Governance, Risk and Compliance Blog

Using EQMS to manage risk

Posted by Marc Gardner on Mon, Oct 09, 2017

To stay competitive in today's market, it's vital you have a good strategy to manage risk. In recent times, some high-profile organisations have learned the hard way that neglecting risk can not only be costly, but undo years of work building a strong brand and reputation.

If your organisation is ISO-certified, or in the process of becoming certified, you'll already be familiar with risk-based thinking and embedding this way of working across the business. The current generation of ISO management system standards (ISO 9001:2015 and ISO 14001:2015 among them) requires a risk-based approach, where risk is less an isolated part of your quality management system (QMS) and more a feature of the QMS as a whole. With this approach, you can handle risk much more proactively instead of merely reacting when things go wrong.

ISO 27001:2013, for example, requires you to define and document a process for assessing and treating information security risks (clauses 6.1.2 and 6.1.3) as you implement your information security management system. And while ISO 9001:2015 doesn't formally say you must do a full risk assessment, clause 6.1 does require you to determine the risks and opportunities that need addressing, plan actions to address them and evaluate how effective those actions have been.

A commonly used tool for assessing risk is the risk assessment matrix. You've probably seen one before. A grid of reds, ambers and greens telling you what risks are likely to occur and how severe their impact could be.

Manually creating a risk assessment matrix takes a lot of time – you need to identify what risks apply to your business, decide how you'll evaluate them ('likelihood' and 'impact' tend to be the most common) and then assess them based on the criteria you've chosen.
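As an added illustration of the matrix approach (this is not EQMS code; the 5-point scales, the class thresholds, the control effects and the sample register are all assumptions chosen for the example), here is a small Python risk register that scores likelihood x impact, maps the score onto a red/amber/green class, applies controls to show inherent versus residual risk, and lists which risks still sit outside an assumed risk appetite:

```python
"""Risk assessment matrix: score, classify and prioritise a risk register.

Added illustration of the likelihood x impact matrix; this is not EQMS code.
The 5-point scales, the class thresholds, the control effects and the sample
register are assumptions chosen for the example.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CLASS_ORDER = {"green": 0, "amber": 1, "red": 2}


def risk_class(level):
    """Map a 1..25 risk level onto the red/amber/green grid (assumed thresholds)."""
    if level >= 15:
        return "red"
    if level >= 8:
        return "amber"
    return "green"


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    impact: str
    # Controls applied, each as (name, likelihood reduction, impact reduction).
    controls: list = field(default_factory=list)

    def inherent_level(self):
        """Risk level before any controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_level(self):
        """Risk level after controls; neither score ever drops below 1."""
        lik = LIKELIHOOD[self.likelihood]
        imp = IMPACT[self.impact]
        for _name, d_lik, d_imp in self.controls:
            lik = max(1, lik - d_lik)
            imp = max(1, imp - d_imp)
        return lik * imp


def assess(register):
    """Score every risk and return rows ordered by residual level, highest first."""
    rows = []
    for r in register:
        inherent, residual = r.inherent_level(), r.residual_level()
        rows.append({
            "ref": r.ref, "description": r.description,
            "inherent": inherent, "inherent_class": risk_class(inherent),
            "residual": residual, "residual_class": risk_class(residual),
        })
    rows.sort(key=lambda row: (-row["residual"], row["ref"]))
    return rows


def treatment_needed(rows, appetite="amber"):
    """Refs whose residual class is worse than the organisation's risk appetite."""
    return [row["ref"] for row in rows
            if CLASS_ORDER[row["residual_class"]] > CLASS_ORDER[appetite]]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware delivered by phishing email", "likely", "major",
         controls=[("Mail filtering and user training", 1, 0),
                   ("Offline, tested backups", 0, 2)]),
    Risk("R2", "Loss of a single-source supplier", "possible", "moderate"),
    Risk("R3", "Unpatched internet-facing server", "almost certain", "severe",
         controls=[("Monthly patch cycle", 2, 0)]),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER)
    for row in rows:
        print(f'{row["ref"]}: inherent {row["inherent"]:2d} ({row["inherent_class"]}) '
              f'-> residual {row["residual"]:2d} ({row["residual_class"]})')
    print("Needs further treatment:", treatment_needed(rows))
```

Two points the table of colours alone doesn't show: a control that only reduces likelihood (patching) leaves a severe-impact risk red, while one that cuts impact (backups) can take a red risk to green; and the same register gives a different treatment list depending on the appetite you set, so the appetite is a decision to record, not a default.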

EQMS Risk Manager

Features

EQMS Risk Manager gives you a framework for identifying, evaluating, managing and monitoring risk. By bringing together data into one integrated, central system, EQMS Risk Manager takes away the problem of business units and departments all working in isolation, without transparency or any knowledge of each other's processes.

Identifying risk

Any user can log in and suggest a risk. The system directs the suggestion to your Risk Manager, who then decides whether to log the suggestion as a risk to be further assessed, or reject it. The system records the Risk Manager's response and feeds it back to the user who made the suggestion.

Evaluating risk

The system keeps a full list of all the risks your business faces. It assesses each risk against the data provided (including likelihood and impact) and uses a formula to calculate a risk level and risk class.

Managing risk

If the risk class and risk level are unsatisfactory, the Risk Manager may take action to lessen the risk (and perhaps lower its class and level) until it becomes acceptable. For higher risks, the Risk Manager may define which action should be taken when a related incident occurs so its impact can be limited.

Monitoring risk

The system has powerful risk analysis and monitoring tools such as configurable risk calculators and risk traffic lights. It provides easy access to a bank of assessments so users can see what controls were tested and the results of the assessments. Risk Managers can access a range of reports to analyse metrics, and apply a number of parameters to help with their decision-making.


Benefits

EQMS Risk Manager saves you time and money by allowing you to assess risks quickly, efficiently and consistently. Its workflow functionality enables you to assign responsibilities and set deadlines to ensure risks are dealt with promptly and never ignored. Your employees know exactly who's responsible for doing what when it comes to limiting risk, which in turn allows you to better demonstrate compliance.

 

What you should do now

If you'd like to know more about how EQMS Risk Manager can help your organisation manage risk easily, arrange a demonstration by clicking the following link.

Request your EQMS Software demonstration

Tags: Risk Management, Risk Based Thinking

Using EQMS Audit Manager? We've made some really useful improvements... [Video]

Posted by Marc Gardner on Wed, Sep 20, 2017

Improvement is a huge part of everything we do at Qualsys. It's in our culture. We're constantly improving as a business and as people, and we're always aiming to provide products and services that meet the highest possible standards.

We never stop developing and refining the functionality of our EQMS software. Recently we've made a host of improvements to our Audit Manager module, and we've put together a short video to introduce them to you.

Watch this five-minute video, hosted by Declan Webster, one of our Service Implementation Managers, or read the full transcript that follows.

Transcript

Hello and welcome to the latest video on EQMS by Qualsys. I know you're all busy people so I’ll aim to keep the agenda nice and short. I’ll begin by talking about some of Audit Manager’s functions, and then I’ll take you through a few of the module’s practical uses. Then I’ll use the rest of the session to show you some of Audit Manager’s new features in more detail.

So to start off, what does Audit Manager allow you to do?

It allows you to schedule and plan your audits and inspections quickly and easily, and gives you a calendar view of your entire programme, filtered how you want. It can check an auditor’s availability before it assigns them responsibility for carrying out an audit, and it can notify those being audited that they have an audit looming. If you want to set milestone dates, or have audits that automatically recur after a set period of time, then the module can do all that for you as well.

Questions in Audit Manager are arranged into checklists. You can specify what type of response you need for each question. For example, it could be a date, a number, a selection from a drop-down list or simply a text field. You can make questions mandatory or optional, and you can determine which checklists apply to which type of audit.

It can automate corrective and preventive action by setting deadlines for tasks to be completed and triggering escalation to senior managers when issues are still to be resolved. It can assign as many actions as you need, to as many users as you need, so problems or potential problems are always identified and dealt with. And it can generate automated messages or emails to alert people when they need to take action.

It allows you to control security permissions for your audit records so responsibilities are clearly defined and records can’t be tampered with. You can restrict viewing to certain users or groups of users, or by audit type. You can enforce settings so auditors have read/write access to the appropriate records. And you can define your audit managers – in other words, those people who manage all audit activity for their area of responsibility – and set administrator privileges.

Like all our EQMS modules, we’ve built Audit Manager to be customisable and allow for a range of uses. Probably the most common use is the internal quality audit, where it helps avoid duplication of effort and allows much clearer and comprehensive data to be recorded.

A lot of clients also find it invaluable for their safety inspections, where it can be used to keep a full, detailed record of all safety activity.

But it’s not just handy for audits. Some of our clients use Audit Manager when new employees join the business, to keep track of paperwork, safety certificates, inductions and access to systems.

And those of our clients working in heavily regulated environments such as labs or medical device manufacturing facilities like to use the module to plan, schedule and carry out their cleaning reviews.

And now on to some of the latest features for Audit Manager.

First off, we have a new report, 494, which includes details of all questions, answers, comments, findings and more. The report adopts a similar style to many of the newer reports in the other EQMS modules, giving you the ability to rearrange, sort and filter the data to your requirements.

You can also save the filters and arrangement you apply to be able to retrieve a new report in the same format at a later date. Additionally, you can export to Microsoft Excel.

Another new feature is this small quality of life enhancement, deleting unrequired checklists. This can save a lot of time when making changes to new audits that use an existing template. Instead of having to remove each section separately, you can now remove the whole checklist in one action.

One of the biggest new features for Audit Manager is the .ICS Outlook integration. Email notifications sent out by the system regarding scheduling audits in EQMS now contain an attached .ics file. When the .ics file is opened in Microsoft Outlook it'll create an entry in your default Outlook calendar. When rescheduling, the notification email will also include an updated .ics file.

And the last new feature that I'd like to talk to you about today is the Auto-Start Audit. If enabled at an Audit Type level, required audits will automatically be updated from 'Planned' or 'Scheduled' to 'Ongoing' when the start date is reached. This ensures it's readily available for auditors to carry out the audit via the app or their web browser without the need for an administrator to update the status manually.

 

What you should do now

Our iEQMS Auditor app for iPad makes the entire audit process – planning, producing reports and following up actions – far more efficient and effective. Click the image below to request a demonstration.

Auditing on the iPad


 

Tags: iEQMS Auditor, Audit Management Software

Good practice (GxP) in the pharmaceutical industry

Posted by Marc Gardner on Fri, Sep 08, 2017

If your business operates in a heavily regulated industry such as pharmaceuticals, you're likely to know all about the concept of good practice (GxP).

GxP guidelines – the 'x' stands for the particular field, whether that's manufacturing (GMP), distribution (GDP), laboratory (GLP) etc. – were established in the US by the Food and Drug Administration (FDA). They aim to ensure that businesses working in regulated industries make products that are safe and fit for use and have met strict quality standards throughout the entire process of production.

The guidelines are generally similar from country to country, and each country has its own regulator. However, many manufacturers aim to meet the FDA's requirements so they can sell to the US market, which is the world's biggest market and so the most profitable.

The five Ps of GxP

GxP is no different to any other quality standard in that it's often complex to interpret and difficult to put into practice. Frequently, it involves implementing some kind of quality management system. But we can boil GxP down to five main elements – the 'five Ps'.

People
  • Have clear roles and responsibilities
  • Follow all procedures
  • Fully trained and assessed for the work they do
Procedures
  • Documented and recorded
  • Cover all critical processes
  • Ensure deviations are fully investigated and reported
Products
  • Specifications for raw materials, components, intermediate and finished product
  • Methods for manufacture and packing, testing, sampling, status control, stability testing and records
Premises and equipment
  • Designed to allow effective cleaning and prevent cross-contamination
  • Validated and calibrated, have procedures, schedules and records
Processes
  • Clearly defined, consistent and documented
  • Critical steps identified
  • Any required changes must follow the change control procedures


GxP and the pharmaceutical industry

Good manufacturing practice (GMP)

Any company that wants to make human medicines needs a manufacturer licence issued by the industry regulator – in the UK, this is the Medicines and Healthcare products Regulatory Agency (MHRA). The MHRA will only issue a licence when the company can show it complies with GMP and passes regular inspections.

When we buy medicines, we have no way to check their quality, and so we trust that they're safe, effective and produced to rigorous standards. Ultimately, GMP sets out best-practice methods for manufacturers to ensure their products are packaged and labelled correctly, are uncontaminated and have the ingredients and strength they claim to have.

Basic overview of the drug development process

The guidelines concern all aspects of production, requiring, for example, that:

  • Facilities are of the proper size and kept in good condition
  • Equipment is properly calibrated and maintained
  • Employees have the appropriate qualifications and training
  • Processes are reliable and consistent
  • The correct materials, containers and labels are used

GMP is just one element of what the EU guidelines call quality management, which, along with quality control and quality risk management, forms part of an overall pharmaceutical quality system. An EU directive makes it mandatory for medicines manufacturers to implement such a system. Done correctly, it lessens the risk of contamination, mix-ups, deviations and errors.

Good distribution practice (GDP)

No person or company can legally sell, supply, import or export human medicines without holding a wholesale distribution authorisation (also known as a wholesale dealer licence). And being issued such authorisation means complying with GDP.

GDP helps distributors navigate an increasingly complex supply chain involving suppliers, factories, warehouses, distribution centres and retailers. The guidelines ensure that a medicine's quality is maintained throughout all stages of the supply chain, from when it's first produced by the manufacturer to when a pharmacy or medical professional provides the product to the public.

The guidelines concern aspects of distribution such as:

  • Purchasing
  • Storage
  • Transportation
  • Repackaging and relabelling
  • Documentation and record-keeping

One major aim of GDP is to protect public health and safety by preventing counterfeit, illegal or substandard medicines from entering the market.

Image credit: www.pharmpro.com

Good laboratory practice (GLP)

GLP was devised to promote the development of quality test data, both to help protect human health and the environment and to allow reliable scientific data to be shared between countries.

The guidelines cover the safety testing of items contained in:

  • Medicines
  • Pesticides
  • Cosmetics
  • Veterinary drugs
  • Food additives and feed additives
  • Industrial chemicals

These items could be man-made chemicals, naturally occurring substances or living organisms. The items are tested so data can be gathered on what exactly they contain, and whether they pose any risk to human health and/or the environment.

Wherever the tests are conducted – a laboratory, a greenhouse or out in the field – the facility must meet strict standards in terms of procedures, equipment and personnel. And every study must be planned, performed, monitored, recorded, archived and reported under the proper conditions.

Good clinical practice (GCP)

GCP is an international standard for designing, conducting, recording and reporting clinical trials in which human subjects take part. By complying with the standard, organisations that conduct clinical trials are able to give assurance that they're protecting the subjects' rights, safety and wellbeing, and producing reliable, credible data.

The guidelines specify:

  • Before a clinical trial is set in motion, the possible risks must be measured against the expected benefits. The trial must only go ahead if the benefits outweigh the risks.
  • The trial must be based on sound scientific knowledge and its procedure must have been approved by the relevant review board or ethics committee before the trial proceeds.
  • All personnel involved in conducting a trial should have the proper education, training and experience to perform their role. All subjects must have given consent freely and based on full information about what they're consenting to.
  • Any medical care subjects receive must be given by a qualified medical professional.
  • All data should be recorded, handled, and stored in a way that allows it to be accurately reported, interpreted and verified.
  • Any records in which subjects could be identified should be kept confidential.

 

What you should do now

Does your business manufacture medical devices? Download our ISO 13485 toolkit to learn more about the standard and implementing quality management systems.

ISO 13485

Tags: Pharmaceutical Regulation, GAMP

Good Distribution Practice (GDP) – How enlisting a consultant can ensure compliance

Posted by Marc Gardner on Thu, Aug 17, 2017

EU guidelines revised in 2013 set out best-practice methods for how medicines and other pharmaceutical products should be stored, transported and handled. These Good Distribution Practice (GDP) guidelines have gained real traction, and the UK regulator, the MHRA, is putting more and more pressure on businesses to ensure they're compliant.

Qualsys recently partnered with long-standing GDP consultants PJH Logistics Solutions. PJH have years of expertise in helping a wide range of businesses – from global pharmaceutical giants to regional transport firms – to understand and adapt to GDP.

We spoke to Pelleren Hodges, PJH's owner and director, about the benefits of enlisting a consultant, and why any company required to meet GDP should consider doing so.

Vast knowledge of what GDP involves

GDP is no different to many other quality standards and guidelines in that it's complex to interpret and often difficult to implement. It might be new to you, but a GDP consultant has been down that road many times before.

"Most of what we do revolves around GDP, particularly in relation to the pharmaceutical business," Pelleren says. "Part of it is sub-contracting for other consultancy firms, and the other part is direct work with our own clients. 

"It could be a project to get a company up and running in applying for a Wholesale Distribution Authorisation (WDA). It could be a pre-inspection audit or a customer inspection. We might act as Responsible Persons for WDA licences, or set up quality management systems. Our work is extensive."

Experience of implementing quality management systems (QMS)

Complying with GDP means taking a consistent, organised, systematic approach. There's no better way to do this than by implementing a QMS throughout your business. A GDP consultant will know how that implementation process should unfold, and consider questions like:

  • What kind of product do you provide?
  • Do you store the product yourself or do you outsource it to someone else?
  • Are your suppliers complying with what you want them to do?
  • What are your premises like? What equipment do you use?

"Gathering this kind of information means we can start to form the structure of what the QMS will look like," Pelleren says. "We can then draft the documentation, fine-tune it and get it approved by the necessary people within the company. Then we can provide general and more detailed procedural GDP training with all the staff who are going to be involved in GDP activity."

Understanding of how quality management software can help

Quality management can be made simpler and much more effective with the use of software. A GDP consultant will understand the part software can play in strengthening an organisation's QMS.

"Software is crucial, particularly when it comes to maintaining an audit trail, for example," says Pelleren. "It makes the task so difficult when you have bits of paper flying around, some of it's lost and it's impossible to track.

"We work with a lot of smaller companies, some of which don't employ a quality assurance person. They might assign that responsibility to two or three different people, which can cause difficulties in terms of who's doing what, when and how. So a software package such as EQMS gives us the tools to manage that."

Experience of dealing with all levels of staff and getting leadership buy-in

Complying with any sort of regulation or standard, implementing a quality management system – these can be initially disruptive to a business that's traditionally operated with a very fixed mindset. Changing a company culture can unsettle and attract resistance from employees at all levels. A GDP consultant will be familiar with this and have the skills to persuade people to buy in to the new ways of working.

"Some companies do see getting a WDA as a tick-box exercise, and once they have it, that's it," Pelleren says. "It could be that the senior managers have been told they have to do it, and even then it's only lip service. For us, it's about understanding that and tackling it.

"We'll look to provide the right metrics so that the very top manager in the business knows they're responsible for ensuring the managers below them hit their targets. They're the targets that MHRA will be looking for in their inspections.

"Other companies are more willing but pharmaceuticals might not be their core activity. So in those cases, we need to account for the staff not having that familiarity with GDP and getting that continual experience of handling it."

 

Are you a consultancy firm?

Michael Ord, New Business and Marketing Director, says: "Here at Qualsys we work to a set of core values centred around the idea of making other businesses fitter, faster and stronger. When we form partnerships we always look for organisations who share those values.

"It was clear right away that PJH Logistics Solutions believe in the same ideas, and then some, and we're delighted to partner with them to benefit both our customers and theirs."

If you're a consultancy firm, request more information about our partnership programme here:

 

Tags: Partnerships

ISO 17025 explained – Management and technical requirements

Posted by Marc Gardner on Thu, Aug 03, 2017

ISO 17025 is the international standard for testing and calibration laboratories. It's a set of requirements those laboratories use to show that they operate a quality management system and that they're technically competent to do the work that they do.

The standard is set out in five clauses:

  1.    Scope
  2.    Normative references
  3.    Terms and definitions
  4.    Management requirements
  5.    Technical requirements

(However, as ISO 17025 is currently being revised – it's at the approval stage at the time of writing – the format of the standard will be changing to adopt the Annex SL structure. Read more about Annex SL here.)

The scope is a clear statement of everything the lab does for which it wants to be accredited. A testing lab will set out the specific methods it uses to conduct its tests. A calibration lab will list the specific measurements it performs and the associated measurement uncertainties. Defining the scope means the lab can identify suitably skilled staff and give clients confidence in its tests and measurements.

The two main sections of ISO 17025 are clauses 4 and 5, which cover the two types of requirements.

Management requirements (clause 4)

4.1 – Organisation
  • Legal status
  • Facilities (permanent, temporary or mobile)
  • Responsibilities of key staff
  • How confidential information is handled
  • Management – structure; deputies; appointment of quality manager; supervision of staff

4.2 – Management system
  • Establishing, implementing and maintaining a QMS appropriate to the scope
  • Issuing a quality manual and quality policy
  • Commitment to professional practice and complying with the standard
  • Staff familiarising themselves with the QMS
  • Responsibility and authority of the quality manager

4.3 – Document control
  • Procedures for controlling all documents (internal and external) relating to the QMS – regulations, normative reference documents, drawings, specifications, instructions, manuals etc.
  • Procedures for approving and issuing documents (including maintaining a master list)
  • Procedures for changing/correcting documents

4.4 – Reviewing requests, tenders and contracts
  • Policy and procedure for reviewing requests, tenders and contracts

4.5 – Subcontracting tests and calibrations
  • Policy and procedure for subcontracting testing and calibration work

4.6 – Purchasing services and supplies
  • Policy and procedure for choosing and buying services and supplies that, when used, may affect the quality of tests and/or calibrations

4.7 – Service to the client
  • Good communication and co-operation with clients
  • Protecting clients' confidentiality

4.8 – Complaints
  • Policy and procedure for recording and resolving complaints

4.9 – Controlling non-conforming testing and/or calibration work
  • Policy and procedure for dealing with non-conforming work or problems with the QMS, testing and/or calibration

4.10 – Improvement
  • Continually improving the QMS by using the quality policy, auditing, data analysis, corrective and preventive action and management review

4.11 – Corrective action
  • Policy and procedure for taking corrective action when non-conforming work or faults in the QMS or technical operations have been identified

4.12 – Preventive action
  • Policy and procedure for identifying and taking preventive action

4.13 – Controlling records
  • Procedure for controlling records (identification, collection, indexing, access, filing, storage, maintenance and disposal of quality and technical records)

4.14 – Internal audits
  • Policy and procedure for conducting internal audits and implementing findings

4.15 – Management reviews
  • Procedure for management reviews of policies and procedures, audit findings, corrective and preventive action, customer feedback etc.

Technical requirements (clause 5)

5.1 – General
  • Factors affecting the results of testing or calibration

5.2 – Personnel
  • Ensuring all laboratory staff are properly skilled and qualified

5.3 – Accommodation and environmental conditions
  • Policy and procedure for monitoring, controlling and recording accommodation and environmental conditions so testing and calibration are done correctly

5.4 – Test and calibration methods and method validation
  • Policy and procedure for choosing methods of testing and calibration (covering sampling, transport, storage, uncertainty, control of data etc.)

5.5 – Equipment
  • Policy and procedure for ensuring equipment used for testing and/or calibration is available, suitable and properly maintained

5.6 – Measurement traceability
  • Procedure for choosing, using, calibrating, checking and maintaining measurement standards, reference materials used as measurement standards, and equipment used for testing and calibration

5.7 – Sampling
  • Plan and procedure for sampling

5.8 – Handling test and calibration items
  • Procedure for the transport, receipt, handling, protection, storage, retention and/or disposal of test and calibration items, so they're protected from loss, damage or deterioration and can be identified throughout their time in the lab

5.9 – Assuring the quality of test and calibration results
  • Procedure for monitoring the validity of testing and calibration

5.10 – Reporting results
  • Ensuring results of testing and calibration are reported clearly and objectively

Using EQMS for ISO 17025 

Many medical device manufacturers and life science research facilities use EQMS to meet ISO 17025. EQMS helps integrate data, processes, business systems, assets and people in an extended enterprise. The integrated modules enable you to easily maintain all procedures, sampling records and audits in a centralised, unified system. 

What you should do now

Download our case study booklet to learn how global brands like Diageo, Sodexo and BT and hundreds of SMEs across the UK use EQMS to transform the role of quality and compliance in their organisation.

Download EQMS Case Study Booklet

Tags: ISO 17025

ISO 27001:2013 – Free gap analysis spreadsheet tool

Posted by Marc Gardner on Wed, Aug 02, 2017

Time to sharpen up your information security management system? Thinking of using ISO 27001:2013 as a framework? 

Richard Green, founder of Kingsford Consultancy Services, recommends getting to grips with the standard, talking to your certification body and doing a thorough gap analysis before making any dramatic changes to your processes.

It may be that you actually already have many of the required processes in place. Or, if you've neglected your information security management practices, you may have a mammoth project ahead of you which will require fundamental changes to your operations, product or services. 

To access the Gap Analysis Tool, download the ISO 27001 Toolkit. Read on to find out how to use it.  

 

Download ISO 27001 Toolkit

 

What is a gap analysis?

Think of the gap analysis as simply looking for gaps. That's it. You're analysing the ISO 27001 standard clause by clause and determining which of those requirements you've implemented as part of your information security management system (ISMS).

Take clause 5 of the standard, which is "Leadership". There are three parts to it. The first part's about leadership and commitment – can your top management demonstrate leadership and commitment to your ISMS? It might be that you've already covered this in your information security policy (see #2 here), and so to that question you can answer 'Yes'.

Find the ISO 27001:2013 Gap Analysis Template Checklist in the ISO 27001 Toolkit

 

Gap analysis vs. risk assessment

Doing a gap analysis for the main body of the standard (clauses 4–10) isn't compulsory but very much recommended. It'll help to have first defined your ISMS's scope (see #1 here), because any ISO 27001 auditor will want to know exactly what information your ISMS intends to secure and protect. Having a clear idea of what the ISMS excludes means you can leave these parts out of your gap analysis.

A gap analysis against the 114 security controls in Annex A is, in effect, compulsory: clause 6.1.3 requires you to compare the controls you've chosen with Annex A, and your statement of applicability (see #4 here) must record which controls you've included, whether each is implemented, and why any have been excluded.

The risk assessment (see #3 here) is an essential document for ISO 27001 certification, and should come before your gap analysis. You can't identify the controls you need to apply without first knowing what risks you need to control in the first place. Once you've determined those risks and controls, you can then do the gap analysis to identify what you're missing.

Gap analysis
  • Tells you what you're missing to comply with ISO 27001.
  • Doesn't tell you which controls to apply to address the risks you've identified.

Risk assessment
  • Tells you what controls you should apply.
  • Doesn't tell you what controls you already have.
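The division of labour between the two can be made concrete with a small worked example in Python. This is an added illustration, not code from the Qualsys toolkit or the spreadsheet it describes: the Annex A control numbers and titles are from ISO 27001:2013, while the risks, the controls chosen to treat them, and the current implementation status are constructed sample data. The risk-treatment plan is the risk assessment's answer to "which controls should we apply"; the status table is what the gap analysis measures against it; and the statement-of-applicability rows show where a control that's already in place has no risk to justify it.

```python
"""Gap analysis versus risk assessment for ISO 27001:2013.

Added example, not code from the Qualsys toolkit. The Annex A control
numbers and titles are from ISO 27001:2013; the risks, the controls chosen
to treat them, and the current implementation status are constructed data.
"""

# A small slice of Annex A (constructed subset of the 114 controls).
ANNEX_A_SAMPLE = {
    "A.7.2.2": "Information security awareness, education and training",
    "A.7.3.1": "Termination or change of employment responsibilities",
    "A.8.1.1": "Inventory of assets",
    "A.9.2.6": "Removal or adjustment of access rights",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.6": "Security of equipment and assets off-premises",
    "A.12.4.1": "Event logging",
    "A.14.2.1": "Secure development policy",
}

# Output of the risk assessment / risk treatment plan (constructed):
# for each risk, the Annex A controls selected to treat it.
RISK_TREATMENT = {
    "Laptop theft exposes customer data": ["A.8.1.1", "A.10.1.1", "A.11.2.6"],
    "Former staff retain system access": ["A.7.3.1", "A.9.2.6"],
    "Phishing leads to credential compromise": ["A.7.2.2", "A.9.4.2"],
}

# What the ISMS has in place today (constructed). Anything absent is "missing".
CONTROL_STATUS = {
    "A.7.2.2": "implemented",
    "A.8.1.1": "implemented",
    "A.9.2.6": "partial",
    "A.9.4.2": "implemented",
    "A.12.4.1": "implemented",  # in place, but no risk currently points at it
}


def control_key(control):
    """Sort key so that A.10.x sorts after A.9.x rather than before it."""
    return tuple(int(part) for part in control[2:].split("."))


def required_controls(treatment):
    """Risk assessment output: which controls you should apply, and why."""
    required = {}
    for risk, controls in treatment.items():
        for control in controls:
            required.setdefault(control, []).append(risk)
    return required


def gap_analysis(required, status):
    """Gap analysis output: required controls that are not fully implemented."""
    return [
        (control, status.get(control, "missing"))
        for control in sorted(required, key=control_key)
        if status.get(control, "missing") != "implemented"
    ]


def exposed_risks(treatment, status):
    """Risks for which at least one chosen control is not yet fully in place."""
    return [
        risk for risk, controls in treatment.items()
        if any(status.get(c, "missing") != "implemented" for c in controls)
    ]


def soa_rows(annex_a, required, status):
    """Statement of applicability: one row per Annex A control."""
    rows = []
    for control in sorted(annex_a, key=control_key):
        current = status.get(control, "missing")
        if control in required:
            applicable, why = True, "treats: " + "; ".join(required[control])
        elif current != "missing":
            # Implemented but not justified by any risk: keep it, but record why.
            applicable, why = True, "in place; no risk mapped, review justification"
        else:
            applicable, why = False, "no identified risk requires this control"
        rows.append({"control": control, "title": annex_a[control],
                     "applicable": applicable, "status": current, "justification": why})
    return rows


def coverage(required, status):
    """Fraction of required controls that are fully implemented."""
    done = sum(1 for c in required if status.get(c, "missing") == "implemented")
    return done / len(required) if required else 1.0


if __name__ == "__main__":
    req = required_controls(RISK_TREATMENT)
    print("Gaps:", gap_analysis(req, CONTROL_STATUS))
    print("Risks still exposed:", exposed_risks(RISK_TREATMENT, CONTROL_STATUS))
    print(f"Required controls implemented: {coverage(req, CONTROL_STATUS):.0%}")
    for row in soa_rows(ANNEX_A_SAMPLE, req, CONTROL_STATUS):
        print(row["control"], row["applicable"], row["status"], row["justification"])
```

Run on the sample data, the gap list names four controls, two of the three risks remain exposed, and the SoA flags A.12.4.1 as implemented without a mapped risk and A.14.2.1 as not applicable. The control-to-risk mapping is what an auditor will ask for: a gap list on its own can't explain why a control is there, and a risk assessment on its own can't tell you which gaps are already closed.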

 

When to do a gap analysis 

Complete the ISO 27001 Gap Analysis Questionnaire


When you do your gap analysis depends on how far along you are with implementing your ISMS. 

  • If you have no real system to speak of, you already know you'll be missing most, if not all, of the controls your risk assessment deemed necessary. So you might want to leave your gap analysis until further into your ISMS's implementation.
  • If your implementation's underway but still in its infancy, your analysis will still show lots of gaps, but you'll have a much better understanding of how much work you have ahead of you.
  • If you have a fairly established system in place, you can use the gap analysis to determine just how strong your system is. So you might want to do it towards the end of your implementation.

After completing the ISO 27001:2013 Gap Analysis Checklist, you'll be given an ISMS Gap Analysis Report detailing where you need to make changes.

 

What you should do now

There's no prescribed method for doing your gap analysis, but we've made it really easy with our free Gap Analysis Checklist. Download the Gap Analysis Tool from the ISO 27001 Toolkit

 Download ISO 27001 Toolkit

Tags: ISO 27001

ISO 27001:2013 – Why is information security important?

Posted by Marc Gardner on Mon, Jul 31, 2017

Information in this day and age has become currency, driving business and commerce across the world. It could be your organisation's most important and valuable asset, and so it demands to be properly protected.

Protecting information means managing risk, just as you'd manage the risk of any other type of hazard occurring. Yet the risks around information security are all too often overlooked or brushed off, the mindset being that only the huge multinational corporations suffer data breaches and "it'll never happen to us".

But it can happen to any business – and does.

More than 1,500 UK businesses took part in the UK Government's Cyber Security Breaches Survey 2017 and virtually all were found to have been exposed to cyber security risks in some way. Once you have a website and social media, use cloud services, or hold electronic data on your customers, you become a potential target, regardless of size, wealth or reputation.

Yes, larger organisations are routinely hit, for various reasons. It might be that their security measures aren't integrated but operating in isolation, creating vulnerabilities for calculating hackers to exploit. Or perhaps their systems are outdated, unfit for purpose in staving off sophisticated cyber threats.

Nearly 70% of all medium (50 to 249 staff) to large (250+) businesses surveyed by the UK Government said they'd suffered some kind of cyber breach or attack in the previous year. For micro (2 to 9 staff) and small (10 to 49) businesses, it was a not-insignificant 45%.


With technology only becoming more commonplace in business and industry, information security simply can't be ignored. Still, micro/small businesses are less likely than medium and large firms to have implemented cyber security measures (formal policies or staff training, for example) or sought advice on how to do it. 35% of micro/small businesses that had identified a breach still considered security a low priority. Some businesses thought themselves too small or insignificant to consider security measures at all.

While the big firms are hit with the highest costs in monetary terms, the financial impact of cyber attacks is disproportionately high for firms with fewer than 100 employees, as a report commissioned by insurance provider Hiscox found.

Click to read the Hiscox Cyber Readiness Report 2017

However, not all data breaches are hacks, and information security involves more than your company's website and IT network. The physical security of your buildings; your employees' use of electronic devices like laptops, smartphones and tablets; your handling of confidential documents – these are considerations that affect all businesses, regardless of size.

So organisations need to heed the warnings about data security, and recognise that it's vital to their reputation, brand and the continuity of their business. An increasing number of companies are adopting international standards like ISO 27001 and 27002 to demonstrate their commitment in this area. And many firms are devoting more budget and manpower to keeping their information secure.

Consider your own organisation. How committed to information security are you? Is there more you can be doing to protect yourself? 

If you're doing it right, you'll have built information security into everything you do – it'll be reflected in your corporate strategy and objectives, your company culture. You'll have planned and implemented an information security management system (ISMS). And every employee, from top-level management down, will know what's required and what they need to do to achieve it.


What you should do now

For more information about ISO 27001, download our toolkit.

ISO 27001 Toolkit - Updating ISMS

Tags: ISO 27001

ISO 27001:2013 – How EQMS can help with certification

Posted by Marc Gardner on Fri, Jul 21, 2017

Many organisations find themselves in a digital storm of relentless and continuous change, often brought on by rapidly evolving technology. For this reason, information security can no longer be a once-in-a-while project – it must be central to all your projects and processes.

ISO 27001 provides a framework for managing information security. Based on regular risk assessments that consider ever-changing scenarios, it's at its most effective with a robust and flexible electronic management system working alongside it.

And so to EQMS, Qualsys's solution for managing ISO 27001 documentation, audits, risk and suppliers simply, securely and efficiently.

EQMS Document Manager

Planning an information security management system (ISMS) is a crucial requirement of ISO 27001 accreditation.

ISO 27001 sets out a nine-stage process for doing so. The documentation you generate through this process will define your system's scope (i.e. what information it intends to protect), your organisation's context, and your detailed approach to keeping your information secure. This process needs to be embedded throughout your entire organisation.

With EQMS Document Manager, you can easily share compulsory documents (such as your information security policy, risk assessment methodology and statement of applicability) with the relevant members of your team. EQMS ensures only the most recent version of the documents will be seen and read.

Disseminating information too widely can expose your company to unnecessary risk. With EQMS, you can really lock down your data by reducing to the barest minimum the number of roles that have higher access privileges or levels of authorisation.

And EQMS uses electronic signatures to ensure that your employees confirm they've read and understood your latest operating procedures. This limits the risk of your company being liable for data breaches.

Download the EQMS Document Manager datasheet here

EQMS Risk Manager

Risk assessment is a complex part of ISO 27001 implementation – and the most important step.

EQMS Risk Manager is configured to your risk assessment methodology. How you treat those risks you've identified in your assessment can be managed through a workflow which is traceable at every stage. You'll be able to view real-time risk assessment reports in the KPI Dashboard, allowing you to proactively manage risk from a central system.

Download the EQMS Risk Manager datasheet here

EQMS Audit Manager

EQMS Audit Manager can be configured for both systematic and closed-loop auditing. And you can associate your audits with whatever regulations or standards (such as ISO 27001) might apply to your business.

iEQMS Auditor is an iPad application for mobile auditing. The application works without an internet connection and gives your top-level management complete visibility of how well your information security processes are working.

Download the EQMS Audit and Inspection Manager datasheet here

Request a demo of iEQMS Auditor here


What you should do now

For more information about ISO 27001, download our toolkit.

ISO 27001 Toolkit - Updating ISMS


Tags: ISO 27001

ISO 27001:2013 – Context of the organisation

Posted by Marc Gardner on Thu, Jul 20, 2017

When it was revised back in 2013, ISO 27001 adopted the Annex SL format, a generic framework for ISO standards that uses several identical sections of wording and a lot of similar terminology.

One of the core Annex SL clauses is clause 4, which concerns the context of the organisation. It's an important part of the standard, and it requires you to consider the internal and external issues that can impact on your strategic objectives and how you plan your information security management system (ISMS).

Your organisation should focus particularly on factors and conditions that can affect your products, services, investments and interested parties. Context becomes an important consideration and helps to ensure that your ISMS is designed and adapted for your organisation rather than taking a 'one size fits all' approach.

Determining the context (step by step)

There's no prescribed method for determining the context of your organisation in relation to ISO 27001, but you could take this simple and pragmatic four-step approach:

  1. Identify the internal issues that can affect your organisation's products, services, investments and interested parties.
  2. Identify the external issues that can affect your organisation's products, services, investments and interested parties.
  3. Identify who the interested parties are and what their requirements are.
  4. Regularly review and monitor those internal issues, external issues and interested parties you have identified.

1 – Internal issues

Your organisation's internal context is the environment in which you aim to achieve your objectives. Internal context can include your approach to governance, your contractual relationships with customers, and your interested parties.

Internal issues can include your:

  • regulatory requirements
  • strategies to conform to your policies and achieve your objectives
  • relationship with your staff and stakeholders, including partners and suppliers
  • resources and knowledge (e.g. capital, people, processes and technologies)
  • risk appetite
  • assets
  • product or service
  • standards, guidelines and models adopted by the organisation
  • information systems

2 – External issues

To understand your external context, consider issues that arise from your social, technological, environmental, ethical, political, legal and economic environment.

External issues may include:

  • government regulations and changes in the law
  • economic shifts in your market
  • your competition
  • events that may affect your corporate image
  • changes in technology

3 – Interested parties

Your interested parties include your customers, partners, employees and suppliers. When developing your ISMS, you only need to consider interested parties that can affect your:

  • ability to consistently provide a product or service that meets your customers' needs and any statutory requirements and regulations
  • continual improvement process
  • ability to enhance customer satisfaction through effectively applying your system
  • process for ensuring you conform to your customers' requirements and any statutes or regulations that apply

4 – Regular reviews and monitoring

You must regularly review and monitor those internal or external issues you've identified. Understanding your internal context means your management can carry out a 'PEST' (political, economic, social and technological) analysis to determine which factors will affect how you operate.

While you have no control over external issues, you can adapt to them. PEST factors can be classified as 'risks' and 'opportunities' in a SWOT (strengths, weaknesses, opportunities, threats) analysis or by other methods.


What you should do now

ISO 27001 Toolkit - Updating ISMS
IMAGE CREDIT: http://www.e-lgs.sthk.nhs.uk/PublishingImages/Pages/Security-and-Information-/Fotolia_41908523_Subscription_Monthly_XL.jpg

Tags: ISO 27001

ISO 27001 and information security – An introduction

Posted by Marc Gardner on Thu, Jul 20, 2017

Simply put, ISO 27001 is about information security, and how you manage it in an ever-changing world. You're not only having to contend with the effects of digitisation, big data and the Internet of Things, but the growing demands of globalisation, regulation, and protection against cyber threats.

What ISO 27001 gives you is a best-practice method of implementing an information security management system (ISMS). Having this system in place, and achieving ISO certification, means you can demonstrate to your customers and partners that you're committed to information security. And you'll have an advantage when it comes to winning tenders with government clients or large corporate clients, who often demand that their suppliers comply with the standard.

Already in 2017, several large organisations – the NHS, Wonga and Three, to name a few – have fallen victim to serious security breaches. The Government's Cyber Security Breaches Survey revealed that 7 out of 10 large businesses had suffered some form of breach or attack, costing them, on average, around £20,000, and in many cases much, much more.

So how exactly does ISO 27001 help you to more effectively manage your information security? And what does implementing an ISMS actually entail?

Managing information security means preserving the confidentiality, integrity and availability of your information and the facilities you use to process it. That could be your IT systems, infrastructure, or the actual buildings in which your organisation is based.

  • Confidentiality: ensuring information isn't made available to people or organisations who don't have authorisation to see it.
  • Integrity: ensuring the information is both accurate and complete.
  • Availability: ensuring the information can be made available and used when an authorised person or organisation demands it.


It might be that you've been so focused on keeping information confidential that you've overlooked integrity and availability. You're not alone! But now that IT and digital data are – or are likely to become – such vital elements of your business, you need to be mindful of all three aspects.

And this is where an ISMS comes in.

It's a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your information security. With an ISMS you can manage all your security practices consistently and cost-effectively.

But it's important not to see information security as solely your IT team's responsibility – 'information' isn't just confined to your computer files and IT networks. Information security must be a concern of your entire organisation, embedded in all practices, policies and procedures and communicated clearly to every employee.

And as is the case with all quality management systems, without buy-in from top management and the people who'll implement and maintain the system, you'll likely struggle to reach the level of diligence you need to achieve certification to the ISO standard.

Bear in mind that it's neither a quick nor temporary process. Embedding ISO 27001 practices into your organisation is complicated, and involves making often substantial changes to your strategy, operations and company culture. If you're a small business, you may need 4–5 months to prepare for an audit; larger organisations might need more than a year. And don't rest on your laurels: you're operating in a rapidly changing business environment, and your ISMS must continually evolve and improve to remain effective.


What you should do now

For more information about ISO 27001, download our toolkit.

ISO 27001 Toolkit - Updating ISMS


Tags: ISO 27001