificates or other evidence to show that training has been carried out will be maintained.

The Environmental Representative is responsible for preparing and providing general environmental training, including the contents of the Environmental Manual and the Environmental Procedures. All Managers are responsible for identifying specific training needs for all employees in their department and advising the Environmental Representative. All Managers, with assistance from the Environmental Representative, are responsible for developing specific environmental training that should include, in addition to the procedures, waste management, energy conservation at close down and incident reporting.

Health & Safety
The standard requires that all staff are properly instructed and trained in Health & Safety matters and that specific training requirements are identified. The Health & Safety Representative has overall responsibility for the implementation of this procedure and must provide the necessary technical input. However, a contribution from supervisors is needed to identify the needs. Personnel will be competent to perform tasks that may impact on OH&S in the workplace. Competence is defined in terms of appropriate education, training and/or experience.

The Organisation has established and maintained procedures to ensure that its employees working at each relevant function and level are aware of:
• The importance of conformance to the OH&S policy and procedures and to the requirements of the Integrated Management System;
• The OH&S consequences, actual or potential, of their work activities and the OH&S benefits of improved personal performance;
• Their roles and responsibilities in achieving conformance to the OH&S policy and procedures and to the requirements, including emergency preparedness and response requirements;
• The potential consequences of departures from specified operating procedures.

Training procedures shall take into account differing levels of:
• Responsibility, ability, literacy and risk.

The Organisation has effective procedures for ensuring the competence of personnel to carry out their designated functions. Typical inputs include the following items:
• Definitions of roles and responsibilities;
• Job descriptions (including details of hazardous tasks to be performed);
• Hazard identification, risk assessment and risk control results;
• Procedures and operating instructions;
• OH&S policy and OH&S objectives;
• OH&S programmes.

The following elements should be included in the process:
• A systematic identification of the OH&S awareness and competencies required at each level and function within the Organisation;
• Arrangements to identify and remedy any shortfalls between the levels currently possessed by the individual and the required OH&S awareness and competency;
• Provision of any training identified as being necessary in a timely and systematic manner;
• Assessment of individuals to ensure that they have acquired and that they maintain the knowledge and competency required;
• Maintenance of appropriate records of an individual’s training and competency.

An OH&S awareness and training program has been established and maintained to address the following areas:
• An understanding of the Organisation’s OH&S arrangements and individual specific roles and responsibilities for them;
• A systematic program of induction and ongoing training for employees and those who transfer between divisions, sites, departments, areas, jobs or tasks within the Organisation;
• Training in local OH&S arrangements and hazards, risks, precautions to be taken and procedures to be followed, this training being provided before work commences;
• Training for performing hazard identification, risk assessment and risk control;
• Training for all individuals who manage employees, contractors and others (e.g. temporary workers) in their OH&S responsibilities. This is to ensure that both they and those under their control understand the hazards and risks of the operations for which they are responsible, wherever they take place.

4.3 Facilities
Top Management must ensure that all buildings, plant and equipment are regularly maintained in accordance with the manufacturers’ instructions or recognised good practice. Records of maintenance will be maintained showing details of the work carried out. Where appropriate, copies of certificates or other evidence of maintenance work will be maintained.

4.4 Work Environment
All employees must maintain a good standard of housekeeping within the work area. Waste materials must be cleared away regularly to maintain a safe working environment. Any faulty plant or equipment must be reported to senior management. When working at a client’s site (if applicable), all due care and attention must be afforded to the client’s property and, where possible, logistical layouts must not be affected without prior permission.


PRM 04 CUSTOMER REQUIREMENT (ISO 9001:2008)

1.0 Introduction
Meeting the customers’ requirements is the principal objective of SMS plc. Their needs must be fully understood and agreed, and SMS plc must establish that it is in a position to meet these requirements in an effective manner.

2.0 Scope
The nature of the business is such that all orders and contracts are reviewed to ensure that requirements are adequately defined and documented through means including phone, fax, email and direct mailing. The scope of this procedure includes:
• Identification and documentation of the customer requirements.
• Review of these requirements.
• Methods of communication with the customer.
• Outline planning of the work.

3.0 Responsibility
It is the responsibility of Top Management to ensure that:
• All verbal or written enquiries, orders and contracts are reviewed to ensure that the requirements, together with any changes, are adequately defined and understood by both parties.
• These requirements, together with any changes, are adequately documented.
• Adequate planning is carried out to ensure that SMS plc has or can obtain the necessary resources to fulfill the order or contract.
• Effective lines of communication are set up between the customer and SMS plc.
• Sufficient records are kept to show that the above requirements have been achieved.

4.0 Procedure

4.1 General
Customer requirements will be dealt with in stages:
• Receipt and understanding of the customer requirements.
• Review of SMS plc capability to meet these requirements.
• Confirmation of acceptance to the customer.
• Enquiries, requests for quotations, invitations to tender and orders are generally received by telephone, letter, fax or e-mail.
• Where SMS plc is unable to meet the customer’s requirements they will be advised accordingly.

4.2 Customer Requirements (Receipt)
All enquiries and tenders for business will be handled by the designated staff chosen by senior management. The details will be recorded and may include:
• Customer name, address and telephone number.
• Details of requirement.
• Delivery details/dates.
• Customer contact (name, telephone number).
• Date of enquiry or order.
• Customer supplied documents, drawings, specification etc.
• Supporting services, spares, service contracts etc.
• Regulatory or legislative requirements.
• Any special requirements for product validation or verification.

4.3 Order Fulfillment
When the details of the Customer’s requirements have been clearly identified, the SMS plc ability to carry out the work must be formally reviewed. This must be based on the documents or other information provided by the Customer or the SMS plc own documentation defining the requirements. The review of SMS plc capability of carrying out the work must address the following:
• Can SMS plc carry out the work in accordance with the customers’ requirements without any additional resources or changes to the normal SMS plc operations?
• Is the organisation a new or existing customer?
• Are any additional resources required?
• Is there a need for additional investigation or research?
• Is any additional staff training needed?
• What goods, materials or services need to be obtained from outside suppliers?
• Does the work involve any special process not usually carried out by SMS plc?
• Are there any special legal or regulatory requirements? E.g. national standards, health and safety etc.
• Are any support services required or specifically called for? E.g. spares, maintenance support.
• Can the design requirements be met?
• Is any specific documentation needed?

Where any queries or discrepancies are found during this review process they must be resolved with the customer. Where the enquiry or order is from a new customer the requirements will be reviewed.

4.4 Communication
Clear lines of communication must be established and maintained between the customer and SMS plc. This will be by means of telephone, fax, letter and e-mail. Orders must be checked to ensure that they agree with any quotations or previous agreements. Any differences must be resolved. Communication within SMS plc will be by means of e-mail, phone and verbally. All communications that could significantly affect the SMS plc ability to fulfill the order or contract must be recorded. Any customer complaints must be dealt with in accordance with Procedures PRM09 and PRM10.

4.5 Planning
As part of the process of review of the Customer’s requirements, SMS plc must plan how the work is to be carried out to ensure that sufficient resources are available to achieve the specified requirements and quality. Planning will take into account:
• The customer’s delivery or other critical dates.
• Any specific product verification or checking requirements.
• Availability of resources - both staff and plant and equipment.
• Any longer term planning will be dealt with at the Management Review.

The Quality Representatives will provide feedback where problems have arisen, with a view to improvement in the quality system.


PRM 05 PROCESS CONTROL (ISO 9001:2008)

1.0 Introduction
It is essential that the work carried out by SMS plc is adequately controlled to ensure that it meets the requirements of the customer. This is achieved by good planning, the provision of adequate resources, properly trained and experienced personnel, clearly defined standards and methods of working, and correct monitoring and product verification.

2.0 Scope
The work carried out by SMS plc is “The provision of Gas Metering Infrastructure Services to the & Commercial sector. The provision of Meter Asset Management Services to Domestic and Industrial & Commercial Gas Suppliers”, including:
• Planning of the work process (including validation that it is effective).
• Control of the work process.
• Validation of the work.
• Identification and traceability.
• Customer property.
• Control of associated activities including handling, packing, storage, preservation and delivery.

3.0 Responsibility
It is the responsibility of ‘Top Management’ of SMS plc to ensure that:
• All work carried out by SMS plc is adequately defined and controlled.
• Appropriate instructions are provided and maintained to ensure that the quality of work is satisfactory, and these are readily available.
• Standards of workmanship and criteria for acceptance are defined.
• Suitable personnel are assigned for the work process and for product verification and checking activities.
• Adequate resources are provided in the form of personnel, equipment and a suitable working environment.

4.0 Procedure

4.1 General
All work carried out by SMS plc must take into account any applicable Health and Safety requirements and statutory legislation. Good standards of housekeeping will be maintained at all times. All records associated with the work process are kept in accordance with PRM 01 Document Control and Records. All personnel carrying out work will be suitably trained and experienced in accordance with PRM 03 Resources. Measuring equipment, where applicable, will be controlled in accordance with PRM 07 Measuring and Monitoring Equipment. All equipment will be maintained regularly in accordance with the manufacturers’ or suppliers’ instructions. Process capability will be addressed in accordance with procedure PRM 11 Measurement and Improvement.

4.2 Planning
Work will be planned and controlled by due delivery date and material availability. Planning must take into consideration:
• Inputs and outputs required.
• Allocation of responsibilities.
• Resources required.
• Validation of the process and analysis of any risks.
• Legal or regulatory requirements.
• Procurement of goods, materials or services.
• Procedures, methods and work instructions.
• Product validation, product verification and other validation processes.
• Control of changes and modifications.
• Targets for the completion of the work.
• Records.
• Other requirements as appropriate to meet the quality objectives.


PLANNING (flow chart; only the box labels survive):
• Inputs and outputs required
• Allocation of responsibilities
• Resources required
• Validation of processes & analysis of risks
• Procurement of goods & services
• Legal requirements
• Control of changes
• Validation of product and all processes
• Targets for completion
• Control of records and all requirements to meet ‘quality objectives’


4.3 Work Control
The work will be carried out with plant and equipment specific to SMS plc needs. This will be regularly maintained in accordance with the manufacturers’ or suppliers’ instructions. The following should be addressed where applicable:
• Procedure and criteria for release of the product or service.
• Training or qualification.
• Special processes.

4.4 Validation/Inspection
The procedure for receipt and product verification is detailed in PRM 06 Purchasing. In-process and final product verification must be carried out in accordance with the specified requirements so that SMS plc shall demonstrate the ability of their processes to achieve planned results. Work will be checked at regular intervals to ensure customer satisfaction. Non-conforming work will be dealt with in accordance with PRM 09 Control of Non-conformance.

4.5 Identification and Traceability
All products and materials delivered to SMS plc must carry identification from the supplier unless this is obvious by appearance. If there is a specific requirement for traceability this will be maintained throughout the work process. Where traceability is a specified requirement, the requirements will be made available to the purchasing department, who will ensure that purchased items are traceable. Goods or materials not meeting the specified requirements will be dealt with in accordance with PRM 09 Control of Non-conformance.

4.6 Customer Property
Customer property will be handled with care. Customer’s property must be clearly identified. SMS plc undertakes to advise the customer if the customer’s property is damaged at any time during the process, so that agreement can be arranged for replacement or repair.

4.7 Associated Activities

Handling
Goods and materials must be handled in a manner that does not cause any damage or deterioration. Where necessary, mechanical handling equipment will be used, e.g. for heavy loads.
• Due consideration will be given to Health and Safety requirements for manual handling or for hazardous goods and materials.

Storage and preservation (if necessary)
Storage will be within designated areas where conditions are appropriate for the products and materials.
• Storage areas will be checked periodically to ensure that no changes have occurred that may affect the goods or materials.

Packing (to ensure no damage to goods)
Goods and materials must be packed in a manner that ensures that they are not damaged during storage or transport.

Transport and Delivery
Where materials are required to be moved they will be dispatched by courier or own transport. When carriers are used the product will be packed to specifications developed by the trade to ensure safe transit. Packages and containers will be marked to indicate contents and transit care requirements if necessary.

4.8 Associated Activities
There are a number of relationships which contribute to the activities of SMS plc:
• The Gas Industry Regulator, OFGEM, who provides licenses to the Gas Shipper, Gas Supplier and Gas Transporter and also regulates the processes of SMS plc in its role as Meter Asset Manager.
• The Gas Shipper, who arranges with the Transporter for the entry of gas into the Network.
• The Gas Supplier, who arranges a contract with a Consumer for the supply of gas to that consumer.
• The Transporter, the owner of the pipes, who arranges contracts with the supplier for the transportation of gas around the network.
• The Consumer (or their Agent), who contracts with the Supplier for the use of gas.
• The Meter Asset Manager (MAM), who contracts with the gas supplier or the consumer (or their agent) for the provision and use of a gas meter for the registration of the use of gas.


Relationship diagram (figure; only the box labels survive):
• SMS plc
• UK Meter Assets (a MAM)
• UK Gas Connection
• UK Data Management
• Gas Consumer (Domestic)
• Gas Consumer or Agent (Industrial & Commercial)
• Gas Supplier / Shipper (Domestic; Industrial & Commercial)
• Gas Transporter (owner of pipe: gas mains and gas services)
• OFGEM: regulates Suppliers, Shippers and Transporters

PRM 06 PURCHASING

1.0 Introduction
To ensure that the quality of SMS plc products or services is maintained, it is essential that products or services bought in are of a high standard. Suppliers will be selected on their ability to consistently meet SMS plc requirements.

2.0 Scope
All purchased products and services used by SMS plc fall within the scope of this procedure.

3.0 Responsibility
It is the responsibility of the Technical & Quality Manager to ensure that:
• Suppliers are formally assessed to confirm that they can meet the Organisation’s requirements.
• The requirements for purchased products or services are clearly defined.
• Purchased products or services are inspected or checked.

4.0 Procedure

4.1 Supplier Approval
All suppliers of products or services are reviewed to ensure that they can meet the SMS plc requirements. This review includes (as appropriate):
• Past history and performance.
• Evaluation of a trial order, samples or activity.
• Evidence of registration by a recognised authority.
• On site assessment of their capability and quality system.
• Comparative test results with the same or similar products.
• Recommendation or references from other users.
• 100% product verification of all services/products supplied.
• Financial viability.
• The record of approved suppliers takes the form of a printed list of proven historical supply.
• Supplier approval is reviewed at least once per year. This is based on their performance when meeting orders placed with them over the previous year. The results of the review are addressed at the Management Review.
• Any problems must be investigated and, where they cannot be resolved, the supplier will no longer be used.

4.2 Purchasing
Items affecting Organisation products or services must be purchased from the Preferred Suppliers List. Purchase orders must clearly define the product or service required. They will address:
• Product or service required.
• Any relevant standards or regulations that are applicable.
• Delivery requirements.
• Any documentation to be supplied, e.g. Certificates of conformity.
• Price and payment details.

Purchase requirements will be detailed and recorded with the purchase order number where applicable. The supplier is required to supply to the specification, quantity and price as specified on the purchase order.

4.3 Verification/Inspection
All goods and services must be checked against the purchase order and, where appropriate, the delivery note. The purchase order or delivery note will be signed to confirm the product verification. Any discrepancies will be resolved with the supplier. Any discrepancies must be recorded as part of the supplier assessment process. Where verification is to be carried out at the suppliers’ premises, this will be arranged at the time of placing the order. This will not absolve the supplier of their responsibility to provide an acceptance.


PRM 07 Measuring and Monitoring Equipment

1.0 Introduction
If equipment is used to check that the product meets the Customer’s requirements, then it needs to be properly controlled and maintained. It should be the correct equipment and be capable of making the required measurements to the specified accuracy. Where test software is used, it should be checked on commissioning and rechecked at specific intervals.

2.0 Scope
The scope is applicable to UK Gas Connection only. This procedure covers all product verification, product validation and measuring equipment owned by the Organisation, rented, on loan, owned by employees or provided by the Customer. It also covers test hardware and software.

3.0 Responsibility
It is the responsibility of the Technical & Quality Manager, where applicable, to:
• Identify the measurements and tests to be carried out, together with the accuracy required and the equipment to be used.
• Ensure that all measuring, test and product verification equipment is identified, maintained, controlled, and checked or calibrated at defined intervals.
• Ensure that test software is validated to ensure its capabilities and accuracy and is released in a controlled manner.
• Maintain adequate records.

4.0 Procedure
• Measuring and product validation equipment used throughout the organisation will be identified and logged.
• Feeler gauges, steel rules and steel tapes will be subject to regular product verification by their owner and changed when deterioration is apparent.
• All other measuring and product validation equipment will have a calibration record noting acceptance criteria, identification marking, location, checking frequency, calibration dates and results.
• The method of calibration will be identified, e.g. by a calibration laboratory or in house against calibrated standards.
• Equipment failing to meet the required standard must be identified for repair or discarded, and the record amended.
• New equipment will be checked or calibrated before issue and the calibration record prepared if necessary.
• After completion of the calibration, the details will be amended on the calibration label on the equipment.
• All measuring and product validation equipment, whether organisation or employee owned, will be stored in conditions to ensure accuracy and fitness for use.
• Test software will be validated by senior management to ensure that it is capable of achieving the specified standard of accuracy and repeatability.
• Existing software is approved on the basis of previous satisfactory performance.
• Release of software, including changes, will be controlled.


PRM 08 INTERNAL AUDIT

1.0 Introduction
The SMS plc Integrated Management System needs to be audited on a systematic basis to ensure that the planned arrangements are being met in practice.

2.0 Scope
This procedure details the method of planning and carrying out the internal audit to check that SMS plc procedures are being followed.

3.0 Responsibility
It is the responsibility of the Management System Representative to ensure that:
• An internal audit program is prepared to cover all elements of the management system.
• Suitable personnel are allocated to carry out the internal audits.
It is the responsibility of the Internal Auditor to carry out the audits, identify any nonconformances and follow them up to ensure that they are corrected.

4.0 Procedure

4.1 Planning
An internal audit program must be prepared covering all elements of the quality management system (QMF04). The program will be structured in such a manner as to ensure each procedure is audited at least annually. Suitably trained auditors must be assigned to carry out the audit of each element of the system. Note that the auditor should be independent of the work or area being audited. Additional audits may be scheduled where problems or deficiencies have been found.

4.2 Conducting the Audit
The Internal Auditor(s) will carry out the audits in accordance with the programme. Using the procedure itself as the guide, each element will be checked to ensure that its requirements are being met and that the overall purpose of the procedure is being fulfilled. Written notes on variances, non-conformance and omissions will be taken (QMF05) and circulated for action to appropriate personnel. Supplementary notes will be taken of supporting information and records checked.


Internal Audits (flow chart; reconstructed from the surviving box labels):
• Internal Audit Plan
• Internal Audit carried out
• No noncompliance found: write Audit Report on QMF 05; forward to Top Management; file Audit Report.
• Noncompliance identified during audit: write Audit Report on QMF 05; forward Audit Report onto relevant Department for action; complete corrective action and write report on QMF 05; forward to Department Head; discuss audit results at Management Review Meeting, including any corrective and preventative action taken; file Audit Report.


PRM 08 CONTROL OF NON-CONFORMING PRODUCT (Quality) (ISO 9001:2008)

1.0 Introduction
In the event of defective or substandard work being produced, the nonconforming product or service needs to be identified and corrected to prevent potential customer complaints. The causes need to be reviewed to prevent recurrence, if possible.

2.0 Scope
This procedure addresses non-conforming products and services at all stages in the SMS plc work process.

3.0 Responsibility
It is the responsibility of the following personnel to ensure that non-conformances are identified and corrected, the root causes are addressed and the necessary records are maintained:
• Customer complaints – Head of Operations
• Product/service non-conformances – Technical & Quality Manager
• Quality system non-conformances – Technical & Quality Manager

4.0 Procedure
Routine product verification and monitoring at all stages in the work process should be aimed at identifying any nonconforming or defective products or services. All personnel must report nonconformances. Non-conformances must be identified by labels and segregation. All nonconforming products or services must be dealt with promptly to prevent the deficiency becoming worse or affecting the Customer. The non-conformance will be corrected by the most appropriate and cost effective method. Non-conformances must be recorded together with the action taken to correct them. They must be reviewed to allow identification of the root causes and trends. Non-conforming product will be discussed at the Management Review Meeting.

PRM 09 CORRECTIVE AND PREVENTATIVE ACTION

1.0 Introduction
A documented procedure needs to be established and maintained to ensure that faulty products or services are identified and corrected. It is also important that the causes of such faults are determined and that action is taken to reduce or eliminate the possibility of a recurrence.

2.0 Scope
This procedure details the method of dealing with corrective and preventative actions in order to correct or prevent non-conformance, including customer complaints.

3.0 Responsibility
It is the responsibility of the following personnel to ensure that non-conformances and customer complaints are corrected or prevented from happening:
• Customer complaints – Senior Management
• Product/service non-conformances – Senior Management
• Quality system non-conformances – Quality Representative

4.0 Procedure

4.1 General
When implementing corrective or preventative action, the amount of time and effort will take into account the significance of the problem. The potential impact on the product or service, the process, the customer and on safety will be evaluated. Sources of information for corrective and preventative action will include customer complaints, non-conformance records, management review and other management system records, internal audits, customer satisfaction records and process measurements. Corrective and preventative action and customer complaints will be addressed at the Management Review. Records will be maintained to document the non-conformance or preventative action planned, the corrective or preventative action taken and the confirmation that it was effective.

4.2 Corrective Action
All non-conformances requiring corrective action must be clearly identified. The root cause of the non-conformance must be determined, and suitable corrective action will be planned and carried out to eliminate or reduce the cause. Checks must be carried out to ensure that the corrective action was effective and has eliminated or reduced the risk of the non-conformance occurring again.

4.3 Customer Complaints
On receipt of a customer complaint the details must be recorded on the Customer Complaint form (QMF06). The form will then be allocated a reference and entered in the complaints register (QMF07).

4.4 Preventative Action
All potential non-conformances requiring preventative action must be clearly identified. The preventative action must be planned and carried out to remove or reduce the risk. Checks must be carried out to ensure that the preventative action was effective and has eliminated or reduced the risk of the potential non-conformance occurring.

ISO 9001:2008 ISO 14001:2004 OHSAS 18001:2007 ISO 27001:2005 Issue 1 Effective from the date of certification


PRM 10 MEASUREMENT AND IMPROVEMENT

1.0 Introduction
To ensure that high quality standards are maintained and improved, SMS plc monitors the work process to ensure the highest standards of customer satisfaction. Measurement is aimed at adding value and benefit to the customer and to SMS plc. This process involves all personnel.

2.0 Scope
The scope of this procedure includes:
• Planning and control of all processes.
• Collection and analysis of data and information.
• Measurement of customer satisfaction and dissatisfaction.
• Monitoring and improvement of process capability.
• Continual improvement.

3.0 Responsibility
It is the responsibility of Top Management to ensure:
• Procedures and initiatives are put in place to measure SMS plc performance.
• The quality management system is continually improved.
• Customer satisfaction is measured and deficiencies addressed.

4.0 Procedure

4.1 General
The measurement and improvement process must be planned in the same way as other activities carried out by SMS plc. This will include:
• Deciding what to address.
• Setting priorities and objectives.
• Deciding on the methods to be used.
• Allocating resources, e.g. time and personnel.
• Carrying out the measurements.
• Analysing the results.
• Communicating the results to the appropriate personnel such that they are clearly understood.
• Implementing the appropriate action.
• Checking that it was effective.

Other sources of information for the improvement process are covered in:
PRM 02 Management Review
PRM 07 Internal Audit
PRM 08 Control of Non-conformance
PRM 09 Corrective and Preventative Action

The main discussion point for this process will be the Management Review meeting.

4.2 Collection and analysis of data
In order to measure performance, a certain amount of data and information needs to be collected. This will address:
• Meeting customer requirements and measurement of customer satisfaction and dissatisfaction.
• Performance of suppliers.
• Assessment of process and product characteristics and trends.

This includes reject rates, delivery problems, information on supplier performance, assessment of customer satisfaction and dissatisfaction, and data on process control such as down time and rework. SMS plc must decide what the data is needed for, any specific methodology to be used and the frequency of collection. The aim will be to improve the efficiency and performance of SMS plc.

4.3 Customer satisfaction and dissatisfaction
Customer satisfaction and dissatisfaction will be measured to ensure that:
• The product or service has the required characteristics.
• The price is satisfactory.
• The delivery process is satisfactory.
• The customer feels they are receiving good value for money.

Customer satisfaction and dissatisfaction will be measured by:
• Feedback from customers and complaints.
• Feedback from the customer during sales and ordering activities.
• Direct communication during the course of business.
• Market trends.
• Evaluation of the competition.
• Questionnaires or surveys.
• Analysis of repeat orders.
• Returns and repairs.

The information obtained must be analysed and the appropriate action taken to improve customer satisfaction or eliminate the reason for dissatisfaction.

4.4 Monitoring the process
The work process must be monitored to ensure that it is effective and to identify areas for improvements or savings. Monitoring should include review of equipment or new processes and monitoring achievement of targets, down time and reduction in costs.

4.5 Planning for continual improvement
The overall quality management system will be improved by:
• Setting objectives.
• Monitoring these by means of audits, analysis of corrective and preventative action and customer complaint information.
• Evaluation of the effectiveness of each process.
• Taking the appropriate corrective action.

The improvement process will be reviewed and monitored at the Management Review. New objectives will be set when the current objectives have been achieved.


ENVIRONMENTAL

Table of Amendment – Environmental Manual

Document Number | Page Number | Issue | Date | Description of Change | Authorisation

Aspects & Impacts

Introduction and Scope
Environmental impacts are identified, evaluated and registered. The scope of this section covers all activity within the company that has an environmental aspect.

Responsibilities
Though the most senior manager in the company has the overall responsibility for the implementation of this procedure, the environmental representative must cover day to day operation and the maintenance of records of impacts.

Procedure
The environmental representative must develop and maintain the Impacts Record using the chart. High ratings must be considered significant. The environmental impacts of all SMS plc activities are entered in the ‘Impact Records’ chart (high, medium, low) under the following main headings:
• emissions to air
• releases to water
• waste management
• contamination of land
• impact on communities
• use of raw materials and natural resources
• other local environmental issues


All employees review their impacts annually and inform the environmental representative of any changes. The environmental representative, in conjunction with the relevant employee, is responsible for ensuring that agreed targets are met and appropriate procedures developed, and for reviewing new and modified projects.

Documentation
The Impacts Records must be maintained by the Environmental Representative until updated.

Targets & Objectives

Introduction and Scope
This procedure is to define new objectives and targets, and to review and update existing objectives and targets. Targets are quantifiable where possible and refer back to the environmental policy.

Responsibilities
The Environmental Representative is responsible for the implementation of this procedure.

Procedure
The Environmental Representative is responsible for annually coordinating the objectives and targets set out in the environmental procedures and ensuring that:
• Targets are set for reducing waste, water consumption and energy use.
• New procedures are introduced and impacts are better managed.
• Targets are set for maintenance activities.
• Friendly alternatives to hazardous materials are sought.
• Objectives and targets are set.

Additional objectives and targets may be suggested by employees to the Environmental Representative, who must also be responsible for their evaluation and for developing and communicating appropriate documentation, e.g. on incidents or new legislation. The Environmental Representative is responsible for reviewing progress on the implementation of targets at the Management meetings and for defining corrective actions or modifying targets, if appropriate. The Environmental Representative is responsible for following up agreed corrective actions.

ENVIRONMENTAL TARGETS AND OBJECTIVES – FIRST YEAR RECORDINGS
Form EN 10

ACTIVITY | USAGE 2010 | USAGE 2011 | REDUCTION % (TARGET) | REDUCTION % (ACTUAL)
GAS | | | |
ELECTRIC | | | |
WATER | | | |
FUEL | | | |
GENERAL WASTE | | | |
INK/CARTRIDGES | | | |
PAPER USAGE | | | |

SMS plc will, in conjunction with its ‘Environmental Policy’ (targets & objectives), endeavour to establish a process of reduction for the above elements. The reduction shall be monitored and recorded annually and the results filed for review.

Waste Management

Introduction and Scope
All wastes generated by the site must be managed and disposed of in an environmentally safe and correct manner in accordance with statutory requirements. This procedure details the system to be followed in order to achieve this objective. As a waste producer, the company’s responsibilities do not cease once waste has been removed by a waste contractor. Under the Duty of Care (Environmental Protection Act), the company has a statutory responsibility to ensure that contractors are competent, that waste is disposed of properly and that adequate records are kept.

Responsibilities
It is the responsibility of the Environmental Representative to ensure compliance with this procedure. It covers:
• General commercial and industrial waste and special waste
• Household waste (no administrative requirement, local authority collection)
• On-site waste temporary storage and waste container identification
• Periodic review of the procedure
• Employee awareness of waste disposal provisions and regulations

Definitions
The definition of waste:
• Any substance which constitutes a scrap material or an effluent or otherwise unwanted surplus substance arising from the application of any process
• Any substance or article which requires to be disposed of as being broken, worn out, contaminated or otherwise spoiled (except explosives)
• Anything which is discarded or otherwise dealt with as if it were waste

Household waste: waste from a domestic property, caravan, residential home, educational establishment, hospital or nursing home.
Industrial waste: waste from a factory etc., including construction and demolition wastes.
Commercial waste: waste from premises used for a trade or business or for the purposes of sport, recreation or entertainment.
Special waste: wastes which may be dangerous to life or health, as fully defined by the Special Waste Regulations 1996.


Procedure

Identification and Labelling
All wastes must be identified and classified correctly, in accordance with the definitions provided above. Where further clarification is needed, consult legislative sources and request guidance from waste contractors. Never dispose of waste if its classification is unclear. All waste storage areas on site must be clearly identified. Where appropriate, waste storage areas should be secure, covered and contained. All waste storage areas must be marked and labelled on a site plan. All waste must be clearly and correctly classified. If in doubt, consult the company’s legal index or seek guidance from the waste contractor.

General Waste
General waste is often such things as cardboard, paper and general office waste. All general waste types are disposed of by a licensed waste carrier. General containers are for the disposal of general, non-hazardous wastes only and must not be used for:
• chemical wastes
• solvent wastes
• waste paints etc.
General waste containers (bin liners) must be removed for disposal when necessary. At SMS plc paper is recycled.

Hazardous Waste (Where Applicable)
Hazardous waste storage is controlled with the use of special areas where specialist containers will be used as necessary. Special wastes must be identified and stored separately from other wastes. Employees must be responsible for ensuring the correct classification and management of special wastes.

Inspection of Waste Storage Containers
The Environmental Representative must conduct weekly inspections of the waste storage areas, and of the site in general, to identify any wastes stored improperly and not in accordance with regulatory requirements and this procedure.

Management of Waste Contractors
Where waste contractors are used, SMS plc will continue to monitor waste carrier performance.

Waste Targets and Minimisation Opportunities
The Environmental Representative must:
• Use the information in the database to identify performance targets and opportunities to reduce waste.
• Report at the Management Review on waste management performance, in terms of:
  • sources of waste
  • types of wastes
  • monthly volumes of waste, according to source/type/disposal route
  • monthly costs of waste disposal according to source/type/disposal route
  • achievement of performance targets.

Awareness and Training


The Environmental Representative must ensure that:
• Training is provided to employees and refresher courses given annually.
• General awareness training is provided to all appropriate employees.
• Training records are maintained and future needs are identified (e.g. refresher training, employee induction).
• Changes in legislative requirements are communicated to staff as soon as practicable.

Documentation
All special waste shipments, where applicable, must be accompanied by a completed Transfer Note, and where necessary a certificate of disposal must be kept on record.

Air Pollution Control/Objectives & Targets

Introduction and Scope
To ensure that all atmospheric emissions, if discharged by SMS plc, are minimised and managed in a safe and correct manner in accordance with statutory and company requirements, and to promote continued improvement.

Responsibilities
The Environmental Representative will be responsible for ensuring compliance with this procedure and for monitoring, controlling and minimising atmospheric emissions should they occur, other than emissions from the water heating. Atmospheric emissions comprise any discharge of pollutant to the air and include odours. Direct emissions are those emanating from process equipment/operations and are planned and routed through vents or chimneys etc. Fugitive emissions are those relating to discharges which escape from process equipment or containers and dissipate to atmosphere.

Procedures

Identification and Characterisation
All atmospheric emissions must be identified and characterised. This includes direct and fugitive emissions.

Definitions
All emission points must be marked on a plan of the site and each point allocated a reference. Each emission point must be cross-referenced to the source and nature of the emission.


Monitoring of Emissions (Where applicable)
Each atmospheric emission must be quantified on an annual service basis and any variance must be rectified by the sub-contractors. All emissions from the site must be managed so as to minimise quantities and/or environmental impact. The Environmental Representative must also conduct periodic inspections of the facility to check that operating practices conform to controlling emissions.

Targets and Objectives
The Environmental Representative must report annually on emissions management performance, in terms of:
• sources of emissions
• types of emissions
• quantities of emissions according to source and type
• costs of managing emissions (e.g. monitoring and air pollution control equipment)
• achievement of regulatory requirements.

Awareness and Training
The Environmental Representative must:
• Arrange comprehensive in-house training and annual refresher courses for all employees.
• Arrange general awareness training for all appropriate employees.
• Maintain training records and coordinate future needs.
• Communicate changes in legislative requirements to employees as soon as practical.

Documentation
All monitoring, inspection and reporting records must be maintained properly and for the statutory length of time, as appropriate, by the Environmental Representative. Rationales for non-implementation of an emission reduction measure must also be maintained on file.

Water Pollution Control

Introduction and Scope
All wastewater discharged by SMS plc must be minimised and managed in a safe and correct manner in accordance with statutory and company requirements. The site discharges non-contact washing and domestic water to the trade sewer and storm water run-off to the storm water sewers. This procedure manages both these wastewater discharges.

Responsibilities
The Environmental Representative must ensure compliance with this procedure, must have overall management responsibility for monitoring, controlling and minimising wastewater discharges, and must be aware of the relevant procedures. All employees have responsibility for the day to day management of wastewater discharges and for ensuring that the correct disposal systems are used.

Procedures

Identification and Characterisation


All wastewater discharges must be identified and characterised. This includes storm water discharges. A drainage plan must be established and maintained which shows:
• the route of all trade sewers and storm water sewers
• referenced discharge points/surface drains to sewers
The destination of the trade and storm water sewers must also be identified and referenced on the plan.

Monitoring of Discharges
All discharges from the site must be managed so as to minimise quantities and/or environmental impact. Ways of reducing discharges in both volume and contaminant loading must be identified by:
• identifying alternative processes
• implementing washing area awareness

Managing and Minimising Discharges
No chemicals (if used) are to be disposed of down surface water or sewer drains. No hazardous materials are to be stored close to storm-water drains. The water runs off into the sewer drains.

Inspections
The Environmental Representative must conduct monthly inspections of the facility to check that operating practices conform to controlling wastewater discharges.

Targets and Objectives
The Environmental Representative must set performance targets for controlling wastewater discharges based on regulatory requirements and on the need for continuous improvement. These may comprise targets for reducing/eliminating a source process or material, or for reducing discharges by improved management or control of operations. The Environmental Representative must report at the Management Review on wastewater discharge.


Spill Response

Introduction and Objectives
To ensure that, in the event of a major spillage (where applicable), SMS plc is able to call upon suitably trained personnel and has in place procedures to prevent and mitigate the effects of the spillage on the environment. If there is spillage of any type on the premises of SMS plc or on site, spillage action procedures are in place. Spill kits are available for use by suitably trained personnel. The Environmental Representative has overall responsibility for the implementation of this procedure. In the event of spillage SMS plc will consider:
• Disposal of contaminated materials afterwards by a registered carrier.
• Advising the Environmental Agency.
• Possible disposal through the foul sewer with the sewage undertaking’s advice.
• Fire fighting.
The Environmental Representative must be responsible for the development and monitoring of the spillage response and the posting of notices where applicable.

Definitions For OHSAS 18001

Scope
This Occupational Health and Safety Assessment Series (OHSAS) specification gives requirements for an occupational health and safety (OH&S) management system, to enable an organisation to control its OH&S risks and improve its performance. It does not state specific OH&S performance criteria, nor does it give detailed specifications for the design of a management system. This OHSAS specification has assisted the organisation to:
a) Establish an OH&S management system to eliminate or minimise risk to employees and other interested parties who may be exposed to OH&S risks associated with its activities;
b) Implement, maintain and continually improve an OH&S management system;
c) Assure itself of its conformance with its stated OH&S policy;
d) Demonstrate such conformance to others;
e) Seek certification/registration of its OH&S management system by an external organisation;
f) Make a self-determination and declaration of conformance with this OHSAS specification.
g) This Health & Safety Manual covers the activities and functions performed by operations included in the scope.

Input to this Integrated System is based on the OHSAS 18001:2007 Management System. This OHSAS specification is intended to address occupational health and safety rather than product and services safety.

Reference publications
Other publications that provide information or guidance are available from HSE Books. It is advisable that the latest editions of such publications be consulted.

3.0 Terms and definitions
For the purposes of this OHSAS specification the following terms and definitions apply.

3.1 Acceptable risk
Risk that has been reduced to a level that can be tolerated by the organisation having regard to its legal obligations and its own OH&S Policy.

3.2 Audit
Systematic, independent and documented process for obtaining “audit evidence” and evaluating it objectively to determine the extent to which “audit criteria” are fulfilled.

Note: Independent does not necessarily mean external to the organisation. In many cases, particularly in smaller organisations, independence can be demonstrated by freedom from responsibility for the activity being audited. Further guidance on audit evidence and audit criteria can be found in ISO 19011.

3.3 Accident
An undesired, unplanned event giving rise to death, ill health, injury, damage or other loss.

3.4 Continual improvement
A process of enhancing the OH&S management system, to achieve improvements in overall occupational health and safety performance, in line with the organisation’s OH&S policy.

3.5 Corrective Action
Action to eliminate the cause of a detected nonconformity or other undesirable situation.
Note: There can be more than one cause for a nonconformity.
Note: Corrective action is taken to prevent recurrence whereas preventive action is taken to prevent occurrence.

3.6 Document
Information and its supporting medium.
Note: The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or a combination thereof.

3.7 Hazard
A source, situation or act with a potential for harm in terms of human injury or ill health, damage to property, damage to the workplace environment, or a combination of any of these.

3.8 Hazard identification
A process of recognising that a hazard exists and defining its characteristics.

3.9 Ill Health
Identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work related situation.

3.10 Incident
A work related event(s) in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred.
Note: An accident is an incident which has given rise to injury, ill health or fatality.
Note: An incident where no ill health, injury or fatality occurs may also be referred to as a “near miss”, “near hit”, “close call” or “dangerous occurrence”.
Note: An emergency situation is a particular type of incident.

3.11 Interested parties
An individual or group inside or outside the workplace concerned with or affected by the OH&S performance of an organisation.

3.12 Non-conformity
Non-fulfilment of a requirement.
Note: Nonconformity can be any deviation from:

• Relevant work standards, practices, procedures, legal requirements, etc.
• OH&S management system requirements.

3.13 Occupational health and safety (OH&S)
The conditions and factors that affect, or could affect, the health and safety of employees or other workers (including temporary workers and contractor personnel), visitors and any other person in the workplace.
Note: Organisations can be subject to legal requirements for the health and safety of persons beyond the immediate workplace, or who are exposed to the workplace activities.

3.14 OH&S management system
Part of an organisation’s management system used to develop and implement its OH&S policy and to manage its OH&S risks.
Note: A management system is a set of interrelated elements used to establish policy and objectives and to achieve those objectives.
Note: A management system includes organisational structure, planning activities (including, for example, risk assessment and the setting of objectives), responsibilities, practices, procedures, processes and resources.

3.15 OH&S Objective
These are goals, in terms of OH&S performance, that an organisation sets itself to achieve.
Note: Objectives should be quantified wherever practicable.
Note: 4.3.3 requires that OH&S objectives are consistent with the OH&S policy.

3.16 OH&S performance
Measurable results of an organisation’s management of its OH&S risks.
Note: OH&S performance measurement includes measuring the effectiveness of the organisation’s controls.
Note: In the context of OH&S management systems, results can also be measured against the organisation’s OH&S policy, OH&S objectives and other OH&S performance requirements.

3.17 OH&S policy
Overall intentions and direction of an organisation related to its OH&S objectives, as formally expressed by top management.
Note: The OH&S policy provides a framework for action and for the setting of OH&S objectives.

3.18 Organisation
A company, corporation, operation, firm, enterprise, institution, authority or association, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration.

3.19 Preventive Action
The action to eliminate the cause of a potential nonconformity or other undesirable potential situation.
Note: There can be more than one cause for a potential nonconformity.
Note: Preventive action is taken to prevent occurrence, whereas corrective action is taken to prevent recurrence.

3.20 Procedure
A specified way to carry out an activity or a process.

3.21 Record
A document stating results achieved or providing evidence of activities performed.

3.22 Risk
A combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s).

3.23 Risk assessment
The overall process of evaluating the risk(s) from a hazard(s), taking into account the adequacy of any existing controls and deciding whether or not the risk(s) is acceptable.

3.24 Safety
Freedom from unacceptable risk of harm.

3.25 Workplace
Any physical location in which work related activities are performed under the control of the organisation.
Note: When giving consideration to what constitutes a workplace, the organisation should take into account the OH&S effects on personnel who are, for example, travelling or in transit (e.g. driving, flying, on boats and trains), working at the premises of a client or customer, or working at home.

Table of AMENDMENTS

Document Number | Page Number | Issue | Date | Description of Change | Authorisation

Accidents & Incidents

1. Introduction and Scope
The organisation ensures that all safety measures and risks that affect the workplace are fully understood and that the workforce are fully aware of Health & Safety legislative requirements and compliance, to reduce accidents, incidents and hazards at all times.

2. Responsibilities
The Health & Safety representative and the Management Appointee have overall responsibility for the implementation of this procedure.

3. Procedure
The Organisation has established and maintained procedures for defining responsibility and authority for:
a) The handling and investigation of:
• Accidents;
• Incidents;
• Non-conformances.
b) Taking action to mitigate any consequences arising from accidents, incidents or non-conformances;
c) The initiation and completion of corrective and preventive actions;
d) Confirmation of the effectiveness of corrective and preventive actions taken.

These procedures require that all proposed corrective and preventive actions shall be reviewed through the risk assessment process prior to implementation.


Any corrective or preventive action taken to eliminate the causes of actual and potential non-conformances shall be appropriate to the magnitude of the problems and commensurate with the OH&S risk encountered. The Organisation shall implement and record any changes in the documented procedures resulting from corrective and preventive action.

4. Process
The organisation has prepared documented procedures to ensure that accidents, incidents and non-conformances are investigated and corrective and/or preventive actions initiated. Progress in the completion of corrective and preventive actions should be monitored and the effectiveness of such actions reviewed.

5. Procedures
The procedures should include consideration of the following items:
• define the responsibilities and authority of the persons involved in implementing, reporting, investigating, following up and monitoring corrective and preventive actions;
• require that all non-conformances, accidents, incidents and hazards be reported;
• apply to all personnel (i.e. employees, temporary workers, contractor personnel, visitors and any other person in the workplace);
• take into account property damage;
• ensure that no employee suffers any hardship as a result of reporting a non-conformance, accident or incident;
• clearly define the course of action to be taken following non-conformances identified in the OH&S management system.

6. Immediate action
Immediate action to be taken upon observation of non-conformances, accidents, incidents or hazards should be known to all parties. The procedures should:
• Define the process for notification;
• Where appropriate, include co-ordination with emergency plans and procedures;
• Define the scale of investigative effort in relation to the potential or actual harm (e.g. include management in the investigation for serious accidents).

7. Recording
Appropriate means should be used to record the factual information and the results of the immediate investigation and the subsequent detailed investigation. The Organisation should ensure that the procedures are followed for:
• Recording the details of the non-conformance, accident or hazard;
• Defining where the records are to be stored and responsibility for the storage.

8. Investigation
The procedures define how the investigation process should be handled. The procedures should identify:
• The type of events to be investigated (e.g. incidents that could have led to serious harm);
• The purpose of investigations;
• Who is to investigate, the authority of the investigators and the required qualifications (including line management when appropriate);
• The root cause of the non-conformance;
• Arrangements for witness interviews;
• Practical issues such as availability of cameras and storage of evidence;
• Investigation reporting arrangements, including statutory reporting requirements.


Investigatory personnel should begin their preliminary analysis of the facts while further information is collected. Data collection and analysis should continue until an adequate and sufficiently comprehensive explanation is obtained.

9. Follow-up
Corrective or preventive action should be taken as permanently and effectively as practicable. Checks should be made on the effectiveness of the corrective/preventive action taken. Outstanding/overdue actions should be reported to top management at the earliest opportunity.

10. Non-conformance, accident and incident analysis
Identified causes of non-conformances, accidents and incidents should be classified and analysed on a regular basis. Accident frequency and severity ratings should be calculated in accordance with accepted industrial practice for comparison purposes. Classification and analysis should be carried out on the following items:
• reportable or lost-time injury/illness frequency or severity rates;
• location, injury type, body part, activity involved, agency involved, day, time of day (whichever is appropriate);
• type and amount of property damage;
• direct and root causes.
Due attention should be given to accidents involving property damage. Records relating to the repair of property can be an indicator of damage caused by an unreported accident/incident.
Accident and illness data/information are vital as they can be a direct indicator of OH&S performance. However, caution should be exercised in their use, as the following points need to be considered:
• most Organisations have too few injury accidents or cases of work-related illness to distinguish real trends from random effects;
• if more work is done by the same number of people in the same time, increased workload alone can account for an increase in accident rates;
• the length of absence from work attributed to injury or work-related illness can be influenced by factors other than the severity of the injury or occupational illness;
• accidents are often under-reported (and occasionally over-reported). Levels of reporting can change; they can improve as a result of increased workforce awareness and better reporting and recording systems;
• a time delay will occur between OH&S management system failures and harmful effects. Moreover, many occupational diseases have long latent periods. It is not desirable to wait for harm to occur before judging whether the OH&S management system is working.
Valid conclusions are drawn from this analysis and corrective action is taken. At least annually, the analysis is circulated to top management and included in the management review.

Monitoring and communicating results
The effectiveness of OH&S investigations and reporting is assessed. The assessment will be objective and will yield a quantitative result where possible. The Organisation, having studied the investigation, will:
• identify the root causes of deficiencies in the OH&S management system and in the general management of the Organisation where applicable;
• communicate findings and recommendations to management and relevant interested parties;
• include relevant findings and recommendations from investigations.

Participation, Communication and Consultation
1. Introduction and Scope
This procedure is to ensure that pertinent new information is communicated to and from employees and all other interested parties.
2. Responsibilities
The Health & Safety Representative is responsible for the implementation of this procedure.
3. Procedure
Employee involvement and consultation arrangements shall be documented and interested parties informed. Employees will be:
• involved in the development and review of policies and procedures to manage risks;
• consulted where there are any changes that affect workplace health and safety;
• represented on health and safety matters; and
• informed as to who is their employee OH&S representative(s) and the specified management attendee.
4. Intent
The Organisation encourages participation in good OH&S practices and support for its OH&S policy and OH&S objectives from all those affected by its operations by a process of consultation and communication.
5. Typical Inputs
Typical inputs include the following items:
• OH&S policy and OH&S objectives;
• relevant OH&S management system documentation;
• hazard identification, risk assessment and risk control procedures;
• definitions of OH&S roles and responsibilities;
• results of formal employee OH&S consultations with management;
• information from employee OH&S consultations, review and improvement activities in the workplace (these activities can be either reactive or proactive in nature).
6. Process
The Organisation documents and promotes the arrangements by which it consults on and communicates pertinent OH&S information to and from its employees and other interested parties (e.g. contractors, visitors). This includes arrangements to involve employees in the following processes:
• consultation over the development and review of policies, the development and review of OH&S objectives and decisions on the implementation of processes and procedures to manage risks, including the carrying out of hazard identification and the reviewing of risk assessments and risk controls relevant to their own activities;
• consultation over changes affecting workplace OH&S, such as the introduction of new or modified equipment, materials, chemicals, technologies, processes, procedures or work patterns.
Employees are represented on OH&S matters and are informed as to who is their employee representative and the specified management appointee.
7. Typical Outputs
• formal management and employee consultations through the OH&S committee and similar bodies;
• employee involvement in hazard identification, risk assessment and risk control;
• initiatives to encourage employee OH&S consultations, review and improvement activities in the workplace and feedback to management on OH&S issues;
• notice board and poster information;
• employee OH&S representatives with defined roles and communication mechanisms with management, including, for example, involvement in accident and incident investigations, site OH&S inspections etc.

Purchasing and Sub-contractor Control
1. Introduction and Scope
A system of instructions is needed for specifying Health & Safety requirements for purchased products and services and for evaluating and monitoring suppliers and sub-contractors.
2. Responsibilities
The Health & Safety Representative must identify purchased products and services associated with significant Health & Safety aspects and with Health & Safety objectives and targets, and the Purchasing Officer must evaluate the supplier's ability to meet these requirements.
3. Procedure
The Health & Safety Representative must develop and maintain the Accidents/Incidents records. High ratings must be considered significant. The Health & Safety requirements may be:
• an OH&S policy from the supplier;
• material safety data sheets;
• chemical analysis reports;
• specific life cycle elements;
• packaging requirements;
• performance and reliability requirements;
• recycling considerations.
The Purchasing Officer must ensure that all specified Health & Safety requirements are included in the purchase order or contract. When a product or service is seen not to meet its Health & Safety specification it will be reported to the Health & Safety Representative, who will evaluate the problem and, if necessary, raise the appropriate documentation. In the case of a failure to meet the company specification, a non-conformance report will be completed and processed through the corrective and preventive action procedure.

Risk Assessment - Hazard Control
1. Introduction and Scope
OHSAS 18001 requires that Health & Safety impacts are identified, evaluated and registered, and the scope of this section covers all activity within the company that has a Health & Safety impact. (A risk is an element of the Organisation's activities, products or services which can interact with the safe working systems.)
2. Responsibilities
Though the most senior manager in the company has the overall responsibility for the implementation of this procedure, the Health & Safety Representative must cover day-to-day operation and the maintenance of records of impacts.
3. Procedure Intent
The Organisation has a total appreciation of all significant OH&S hazards in its domain, after using the processes of hazard identification, risk assessment and risk control.

The hazard identification, risk assessment and risk control processes and their outputs are the basis of the whole OH&S system. It is important that the links between the hazard identification, risk assessment and risk control processes and the other elements of the OH&S Management System are clearly established and apparent.
4. Risk Assessment and Risk Control
The hazard identification, risk assessment and risk control processes enable the Organisation to identify, evaluate and control its OH&S risks on an ongoing basis. In all cases, consideration is given to normal and abnormal operations within the Organisation and to potential emergency conditions. The Organisation has included (but not limited itself to) the following items:
• legislative and regulatory requirements;
• identification of OH&S risks faced by the Organisation;
• an examination of all existing OH&S management practices, processes and procedures;
• an evaluation of feedback from the investigation of previous incidents, accidents and emergencies.

5. Typical Inputs
Typical inputs include the following items:
• OH&S legal and other requirements;
• OH&S policy;
• records of incidents and accidents;
• non-conformances;
• OH&S Management System audit results;
• communications from employees and other interested parties;
• information from employee OH&S consultations, review and improvement activities in the workplace (these activities can be either reactive or proactive in nature);
• information on best practice, typical hazards related to the Organisation, and incidents and accidents that have occurred in similar Organisations;
• details of change control procedures;
• site plans;
• process flow charts;
• inventory of hazardous materials (raw materials, chemicals, wastes, products and sub-products);
• toxicology and other COSHH data;
• monitoring data;
• workplace environmental data.
6. Review of Hazard Identification, Risk Assessment and Risk Controls
The review:
• provides for the classification of risks and the identification of those that are to be eliminated or controlled;
• is consistent with operating experience and the capabilities of the risk control measures employed;
• provides input into the determination of facility requirements, the identification of training needs and/or the development of operational controls;
• provides for the monitoring of required actions to ensure both the effectiveness and timeliness of their implementation.
The review takes account of:
• the nature of the hazard;
• the magnitude of the risk;
• changes from normal operation;
• changes in raw materials, chemicals etc.
Typical outputs:
• level of risk, tolerable or not tolerable;
• measures and monitoring to control the risk;
• actions to monitor and reduce the risk;
• training requirements to implement control measures;
• data recording as generated.

Emergency Preparedness & Response
1. Introduction and Objectives
To ensure that the site minimises the risk, injury and damage in the event of an emergency. Fire is the major identified effect and is therefore the focus of this procedure.
2. Responsibilities
2.1 The Health & Safety Representative/Competent Person has overall responsibility for the implementation of this procedure.
2.2 The Managing Director has the ultimate responsibility for the entire Organisation's Health & Safety, covering both staff and the company's premises.
2.3 The Safety Representative/Competent Person is to ensure that a fire safety plan is drawn up.
3. Procedure
To ensure that the Organisation is able to respond in the case of a fire, it reviews the potential for such an occurrence and the most appropriate actions to take. To determine whether these actions are appropriate and understood, they are tested from time to time.
4. Process
The following precautions shall be instigated in order to reduce the risk of uncontrolled fires:
• Suitable fire extinguishers shall be stationed in Offices, Stores and Canteens etc., in positions where they can be easily seen and reached. The position of fire extinguishers shall be clearly indicated with appropriate signs.
• Consideration shall be given to the type of extinguisher issued, bearing in mind the most likely use to which it may be put. For example:
WATER TYPE EXTINGUISHERS - general use on materials where no special risks are involved. NOT to be used on live electrical or flammable liquid fires.
FOAM TYPE EXTINGUISHERS - suitable for flammable liquids but NOT to be used on live electrical fires.
DRY POWDER EXTINGUISHERS - suitable for most materials including live electrical and flammable liquid fires.
CARBON DIOXIDE EXTINGUISHERS - suitable for most materials including live electrical and flammable liquid fires. It should be noted that carbon dioxide displaces the oxygen and therefore in small confined spaces there is a risk of asphyxiation. In addition, when these extinguishers are used in the open air their effectiveness can be reduced in windy conditions.
• Where any process being carried out involves a special risk of fire, e.g. hot work, then suitable extinguishers shall be stationed nearby.
• All extinguishers shall be regularly checked and re-charged as necessary.
• Access routes, stairwells and Fire Exits must be kept clear of rubbish and obstructions.
• In areas where a special risk of fire exists, i.e. gas bottle stores, paint stores, fuel delivery areas and fuel stores etc., suitable warning signs designating them as "NO SMOKING AREAS" must be displayed.
• Fire points with suitable extinguishers and signs to indicate their position will be provided to protect the structure from fire risks.
• Employees will not place themselves at risk by fighting fires and shall only tackle fires that pose them no direct risk.
• Special care shall be taken to ensure that the passive fire protection arrangements for premises are not breached by our works. For example, fire doors will not be wedged or propped open.
• Where necessary to ensure the safety of persons on site, emergency exit routes to a safe location shall be established and clearly signposted.
5. Fire Drills and Fire Alarms

The Organisation has effective measures to warn personnel in the event of fire. Alarms will be regularly maintained and tested at intervals no greater than 3 months, and a record of these tests kept. The Safety Representative/Competent Person will appoint fire marshals who will take charge in the event of an outbreak of fire or during fire drills. Marshals will receive training. Fire notices shall be posted on notice boards to instruct staff on the measures to be taken in the event of fire. Designated assembly points in suitable locations will be provided and indicated with signs. Employees shall be advised which is their appropriate assembly point to attend in the event of fire. Full evacuation fire drills should be conducted once, preferably twice, per year.

Objectives and Targets
1. Introduction
The Organisation has established and maintains documented occupational Health & Safety objectives at each relevant function and level within the Organisation. Objectives should be quantified wherever practicable. When establishing and reviewing its objectives, the Organisation has considered its legal and other requirements, its OH&S hazards and risks, its technological options, its financial, operational and business requirements and the views of interested parties. The objectives shall be consistent with the OH&S policy, including the commitment to continual improvement. It is necessary to ensure that, throughout the Organisation, measurable OH&S objectives are established to enable the OH&S policy to be achieved.
2. Typical Inputs
Typical inputs include the following items:
• policy and objectives relevant to the Organisation's business as a whole;
• results of hazard identification, risk assessment and risk control;
• legal and other requirements;
• technological options;
• financial, operational and business requirements;
• views of employees and interested parties;
• information from employee OH&S consultations, review and improvement activities in the workplace (these activities can be either reactive or proactive in nature);
• analysis of performance against previously established OH&S objectives;
• past records of OH&S non-conformances, accidents, incidents and property damage;
• results of the management review.

3. Process
Using information or data from the "Typical Inputs" described above, appropriate levels of OH&S objectives are set. During the establishment of OH&S objectives, particular regard should be given to information or data from those most likely to be affected by individual OH&S objectives, as this helps to ensure that they are reasonable and more widely accepted. It is also useful to consider information or data from sources external to the Organisation, e.g. from contractors or other interested parties. Meetings of the appropriate levels of management for the establishment of OH&S objectives are held regularly (at least on an annual basis).

The OH&S objectives will address both broad corporate OH&S issues and OH&S issues that are specific to individual functions and levels within the Organisation. There should be clear links between the various levels of goals and OH&S objectives. Examples of types of OH&S objectives include:
• the introduction of additional features into the OH&S management system;
• the steps taken to improve existing features, or the consistency of their application.
The OH&S objectives should be communicated (e.g. via training or group briefing sessions) to relevant personnel and be deployed through the OH&S management programme. Typical outputs include documented, measurable OH&S objectives for each function in the Organisation.

Operational Control and Calibration
1. Introduction and Scope
A system of instructions is needed for specifying operations associated with significant Health & Safety aspects, to assign responsibilities and to provide systems for their control.
2. Responsibilities
The Health & Safety Representative must identify operational activity associated with significant Health & Safety risks and with Health & Safety objectives and targets, and the operations supervisors must ensure that these requirements are carried out as specified.
3. Procedure
The Health & Safety Representative must develop and maintain a Risk Assessment Record. High ratings must be considered significant. The supervisors responsible for operational areas and activities will evaluate the need for controls and consider the following:
• legal and regulatory needs;
• any history of Health & Safety incidents;
• impact of the Organisation's Health & Safety policy;
• potential severity of Health & Safety impacts that may arise;
• use of available technology;
• balancing the control of impact against productivity and cost.
Where the absence of written work instructions may lead to deviation from the Health & Safety policy, they should be in written form. The work instructions need not be issued and controlled as a part of the Health & Safety Management System when adequate written control is available in other areas, such as departmental or Health & Safety management systems. The maintenance of equipment and systems associated with significant risk is considered and must be implemented where it is not covered by other departmental or Health & Safety management systems.

Information Security
ISM 01 Organisational Security
ISM 02 Asset Classification and Control
ISM 03 Personnel Security
ISM 04 Physical & Environmental Security
ISM 05 Access Control
ISM 06 Acquisitions, Development & Maintenance
ISM 07 Incident Management
ISM 08 Compliance

Information Security Master Forms Register
Standard Operating Procedure Titles:
• Document Register
• Asset Register
• Statement of Applicability
• Information Security Training Record
• Information Security Skills Matrix
• Visitor Log
• Feedback / Incoming Communications Action Form
• Information Security Internal Audit Programme
• Information Security Internal Audit Report
• Information Security Management Review Meeting Report
• Competent Person Register
• Competent Person Detail Sheet
• Information Processing Equipment Problems, Maintenance & Repair Record
• Email and Internet Employee Policy
• Password Security Policy
• Confidentiality Agreement
• System Fault, Security Incident & Software Malfunction Log
• Software Register
• Mobile Computing Policy
• Network Activity Log
• Information Security Legislation (UK)
• Feedback / Incoming Communications Action Log
• Non-Disclosure Agreement
• IT Infrastructure Schematic
• System Vulnerability Log
• Disaster Recovery Plan
• Confidentiality Agreement (Employee)
• Server Maintenance Policy
• Disciplinary Procedure - Contract of Employment
• Contract of Employment
• Data Protection Registration
• Physical Security Perimeter Schematic
• Backup, Anti-Virus, Spyware Routines

Organisational Security ISM 01
Introduction
A management framework needs to be established to manage and control the implementation of information security within the Organisation.
Scope
The Organisation should produce and maintain adequate documentation to establish, and provide appropriate management to control, information security within the Organisation. Specialist advice should be available when required, external contacts should be developed to ensure the Organisation is up to date with information security practices, and a multi-disciplined approach should be used when circumstances require it.
Responsibility
It is the responsibility of the Information Security Management Representative to ensure that:
• the Information Security Management System is adequately managed;
• documents are properly controlled and approved and are readily available to those personnel that need to use them;
• specialist advice is available through the Competent Person(s) when required;
• a multi-disciplined approach is adopted where significant benefits can be achieved.
Procedure
The objective is to manage information security within the Organisation. Where the Organisation believes that input to a specific project would benefit from the establishment of a multi-disciplined forum, it will convene a forum under the responsibility of a chairman. However, it is the firm belief of Senior Management that this requirement would not be of value in the Organisation at its present size and level of staffing and activity, except for the formal Information Security Management Review Meetings. The situation will be reviewed as activity and staffing levels grow.
Specialist Advice
To meet its requirement to provide specialist advice when required, the Organisation will identify a Competent Person to provide this service, and contact will be made through the Information Security Management Representative. Initial contact may be made verbally, but the details of the request for advice, and the response, will always be confirmed in writing. There may be more than one Competent Person identified at any one time, where differing specialities are required. A Competent Person may be a member of the Organisation's own staff or the resource may be obtained from an external source.
Information security co-ordination
In the event of the Organisation's interests being best served by the formation of a management forum other than that convened for the formal Management Review Meetings, a detailed specification for its terms of reference will be developed.
Allocation of responsibilities

Responsibilities will be clearly defined for the protection of individual information security assets as required in the Information Security Policy. Additional requirements for specific situations may be added and may include business continuity planning. The overall responsibility for the development and implementation of the information security management system rests with the Information Security Management Representative, but this is not intended to take control of resourcing and implementing the agreed Information Security Controls away from individual functional managers. Areas of responsibility for each functional manager are specified with consideration given to:
• clear identification of each information asset and its allocation to an individual;
• documentation of each asset and who is responsible for it;
• authorisation levels being clearly defined.

Authorisation process for information processing facilities
New facilities will be approved by Top Management, and all relevant information security policies and requirements will be checked by the Information Security Representative. Compatibility checks will be undertaken where necessary, and the processing of personal information will require authorisation and will be kept under strict control.
Co-operation between organisations
The Organisation has established channels to appropriate external legal authorities, regulatory bodies, information service providers and telecommunications operators to enable rapid resolution of security incidents. Confidentiality is protected in all these dealings.
Independent review of information security
Policy documents will be reviewed at least annually by internal audit procedures, and an independent third party audit will be conducted and reported on at least annually.

External parties
The objective is to maintain the security of the company's information and information processing systems where they are accessed, processed, communicated to, or managed by external parties. When the Organisation requires third party access to its information processing facilities there are potential threats to security. Procedures must be put in place to protect against these threats. The Organisation will control access to its information processing facilities through its established risk assessment procedures, and these controls will be agreed and defined in contractual form with each applicable third party. It is the responsibility of the Information Security Representative to ensure that the contract is agreed and signed by both parties before access to the facility is permitted. Details within the contract should be checked by Top Management, and control of on-site contractors may be delegated to an identified manager.
Identification of risks from third party access
The type of access will be defined as either physical access to premises or logical access to databases or information systems. The reason for access permission will be defined, including off-site contractors supplying a service, which may present an information security threat. Such reasons may include:
• hardware & software support staff;
• customers;
• trading partners & joint ventures exchanging information, when applicable.
Addressing security when dealing with customers
Should a customer require access to the company's information or assets, Top Management will ensure the terms of such access are contained in a written contractual agreement, either in their Order or agreed in separate supporting documentation. The contractual requirements will include the identification of security requirements, and all such requirements will have been addressed and in place prior to the customer being given access.
Addressing security in third party agreements
On-site third party contractors working for a defined period and requiring contractual control may include:
• hardware and software maintenance support services;
• casual and short term appointments;
• consultants.
Consideration should be given to the inclusion of confidentiality and non-disclosure clauses in the contract. The indemnity of the third party contractor should be checked, and the following terms should be considered for inclusion in all contracts as appropriate and applicable:
• the Organisation's information security policy;
• procedures to determine whether assets have been compromised;
• destruction or return of assets, including information and software, to an agreed plan;
• integrity and availability;
• disclosure of information provisions and copying restrictions;
• a description of the services to be made available;
• levels of service denoting the range of acceptability from that "required" to the "unacceptable";
• provisions for staff transfer;
• respective liabilities;
• legal responsibilities, national and, where required, international;
• intellectual property rights, copyright and collaborative work protection;
• asset control agreements covering access methods, unique identifiers and the authorisation process for them, with a listing of the individuals concerned and their rights and privileges;
• the definition of verifiable performance criteria and reporting;
• the right to monitor and revoke user activity;
• the right to third party audit of the contractual responsibilities;
• escalation clauses and contingency arrangements;
• maintenance responsibilities for hardware and software;
• clear reporting structure, including the procedure for Change Management and reporting processes;
• controls and mechanisms for physical protection;
• user and administrator training covering methods, procedures and security;
• malicious software protection;
• reporting of security incidents and breaches and their investigation;
• involvement of the third party with subcontractors.

Assets Classification & Control ISM 02
Introduction
The Organisation's information assets need to be protected, and in order to achieve this an asset register has to be compiled and used as a basis for classification. "Owners" need to be allocated to key assets for maintenance and control.
Scope
All information assets need to be reviewed and the significant items need to be identified and subjected to the Organisation's risk assessment procedures. This applies to assets within the Organisation and to those held by subcontractors and outsourced processors.
Responsibility
It is the responsibility of Top Management to:
• ensure that the Asset Register is completed;
• approve the Asset Register and the Classification levels applied.
It is the responsibility of the Information Security Representative to:
• ensure that the classification exercise and risk assessment follow the process as laid out in the Organisation's procedures.
Responsibility for assets
The objective is to achieve and maintain appropriate protection of the company's information assets.
Inventory of assets
The Information Security Management Representative will liaise with all Functional Managers to ensure an Asset Register is generated with a complete inventory of information assets. Information assets include:
• information items such as databases, data files, system documentation, user manuals, training course material, operation and support material, continuity plans, fallback arrangements and archive information;
• software assets such as applications software, system software, development tools and utilities;
• physical assets such as computers (laptops, modems, monitors, processors etc.), communications equipment (routers, PABXs, faxes, answer machines etc.), magnetic media, furniture, accommodation, power supplies and air conditioning units.
Each entry on the Asset Register will be allocated a unique Asset Register Number made up of the Category Item Number with a numeric extension for each asset in the Category.
Ownership of assets
For each information asset identified, the Information Security Management Representative will ensure an owner is designated and recorded against the entry on the Asset Register. The term "owner" identifies an individual or entity that has been given approved management responsibility for controlling the production, development, maintenance, use and security of an asset. If the name of the owner does not clearly define the location of the asset, the location will also be noted in the entry.
Acceptable use of assets The company has established rules for the acceptable use of information assets and these will apply to employees, contractors and third parties. Acceptable use rules cover: • emails; • internet usage; • mobile devices, such as laptops, PDAs, and telephones. Information classification The objective is to ensure that information receives an appropriate level of protection.

Classification guidelines Asset Classification provides a means of determining how information is to be handled and protected after taking in to account business needs for sharing and restricting the information. Information outputs may be classified according to value, sensitivity, integrity and availability. Consideration will be given to “over classification” and an understanding that the value of information can change with time, for example when it is made public. The number of categories will be limited to three to avoid uneconomic and unenforceable controls and a clear nomenclature will be used to prevent confusion with other classification systems. The Classification definition of each item of information will rest with the nominated owner and will be checked by the Information Security Management Representative and approved by Top Management. Information asset classification levels An extension to the Asset Number, as appropriate to the type of asset, will be used to define the sensitivity level of the information itself: • First Level: highly Confidential & restricted to top level management; • Second Level: restricted & available only to senior and specified management; • Third Level: private & will cover everything else that has value and will be accessible to Company personnel. Information labelling and handling Information will be labelled in accordance with the appropriate procedure and the following types of information processing activity are included: • copying; • storage; • transmission by fax, post and electronic mail; • transmission by spoken word, mobile phone, voicemail and answering machines; • Destruction. Documentation and inputs to classified information systems will carry the applicable designated Classification Level and examples would include printed report, screen displays, recorded media, (tapes, discs, CD’s, cassettes) electronic messages and file transfers. 
Where possible, physical labelling will be used but it is acceptable to use electronic labelling when physical labelling is clearly not possible.
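
The numbering and classification scheme described above, worked through as an added example (not part of the manual or the company’s own register). It follows the manual’s rule that an Asset Register Number is the Category Item Number plus a numeric extension per asset in that category, adds a further extension for the three classification levels, and checks a role against the audience each level allows. The category numbers, role names and sample assets are constructed assumptions; the manual defines the categories and levels but not these values.

```python
"""Asset Register numbering and classification-level handling check.

Added illustration, not part of the Smart Metering Systems manual. The
category numbers, role names and sample assets below are constructed
assumptions; only the three categories and three levels come from the manual.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed Category Item Numbers for the three categories in the manual.
CATEGORIES = {"information": 1, "software": 2, "physical": 3}

# Who may access each classification level (role names are assumed).
LEVEL_AUDIENCE = {
    1: {"top_management"},
    2: {"top_management", "senior_management"},
    3: {"top_management", "senior_management", "staff"},
}
LEVEL_LABEL = {1: "HIGHLY CONFIDENTIAL", 2: "RESTRICTED", 3: "PRIVATE"}


@dataclass
class Asset:
    register_number: str   # e.g. "1-003-2": category 1, third asset, level 2
    name: str
    category: str
    owner: str
    level: int
    location: Optional[str] = None


@dataclass
class AssetRegister:
    assets: Dict[str, Asset] = field(default_factory=dict)
    _next_seq: Dict[str, int] = field(default_factory=dict)

    def add(self, name: str, category: str, owner: str, level: int,
            location: Optional[str] = None) -> Asset:
        """Register an asset; refuses entries without an owner or a valid level."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        if level not in LEVEL_AUDIENCE:
            raise ValueError("classification level must be 1, 2 or 3")
        if not owner:
            raise ValueError("every asset must have a designated owner")
        seq = self._next_seq.get(category, 0) + 1
        self._next_seq[category] = seq
        number = f"{CATEGORIES[category]}-{seq:03d}-{level}"
        asset = Asset(number, name, category, owner, level, location)
        self.assets[number] = asset
        return asset

    def may_access(self, register_number: str, role: str) -> bool:
        """Classification check: is this role within the level's audience?"""
        return role in LEVEL_AUDIENCE[self.assets[register_number].level]

    def label(self, register_number: str) -> str:
        """Label text for printouts, screens and media carrying this asset."""
        asset = self.assets[register_number]
        return f"{LEVEL_LABEL[asset.level]} / {register_number} / owner: {asset.owner}"

    def review_items(self) -> List[str]:
        """Entries the Representative should chase: no location recorded."""
        return [n for n, a in self.assets.items() if not a.location]


def build_sample_register() -> AssetRegister:
    """Constructed sample entries covering the three categories."""
    reg = AssetRegister()
    reg.add("Customer meter database", "information", "Head of IT", 1, "Server room")
    reg.add("User manuals", "information", "Ops Manager", 3, "Shared drive")
    reg.add("Metering application", "software", "Head of IT", 2)
    reg.add("Laptop fleet", "physical", "Office Manager", 3, "Glasgow office")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for number in reg.assets:
        print(reg.label(number))
    print("missing location:", reg.review_items())
```

The register refuses an entry with no owner, which mirrors the ownership rule above, and `review_items` lists entries whose location was not recorded, the case the manual says must be noted when the owner’s name does not make the location clear.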


Personnel Security ISM 03

Introduction
There is a need to reduce the risk of human error, theft, fraud or misuse of facilities. To minimise the prospects of such occurrences, security screening is introduced at the recruitment or procurement stage and requirements are included in contracts.

Scope
All personnel and third parties with access to information security assets will be screened at the recruitment or procurement stage and required to sign confidentiality and/or non-disclosure agreements as appropriate.

Responsibility
It is the responsibility of Top Management to:
• ensure that clear controls are in place for the recruitment of employees and other third party users such as contractors or temporary staff;
• sign, on behalf of the Company, all contracts generated;
• ensure that the contracted requirements are observed.

Security in job definition and resourcing
The objective is to ensure that employees, contractors and third party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Including security in job responsibilities
All security roles and responsibilities are documented as laid down in the organisation’s Information Security Policy. The specification will include general and specific requirements.

Personnel screening and policy
Prior to confirming an appointment of a job applicant, the following controls will be applied:
• satisfactory character references, normally at least one business and one personal;
• a check on the applicant’s CV, and all other documentation in the application form and supporting documentation, for completeness and accuracy;
• confirmation of academic and professional qualifications where information security risk analysis requires it;
• an independent identity check (passport or similar document);
• a credit check where appropriate.

The same process will be required for contractors or temporary staff. Where an agency is involved, it should be made aware of the need to follow these procedures, and the results will need to be reviewed. The level of supervision required for new staff should be determined, and continual awareness of changes in the lifestyle and personal circumstances of employees is encouraged.

Terms and conditions of employment
Terms and conditions of employment will state the employee’s responsibility for information security and will define the period of cover on termination of employment, including action to be taken if the security requirements are disregarded.


During employment
The objective is to ensure that all employees, contractors and third party users:
• are aware of information security threats and concerns, and of their responsibilities and liabilities;
• are equipped to support the company’s Information Security Policy in the course of their normal work;
• are aware of the need to reduce the risk of human error.
Users of information will be made aware of threats and concerns and be equipped to support the organisation in the fulfilment of its security policy.

Management responsibilities
Top Management and senior management have the overall responsibility to ensure that employees, contractors and third party users of the company’s information and information processing systems are aware of the company’s information security policies and procedures.

Information security awareness, education and training
All employees, and contractors or third party users where relevant, will receive appropriate training and updates in security requirements, legal responsibilities and business controls. They will also be formally trained in the correct use of information processing facilities, such as log-on and the use of software packages, before access is granted.

Disciplinary process
There is a formal disciplinary process in place, noted in the contract of employment, for employees who violate the organisation’s information security policies.

Termination or change of employment
The objective is to ensure that employees, contractors and third party users leave the company or change employment in an orderly manner.

Termination responsibilities
Top Management, in consultation with the applicable manager or supervisor, will ensure that all termination aspects of an employment contract have been complied with, including hand-over of responsibilities and ongoing assignments. Top Management will liaise with the representatives of a contractor or other third party user of the company’s systems to ensure that all termination aspects of a service or other contract have been complied with. All termination requirements will be satisfactorily completed prior to the individual finally leaving the company, or will be the subject of a separate formal agreement.

Return of assets
Prior to leaving the company, all assets owned by the company will be returned upon termination of employment or contract. Assets will include:
• financial, such as credit cards;
• human resource and fixed assets, such as cars etc.

The termination interview will include coverage of all the above asset classifications, particularly with regard to documentation containing classified information.


Top Management will ensure a risk assessment is performed prior to the completion of the termination action to identify any knowledge that should be retained and to plan methods for retaining it, particularly in the case of someone being unwillingly terminated.


Physical & Environmental Security ISM 04

Introduction
Unauthorised access to the organisation’s premises may result in information and its processing being compromised.

Scope
All critical or sensitive business information processing facilities are housed in the server room with appropriate access controls. The protection provided is commensurate with the classification levels of the assets.

Responsibilities
It is the responsibility of Top Management to:
• ensure that clear controls are in place for the physical security of the premises within the defined secure premises.

Secure areas
The objective is to prevent unauthorised physical access, damage and interference to the organisation’s premises and information.

Physical security perimeter
In the development of the secure perimeter the following guidelines will be considered:
• the perimeter needs to be defined;
• the perimeter defences should be strong, and external walls and doors should be of solid construction;
• control mechanisms should be in place to protect against unauthorised access, such as bars, alarms and locks;
• physical access to the site should be via a controlled reception point, and all visitors should be authorised;
• physical barriers should be from real floor to real ceiling to prevent unauthorised entry and damage from fire or flood;
• fire doors through the secure perimeter should be alarmed and should have automatic closure.

Physical entry controls
The following procedures will be followed when using entry controls to secure areas:
• the entry codes for each designated controlled access point will be issued to authorised personnel only;
• Top Management will ensure entry codes are regularly changed and re-issued;
• all visitors will be checked in and checked out using an entry in the Visitor Log;
• visitors will be made aware of existing security and emergency procedures;
• sensitive information processing areas and sensitive information will be controlled and restricted to authorised persons only;
• visitors will carry identification badges, and staff should be encouraged to challenge unidentified strangers;
• access rights to secure areas will be reviewed regularly.

Securing offices, rooms and facilities
In designing secure areas, the organisation will take into consideration the possibilities of damage from flood, fire, explosion, civil unrest and other forms of man-made disaster. The following points will also be considered as appropriate:
• key facilities should be sited to avoid public access, including being overlooked if appropriate;
• no outward signs of the purpose of the building should be present;
• support functions and equipment such as photocopiers and fax machines should be in the secure areas to reduce unnecessary journeys through the controlled access point;
• doors and windows should be locked when unattended, and external protection should be considered for windows, particularly at ground level;
• intruder alarms should be installed to appropriate standards, and unoccupied areas alarmed at all times;
• there should be separate secure areas for the organisation’s information processing facilities and those of third parties;
• internal directories should not be publicly available;
• hazardous and combustible materials will be stored outside secure areas;
• fallback equipment and back-up media should be stored off site.

Protecting against external and environmental threats
Controls are in place to limit, as far as is practical, damage to the company’s premises, and in particular any areas designated as secure areas, from external and environmental threats, including:
• fire;
• flood;
• lightning strike;
• explosion.

The controls for the above threats are contained in the company’s procedures covering health and safety and fire precautions. Other forms of natural or man-made disaster, such as earthquake, terrorism and civil unrest, are currently regarded as a very low or non-existent threat and therefore no active controls are in place. However, the need for such controls will be regularly reviewed through monitoring local and national conditions, government advice and the formal Management Review Cycle.

Working in secure areas
Additional controls for third parties and third party activities working in secure areas will include:
• awareness of activity in a secure area should be on a need-to-know basis;
• activity in secure areas should always be supervised;
• vacant secure areas should be locked and checked from time to time;
• access of third parties to secure areas should be authorised and monitored, and granted only when required;
• the necessity to ensure that a logical grouping of secure activities takes place, to avoid confusion in access permissions;
• it is prohibited to take video, audio or other recording equipment into secure areas without permission.

Equipment security
The objective is to ensure equipment is protected against threats and environmental hazards, to prevent loss, damage or compromise of assets and interruption to business activities.

Equipment siting and protection
The following controls will be considered:
• siting of the equipment to avoid unnecessary access;
• sensitive processing and storage facilities should be sited to avoid being overlooked;
• special items should be isolated;
• controls to minimise the risk from theft, fire, explosives, smoke, water, dust, vibration, chemicals, electrical supply interference or electromagnetic radiation;
• eating, drinking and smoking are restricted;
• environmental conditions should be monitored for extreme conditions;
• special protective methods for equipment in difficult environments;
• disaster situations arising in adjacent facilities.

Information backup
Back-up copies of essential business information and software should be taken regularly. Back-up facilities should be sufficient to ensure all business information and software can be recovered following a disaster, and they should be regularly tested against the business continuity plans. The following controls will be considered:
• a minimum level of back-up, with all necessary details logged, should be kept in an off-site location;
• at least three generations should be maintained;
• an appropriate level of protection is required, consistent with the main site standards;
• back-up media should be regularly tested for reliability;
• restoration procedures should be regularly checked;
• the retention period for essential business information should be determined.

Network security management
The objective is to ensure that networks, whether fully within the facilities or spanning the boundaries of the facility, are safeguarded together with the supporting infrastructure.

Network control
Controls are necessary to achieve and maintain the security of data in networks, and the following will be considered:
• separation of network and computer responsibility;
• clear responsibility for managing remote equipment;
• controls to maintain the confidentiality of data passing over public networks;
• close co-ordination within management to optimise consistency.

Security of network services
A wide range of private network services is available, which may have unique or complex security characteristics. It is necessary to provide clear descriptions of the security attributes of the services used.

Media handling
The objective is to prevent unauthorised disclosure, modification, removal or destruction of assets, and interruption of business activities. Steps need to be taken to protect documents, computer media, input/output data and system documentation from damage, theft and unauthorised access.

Management of removable media
The management of removable computer media will include:
• the need to erase previous content;
• authorisation of all media removed from the premises;
• safe storage of media as specified by the manufacturer.

Disposal of media
Items to be considered for secure disposal will include:
• paper documents;
• voice and other recordings;
• carbon paper;
• printer ribbons;
• output reports;
• magnetic tapes, removable discs and cassettes, and optical storage media;
• programme listings;
• test data;
• system documentation.
To ensure the safe disposal of media the following will be considered:
• sensitive media will be stored safely and securely;
• items will be disposed of in bulk rather than individually;
• control of contractors subcontracted for disposal;
• audit trails for sensitive items;
• avoidance of disposing of related documents together.

Information handling procedures
To protect information from unauthorised disclosure or misuse the following will be considered:
• handling and labelling of all media;
• access restriction;
• handling by authorised personnel according to the applicable Classification Level;
• ensuring input data is complete, correctly entered and validated;
• protection of spooled data awaiting output;
• correct storage;
• minimum distribution;
• clear marking of recipients for distribution;
• distribution list review.

Security of system documentation
System documentation may contain sensitive information. It should be stored securely, accessed only by a minimum of authorised personnel and, if held on a public network, given appropriate protection.

Exchange of information
The objective is to maintain the security of information and software exchanged within the company and with any external party. Procedures are needed to prevent the loss, modification or misuse of information exchanged between organisations.

Information exchange policies and procedures
Where information is being exchanged internally and with external parties, the communication processes require control, including:
• letter;
• email;
• voice;
• facsimile; and
• video communication.

Communication methods may compromise information security; for example:
• personnel need to be aware that postal mail and email can go astray;
• verbal communication on mobile telephones in public places may be overheard;
• answering machines may be overheard by someone other than the intended recipient;
• unauthorised access to dial-in voice mail and teleconference systems is prevalent;
• faxes may be sent to the wrong number or person;
• mobile phones and other equipment may be stolen.
Employees should be aware of good practice and the controls required when using any of the above communication methods, including:
• prevention of interception, copying, modification, misrouting and destruction;
• protection against malware;
• retention and disposal of information;
• use of dedicated fax machines or printers etc. as necessary;
• awareness of the dangers inherent in wireless communication;
• awareness of eavesdropping possibilities; confidential information should only be revealed from secure locations;
• not holding confidential conversations in public places;
• avoiding being overheard on business phone calls by external parties visiting the facility, or by other personnel, where the classification level or sensitivity warrants it;
• discreet use of mobile phones;
• a reminder not to reveal sensitive information on faxes, as messages, on voicemail or on answering machines;
• checking fax numbers prior to transmission;
• preventing unauthorised access to fax machines’ built-in message store;
• programming of fax machines to deliver to specific numbers.
Controls and methods of protection will be implemented based on the classification level of the information being exchanged.

Electronic messaging
Controls will be implemented to reduce the risk created by the use of electronic mail. Controls for protection against security risks include:
• unauthorised access, modification and denial of service;
• vulnerability to error;
• impact of changes of communication media;
• legal considerations;
• publication of staff lists;
• control of remote user access to electronic mail accounts.
Controls will cover:
• attacks such as viruses and interception;
• protection of electronic mail attachments;
• guidelines on when not to use electronic mail;
• employee duty of care;
• use of cryptographic techniques;
• retention of messages not helpful to the business;
• additional controls for message vetting to authenticate.

All employees will be required to acknowledge acceptance of the Company’s policies by signing the Email and Internet Employee Policy statement, retaining a copy for their information and reference.

Business information systems
Consideration will be given to the following security implications:
• vulnerability of information in office systems;
• policy and controls to manage information sharing;
• exclusion of sensitive business information that cannot be protected;
• restriction of diary information on selected security-involved individuals;
• the suitability of systems to support business applications;
• categories of staff allowed to use the system, and from where;
• specific facilities for specific users;
• retention and backup of information held on the system;
• fallback requirements and arrangements.

On-line transactions
Online information should be protected so that it remains authentic, is complete, is not misrouted, altered, disclosed or duplicated and, in particular, is not stolen so that it can be used in a fraudulent transaction elsewhere. Subject to cost-benefit analysis, these steps should be considered:
• electronic signatures, especially for sensitive commercial transactions;
• technical controls to verify user credentials, to keep the transaction confidential and to protect privacy;
• encrypted communications (possibly using the Microsoft Windows packages tools);
• personal information storage not accessible from the Internet;
• legal issues.

Publicly available information
Care is required to prevent unauthorised modification of publicly available systems. Data on a web server may need to comply with laws, rules and regulations, and there should be formal authorisation before it is made available. Software, data and other information requiring a high level of integrity and made public should be protected. Electronic publishing systems should be carefully controlled so that:
• data protection legislation is complied with;
• information input, processing and output is published accurately and in time;
• sensitive information is protected during collection and storage;
• access to the publishing system does not allow access to connected networks.

Monitoring
The objective is to detect unauthorised activities and deviations from access control policy, and to monitor and record events to provide evidence in case of security incidents.

Audit logging
Audit logs record exceptions and other key events which can assist in future investigations and access control monitoring. Audit logs should also include:
• user IDs;
• dates and times of log-on and log-off;
• terminal identity or location if possible;
• records of rejected and successful system access attempts;
• records of successful and rejected data access attempts.
Audit logs of system use will be maintained in manual format or by the system itself, and will be subject to monitoring, review and archiving as necessary. Audit logs of security events will be maintained. Audit logs of Internal Audits will be recorded on Information Security Internal Audit Reports.

Monitoring system use
Procedures for monitoring will be established to ensure that users are only performing authorised activities, and the level of monitoring should be determined by risk assessment. Areas that should be considered include:
System use:
• user ID;
• date and time of key events;
• type of event;
• files accessed;
• programmes/utilities used;
• privileged use of the supervisor’s account;
• privileged system start-up and stop;
• privileged I/O device attachment/detachment.
Security events:
• failed unauthorised access attempts;
• access policy violations and notifications for network gateways and firewalls;
• unauthorised access alerts from proprietary intrusion detection systems;
• console alerts or messages on system alert or failure;
• system log exceptions on system alert or failure;
• network management alarms.
The results of monitoring activities will be reviewed regularly, and risk factors should be considered including:
• criticality of the application process;
• value, sensitivity or criticality of the information involved;
• past experience of system infiltration and misuse;
• extent of system interconnection (particularly on public networks).

Protection of log information
Logging and reviewing events involves understanding the threats faced by the system and the manner in which these may arise. Controls should aim to protect against unauthorised changes and operational problems, including:
• the logging facility being deactivated;
• alteration to the message types that are recorded;
• log files being edited or deleted;
• log file media becoming exhausted, with failure to record or overwriting.

Administrator and operator logs
Personnel responsible for the networked system resources (the system administrator and designated network system operators) will maintain a log of their activities. The entries on the Log may include:
• system or event start and finish time;
• event information, including files handled and processes involved;
• system errors and corrective action taken;
• back-up timing with details of the back-up tapes etc. and other media handled.
Each entry will be signed off by the person making the entry.

Fault logging
Faults and system errors in the operation and use of the Information Processing Systems, and those arising from problems with information processing or communications, will be recorded. The corrective action will be determined and approved by Top Management or the Information Security Management Representative. When the action programme has been completed it will be checked for satisfactory resolution of the problem, and the entry will then be signed off. The Log will be the subject of further review during the Management Review cycle to confirm authorisation and that controls have not been compromised.
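
The audit logging, monitoring and protection-of-log-information items in this Monitoring section, worked through as one added example (not the company’s own tooling). Each record carries the user ID, date and time, terminal and outcome the “Audit logging” list asks for; the review picks out rejected access attempts and privileged use for the regular review; and a SHA-256 chain over the records, with the operator’s sign-off carried inside the record, turns the “protection of log information” controls into a check that detects an edited, deleted or missing record. The events, terminal names and the rejection threshold are constructed assumptions.

```python
"""Audit log review with a tamper-evident record chain.

Added example, not part of the Smart Metering Systems manual. The sample
events, terminal names and the rejection threshold are constructed.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev-hash value for the first record in the chain

# Constructed sample events, in the order the system wrote them.
SAMPLE_EVENTS = [
    {"ts": "2016-05-27T08:01:10", "user": "jsmith", "terminal": "GLA-WS-04",
     "event": "logon", "outcome": "success"},
    {"ts": "2016-05-27T08:02:31", "user": "unknown", "terminal": "GLA-WS-09",
     "event": "logon", "outcome": "rejected"},
    {"ts": "2016-05-27T08:02:44", "user": "unknown", "terminal": "GLA-WS-09",
     "event": "logon", "outcome": "rejected"},
    {"ts": "2016-05-27T08:02:58", "user": "unknown", "terminal": "GLA-WS-09",
     "event": "logon", "outcome": "rejected"},
    {"ts": "2016-05-27T09:15:00", "user": "admin1", "terminal": "SRV-CONSOLE",
     "event": "privileged_use", "outcome": "success", "signed_off_by": "admin1"},
    {"ts": "2016-05-27T09:20:12", "user": "jsmith", "terminal": "GLA-WS-04",
     "event": "data_access", "outcome": "rejected"},
    {"ts": "2016-05-27T17:30:05", "user": "jsmith", "terminal": "GLA-WS-04",
     "event": "logoff", "outcome": "success"},
]


def _digest(body: Dict) -> str:
    """SHA-256 of a record body in canonical JSON form (sorted keys)."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def write_chained_log(events: List[Dict]) -> List[Dict]:
    """Add a sequence number, the previous record's hash and this record's hash."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        body = dict(event, seq=seq, prev=prev)
        digest = _digest(body)
        records.append(dict(body, hash=digest))
        prev = digest
    return records


def verify_chain(records: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, seq of the first bad record).
    Catches edited fields, deleted records and gaps in the sequence."""
    prev, expected_seq = GENESIS, 1
    for rec in records:
        if rec.get("seq") != expected_seq or rec.get("prev") != prev:
            return False, rec.get("seq")
        body = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(body) != rec.get("hash"):
            return False, rec["seq"]
        prev, expected_seq = rec["hash"], expected_seq + 1
    return True, None


def review(records: List[Dict], reject_threshold: int = 3) -> Dict:
    """Items for the regular review: rejected attempts per (user, terminal),
    privileged use, and the (user, terminal) pairs at or above the threshold."""
    rejected: Dict[Tuple[str, str], int] = {}
    privileged = []
    for rec in records:
        if rec["outcome"] == "rejected":
            key = (rec["user"], rec["terminal"])
            rejected[key] = rejected.get(key, 0) + 1
        if rec["event"] == "privileged_use":
            privileged.append((rec["ts"], rec["user"], rec["terminal"]))
    flagged = [k for k, n in rejected.items() if n >= reject_threshold]
    return {"rejected": rejected, "privileged": privileged, "flagged": flagged}


if __name__ == "__main__":
    log = write_chained_log(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(log))
    print("review:", review(log))
```

The chain only makes tampering visible; it does not stop it. The manual’s remaining controls (archiving copies off the system that writes them, and checking that the facility is still recording) are what let a gap in the chain be acted on, which is why `verify_chain` reports the sequence number of the first record that fails rather than a bare yes/no.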

Access Control ISM 05

Introduction
In order that the information processing facilities operate correctly, responsibilities and procedures are developed, including the correct response to incidents.

Scope
All activities included in the information processing facility must be reviewed and formal instructions developed to ensure correct and secure operation. Consideration of the segregation of duties is included, to reduce the risk of negligence or deliberate system misuse.

Responsibility
It is the responsibility of Top Management to:
• ensure that clear controls are in place for the development and operation of procedures covering the secure and correct operation of information processing facilities.

Procedure

Business requirements for access control
The objective is to ensure access to information and business processes is controlled on the basis of business and security requirements.

Access control policy
Business requirements for access control, and the rights and rules for users and service providers, will include:
• security requirements of individual business applications;
• identification of all information related to business applications;
• policies for information dissemination and authorisation;
• consistency between the access control and information classification policies of different systems and networks;
• relevant legislation and any contractual obligations regarding protection of access to data or services;
• standard user access profiles for common job categories;
• management of access rights in a distributed network environment which recognises all types of connections available.
In specifying the access control rules, care should be taken to consider the following:
• the difference between mandatory and optional rules;
• changes in information labels that happen automatically and those that are discretionary;
• changes in user permissions that are system generated and those initiated by the administrator;
• rules that require administrator approval and those that do not.

User access management

The objective is to prevent unauthorised access to information systems. Unique user identifications (IDs) will ensure users can be linked to, and made responsible for, their actions.

User registration

Formal user registration will be required for granting access to multi-user information systems and services, including:
• unique user IDs, with strict limits on group IDs, which are preferably not permitted;
• checks on authority from the system’s owner for system entry;
• checks that the granted level of access is appropriate for its purpose;
• giving users a written statement of their access rights;
• requiring statements from users to confirm understanding;
• withholding access until authorisation is completed;
• recording all persons registered for use of the service;
• cancelling rights for leavers or those changing jobs;
• periodic checks to remove redundant user account IDs.

Staff contracts should include clauses specifying sanctions for failure to observe rules covering unauthorised access.

Privilege management

A “privilege” is any facility in a multi-user system that enables one user to override system or application controls. The allocation of privileges should be restricted and controlled through a formal authorisation process that should consider the following:
• privileges associated with each system product need to be identified;
• privileges should be allocated on a need-to-use and event-by-event basis;
• an authorisation process and record of privileges should be maintained;
• development and use of system routines should be promoted, to avoid the need to grant privileges to users;
• privilege identifiers should be different from those used for normal business.

User password management

Where passwords are used to validate a user’s personal identity for access to information systems or services, the allocation will be controlled through a formal management process that will consider:
• requiring a signed statement of confidentiality;
• control of the issue of temporary passwords;
• issuing temporary passwords with a full level of security.

Passwords will not be stored on a computer system in an unprotected form. The issue, use and maintenance of passwords will follow the Company policy defined in the latest issue of the Password Security Policy.

Review of user access rights

A formal process is required to maintain effective control over access rights to data and information services, so that:
• user access rights are reviewed at regular intervals and after changes;
• special privilege access rights are reviewed more frequently;
• privilege allocations are regularly checked.

User responsibilities

The objective is to prevent access by unauthorised users, and the compromise or theft of information and information processing facilities.

Password use

Users will follow good security practice in password selection, and the following should be considered:
• keep passwords confidential;
• avoid keeping paper records unless securely stored;
• change passwords whenever security is threatened;
• select passwords with a minimum of eight characters that are easy to remember, not based on anything easy to guess, and free from consecutive characters or numbers;
• change passwords regularly and avoid reusing old passwords;
• change temporary passwords at first log-on;
• do not use passwords in an automated log-on process;
• do not share individual passwords.

Special consideration should be given to users of multiple services or platforms, with a view to using a single quality password.

Unattended user equipment

Users and contractors will ensure equipment left unattended, even temporarily, has appropriate protection by:
• terminating active sessions when the session is finished;
• logging off workstations, laptops, servers etc. when the session is finished;
• ensuring the log-off procedure has been completed when switching off or leaving the equipment unattended;
• securing computers and terminals from unauthorised use.
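As an added example (not part of the manual), the password-use rules above expressed as a check, with passwords held only in protected form as the manual requires; the guess list, history depth, run length and hashing parameters are assumptions:

```python
"""Added example (not part of the manual): a checker for the manual's password
rules, plus storage of passwords only in protected (salted, hashed) form.

Rules taken from the text: minimum of eight characters; not based on anything
easy to guess; free from consecutive characters or numbers; old passwords are
not reused; a temporary password must be changed at first log-on.
The guess list, history depth, run length and PBKDF2 parameters are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 8              # "minimum of eight characters"
HISTORY_DEPTH = 6           # assumed: number of old passwords remembered
MAX_RUN = 3                 # assumed: "abc", "321" or "aaa" counts as a consecutive run
EASY_TO_GUESS = {"password", "welcome", "letmein", "qwerty"}   # assumed sample list
PBKDF2_ROUNDS = 100_000     # assumed work factor


def has_consecutive_run(password: str, max_run: int = MAX_RUN) -> bool:
    """True if any max_run characters step by +1, -1 or 0 (e.g. 'abc', '321', '777')."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - max_run + 1):
        window = codes[i:i + max_run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Protected form: random salt + PBKDF2-HMAC-SHA256; the clear text is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class UserPasswordRecord:
    user_id: str
    salt: bytes = b""
    digest: bytes = b""
    temporary: bool = False                          # set when a temporary password was issued
    history: list = field(default_factory=list)      # (salt, digest) pairs of earlier passwords


def check_policy(candidate: str, record: UserPasswordRecord) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    lowered = candidate.lower()
    if lowered in EASY_TO_GUESS or record.user_id.lower() in lowered:
        problems.append("based on something easy to guess")
    if has_consecutive_run(candidate):
        problems.append("contains consecutive characters or numbers")
    current = [(record.salt, record.digest)] if record.digest else []
    if any(verify_password(candidate, s, d) for s, d in record.history + current):
        problems.append("reuses an old password")
    return problems


def retire_current(record: UserPasswordRecord) -> None:
    """Move the password in use into the history so it cannot be chosen again."""
    if record.digest:
        record.history = (record.history + [(record.salt, record.digest)])[-HISTORY_DEPTH:]


def set_password(record: UserPasswordRecord, candidate: str) -> list[str]:
    """Apply the policy; on success store the new password and clear the temporary flag."""
    problems = check_policy(candidate, record)
    if problems:
        return problems
    retire_current(record)
    record.salt, record.digest = hash_password(candidate)
    record.temporary = False
    return []


def issue_temporary_password(record: UserPasswordRecord, temp_password: str) -> None:
    """Temporary passwords are stored the same way and must be changed at first log-on."""
    retire_current(record)
    record.salt, record.digest = hash_password(temp_password)
    record.temporary = True


def log_on(record: UserPasswordRecord, password: str) -> str:
    """'rejected', 'ok', or 'change-required' when a temporary password is still in use."""
    if not record.digest or not verify_password(password, record.salt, record.digest):
        return "rejected"
    return "change-required" if record.temporary else "ok"
```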
Clear desk and clear screen policy

The following controls will be considered:
• storage of paper and computer media in locked cabinets;
• sensitive or critical business information will be locked away when not required;
• personal computers and terminals will not be left logged on when not attended and should be protected by key locks, passwords and other appropriate controls;
• incoming and outgoing mail and faxes should be protected;
• photocopiers should be locked outside normal working hours;
• sensitive or classified information will be overseen by authorised personnel during processing and cleared from printers immediately.

Network access control

The objective is to protect network services and to control unauthorised access to both internal and external network services.

Policy on use of network services

The policy concerning the use of networks and network services should be consistent with the business access control policy and covers:
• which networks and network services are allowed to be accessed;
• the authorisation procedures to determine who is allowed access;
• the management controls and procedures to protect access to network connections and services.

Enforced path

Where an enforced path is employed, forcing a user down a fixed route between a user terminal and a computer service by control of access permissions, risks can be reduced by selecting routing options such as:
• allocating dedicated lines or telephone numbers;
• automatic connection of ports to specified systems or gateways;
• limiting menu and submenu options for individual users;
• preventing unlimited network roaming;
• enforcing specified system and security gateways for external users;
• actively controlling allowed source-to-destination communications via security gateways;
• restricting network access through use of separate logical domains.

The requirement for an enforced path will be based on the business access control policy.

User authentication for external connections

External connections provide potential for unauthorised access through dial-up methods and therefore need control based on a risk assessment. Authentication of remote users can be achieved by:
• cryptographic-based techniques;
• hardware tokens;
• challenge/response protocols;
• dial-back procedures and controls.

Where selected, controlled policies and instructions for the safe working of the above will be developed. A facility for automatic connection to a remote computer could provide a way of gaining unauthorised access to a business application and thus should be authenticated.
Node authentication can serve as an alternative for authenticating groups of remote users where they are connected to a secure, shared computer facility.

Equipment identification in networks

Equipment identification in networks should be considered where it is important that a session can only be initiated from a particular location or computer terminal. An identifier attached to the terminal can be used; if so, it may also be necessary to apply physical protection to the terminal to maintain the security of the terminal identifier.

Remote diagnostic and configuration port protection

Access to remote ports should be securely controlled, especially to control the activity of maintenance engineers using remote diagnostic facilities. Dial-up facilities should be protected by a key lock or similar, with a support procedure under which access can only be achieved through arrangements between the Company and the hardware/software support personnel.

Segregation of networks

Where multiple networks exist, the introduction of controls within the network to segregate groups of information services, users and information systems should be considered. Consideration should be given to:
• separating networks into logical domains;
• installation of a security gateway between networks;
• use of gateways to filter traffic;
• use of gateways to block unauthorised access between domains.

Network connection control

Where networks are shared, especially outside organizational boundaries, they may require controls to restrict the connection capabilities of the users. Such controls can be achieved through the use of network gateways that filter traffic. Examples of applications to which restrictions should apply are:
• electronic mail;
• one-way file transfer;
• both-ways file transfer;
• interactive access;
• network access linked to time of day or date.

Network routing control

Shared networks may require the incorporation of routing controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with a third party. Routing controls should be based on positive source and destination address checking mechanisms. Network address translation is also useful for isolating networks and preventing routes from propagating from the network of one organisation into another. This can be implemented in software or hardware.


Acquisitions, Development & Maintenance ISM 06

Introduction

There is a need to ensure that security is built into information systems and that a programme to identify all requirements is considered at the project phase.

Scope

The requirement to build security into information systems applies to all aspects of information security, with the level of security determined by appropriate risk assessment.

Responsibility

It is the responsibility of Top Management to:
• initiate action at the project requirements phase and to ensure that all the necessary human, physical and financial elements are available.

Procedure

Security requirements of information systems

The objective is to ensure that security is built into information systems, including infrastructure, business applications and user-developed applications. Security requirements should be identified and agreed in advance.

Security requirements analysis and specification

Where a new system, or an enhancement to an existing one, is required, there should be a Statement of Requirements drawn up that specifies the business requirements and the information security controls required, including both incorporated automatic controls and supporting manual controls. The same consideration should be given whether the systems are being fully specified in-house or existing software packages are being evaluated.

Note: Software packages may already have been independently evaluated and certified.

Security requirements and controls should reflect the business value of the information assets involved, and the potential damage that might result from a failure or absence of security.

Correct processing in applications

The objective is to prevent errors, loss, unauthorised modification or misuse of information in applications. Appropriate controls and audit trails or activity logs should be designed into application systems. These should include the validation of input data, internal processing and output data.
Input data validation

Data input, particularly transaction inputs, to application systems should be validated to ensure it is correct and appropriate. Controls should apply to data such as customer names and addresses, credit limits and reference numbers, as well as parameter tables such as sales prices, currency conversion rates and tax rates. Controls include:
• checks for errors, preferably automatic, covering out-of-range values, invalid characters, missing or incomplete data, exceeding upper or lower limits on data volumes, and unauthorised or inconsistent use of control data;
• checks of the content of key fields and data files to confirm their validity and integrity;
• inspecting hard-copy input documents for unauthorised changes to input data;
• a simple procedure in response to validation errors;
• a simple procedure to check the plausibility of the input data;
• all people in the input process should have clearly defined responsibilities.

Control of internal processing

Areas of risk should be identified based on validation exercises carried out to detect system corruption, and should include consideration of the following:
• use of add and delete functions in the programme to implement data changes;
• procedures to prevent programmes running in the wrong order or after failure of prior processing;
• protection against buffer overflow/overrun attacks;
• use of correct programmes to recover from failure.

Checks and controls will depend on the nature of the application and the business impact of any corruption, and the following should be considered for inclusion:
• session or batch controls to reconcile data file balances;
• balancing controls to check opening balances against previous closing balances, including run-to-run controls, file update totals and programme-to-programme controls;
• validation of system-generated data;
• checks on the integrity of data downloaded or transferred between computers;
• hash totals of records and files;
• checks to ensure application programmes are run at the correct time;
• checks to ensure that programmes are run in the correct order and terminate in case of failure;
• logging of the activities involved.

Message integrity

Message authentication is a technique used to detect unauthorised changes to, or corruption of, the content of a transmitted electronic message. Cryptographic techniques can be used, but it should be remembered that message authentication is not designed to prevent unauthorised disclosure. Message authentication should be considered for electronic funds transfer, specifications, contracts, proposals etc. of high importance.
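An added example (not the manual's own code) combining the input data validation, batch control and message integrity checks described above for a batch of transaction inputs; the record layout, parameter tables, limits, sample data and key are constructed assumptions:

```python
"""Added example (not part of the manual): application controls over a batch
of transaction inputs as the text lists them: input data validation (missing
or incomplete data, invalid characters, out-of-range values, consistency with
parameter tables such as credit limits and currency rates), batch controls
(record count, hash total, run-to-run opening/closing balance, volume limit)
and a message authentication code that detects tampering in transit but does
not hide the content. Record layout, limits, sample data and the key are
constructed assumptions."""
import hashlib
import hmac
import json
import re
from decimal import Decimal, InvalidOperation

# Parameter tables of the kind the manual names (constructed sample values).
CURRENCY_RATES = {"GBP": Decimal("1"), "EUR": Decimal("0.78")}
CREDIT_LIMITS = {"C-1001": Decimal("5000"), "C-1002": Decimal("250")}
REFERENCE_PATTERN = re.compile(r"^[A-Z0-9-]{6,20}$")   # assumed reference format
MAX_BATCH_RECORDS = 1000                                # assumed upper limit on data volume
REQUIRED_FIELDS = ("reference", "customer", "amount", "currency")


def validate_record(rec: dict) -> list:
    """Input data validation for one transaction; returns the problems found."""
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in ("", None)]
    if missing:
        return ["missing fields: " + ", ".join(missing)]
    problems = []
    if not REFERENCE_PATTERN.match(rec["reference"]):
        problems.append("invalid characters in reference")
    if rec["currency"] not in CURRENCY_RATES:
        problems.append("currency not in rate table")
    try:
        amount = Decimal(str(rec["amount"]))
    except InvalidOperation:
        return problems + ["amount is not numeric"]
    if amount <= 0:
        problems.append("amount out of range")
    limit = CREDIT_LIMITS.get(rec["customer"])
    if limit is None:
        problems.append("customer not in credit limit table")
    elif amount > limit:
        problems.append("amount exceeds customer credit limit")
    return problems


def canonical(obj) -> bytes:
    """Stable serialisation so hash totals and MACs do not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hash_total(records: list) -> str:
    """Hash total over all records, in order; any edit or reordering changes it."""
    h = hashlib.sha256()
    for rec in records:
        h.update(canonical(rec))
    return h.hexdigest()


def make_batch(records: list, opening_balance: str) -> dict:
    """Batch with the control totals the sender declares alongside the records."""
    control = {"count": len(records), "hash_total": hash_total(records),
               "opening_balance": opening_balance}
    return {"control": control, "records": records}


def validate_batch(batch: dict, previous_closing: str) -> list:
    """Batch and run-to-run controls from 'control of internal processing'."""
    problems = []
    records = batch["records"]
    control = batch["control"]
    if len(records) > MAX_BATCH_RECORDS:
        problems.append("batch exceeds record volume limit")
    if control["count"] != len(records):
        problems.append("record count does not match control count")
    if control["hash_total"] != hash_total(records):
        problems.append("hash total mismatch")
    if Decimal(control["opening_balance"]) != Decimal(previous_closing):
        problems.append("opening balance differs from previous closing balance")
    for i, rec in enumerate(records):
        problems.extend(f"record {i}: {p}" for p in validate_record(rec))
    return problems


def authenticate(batch: dict, key: bytes) -> bytes:
    """HMAC-SHA256 over the batch: proves it was not altered, but does not encrypt it."""
    return hmac.new(key, canonical(batch), "sha256").digest()


def verify(batch: dict, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(authenticate(batch, key), tag)


def tampered_copy(batch: dict, index: int, new_amount: str) -> dict:
    """Deep copy with one amount changed, standing in for modification in transit."""
    copy = json.loads(json.dumps(batch))
    copy["records"][index]["amount"] = new_amount
    return copy
```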
Output data validation

Validation of output data from an application system may include:
• plausibility checks to test if the data is reasonable;
• reconciliation control counts to ensure processing of all data;
• providing sufficient information for accuracy to be determined;
• procedures for responding to output validation tests;
• defining responsibilities for personnel on data output processing.

Cryptographic controls

The objective is to protect the confidentiality, authenticity or integrity of information. Cryptographic controls should be used for information considered to be at risk and for which other controls do not provide adequate protection.

Policy on the use of cryptographic controls

The decision to employ cryptographic controls will be based on risk assessment, from which the type of cryptographic control that would be appropriate can be determined. A policy should consider the following:
• management approach towards the use of cryptographic controls;
• approach to key management;
• roles and responsibilities;
• key management;
• how to determine appropriate levels of cryptographic protection;
• the standards to be adopted for which business process.

Key management

Protection of cryptographic keys (VPN) is essential to the use of cryptographic techniques, and a management system should be in place to support the two types of cryptographic technique, which are:
• Secret key techniques, where two or more parties share the same key and the same key is used to encrypt and decrypt information. This key has to be kept secret.
• Public key techniques, where each user has a key pair, a public key (available to anyone) and a private key (which is kept secret). Public keys can be used for encryption and digital signatures.

All keys should be protected against modification and destruction, and secret and private keys need to be protected against unauthorised disclosure. Physical protection should be used to protect equipment used to generate, store and archive keys. Standard procedures and methods should be based on agreed standards, procedures and secure methods for:
• generating keys for different cryptographic systems and applications;
• generating and obtaining public key certificates;
• distributing keys to intended users, including usage instructions;
• storing keys, including how authorised users obtain access;
• changing or updating keys, including rules on when and how;
• dealing with compromised keys;
• revoking keys, including how to withdraw and deactivate them;
• recovering lost or corrupted keys;
• archiving keys;
• destroying keys;
• logging and auditing of key management related activities.

Keys should have defined activation and deactivation dates, and the lifetime should be dependent on usage circumstances and perceived risk. Procedures should be considered for the handling of legal requests for access to cryptographic keys. In addition, the security of public keys should be considered, with the use of public key certificates. These certificates should be produced in a way that uniquely binds information related to the owner of the public/private key pair to the public key.
This is normally carried out by a certification authority with suitable controls and procedures in place to provide the required degree of trust. Contracts with service level agreements or contracts with external suppliers should cover liability, reliability of service, and response times.

Security of system files

The objective is to ensure that information security projects and support activities are conducted in a secure manner, with controlled access to system files. Responsibility should lie with the user function or development group to whom the application system software belongs.

Control of operational software

To minimise the risk of corruption the following controls should be considered:
• updating of programme libraries should only be performed by a nominated person upon appropriate management authorisation;
• if possible, operational systems should only hold executable code;
• executable code should not be implemented on an operational system until evidence of successful testing and user acceptance is obtained and the corresponding programme libraries updated;
• an audit log should be maintained of all updates to the library;
• previous versions of software should be retained for contingencies;
• vendor-supplied software used in operational systems should be maintained at a level supported by the supplier, and decisions to upgrade should take into account the security of the release.

Physical or logical access should only be given for support services when necessary and with management approval.

Protection of system data

Test data should be protected and controlled, and the use of operational databases containing personal information should be avoided. The following controls should be applied to protect operational data when testing:
• access control procedures for operational systems should also apply to test application systems;
• separate authorisation is required whenever operational information is used for test purposes;
• operational information should be erased from test applications on completion of the tests;
• copying and use of operational information should be logged to provide an audit trail.

Access control to programme source code

To reduce the potential for corruption of computer programmes, strict control should be maintained over access to programme source libraries, as follows:
• where possible, programme libraries should not be held in operational systems;
• a programme librarian should be nominated for each application;
• IT support staff should not have unrestricted access;
• programmes under development should not be held in operational libraries;
• updating of programmes and issues to programmers should be authorised and issued by the librarian;
• programme listings should be held in a secure environment;
• an audit log should be maintained of all library accesses;
• old programme versions should be timed, dated and archived with supporting software, job control, data definitions and procedures;
• maintenance and programme copying should be strictly controlled by a change procedure.

Security in development and support processes

The objective is to maintain the security of application system software and information. Project and support environments should be strictly controlled.

Change control procedures

To minimise corruption of information systems there should be strict control of changes, and formal change procedures should be enforced. They should ensure that security and control procedures are not compromised, that access to programmes is limited to need, and that formal agreement is obtained for any change. Where practicable, operation and application change control procedures should be integrated, and the process should include:
• maintaining a record of agreed authorisation levels;
• ensuring changes are submitted by authorised users;
• reviewing controls and integrity procedures to ensure that they will not be compromised by the change;
• identifying all computer software, information, database entities and hardware that require amendment;
• obtaining formal approval for detailed proposals before work starts;
• ensuring that the authorised user accepts changes prior to implementation;
• ensuring that implementation is carried out with minimum disruption;
• ensuring that the system documentation set is updated on the completion of each change and that old documentation is archived or disposed of;
• maintaining version control for all software updates;
• maintaining an audit trail for all change requests;
• ensuring that the operating documentation and user procedures are changed as necessary to remain appropriate;
• ensuring that the implementation of changes takes place at the right time and does not disturb the business processes involved.

Where possible, new software should be tested in an environment separate from the development and production environments.

Technical review of applications after operating system changes

When it is necessary to change the operating system, the application system should be reviewed and tested to ensure that there is no adverse impact on operation or security. This review process should cover:
• application control and integrity procedures, to ensure they have not been compromised by the operating system changes;
• ensuring that the annual support plan and budget will cover reviews and system testing resulting from the operating system changes;
• ensuring notification of operating system changes is provided to allow appropriate reviews to take place before implementation;
• ensuring that appropriate changes are made to the business continuity plans.

Restrictions on changes to software packages

Modifications to software packages should be discouraged, limited to necessary changes, and all changes will be strictly controlled. Where modification is deemed essential the following should be considered:
• risk of built-in controls and integrity processes being compromised;
• whether the consent of the vendor should be obtained;
• possibility of obtaining vendor-generated standard updates;
• impact if the organization then becomes responsible for future maintenance because of the changes.

If the changes are considered essential, the original software should be retained and changes applied to a clearly identified copy. All changes should be fully tested and documented.

Information leakage

Information leakage through a covert channel can expose information by some indirect and obscure means. Trojan code is designed to affect systems in a way that is not authorised, not readily noticed and not required by the recipient or user of the programme.
Neither occurs by accident, and where they are a concern the following should be considered:
• buying programmes only from a reputable source;
• buying programmes in source code so the code may be verified;
• using evaluated products;
• inspecting all source code before operational use;
• controlling access to and modification of code once installed;
• using staff of proven trust to work on key systems.

Outsourced software development

Where software development is outsourced the following issues should be considered:
• licensing agreements, code ownership and intellectual property rights;
• certification of the quality and accuracy of work carried out;
• escrow arrangements in the event of failure of the third party;
• rights of access for audit of the quality and accuracy of work done;
• contractual requirements for quality of code;
• testing before installation to detect Trojan code.

Technical vulnerability management

The objective is to reduce risks resulting from exploitation of published technical vulnerabilities in software.

Control of technical vulnerabilities

The company will monitor publicly available details of newly discovered software vulnerabilities, either through the software vendor or other published data sites. The Information Security Management Representative will ensure regular checks of software vulnerabilities are made. The company will ensure, as far as is practical, the timely, systematic, comprehensive and reliable updating of systems with all patches and fixes issued by the software manufacturers. A list of all current authorised software, with serial numbers and version numbers, will be maintained on the Software Register.

Decisions on updating software in information processing systems should take the following into consideration:
• identification, for each software package, of the source of information on new vulnerabilities and patch releases, such as the vendor website;
• careful testing prior to formally updating the system;
• review of the risk assessment for each system asset;
• allowance for emergency change requirements following a software malfunction or other security incident;
• involvement of the Information Security Advisor (Competent Person).


Incident Management ISM 07

Introduction

There is a need to ensure that events that relate to or might compromise information security, or weaknesses associated with the information systems, are communicated in a way that ensures timely identification of security incidents and appropriate corrective action. An event is not necessarily an incident, whereas an incident is always an event. There are a number of information security related events that, whether expected or unexpected, might not compromise the integrity, availability or confidentiality of the company’s information. Security related events will be reported; a determination will then be made as to whether a security incident has occurred, which will then require an action programme.

Scope

The requirement to have an efficient security event reporting process, allied with a timely determination of incident occurrence and their corrective action, will apply to all aspects of the information security system.

Responsibility

It is the responsibility of Top Management to:
• ensure that all security related events that may be determined as an incident are efficiently reported and reviewed, and a decision made as to whether corrective actions are required;
• ensure that all corrective action programmes in response to information security incidents are dealt with in a timely manner and satisfactorily resolve the problem.

Procedure

Reporting information security events and weaknesses

The objective is to ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

Reporting information security events

An information security event response control will be in place; all employees and contractors will be made aware of its content and will notify the Information Security Management Representative, or Operations Manager, of events.
Reporting software malfunctions

Software malfunctions will be reported, with the following actions taken into consideration:
• any symptoms or screen messages should be noted;
• the computer should be isolated, usage stopped and the incident reported;
• disconnection from the network is essential before suspect computers are re-powered;
• diskettes should not be loaded into other computers;
• removal of suspected software should be left to appropriately trained staff.

The Information Security Management Representative, or Operations Manager, will be notified immediately. The details of all information security events, including incidents and software malfunctions, will be recorded in the Department’s or Location’s System Fault, Security Incident and Software Malfunction Log.


Reporting security weaknesses

All users of the information services are required to note and report any observed or suspected security weakness in systems or services. Reports should be made to the Information Security Management Representative, or Operations Manager, as quickly as possible, and the reporter should await a management decision on appropriate action. The Information Security Management Representative, or Operations Manager, will ensure an entry is made and maintained in the System Fault, Security Incident and Software Malfunction Log.

Management of information security incidents and improvement

The objective is to ensure a consistent and effective approach is applied to the management of information security incidents.

Responsibilities and procedures

The Information Security Management Representative, or Operations Manager, as appropriate, will ensure the matter is investigated promptly and the appropriate actions determined. The Information Security Management Representative, or Operations Manager, as appropriate, will determine whether to involve the Information Security Competent Person in the investigation, the determination of whether an incident has occurred, and the required actions. In determining whether an incident has occurred, the following are likely to be classified as incidents, and therefore subject to an incident response process and determination of appropriate corrective action:
• malware infections;
• excessive spam;
• information system failures;
• denial or loss of service;
• business information errors resulting from errors in input data, such as incomplete or inaccurate data;
• breaches of confidentiality or integrity;
• misuse of information systems.

An orderly, effective and swift response is required where a security incident has been identified, and the following will be considered as standard:
• contingency plan analysis to ensure the company continues functioning while the incident is being dealt with;
• immediate limiting or restricting of any further impact of the incident;
• identification of the cause of the incident, and of its seriousness;
• tactics for containing the incident so that damage does not spread, allowing for prioritisation and cost-benefit analysis;
• corrective action, including plans for its implementation;
• prevention of recurrence;
• communication to those affected, and with those involved in the corrective action and recovery process;
• incident reporting, including through to the formal Management Review Cycle.

The maintenance of an audit trail will be required for internal problem analysis, evidence of wrongdoing, and negotiations for compensation. Any entry in the System Fault, Security Incident and Software Malfunction Log will be signed off when an incident is satisfactorily cleared.

Learning from incidents

The organisation will respond to security incidents and malfunctions and, through their analysis, will learn from the incidents. Reporting will be through defined channels, and it is essential that this be done quickly. All employees and contractors will be trained to recognise an incident that may impact on the security of the organisation’s assets, and where there is a breach of security by an employee or contractor they will be aware of the disciplinary actions available to the organization. The Information Security Management Representative will analyse the entries in the Security Incident and Software Malfunction Log to quantify volumes and costs of incidents. The information will be reported to the Management Review Meeting to enable improvements to be determined.

Collection of evidence

Should the follow-up from a security incident include action against a person or organization involving legal action, either civil or criminal, evidence will be collected, retained and presented to conform with the rules of evidence laid down by the court in the jurisdiction in which the action will be held. To achieve compliance with published standards or codes of practice for the production of admissible evidence, there should be a reasonable prospect that the evidence produced will be both admissible and of adequate quality. The Company’s lawyers are likely to be involved at this juncture. The steps to be taken in the investigation process include:
• the collection of originals of all relevant documents;
• details of who found the problem, where and when;
• witness details if available;
• records should be securely retained so that they can be accessed only by authorised persons and so that there is no tampering with them;
• copies of computer media should be retained in secure storage;
• copies of access logs should be retained, again in secure storage.

Rules of evidence should be observed to support an action against a person or organisation. Where the action involves the law, either civil or criminal, the evidence presented should conform to the applicable rules of evidence. In general these rules cover:
• admissibility of evidence;
• weight of evidence;
• adequate evidence that controls have operated correctly and consistently.
Admissibility of evidence should be achieved if organisations ensure their information systems comply with a published code of practice for the production of admissible evidence. Quality and completeness of evidence is achieved by a strong evidence trail, which can be established under the following conditions:
• For paper documents: the original is kept securely and it is recorded who found it, where it was found, when it was found and who witnessed the recovery. Any investigation should ensure that the originals are not tampered with;
• For information on computer media: copies of any removable media, information on hard disc or in memory should be taken to ensure availability. A log of all actions during the copying process should be kept and the processes witnessed. One copy of the media and the log should be kept securely.


When an incident is first detected, it may not be obvious that court action will follow and there is a danger that evidence may be destroyed. It is therefore advisable to involve a lawyer or the police early.
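The copying and logging procedure described above for information on computer media, shown as an added example written for this page (it is not part of the manual and not the Company's own tooling). A single file stands in for a removable-media or disk image; the source is hashed before and after the copy, the copy is hashed and made read-only, and every step is appended to a custody log in which each entry carries the SHA-256 of the entry before it, so an altered or deleted earlier entry is detectable. The JSON-lines log format, its field names, the operator and witness fields and the sample data are all assumptions made here.

```python
"""Added example for this page (not the manual's or the Company's own code):
evidence acquisition with integrity hashes and a hash-chained custody log.
Assumed: a single file stands in for a media image; SHA-256 is the digest;
the JSON-lines log format and its field names are invented here."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20          # stream 1 MiB at a time so large images need not fit in memory
GENESIS = "0" * 64       # 'prev' value carried by the first log entry


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines log. Each entry records the SHA-256 of the previous
    line, so deleting or editing an earlier entry breaks the chain detectably."""

    def __init__(self, path: str):
        self.path = path
        self.prev = GENESIS

    def record(self, action: str, operator: str, witness: str, **details) -> dict:
        entry = {"time": datetime.now(timezone.utc).isoformat(), "action": action,
                 "operator": operator, "witness": witness, "prev": self.prev, **details}
        line = json.dumps(entry, sort_keys=True)
        with open(self.path, "a") as f:
            f.write(line + "\n")
        self.prev = hashlib.sha256(line.encode()).hexdigest()
        return entry


def verify_log(path: str):
    """Re-walk the log. Returns the final chain hash if every 'prev' matches the
    hash of the line before it, or None if any earlier entry was altered or removed."""
    prev = GENESIS
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if json.loads(line)["prev"] != prev:
                return None
            prev = hashlib.sha256(line.encode()).hexdigest()
    return prev


def acquire(original: str, evidence_dir: str, operator: str, witness: str) -> dict:
    """Copy `original` into `evidence_dir`, hashing the source before and after the
    copy, and log every step with the operator and witness names."""
    os.makedirs(evidence_dir, exist_ok=True)
    log = CustodyLog(os.path.join(evidence_dir, "custody.log"))
    h_before = sha256_of(original)
    log.record("hash_source", operator, witness, source=original, sha256=h_before)
    copy_path = os.path.join(evidence_dir, os.path.basename(original) + ".copy")
    shutil.copyfile(original, copy_path)
    h_copy = sha256_of(copy_path)
    log.record("copy", operator, witness, source=original, copy=copy_path, sha256=h_copy)
    h_after = sha256_of(original)            # shows the source was not altered by the copy step
    log.record("hash_source_after", operator, witness, source=original, sha256=h_after)
    os.chmod(copy_path, 0o400)               # working copy is read-only from here on
    verified = h_before == h_copy == h_after
    log.record("verify", operator, witness, result="match" if verified else "MISMATCH")
    return {"copy": copy_path, "sha256": h_copy, "verified": verified,
            "log": log.path, "chain": log.prev}


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    src = os.path.join(work, "usb_image.bin")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)   # constructed sample data
    result = acquire(src, os.path.join(work, "evidence"), "A. Analyst", "B. Witness")
    print(json.dumps(result, indent=2))
    print("log chain intact:", verify_log(result["log"]) == result["chain"])
```

The final chain hash returned as `chain` is the value to write on the signed-off paper record and have the witness initial: a log whose last line has been rewritten still verifies internally, but its final hash no longer matches the recorded one, and any change to an earlier line makes `verify_log` return None. The hashes and the log are what is retained alongside the secured copy; the original is never written to.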

Compliance ISM 08

Introduction
The organisation should take all practical steps to ensure that it meets the requirements of national and international law.

Scope
Applies to all information created in this country, and also to information created in another country and transmitted to this country, and vice versa.

Responsibility
It is the responsibility of Top Management to ensure:
• consideration is given to the legal obligations of the organisation in the development of this information security management system;
• specific legal advice is available from qualified legal practitioners should it be required.

Procedure

Compliance with legal requirements
The objective is to avoid breaches of any civil or criminal law, statutory, regulatory or contractual obligations and of any security requirements.

Identification of applicable legislation
All relevant statutory, regulatory and contractual requirements should be explicitly defined and documented for each information system, and the specific controls and individual responsibilities defined. The Information Security Management Representative will be responsible for monitoring publications and web-sites, and liaising with the Information Security Competent Person, for updates and additions to current legislation.

Intellectual property rights (IPR)
Copyright, design rights and trade marks all require consideration, as infringement can lead to legal action which may involve criminal proceedings.

Software copyright
Software copyright usually applies to software products supplied under a licensing agreement that limits their use to specific machines and may limit copying to backups.


All software in use in the Company and on information security assets, whether used in house or away from the Company's facility, will be listed on the Software Register. The serial numbers and latest version numbers will be included in the listing. The Software Register will also list the software products that are authorised to be loaded on each particular asset. The Software Register will be approved by Top Management. Other controls that should be considered are:
• publishing a software copyright compliance policy which defines legal use of software and information products;
• issuing standards for the procedures for acquisition of software;
• maintaining awareness of software copyright, with disciplinary action for breaches;
• maintaining proof and evidence of ownership;
• implementing controls to enforce the maximum number of users permitted by the licence;
• checks that only authorised software/licensed products are installed;
• providing a policy to maintain appropriate licence conditions;
• providing a policy for disposal and transfer of software;
• using appropriate audit tools;
• complying with software/information conditions from public networks.
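The check that only authorised, licensed products are installed, and the version and user-count controls listed with it, as an added example written for this page (not the Company's own register or tooling). It compares a reported inventory against a Software Register that records, for each product, the latest approved version and licence count, and, for each asset, the products authorised to be loaded on it. Three kinds of finding come out: a product not authorised for the asset (or an asset not on the register at all), a version that differs from the register entry, and a product installed on more assets than it has licences. The register layout, asset and product names, versions and licence counts are constructed for illustration, and version strings are assumed to be dotted integers.

```python
"""Added example for this page (not the Company's own tooling): checking
reported installed software against the Software Register. The register
layout, asset names, product names, versions and licence counts are all
constructed for illustration; versions are assumed to be dotted integers."""
from collections import Counter
from dataclasses import dataclass

# Constructed Software Register: latest version per product, licence counts (an
# added assumption) and the products authorised to be loaded on each asset.
REGISTER = {
    "latest": {"OfficeSuite": "16.0", "GasMeterTool": "3.2.1", "DBEngine": "12.4"},
    "licences": {"OfficeSuite": 50, "GasMeterTool": 2, "DBEngine": 1},
    "authorised": {
        "GLA-WS-014": ["OfficeSuite", "GasMeterTool"],
        "GLA-WS-015": ["OfficeSuite"],
        "GLA-SRV-02": ["GasMeterTool", "DBEngine"],
    },
}

# Constructed inventory as an agent might report it: asset -> {product: installed version}.
INVENTORY = {
    "GLA-WS-014": {"OfficeSuite": "16.0", "GasMeterTool": "3.1.0"},
    "GLA-WS-015": {"OfficeSuite": "16.0", "GasMeterTool": "3.2.1", "TorrentClient": "1.9"},
    "GLA-SRV-02": {"GasMeterTool": "3.2.1", "DBEngine": "12.4"},
    "GLA-LT-007": {"OfficeSuite": "15.0"},
}


@dataclass(frozen=True)
class Finding:
    asset: str       # "*" for register-wide findings such as licence over-deployment
    product: str
    kind: str        # "unauthorised", "version_drift" or "over_licensed"
    detail: str


def parse_version(v: str) -> tuple:
    """'3.2.1' -> (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def check_inventory(inventory: dict, register: dict) -> list:
    """Return every deviation of the reported inventory from the register."""
    findings = []
    installs = Counter()
    for asset, installed in inventory.items():
        # an asset missing from the register has nothing authorised on it
        authorised = set(register["authorised"].get(asset, []))
        for product, version in installed.items():
            installs[product] += 1
            if product not in authorised:
                findings.append(Finding(asset, product, "unauthorised",
                                        f"{product} {version} is not authorised for this asset"))
                continue
            latest = register["latest"][product]
            if parse_version(version) != parse_version(latest):
                age = "older" if parse_version(version) < parse_version(latest) else "newer"
                findings.append(Finding(asset, product, "version_drift",
                                        f"installed {version} is {age} than register version {latest}"))
    # licence use is counted over every install, authorised or not
    for product, count in installs.items():
        limit = register["licences"].get(product)
        if limit is not None and count > limit:
            findings.append(Finding("*", product, "over_licensed",
                                    f"{count} installs exceed {limit} licences"))
    return findings


def summarise(findings: list) -> dict:
    """Count findings by kind, for the volume figures reported to Management Review."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = check_inventory(INVENTORY, REGISTER)
    for f in results:
        print(f"{f.kind:14} {f.asset:12} {f.product:14} {f.detail}")
    print(summarise(results))
```

On the constructed data this reports three unauthorised installs (GasMeterTool and a TorrentClient on GLA-WS-015, and everything on the unregistered laptop GLA-LT-007), one version drift (the older GasMeterTool on GLA-WS-014) and one licence breach (GasMeterTool on three assets against two licences). Unauthorised installs are deliberately counted against the licence total, since they consume entitlements whether or not they were approved.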

Protection of organisational records
Important organisational records need to be protected from loss, destruction and falsification, and some may need to be retained to meet statutory or regulatory requirements. The time period for retention may be set by law or regulation and should be checked. Records should be categorised into record types such as accounts, database records, transaction logs, audit logs and operating procedures, each with its retention period and type of storage media (paper, microfiche, magnetic, optical). Any cryptographic keys associated with the records should be kept separate. The possibility of degradation of the media used for storage of records should be considered, and storage and handling should be in accordance with the manufacturer's recommendations. When electronic storage media are chosen, procedures to allow access should be included, bearing in mind that the manner of retrieval should be acceptable to a court of law. Records should be clearly identified so that they can be appropriately destroyed after the statutory or regulatory period, or once they are no longer of value to the organisation. To meet these obligations the following steps should be taken:
• guidelines should be issued on the retention, storage, handling and disposal of records and information;
• a retention schedule identifying record types and retention periods should be drawn up;
• an inventory of sources of key information should be maintained;
• appropriate controls should be implemented to protect essential records and information from loss, destruction and falsification.

Data protection and privacy of personal information
Legislation is in place to control the processing of personal information (generally information on living individuals who can be identified from that information) and it imposes duties on those collecting, processing and disseminating that information. This may restrict the ability to transfer such data to other countries. The appointment of someone to act as the data protection officer may be required, but it is the responsibility of the owner of the data to seek advice about any proposals to keep personal information in a structured file.


Prevention of misuse of information processing facilities
Any use of information processing facilities for non-business purposes without management approval should result in disciplinary action. Employees should be advised that usage is monitored, or their agreement to monitoring should be obtained. Legal advice should be taken before monitoring usage. Misuse of computers may carry legal penalties, and it is essential that employees are aware of the limits of their permitted access and of the consequences of misuse. Employees should be made aware that no access is permitted except where authorised. Log-on screens should display a warning message that must be accepted before entry is allowed.

Regulation of cryptographic controls
Control of cryptographic processes may include:
• import and/or export of computer hardware and software which is designed to have cryptographic functions added;
• import/export of computer hardware and software for performing cryptographic functionality;
• mandatory or discretionary methods of access by countries to information encrypted by hardware or software to provide confidentiality of content.
Legal advice should be sought to ensure compliance with national law. Before encrypted information or controls are moved to another country, legal advice should be taken.

Compliance with security policies and standards, and technical compliance
The objective is to ensure compliance of systems with organisational security policies and standards. Regular reviews are required.

Compliance with security policy
Managers should ensure security policies in their areas are carried out correctly. In addition, all areas within the organisation should be considered for regular review to ensure compliance. These should include information systems, system providers, owners of information and information assets, users and management. Owners of information systems should support regular compliance reviews against appropriate policies and other security requirements.
Technical compliance checking
Information systems should be regularly checked for compliance with security implementation standards. Technical compliance checking covers all operational systems, to see whether hardware and software controls have been correctly implemented. Specialist technical assistance is required. Compliance checks should also cover penetration testing. All compliance checks should be carried out under the supervision of the authorised Competent Person.

Information systems audit considerations
The objective is to maximise the effectiveness of, and to minimise interference to/from, the system audit process.

System audit controls
The following should be observed:
• audit requirements should be agreed with appropriate management;
• the scope of the checks should be agreed and controlled;
• the checks should be limited to read-only access to software and data;
• access other than read-only should be allowed only for isolated copies of system files, which should be erased when the audit is complete;
• IT resources for performing the checks should be explicitly defined and made available;
• requirements for special or additional processing should be identified and agreed;
• all access should be monitored and logged to produce a reference trail;
• all procedures, requirements and responsibilities should be documented.
The results of the system audit will be recorded.

Protection of system audit tools
Access to system audit tools should be restricted to prevent any possible misuse or compromise. Such tools should be separated from development and operational systems and not held in tape libraries or other user areas, unless given an appropriate level of additional protection.
