ISO Certification Service

ISO 9001:2015
Introduction

ISO 9001:2015 Quality Management System certification enables you to demonstrate your commitment to quality and customer satisfaction, as well as continuously improving your company’s operations. The 2015 version represents the best practices in quality management and the standard is the preferred solution for organisations worldwide.


Basic Requirements

ISO 9001:2015 continues to require documented procedures or references to them. Documentation requirements are much less prescriptive and left more to the organisation to define its own needs. Overall, the effect of the requirements of the standard is to reduce the instances where documented procedures are mandatory and to allow the organisation the freedom to determine the type and extent of documentation needed to support the operation of the processes that make up the quality management system.


Key Benefits of ISO 9001:2015
What it does:

> Establishes and streamlines processes through process documentation
> Improves and establishes training processes
> Defines roles and responsibilities
> Greatly increases operational efficiency
> Increases ability to troubleshoot
> Develops and builds relationships that help to retain existing customers
> Provides advantages over competitors that aren’t certified ISO 9001:2015
> Builds opportunities for global commerce with international recognition
> Improves customer relations
> Improves relationships with suppliers due to clear, concise production standards
> Provides a basis for consistent and fact-based decision making
> Carefully planned improvements, based on documentation and analysis
> Provides for regular audits/reviews of performance


Benefits:

> Increases productivity
> Maximizes quality
> Increases revenue
> Improves employee morale and satisfaction
> Saves time and money
> Enhances ability to attract new customers that have adopted requirements for certification
> Improves accountability of management
> Increases employees’ understanding of their roles in success of their work and the company

ISO 14001:2015 (EMS)
Introduction


In September 2015 ISO published the revised version of ISO 14001. It has a higher level of compatibility with other management system standards, such as ISO 9001:2015 and ISO 27001:2013, as a result of a new common structure, which also makes integrating them into a single management system far easier than before.

The standard guides organisations in determining the environmental issues and ‘aspects’ associated with their activities, managing them effectively, and measuring environmental management performance. The standard contains no specific performance requirements as benchmarks.


Key concepts of the standard

ISO 14001:2015 contains the core elements for an effective Environmental Management System. It can be applied to both service and manufacturing businesses. The standard requires a company to define environmental objectives and targets, and the management system necessary to attain these targets. The standard requires that the company adheres to that system’s processes, procedures, and activities. Some key concepts of the standard are:

> Context of the Organization
> Leadership
> Strategic Environmental Management
> Risks and Opportunities
> Life-Cycle Perspective


Elements of an effective environmental system can be integrated with other management requirements to assist organisations to achieve their environmental and business-specific goals. ISO 14001 requires companies to commit to prevention of pollution and continuous improvement as part of the normal management cycle.


U&T Standardization Marks Services

> Certification – We provide assessment and certification to ISO 14001.
> Gap Analysis – We offer gap analysis and preliminary assessments to prepare you for certification.
> Training – We will help you interpret the new concepts and understand the changes. U&T provides on-site introduction and internal audit training which will prepare you and your staff prior to and after the ISO 14001 certification process.

OHSAS 18001:2007

Introduction


OHSAS 18001, developed in 1999 and revised in 2007, is a comprehensive Occupational Health and Safety (OH&S) management system specification, designed to enable an organization to control OH&S risks and improve its performance. OHSAS 18001 certification demonstrates that a safety-oriented approach has been integrated into the company’s processes, and shows the company’s commitment to a safe working environment and to protecting employees against injury at work.


OHSAS 18001 has been developed to be compatible with the ISO 9001 and ISO 14001 management system standards, in order to facilitate the integration of quality, environmental and OH&S management systems by organizations. Legislative and regulatory commitment and continual improvement are two important aspects of OHSAS 18001. The standard has two parts: OHSAS 18001 is the specification against which certification is awarded, and OHSAS 18002 provides guidance on implementing an occupational health and safety management system and corresponds directly to the specification.


The elements of OHSAS 18001 include:

> Policy and commitment
> Hazard identification, risk assessment & risk controls
> Legal requirements
> Objectives & programs
> Organization & personnel
> Training, communication & consultation
> Documentation & records
> Operational controls
> Emergency readiness
> Measurement & monitoring
> Accident & incident investigation, corrective & preventive action
> Audit & review


U&T Standardization Services


> Certification – We provide assessment and certification to OHSAS 18001 and HACCP.
> Gap Analysis – We offer gap analysis and preliminary assessments to prepare you for certification.
> Training – We will help you interpret the new concepts and understand the impact on your organization. U&T Marks provides on-site introduction and internal audit training which will prepare you and your staff prior to and after the OHSAS 18001 and/or HACCP certification process.

ISO/IEC 27001:2013

Introduction

The rising value of information to organizations, combined with recent high-profile information security breaches, is highlighting the ever-mounting requirement for organizations to protect their information. In order to ensure the continuity of your operations and the safety of your data and systems, the security of information systems and critical business information must be constantly and actively managed. Unprotected systems are vulnerable to many threats, including computer-assisted fraud, sabotage and viruses. These threats can be internal or external, accidental or malicious. Breaches in information security can allow vital information to be accessed, stolen, corrupted or lost. It is crucial that every company puts appropriate controls and procedures in place to avoid such incidents. The internationally recognized information security management system standard ISO 27001 (known as ISO/IEC 27001) is suitable for any organization, large or small, in any sector or part of the world where managing sensitive company information and keeping it secure from outsiders is important. The standard is particularly suitable where the protection of information is critical, such as in the finance, health, public and IT sectors.


