Governance, Risk and Compliance Blog

Using EQMS Audit Manager? We've made some really useful improvements... [Video]

Posted by Marc Gardner on Wed, Sep 20, 2017

Improvement is a huge part of everything we do at Qualsys. It's in our culture. We're constantly improving as a business and as people, and we're always aiming to provide products and services that meet the highest possible standards.

We never stop developing and refining the functionality of our EQMS software. Recently we've made a host of improvements to our Audit Manager module, and we've put together a short video to introduce them to you.

Watch this five-minute video, hosted by Declan Webster, one of our Service Implementation Managers, or read the full transcript that follows.


Hello and welcome to the latest video on EQMS by Qualsys. I know you're all busy people so I’ll aim to keep the agenda nice and short. I’ll begin by talking about some of Audit Manager’s functions, and then I’ll take you through a few of the module’s practical uses. Then I’ll use the rest of the session to show you some of Audit Manager’s new features in more detail.

So to start off, what does Audit Manager allow you to do?

It allows you to schedule and plan your audits and inspections quickly and easily, and gives you a calendar view of your entire programme, filtered how you want. It can check an auditor’s availability before it assigns them responsibility for carrying out an audit, and it can notify those being audited that they have an audit looming. If you want to set milestone dates, or have audits that automatically recur after a set period of time, then the module can do all that for you as well.

Questions in Audit Manager are arranged into checklists. You can specify what type of response you need for each question. For example, it could be a date, a number, a selection from a drop-down list or simply a text field. You can make questions mandatory or optional, and you can determine which checklists apply to which type of audit.

It can automate corrective and preventive action by setting deadlines for tasks to be completed and triggering escalation to senior managers when issues are still to be resolved. It can assign as many actions as you need, to as many users as you need, so problems or potential problems are always identified and dealt with. And it can generate automated messages or emails to alert people when they need to take action.

It allows you to control security permissions for your audit records so responsibilities are clearly defined and records can’t be tampered with. You can restrict viewing to certain users or groups of users, or by audit type. You can enforce settings so auditors have read/write access to the appropriate records. And you can define your audit managers – in other words, those people who manage all audit activity for their area of responsibility – and set administrator privileges.
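The permission model just described (viewer allow-lists per user, per group and per audit type; read/write for assigned auditors; audit managers scoped to an area; administrators above all) is easy to get wrong if it is implemented as a pile of special cases. The following is an added example, not Qualsys code and not taken from the video, of a default-deny check that encodes those rules; the role names, the data model, the "closed records cannot be edited by auditors" rule and the audit-type-to-group mapping are assumptions for illustration.

```python
"""Added example (not EQMS code): default-deny, record-level access check for
audit records, following the rules described in the transcript. The data model,
the audit-type visibility table and the closed-record rule are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    is_admin: bool = False
    manages_areas: frozenset = frozenset()   # areas this user is audit manager for


@dataclass
class AuditRecord:
    record_id: str
    audit_type: str
    area: str
    auditors: frozenset                      # users assigned to carry out the audit
    view_users: frozenset = frozenset()      # explicit per-record viewer allow-list
    view_groups: frozenset = frozenset()     # groups allowed to view this record
    closed: bool = False                     # assumed: closed records are frozen for auditors


# Assumed configuration: records of these audit types are visible to these groups
TYPE_VIEW_GROUPS = {
    "safety-inspection": frozenset({"hse"}),
    "internal-quality": frozenset({"quality"}),
}


def can(user, action, record):
    """Return True if `user` may perform `action` ('read', 'write' or 'close')
    on `record`. Anything that matches no rule is denied."""
    if action not in ("read", "write", "close"):
        raise ValueError(f"unknown action {action!r}")
    if user.is_admin:
        return True
    is_manager = record.area in user.manages_areas
    is_auditor = user.name in record.auditors
    if action == "close":
        # only the audit manager for the area (or an admin) signs an audit off
        return is_manager
    if action == "write":
        # auditors get read/write on their own records until the record is closed;
        # the manager may still correct a closed record
        return is_manager or (is_auditor and not record.closed)
    # read: managers and assigned auditors always; otherwise the viewer lists
    if is_manager or is_auditor or user.name in record.view_users:
        return True
    allowed_groups = record.view_groups | TYPE_VIEW_GROUPS.get(record.audit_type, frozenset())
    return bool(user.groups & allowed_groups)
```

The important property is that every branch either returns on an explicit grant or falls through to `False`; adding a new action without a rule raises rather than silently permitting it.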

Like all our EQMS modules, we’ve built Audit Manager to be customisable and allow for a range of uses. Probably the most common use is the internal quality audit, where it helps avoid duplication of effort and allows much clearer and comprehensive data to be recorded.

A lot of clients also find it invaluable for their safety inspections, where it can be used to keep a full, detailed record of all safety activity.

But it’s not just handy for audits. Some of our clients use Audit Manager when new employees join the business, to keep track of paperwork, safety certificates, inductions and access to systems.

And those of our clients working in heavily regulated environments such as labs or medical device manufacturing facilities like to use the module to plan, schedule and carry out their cleaning reviews.

And now on to some of the latest features for Audit Manager.

First off, we have a new report, 494, which includes details of all questions, answers, comments, findings and more. The report adopts a similar style to many of the newer reports in the other EQMS modules, giving you the ability to rearrange, sort and filter the data to your requirements.

You can also save the filters and arrangement you apply to be able to retrieve a new report in the same format at a later date. Additionally, you can export to Microsoft Excel.

Another new feature is this small quality of life enhancement, deleting unrequired checklists. This can save a lot of time when making changes to new audits that use an existing template. Instead of having to remove each section separately, you can now remove the whole checklist in one action.

One of the biggest new features for Audit Manager is the .ICS Outlook integration. Email notifications sent out by the system regarding scheduling audits in EQMS now contain an attached .ics file. When the .ics file is opened in Microsoft Outlook it'll create an entry in your default Outlook calendar. When rescheduling, the notification email will also include an updated .ics file.

And the last new feature that I'd like to talk to you about today is the Auto-Start Audit. If enabled at an Audit Type level, required audits will automatically be updated from 'Planned' or 'Scheduled' to 'Ongoing' when the start date is reached. This ensures it's readily available for auditors to carry out the audit via the app or their web browser without the need for an administrator to update the status manually.
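The .ics behaviour described above depends on one detail that matters when a scheduling system emails calendar attachments: a reschedule must carry the same UID as the original invite and a higher SEQUENCE, otherwise the recipient's calendar shows a second entry instead of updating the first. The following is an added example, not Qualsys code and not from the video, that builds a METHOD:REQUEST invite with the Python standard library, parses it back, and issues the updated file for a rescheduled audit; the UID, organiser address and audit names are assumed for illustration.

```python
"""Added example (not EQMS code): build a METHOD:REQUEST .ics invite, parse it,
and produce the reschedule update with the same UID and SEQUENCE+1 (RFC 5545/5546).
UID, organiser and audit names are assumptions."""
from datetime import datetime, timezone, timedelta


def _fmt(dt):
    """iCalendar UTC timestamp, e.g. 20171002T090000Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def _escape(text):
    """RFC 5545 TEXT escaping for SUMMARY/DESCRIPTION values."""
    return (text.replace("\\", "\\\\").replace(";", "\\;")
                .replace(",", "\\,").replace("\n", "\\n"))


def _unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append("\n" if text[i + 1] in "nN" else text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def build_invite(uid, summary, start, end, sequence=0,
                 organizer="eqms@example.com", stamp=None):
    """Return a METHOD:REQUEST iCalendar document (CRLF line endings).
    Production code should also fold lines longer than 75 octets."""
    stamp = stamp or datetime.now(timezone.utc)
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//audit-manager//EN",
        "METHOD:REQUEST",
        "BEGIN:VEVENT",
        f"UID:{uid}",
        f"SEQUENCE:{sequence}",
        f"DTSTAMP:{_fmt(stamp)}",
        f"DTSTART:{_fmt(start)}",
        f"DTEND:{_fmt(end)}",
        f"SUMMARY:{_escape(summary)}",
        f"ORGANIZER:mailto:{organizer}",
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"


def parse_event(ics):
    """Minimal parser: properties of the first VEVENT as a dict of raw values
    (no unfolding or property parameters; enough for files this code emits)."""
    props, inside = {}, False
    for line in ics.split("\r\n"):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            props[name] = value
    return props


def reschedule(ics, new_start, new_end, stamp=None):
    """Updated invite for an existing one: same UID, SEQUENCE incremented,
    so Outlook replaces the existing calendar entry rather than adding one."""
    old = parse_event(ics)
    return build_invite(old["UID"], _unescape(old["SUMMARY"]), new_start, new_end,
                        sequence=int(old["SEQUENCE"]) + 1, stamp=stamp)
```

A practical check on any system that sends these: generate an invite, reschedule it twice, and confirm the UID never changes and SEQUENCE strictly increases; a fresh UID per email is the usual cause of duplicate calendar entries.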


What you should do now

Our iEQMS Auditor app for iPad makes the entire audit process (planning, producing reports and following up actions) far more efficient and effective. Click the image below to request a demonstration.

Auditing on the iPad


Tags: iEQMS Auditor, Audit Management Software

Good practice (GxP) in the pharmaceutical industry

Posted by Marc Gardner on Fri, Sep 08, 2017

If your business operates in a heavily regulated industry such as pharmaceuticals, you're likely to know all about the concept of good practice (GxP).

GxP guidelines – the 'x' stands for the particular field, whether that's manufacturing (GMP), distribution (GDP), laboratory (GLP) etc. – have their origins in regulations issued by the US Food and Drug Administration (FDA). They aim to ensure that businesses working in regulated industries make products that are safe and fit for use and have met strict quality standards throughout the entire process of production.

The guidelines are generally similar from country to country, and each country has its own regulator. However, many manufacturers aim to meet the FDA's requirements so they can sell to the US market, which is the world's biggest market and so the most profitable.

The five Ps of GxP

GxP is no different to any other quality standard in that it's often complex to interpret and difficult to put into practice. Frequently, it involves implementing some kind of quality management system. But we can boil GxP down to five main elements – the 'five Ps'.

People
  • Have clear roles and responsibilities
  • Follow all procedures
  • Fully trained and assessed for the work they do

Procedures
  • Documented and recorded
  • Cover all critical processes
  • Ensure deviations are fully investigated and reported

Products
  • Specifications for raw materials, components, intermediate and finished product
  • Methods for manufacture and packing, testing, sampling, status control, stability testing and records

Premises and equipment
  • Designed to allow effective cleaning and prevent cross-contamination
  • Validated and calibrated, have procedures, schedules and records

Processes
  • Clearly defined, consistent and documented
  • Critical steps identified
  • Any required changes must follow the change control procedures

GxP and the pharmaceutical industry

Good manufacturing practice (GMP)

Any company that wants to make human medicines needs a manufacturer licence issued by the industry regulator – in the UK, this is the Medicines and Healthcare products Regulatory Agency (MHRA). MHRA will only issue a licence when the company can show it complies with GMP and passes regular inspections.

When we buy medicines, we have no way to check their quality, and so we trust that they're safe, effective and produced to rigorous standards. Ultimately, GMP sets out best-practice methods for manufacturers to ensure their products are packaged and labelled correctly, are uncontaminated and have the ingredients and strength they claim to have.

Basic overview of the drug development process

The guidelines concern all aspects of production, requiring, for example, that:

  • Facilities are of the proper size and kept in good condition
  • Equipment is properly calibrated and maintained
  • Employees have the appropriate qualifications and training
  • Processes are reliable and consistent
  • The correct materials, containers and labels are used

GMP is just one element of what the EU guidelines call quality management, which, along with quality control and quality risk management, forms part of an overall pharmaceutical quality system. An EU directive makes it mandatory for medicines manufacturers to implement such a system. Done correctly, it lessens the risk of contamination, mix-ups, deviations and errors.

Good distribution practice (GDP)

No person or company can legally sell, supply, import or export human medicines without holding a wholesale distribution authorisation (also known as a wholesale dealer licence). And being issued such authorisation means complying with GDP.

GDP helps distributors navigate an increasingly complex supply chain involving suppliers, factories, warehouses, distribution centres and retailers. The guidelines ensure that a medicine's quality is maintained throughout all stages of the supply chain, from when it's first produced by the manufacturer to when a pharmacy or medical professional provides the product to the public.

The guidelines concern aspects of distribution such as:

  • Purchasing
  • Storage
  • Transportation
  • Repackaging and relabelling
  • Documentation and record-keeping

One major aim of GDP is to protect public health and safety by preventing counterfeit, illegal or substandard medicines from entering onto the market.

Good laboratory practice (GLP)

GLP was devised to promote the development of quality test data, both to help protect human health and the environment and to allow reliable scientific data to be shared between countries.

The guidelines cover the safety testing of items contained in:

  • Medicines
  • Pesticides
  • Cosmetics
  • Veterinary drugs
  • Food additives and feed additives
  • Industrial chemicals

These items could be man-made chemicals, naturally occurring substances or living organisms. The items are tested so data can be gathered on what exactly they contain, and whether they pose any risk to human health and/or the environment.

Wherever the tests are conducted – a laboratory, a greenhouse or out in the field – the facility must meet strict standards in terms of procedures, equipment and personnel. And every study must be planned, performed, monitored, recorded, archived and reported under the proper conditions.

Good clinical practice (GCP)

GCP is an international standard for designing, conducting, recording and reporting clinical trials in which human subjects take part. By complying with the standard, organisations that conduct clinical trials are able to give assurance that they're protecting the subjects' rights, safety and wellbeing, and producing reliable, credible data.

The guidelines specify:

  • Before a clinical trial is set in motion, the possible risks must be measured against the expected benefits. The trial must only go ahead if the benefits outweigh the risks.
  • The trial must be based on sound scientific knowledge and its procedure must have been approved by the relevant review board or ethics committee before the trial proceeds.
  • All personnel involved in conducting a trial should have the proper education, training and experience to perform their role. All subjects must have given consent freely and based on full information about what they're consenting to.
  • Any medical care subjects receive must be given by a qualified medical professional.
  • All data should be recorded, handled, and stored in a way that allows it to be accurately reported, interpreted and verified.
  • Any records in which subjects could be identified should be kept confidential.


What you should do now

Does your business manufacture medical devices? Download our ISO 13485 toolkit to learn more about the standard and implementing quality management systems.

ISO 13485

Tags: Pharmaceutical Regulation, GAMP

Can we make quality interesting? Mark Eydman, Six Pillars Consulting, believes we can

Posted by Emily Hill on Wed, Aug 30, 2017


One of the most in-demand quality skills is leadership. There is a dearth of quality professionals who are able to integrate quality metrics into a business strategy, and then inspire others to actually make the necessary changes to drive success.  

We recently caught up with Mark Eydman, Founder and Managing Director of Six Pillars Consulting. Mark has had a hugely successful career in quality, rising to Global VP of Quality (Americas and EMEA) at Schneider Electric before establishing his own quality consultancy in 2015.


"My dream is for the Quality Review meeting to be the most exciting business event of the year," said Mark. "Instead, reviews tend to be bolted on at the end of a general meeting when time allows. Rather than defining the agenda, quality is at the bottom of the list. The review involves a generic slide deck which no one remembers. The executives probably aren't listening as they are all tapping away on their phones or laptops. No one knows what the review was about, let alone what they have to do or why. This can and must change!"


Mark says the reason employees aren't engaged is because quality isn't selling the function. "The quality function can easily become inward looking and obsessed with 'standards'. Don't get me wrong, standards such as ISO 9001:2015 are incredibly important. They provide essential guidance and a framework for your management systems. But when you are talking to everyone else in the business, they don't care about what the clauses say. They want to know why it matters to them. You need to be asking yourself, what makes them tick and how can I help?"

"Quality has the potential to be the most interesting business function. We need to be talking about vision, business strategy, customer loyalty, effectiveness and consistency. Quality needs to be engaging with the bigger picture!"

Storytelling to create purpose

"One example I have used to engage managers and leadership with quality is by talking about the process of getting chips from a chippy. Demonstrating the process, they soon realise it takes much more than simply frying a potato. You have to source the right sort of potato. You have to make sure the equipment is safe. The potatoes need to be peeled and cut to the right size. There needs to be the right amount of oil for the fryer. Employees need to know how to make the chips. All these processes require quality. Every process needs to work effectively in order to make the chips."

Mark said that at the end of the meeting, he gave everyone plastic potatoes and plastic chips, many of which (10 years on) still sit on their desks.


Struggling to give quality a voice? 

From working with large global organisations and smaller companies as a non-executive director, Mark has many proven strategies for getting quality heard. 

Mark has an extensive training profile, including Six Sigma and Net Promoter System certification. His career has been founded on successful management roles within building automation in sales, operations and service over a 20-year period, providing practical experience now used when working with teams of all types at all business levels.

His recent senior leadership roles in Quality & Customer Loyalty supported the delivery of outstanding Customer Experiences within complex, international networks and matrix management environments.

Mark does not consider Customer Loyalty in isolation or as an “end” in its own right. Instead, he works holistically also taking account of Employee Engagement and Operational Effectiveness in equal measure. Typically, if measures to reduce cost and contractual risk can be aligned with a positive work environment and outstanding experiences for Customers, sustainable and profitable growth will be secured.

Mark has enjoyed significant success in transforming Customer Loyalty, restoring damaged Customer relationships, driving Sales Effectiveness, managing cost/risk, implementing Quality Systems and directly achieving business unit growth.

Through Six Pillars Consulting, Mark now works with a variety of businesses and contributes actively to learning and debate in topics including Quality, Customer Loyalty, Employee Engagement and Strategy.

Mark is available to answer your questions, advise you and help you get your message across. 


Contact Mark 

Telephone: +44 (0) 7548 917722

Good Distribution Practice (GDP) – How enlisting a consultant can ensure compliance

Posted by Marc Gardner on Thu, Aug 17, 2017

EU guidelines revised in 2013 set out best-practice methods for how medicines and other pharmaceutical products should be stored, transported and handled. These Good Distribution Practice (GDP) guidelines have gained real traction, and the regulator, MHRA, is putting more and more pressure on businesses to ensure they're compliant.

Qualsys recently partnered with long-standing GDP consultants PJH Logistics Solutions. PJH have years of expertise in helping a wide range of businesses – from global pharmaceutical giants to regional transport firms – to understand and adapt to GDP.

We spoke to Pelleren Hodges, PJH's owner and director, about the benefits of enlisting a consultant, and why any company required to meet GDP should consider doing so.

Vast knowledge of what GDP involves

GDP is no different to many other quality standards and guidelines in that it's complex to interpret and often difficult to implement. It might be new to you, but a GDP consultant has been down that road many times before.

"Most of what we do revolves around GDP, particularly in relation to the pharmaceutical business," Pelleren says. "Part of it is sub-contracting for other consultancy firms, and the other part is direct work with our own clients. 

"It could be a project to get a company up and running in applying for a Wholesale Distribution Authorisation (WDA). It could be a pre-inspection audit or a customer inspection. We might act as Responsible Persons for WDA licences, or set up quality management systems. Our work is extensive."

Experience of implementing quality management systems (QMS)

Complying with GDP means taking a consistent, organised, systematic approach. There's no better way to do this than by implementing a QMS throughout your business. A GDP consultant will know how that implementation process should unfold, and consider questions like:

  • What kind of product do you provide?
  • Do you store the product yourself or do you outsource it to someone else?
  • Are your suppliers complying with what you want them to do?
  • What are your premises like? What equipment do you use?

"Gathering this kind of information means we can start to form the structure of what the QMS will look like," Pelleren says. "We can then draft the documentation, fine-tune it and get it approved by the necessary people within the company. Then we can provide general and more detailed procedural GDP training with all the staff who are going to be involved in GDP activity."

Understanding of how quality management software can help

Quality management can be made simpler and much more effective with the use of software. A GDP consultant will understand the part software can play in strengthening an organisation's QMS.

"Software is crucial, particularly when it comes to maintaining an audit trail, for example," says Pelleren. "It makes the task so difficult when you have bits of paper flying around, some of it's lost and it's impossible to track.

"We work with a lot of smaller companies, some of which don't employ a quality assurance person. They might assign that responsibility to two or three different people, which can cause difficulties in terms of who's doing what, when and how. So a software package such as EQMS gives us the tools to manage that."

Experience of dealing with all levels of staff and getting leadership buy-in

Complying with any sort of regulation or standard, implementing a quality management system – these can be initially disruptive to a business that's traditionally operated with a very fixed mindset. Changing a company culture can unsettle and attract resistance from employees at all levels. A GDP consultant will be familiar with this and have the skills to persuade people to buy in to the new ways of working.

"Some companies do see getting a WDA as a tick-box exercise, and once they have it, that's it," Pelleren says. "It could be that the senior managers have been told they have to do it, and even then it's only lip service. For us, it's about understanding that and tackling it.

"We'll look to provide the right metrics so that the very top manager in the business knows they're responsible for ensuring the managers below them hit their targets. They're the targets that MHRA will be looking for in their inspections.

"Other companies are more willing but pharmaceuticals might not be their core activity. So in those cases, we need to account for the staff not having that familiarity with GDP and getting that continual experience of handling it."


Are you a consultancy firm?

Michael Ord, New Business and Marketing Director, says: "Here at Qualsys we work to a set of core values centred around the idea of making other businesses fitter, faster and stronger. When we form partnerships we always look for organisations who share those values.

"It was clear right away that PJH Logistics Solutions believe in the same ideas, and then some, and we're delighted to partner with them to benefit both our customers and theirs."

If you're a consultancy firm, request more information about our partnership programme here:


Tags: Partnerships

Pharmaceutical Development Company Nanopharm Opt for EQMS by Qualsys

Posted by Emily Hill on Thu, Aug 03, 2017

Qualsys are delighted to welcome pharmaceutical development company Nanopharm as a new EQMS customer. Nanopharm will be implementing a full suite of EQMS modules to support scalable quality and compliance management systems. 

Nanopharm are a leading provider of tailored analytical and product development services for orally inhaled and nasal drug products (OINDPs). They'll be using EQMS to manage all their documentation, audits, and corrective and preventive actions.

Susanne Durie, Head of Quality at Nanopharm, said the team are excited to see how the system will grow within their organisation. "We’re looking forward to exploring the software and finding out how we can make the most of it." 

EQMS by Qualsys is the preferred solution for many pharmaceutical development companies, as the software helps connect data, processes, business systems, assets and people in a central, unified solution. The system helps organisations to meet standards such as ISO 17025, ISO 13485 and ISO 14971, and robust controls required for MHRA and FDA.

Welcome cake sent to Nanopharm

Alex Swan, New Business Manager at Qualsys, has seen many life science and medical device manufacturers discover more hidden value in EQMS during the implementation process.

"The Qualsys implementation team take a best-practice approach to implementing EQMS," Alex said. "This is the best opportunity most quality professionals get to take a deep look at their processes and, with our help, make them more streamlined, efficient and compliant.

"After the implementation process, not only do our customers see considerable cost savings, they find their organisations are more agile and faster to adapt to change. We help other businesses to become fitter, faster and stronger."

EQMS KPI Dashboard

For more information about using EQMS for pharmaceutical, medical device and life science quality management systems, download our customer case studies here.

Download EQMS Case Study Booklet

Tags: FDA, ISO 13485, ISO 17025, MHRA

ISO 17025 Explained – Management and Technical Requirements

Posted by Marc Gardner on Thu, Aug 03, 2017

ISO 17025 is the international standard for testing and calibration laboratories. It's a set of requirements those laboratories use to show that they operate a quality management system and that they're technically competent to do the work that they do.

The standard is set out in five clauses:

  1.    Scope
  2.    Normative references
  3.    Terms and definitions
  4.    Management requirements
  5.    Technical requirements

(However, as ISO 17025 is currently being revised – it's at the approval stage at the time of writing – the format of the standard will be changing to adopt the Annex SL structure. Read more about Annex SL here.)

The scope means a clear statement of everything the lab does for which it wants to be accredited. A testing lab will set out its specific methods for conducting its tests. A calibration lab will list the specific measurements and associated uncertainty it uses in its calibration work. Defining the scope means the lab can identify suitably skilled staff and give clients confidence in its tests and measurements.

The two main sections of ISO 17025 are clauses 4 and 5, which cover the two types of requirements.

Management requirements (clause 4)

4.1 – Organisation
  • Legal status
  • Facilities (permanent, temporary or mobile)
  • Responsibilities of key staff
  • How confidential information is handled
  • Management: structure; deputies; appointment of quality manager; supervision of staff

4.2 – Management system
  • Establishing, implementing and maintaining a QMS appropriate to the scope
  • Issuing a quality manual and quality policy
  • Commitment to professional practice and complying with the standard
  • Staff familiarising themselves with the QMS
  • Responsibility and authority of quality manager

4.3 – Document control
  • Procedures for controlling all documents (internal and external) relating to the QMS – regulations, normative reference documents, drawings, specifications, instructions, manuals etc.
  • Procedures for approving and issuing documents (including maintaining a master list)
  • Procedures for changing/correcting documents

4.4 – Reviewing requests, tenders and contracts
  • Policy and procedure for reviewing requests, tenders and contracts

4.5 – Subcontracting tests and calibrations
  • Policy and procedure for subcontracting testing and calibration work

4.6 – Purchasing services and supplies
  • Policy and procedure for choosing and buying services and supplies that, when used, may affect the quality of tests and/or calibration

4.7 – Service to the client
  • Good communication and co-operation with clients
  • Protecting clients' confidentiality

4.8 – Complaints
  • Policy and procedure for recording and resolving complaints

4.9 – Controlling non-conforming testing and/or calibration work
  • Policy and procedure for dealing with non-conforming work or problems with the QMS, testing and/or calibration

4.10 – Improvement
  • Continually improving the QMS by using the quality policy, auditing, data analysis, corrective and preventive action and management review

4.11 – Corrective action
  • Policy and procedure for taking corrective action when non-conforming work or faults in the QMS or technical operations have been identified

4.12 – Preventive action
  • Policy and procedure for identifying and taking preventive action

4.13 – Controlling records
  • Procedure for controlling records (identification, collection, indexing, access, filing, storage, maintenance and disposal of quality and technical records)

4.14 – Internal audits
  • Policy and procedure for conducting internal audits and implementing findings

4.15 – Management reviews
  • Procedure for management reviews of policies and procedures, audit findings, corrective and preventive action, customer feedback etc.

Technical requirements (clause 5)

5.1 – General
  • Factors affecting the results of testing or calibration

5.2 – Personnel
  • Ensuring all laboratory staff are properly skilled and qualified

5.3 – Accommodation and environmental conditions
  • Policy and procedure on monitoring, controlling and recording accommodation and environmental conditions so testing and calibration is done correctly

5.4 – Test and calibration methods and method validation
  • Policy and procedure for choosing methods of testing and calibration (which covers sampling, transport, storage, uncertainty, control of data etc.)

5.5 – Equipment
  • Policy and procedure for ensuring equipment used for testing and/or calibration is available, suitable and properly maintained

5.6 – Measurement traceability
  • Procedure for choosing, using, calibrating, checking and maintaining measurement standards, reference materials used as measurement standards, and equipment used for testing and calibration

5.7 – Sampling
  • Plan and procedure for sampling

5.8 – Handling test and calibration items
  • Procedures for the transport, receipt, handling, protection, storage, retention and/or disposal of test and calibration items

5.9 – Assuring the quality of test and calibration results
  • Procedure for monitoring the validity of testing and calibration

5.10 – Reporting results
  • Ensuring results of testing and calibration are reported clearly and objectively

Using EQMS for ISO 17025 

Many medical device manufacturers and life science research facilities use EQMS to meet ISO 17025. EQMS helps integrate data, processes, business systems, assets and people in an extended enterprise. The integrated modules enable you to easily maintain all procedures, sampling records and audits in a centralised, unified system. 

What you should do now

Download our case study booklet to learn how global brands like Diageo, Sodexo and BT and hundreds of SMEs across the UK use EQMS to transform the role of quality and compliance in their organisation.

Download EQMS Case Study Booklet

Tags: ISO 17025

ISO 27001:2013 – Free Gap Analysis Spreadsheet Tool

Posted by Marc Gardner on Wed, Aug 02, 2017

Time to sharpen up your information security management system? Thinking of using ISO 27001:2013 as a framework? 

Richard Green, founder of Kingsford Consultancy Services, recommends getting to grips with the standard, talking to your certification body and doing a thorough gap analysis before making any dramatic changes to your processes.

It may be that you actually already have many of the required processes in place. Or, if you've neglected your information security management practices, you may have a mammoth project ahead of you which will require fundamental changes to your operations, product or services. 

To access the Gap Analysis Tool, download the ISO 27001 Toolkit. Read on to find out how to use it.  


Download ISO 27001 Toolkit


What is a gap analysis?

Think of the gap analysis as simply looking for gaps. That's it. You're analysing the ISO 27001 standard clause by clause and determining which of those requirements you've implemented as part of your information security management system (ISMS).

Take clause 5 of the standard, which is "Leadership". There are three parts to it. The first part's about leadership and commitment – can your top management demonstrate leadership and commitment to your ISMS? It might be that you've already covered this in your information security policy (see #2 here), and so to that question you can answer 'Yes'.

Find the ISO 27001:2013 Gap Analysis Template Checklist in the ISO 27001 Toolkit


Gap analysis vs. risk assessment

Doing a gap analysis for the main body of the standard (clauses 4–10) isn't compulsory but very much recommended. It'll help to have first defined your ISMS's scope (see #1 here), because any ISO 27001 auditor will want to know exactly what information your ISMS intends to secure and protect. Having a clear idea of what the ISMS excludes means you can leave these parts out of your gap analysis.

A gap analysis is compulsory for the 114 security controls in Annex A that form your statement of applicability (see #4 here), as this document needs to demonstrate which of the controls you've implemented in your ISMS.

The risk assessment (see #3 here) is an essential document for ISO 27001 certification, and should come before your gap analysis. You can't identify the controls you need to apply without first knowing what risks you need to control in the first place. Once you've determined those risks and controls, you can then do the gap analysis to identify what you're missing.

Gap analysis

Tells you what you're missing to comply with ISO 27001.

Doesn't tell you which controls to apply to address the risks you've identified.

Risk assessment 

Tells you what controls you should apply.

Doesn't tell you what controls you already have.


When to do a gap analysis 

Complete the ISO 27001 Gap Analysis Questionnaire

When you do your gap analysis depends on how far along you are with implementing your ISMS. 

  • If you have no real system to speak of, you already know you'll be missing most, if not all, of the controls your risk assessment deemed necessary. So you might want to leave your gap analysis until further into your ISMS's implementation.
  • If your implementation's underway but still in its infancy, your analysis will still show lots of gaps, but you'll have a much better understanding of how much work you have ahead of you.
  • If you have a fairly established system in place, you can use the gap analysis to determine just how strong your system is. So you might want to do it towards the end of your implementation.

After completing the ISO 27001:2013 Gap Analysis Checklist, you'll be given an ISMS Gap Analysis Report detailing where you need to make changes.
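The distinction drawn above (the risk assessment decides which controls you need, the gap analysis reports which of those you don't yet have) can be made concrete in a few lines. The following is an added example, not code from the Qualsys post or the toolkit; the control numbers follow ISO 27001:2013 Annex A, but the risk register, scope exclusion and checklist answers are constructed for illustration.

```python
"""Added example (not from the post or the toolkit): a minimal ISMS gap analysis.
The risk assessment decides WHICH Annex A controls are required; the gap
analysis reports which of those in-scope controls are not yet fully in place."""

# Constructed risk register: each risk is mapped to the controls chosen to treat it.
RISK_REGISTER = {
    "Laptop holding customer data lost off-site": ["A.6.2.1", "A.10.1.1"],
    "Unauthorised access to HR file share": ["A.9.2.3", "A.12.4.1"],
    "Unpatched web server compromised": ["A.12.6.1", "A.12.4.1"],
}
# Constructed checklist answers, as a gap analysis questionnaire would collect them.
IMPLEMENTATION = {"A.9.2.3": "yes", "A.12.4.1": "partial", "A.10.1.1": "yes"}
# Constructed scope exclusion: mobile devices are outside this ISMS, so A.6.2.1
# is left out of the analysis rather than being counted as a gap.
EXCLUSIONS = {"A.6.2.1"}

STATUS_WEIGHT = {"yes": 1.0, "partial": 0.5, "no": 0.0}

def required_controls(risk_register):
    """Risk assessment output: control -> the risks that require it."""
    required = {}
    for risk, controls in risk_register.items():
        for control in controls:
            required.setdefault(control, []).append(risk)
    return required

def gap_analysis(risk_register, implementation, exclusions=frozenset()):
    """Gap analysis: in-scope required controls that are not fully implemented."""
    required = required_controls(risk_register)
    in_scope = {c: r for c, r in required.items() if c not in exclusions}
    gaps, score = [], 0.0
    for control in sorted(in_scope):
        status = implementation.get(control, "no")  # unanswered counts as missing
        score += STATUS_WEIGHT[status]
        if status != "yes":
            gaps.append((control, status, in_scope[control]))
    coverage = score / len(in_scope) if in_scope else 1.0
    return {"required": sorted(in_scope), "gaps": gaps, "coverage": coverage}

def report(result):
    """Render the gap analysis result as lines of a simple text report."""
    lines = [f"Required controls in scope: {len(result['required'])}",
             f"Implementation coverage: {result['coverage']:.1%}"]
    for control, status, risks in result["gaps"]:
        lines.append(f"GAP {control} [{status}] needed for: {'; '.join(risks)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(gap_analysis(RISK_REGISTER, IMPLEMENTATION, EXCLUSIONS))))
```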


What you should do now

There's no prescribed method for doing your gap analysis, but we've made it really easy with our free Gap Analysis Checklist. Download the Gap Analysis Tool from the ISO 27001 Toolkit.

 Download ISO 27001 Toolkit

Tags: ISO 27001

Synexus Launch Enterprise Document Management System

Posted by Emily Hill on Wed, Aug 02, 2017

Qualsys are delighted to announce that Synexus, the world's leading site management organisation, have recently launched EQMS Document Manager across their entire company. 

Synexus engage, recruit and manage patients for clinical trial research. The company have grown significantly both in the UK and abroad, and have been recognised by The Sunday Times HSBC International Track 200 as one of Britain's private companies with the fastest-growing international sales.  

As the company continued to grow, Synexus sought a solution which would enable all their employees to access controlled information. After a competitive tendering process, they opted for EQMS by Qualsys.

"Synexus have grown 400% in the past few years. Currently, all employees have a very high understanding of compliance and quality requirements. However, as we continue to grow to 5,000 employees by 2020, we needed a system which would give managers better visibility into issues and challenges."

EQMS workflows

Robert Oakley, Commercial Director at Qualsys and account manager for Synexus, said: "We're really excited about our partnership with Synexus. Our Customer Success Team have been working closely with Synexus to train, implement and engage their employees with EQMS. So far, it's been a huge success with almost all employees logging into the system over the past few weeks."

To drive engagement with EQMS, Synexus asked their employees to choose a name for EQMS.
EQMS has been rebranded to eQual.


Is your organisation growing? 

For more information about implementing EQMS in your company, arrange a discovery call with one of our experts. They'll ask you a series of exploratory questions to see if EQMS might be a good fit for you. 
Request your EQMS Software demonstration

Tags: Document Manager, New Customers

ISO 27001:2013 – Why is information security important?

Posted by Marc Gardner on Mon, Jul 31, 2017

Information in this day and age has become currency, driving business and commerce across the world. It could be your organisation's most important and valuable asset, and so it demands to be properly protected.

Protecting information means managing risk, just as you'd manage the risk of any other type of hazard occurring. Yet the risks around information security are all too often overlooked or brushed off – the mindset being that only the huge multinational corporations suffer data breaches and "it'll never happen to us".

But it can happen to any business – and does.

More than 1,500 UK businesses took part in the UK Government's Cyber Security Breaches Survey 2017 and virtually all were found to have been exposed to cyber security risks in some way. Once you have a website and social media, use cloud services, or hold electronic data on your customers, you become a potential target, regardless of size, wealth or reputation.

Yes, larger organisations are routinely hit, for various reasons. It might be that their security measures aren't integrated but operating in isolation, creating vulnerabilities for calculating hackers to exploit. Or perhaps their systems are outdated, unfit for purpose in staving off sophisticated cyber threats.

Nearly 70% of all medium (50 to 249 staff) to large (250+) businesses surveyed by the UK Government said they'd suffered some kind of cyber breach or attack in the previous year. For micro (2 to 9 staff) and small (10 to 49) businesses, it was a not-insignificant 45%.


Click the images to read findings from the UK Government survey

With technology only becoming more commonplace in business and industry, information security simply can't be ignored. Still, micro/small businesses are less likely than medium and large firms to have implemented cyber security measures (formal policies or staff training, for example) or sought advice on how to do it. 35% of micro/small businesses that had identified a breach still considered security a low priority. Some businesses thought themselves too small or insignificant to consider security measures at all.

While the big firms are hit with the highest costs in monetary terms, the financial impact of cyber attacks is disproportionately high for firms with fewer than 100 employees, as a report commissioned by insurance provider Hiscox found.

Click to read the Hiscox Cyber Readiness Report 2017

However, not all data breaches are hacks, and information security involves more than your company's website and IT network. The physical security of your buildings; your employees' use of electronic devices like laptops, smartphones and tablets; your handling of confidential documents – these are considerations that affect all businesses, regardless of size.

So organisations need to be heeding the warnings about data security, and recognising that it's vital to their reputation, brand and the continuity of their business. An increasing number of companies are adopting international standards like ISO 27001 and 27002 to demonstrate their commitment in this area. And many firms are devoting more budget and manpower to keeping their information secure.

Consider your own organisation. How committed to information security are you? Is there more you can be doing to protect yourself? 

If you're doing it right, you'll have built information security into everything you do – it'll be reflected in your corporate strategy and objectives, your company culture. You'll have planned and implemented an information security management system (ISMS). And every employee, from top-level management down, will know what's required and what they need to do to achieve it.


What you should do now

For more information about ISO 27001, download our toolkit.

ISO 27001 Toolkit - Updating ISMS

Tags: ISO 27001

ISO 27001:2013 – How EQMS can help with certification

Posted by Marc Gardner on Fri, Jul 21, 2017

Many organisations find themselves in a digital storm of relentless and continuous change, often brought on by rapidly evolving technology. For this reason, information security can no longer be a once-in-a-while project – it must be central to all your projects and processes.

ISO 27001 provides a framework for managing information security. Based on regular risk assessments that consider ever-changing scenarios, it's at its most effective with a robust and flexible electronic management system working alongside it.

And so to EQMS, Qualsys's solution for managing ISO 27001 documentation, audits, risk and suppliers simply, securely and efficiently.

EQMS Document Manager

Planning an information security management system (ISMS) is a crucial requirement of ISO 27001 accreditation.

ISO 27001 sets out a nine-stage process for doing so. The documentation you generate through this process will define your system's scope (i.e. what information it intends to protect), your organisation's context, and your detailed approach to keeping your information secure. This process needs to be embedded throughout your entire organisation.

With EQMS Document Manager, you can easily share compulsory documents (such as your information security policy, risk assessment methodology and statement of applicability) with the relevant members of your team. EQMS ensures only the most recent version of the documents will be seen and read.

Disseminating information too widely can expose your company to unnecessary risk. With EQMS, you can really lock down your data by reducing to the barest minimum the number of roles that have higher access privileges or levels of authorisation.

And EQMS uses electronic signatures to ensure that your employees confirm they've read and understood your latest operating procedures. This limits the risk of your company being liable for data breaches.

Download the EQMS Document Manager datasheet here

EQMS Risk Manager

Risk assessment is a complex part of ISO 27001 implementation – and the most important step.

EQMS Risk Manager is configured to your risk assessment methodology. How you treat those risks you've identified in your assessment can be managed through a workflow which is traceable at every stage. You'll be able to view real-time risk assessment reports in the KPI Dashboard, allowing you to proactively manage risk from a central system.

Download the EQMS Risk Manager datasheet here

EQMS Audit Manager

EQMS Audit Manager can be configured for both systematic and closed-loop auditing. And you can associate your audits with whatever regulations or standards (such as ISO 27001) might apply to your business.

iEQMS Auditor is an iPad application for mobile auditing. The application works without an internet connection and gives your top-level management complete visibility of how well your information security processes are working.

Download the EQMS Audit and Inspection Manager datasheet here

Request a demo of iEQMS Auditor here


What you should do now

For more information about ISO 27001, download our toolkit.

ISO 27001 Toolkit - Updating ISMS


Tags: ISO 27001