Background:

The 2013 standard puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing, and there is a new section on outsourcing, which reflects the fact that many organizations rely on third parties to provide some aspects of IT. There is more focus on the organizational context of information security, and the risk assessment requirements have changed. Overall, 27001:2013 is designed to fit better alongside other management standards such as ISO 9001, ISO 14001 and ISO/IEC 20000, and its structure has more in common with those standards.

The IT department is the main focus of ISO 27001 implementation, but the standard involves areas across the entire company as well. The main driver, sponsor, and promoter of the change must be the company’s management, while IT is mainly responsible for its execution. In addition to management and IT, the departments that must be involved include HR, Training and Education, Building Security, Building Maintenance and the Legal Department, as well as suppliers, outsourcing partners and, last but not least, employees. ISO 27001 is also highly effective for organizations that manage information on behalf of others, such as IT outsourcing companies. This standard requires an organization to assure customers that their information is being protected.

ISO 27001:2013 looks very different from ISO 27001:2005. There are no duplicate requirements, and the requirements are phrased in a way which allows greater freedom of choice in how to implement them. A good example of this is that the identification of assets, threats and vulnerabilities is no longer a prerequisite for the identification of information security risks. The standard now makes it clearer that controls are not to be selected from Annex A, but are determined through the process of risk treatment. Nevertheless, Annex A continues to serve as a cross-check to help ensure that no necessary controls have been overlooked.


ISO 27001 helps the organization to:

> Analyze risks related to information security
> Define specific and optimal security goals (the standard requires a company to specify its own security goals which an auditor verifies)
> Define documented methods which all activities should follow
> Document all risks, goals, and methods
> Implement measures to mitigate and manage risks
> Assign accountability for risk management
> Measure information security
> Embed a continuous improvement approach

What Certification Does:

> Demonstrates the integrity of your data and systems and your commitment to information security
> Transforms the organization’s culture both internally and externally
> Allows enforcing information security and reducing the possible risk of fraud, information loss and disclosure
> Demonstrates the independent assurance of your internal controls
> Meets corporate governance and business continuity requirements
> Independently demonstrates that applicable laws and regulations are observed
> Provides a competitive edge
> Meets contractual requirements
> Demonstrates to your customers that the security of their information is paramount
> Verifies that your organizational risks are properly identified, assessed and managed, while formalizing information security processes, procedures and documentation

Benefits:

> Enhances the credibility of your organization
> Opens up new business opportunities with security conscious customers
> Improves employee ethics
> Strengthens the climate of confidentiality throughout the workplace
> Provides a competitive advantage over companies that aren’t certified against ISO/IEC 27001:2005
> Reduces the risks associated with unsecured data and information
> Formalizes your corporate information system structure (infrastructure, buildings, cabling, environment, alarms, fire and flood prevention, access control, etc.)
> Effectively organizes all existing and necessary company IT security processes
> Protects vital business assets with regular backups
> Provides design of ongoing system optimization
> Potentially reduces insurance premiums with proven compliance
> Reduces the potential for law suits


U&T Standardization Marks Services

> Certification – We provide assessment and certification to ISO 27001.
> Gap Analysis – We offer gap analysis and preliminary assessments to prepare you for certification.
> Training – We will help you interpret the new concepts and understand the changes. U&T Marks provides on-site introduction and internal audit training which will prepare you and your staff prior to and after the ISO 27001 certification process.

ISO 20000 (ITSMS)

ISO/IEC 20000 Auditor Workshop

ISO/IEC 20000 is the international standard for IT Service Management Excellence. The ISO/IEC 20000 Auditor course from QAI is for professionals who are/aspire to be in the role of an auditor in an ISO 20000 assessment or interested in learning how to conduct the ISO 20000 audit.


Workshop Benefits

> Recognise and understand the key concepts of ISO/IEC 20000
> The structure, requirements, objectives and application of ISO/IEC 20000-1:2011 (service management system requirements)
> Eligibility, applicability and scoping principles and how to apply them to a typical ITSM service provider
> Extensive references to real life scenarios
> Prepare participants for the itSMF ISO/IEC 20000 Auditor exam
> One ISO/IEC 20000 Clinic (webinar) per month (for three months) on ISO 20000 audit issues and solutions with our in-house experts


U&T Standardization Marks Services

> Certification – We provide assessment and certification to ISO 20000.
> Gap Analysis – We offer gap analysis and preliminary assessments to prepare you for certification.
> Training – We will help you interpret the new concepts and understand the changes. U&T Marks provides on-site introduction and internal audit training which will prepare you and your staff prior to and after the ISO 20000 certification process.

ISO 27001 (ISMS)

What is ISO 27001?

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a top-down, risk-based approach and is technology-neutral.


The specification defines a six-part planning process:

1. Define a security policy.
2. Define the scope of the ISMS.
3. Conduct a risk assessment.
4. Manage identified risks.
5. Select control objectives and controls to be implemented.
6. Prepare a statement of applicability.


The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.


ISO 27002 contains 12 main sections:

1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance


Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.


Other standards being developed in the 27000 family are:

> 27003 – implementation guidance.
> 27004 – an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
> 27005 – an information security risk management standard. (Published in 2008)
> 27006 – a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
> 27007 – ISMS auditing guideline.