integrated management systems manual

8/13/2019 Integrated Management Systems Manual http://slidepdf.com/reader/full/integrated-management-systems-manual 1/117

Upload: udeh-anthony

Post on 04-Jun-2018



Page 2: Integrated Management Systems Manual


ISO 9001:2008 ISO 14001:2004 OHSAS 18001:2007 ISO 27001:2005

Issue 1 Effective from the date of certification

Copy Holder: Management Systems Representative
Copy Number: 1

The Quality input comprises the standard requirements of ISO 9001:2008 and covers the functions performed by operating areas to achieve product and service realisation through process control.

The Environmental input comprises the standard requirements of ISO 14001:2004 to demonstrate a positive view of environmental issues and the impact on the environment by controlled processes.

The Health & Safety Management input meets the requirements of the OHSAS 18001:2007 series to enhance, control and manage all Health & Safety requirements.

The Information Security reference acknowledges the requirements of ISO 27001:2005, Information technology - Security techniques - Information Security Systems.

The service scope definition is:

•  The provision of Gas Metering Infrastructure Services to the Industrial & Commercial sector
•  The provision of Meter Asset Management Services to Domestic and Industrial & Commercial Gas Suppliers

Page 3: Integrated Management Systems Manual


Distribution

The integrated Management Systems Manual is distributed as follows:

Copy Number 1 - Smart Metering Systems plc
Copy Number 2 - QAS International (uncontrolled)

This document approved for use by Andy Ritchie on behalf of Smart Metering Systems plc

Position: Head of Business Risk and Compliance

Date: 1st June 2012

Page 4: Integrated Management Systems Manual


Page    Title
5-6     Company Profile
7-11    Management System Policies
12      Organisation Chart
13-14   Amendments
16-29   Systems Requirements
30-134  Procedures

Page 5: Integrated Management Systems Manual


Smart Metering Systems plc (SMS) Company Profile

The business of SMS plc is Meter Asset Management (MAM) and to provide, install and maintain Domestic, Commercial and Industrial Metering and Automatic Metering Technology (AMR) across the UK to gas consumers.

SMS plc is made up of three organisations:

•  UK Gas Connection
•  UK Meter Assets
•  UK Data Management

Where this document refers to SMS plc, the term shall apply equally to the three organisations within the group.

The MAM code of practice (MAMcop) is the industry scheme which manages the accreditation of Meter Asset Managers. UKEM have been accredited by Lloyds Register since July 2004 and are regularly audited to ensure compliance with regulations.

SMS plc is proud to announce that currently they have over 150,000 gas meters and Automatic Meter Reading (AMR) units installed throughout the UK.

Our services include:

•  Management of Siteworks projects for gas suppliers and consumers
•  Third Party Meter Management for gas suppliers
•  Own portfolio meter management for asset owners
•  Pre-pay meter solutions for domestic gas suppliers and independent gas transporters
•  Smart metering services

We manage the installation through an automated management system using contracted OAMIs, providing SMS plc with UK wide coverage.

Assets are sourced from contracted UK meter providers. The meters provided are badged accordingly.

SMS plc is based in Glasgow, Scotland.

The business of SMS plc is to offer a complete outsourcing service of Gas Siteworks and Metering based Project Management Business Processes to the gas suppliers, utilising bespoke e-commerce software solutions.

SMS plc has over twelve years' experience of getting your gas, electricity or water connection and meter installed on time, every time.

We already manage the entire gas connection requirement for Shell, Gas Direct, Gaz De France and BP. We also manage portfolios of utility connection requests for the Metropolitan Police and the Lidl Group.

As a demonstration of its commitment to a better environment, SMS plc has introduced the Environmental Management System ISO 14001:2004.

Page 6: Integrated Management Systems Manual


Site Evaluation

SMS plc has its offices in the centre of Glasgow.

The area mainly comprises high rise office and retail units, much of the architecture dating back several hundred years with old colonial type designs.

Situated on the 5th & 6th floors of an office block on St Vincent Street, the offices offer a wonderful view of the busy streets below and into the far distance. There are no residential areas in close proximity, though several hotels are within easy walking distance.

The offices are open plan with a board room at one end. There are also separate offices for executive personnel and financial management. For staff there is a small rest room and kitchen. Lighting is provided by fluorescent bulbs while heating is provided by gas boiler central heating.

The water supply is direct from the tap and waste water is dispersed into the city sewer and drain system.

Page 7: Integrated Management Systems Manual


Quality Policy

SMS plc recognises that the disciplines of quality, health and safety and environmental management are an integral part of its management function. SMS plc views these as primary responsibilities and as the key to good business in adopting appropriate quality standards.

The SMS plc Quality Policy calls for continuous improvement in its quality management activities, and business will be conducted according to the following principles:

We will:

•  Comply with all applicable statutory laws and statutory regulations.
•  Follow a concept of continuous improvement and make best use of our management resources in all quality matters.
•  Communicate our quality objectives and our performance against these objectives throughout SMS plc and to interested parties.
•  Take due care to ensure that activities are safe for employees, associates, subcontractors and others who come into contact with our work.
•  Work closely with our customers and suppliers to establish the highest quality standards, establishing, implementing and controlling procedures for corrective and preventive action to ensure that at all times customer requirements are met under controlled environments and product realisation procedures are adhered to, protecting the integrity and reputation of the business.
•  Adopt a forward-looking view on future business decisions which may have quality impacts.
•  Train our staff in the needs and responsibilities of quality management, keeping training records and, through continuous measuring, monitoring and analysis, ensuring that the training needs of all staff are identified and addressed.

Signed:                Date: 1st July 2012

Page 8: Integrated Management Systems Manual


Quality Management System Targets & Objectives

•  To achieve consistently high standards.
•  To have a competent, motivated and rewarded workforce.
•  To provide training for the development of all members of staff.
•  To provide a competent and professional approach to all sizes and types of projects.
•  To be a profitable company, yet customer driven.
•  To complete projects on time and within budget.
•  To provide a safe but enjoyable working environment throughout our processes.

The above objectives and targets will be monitored on a regular basis and reviewed during our Internal Audit programme and at the Management Review Meeting.

Page 9: Integrated Management Systems Manual


Environmental Policy

SMS plc commits itself to and endorses the need to protect the environment.

SMS plc also acknowledges and accepts its responsibility to conduct its business in compliance with applicable environmental laws and regulations.

To accomplish the foregoing, Top Management has the responsibility to:

•  Establish an internal review procedure to identify environmental impacts of all functions within the organisation and to assess levels of compliance with applicable laws and regulations pertaining to the environment.
•  Develop a programme aimed at safeguarding the quality of the environment and achieving compliance.
•  Establish and maintain appropriate training programmes designed to make every employee competent to carry out his or her responsibilities with respect to this policy.
•  Report annually on regulatory compliance, issues and improvements.

Environmental Statement

SMS plc has a vital interest in ensuring a clean, healthy environment.

SMS plc also relies on a healthy environment so that you, the customer, can enjoy the standard of living and healthy lifestyle that means so much to us today.

As technology advances and regulations change, SMS plc will continue to improve systems, reduce waste and efficiently utilise resources to meet the environmental challenges of the next century. SMS plc will make available to interested parties its environmental programme and its environmental control activities.

Signed:                Date: 1st July 2012

Page 10: Integrated Management Systems Manual


Health & Safety Management Policy

SMS plc recognises that the disciplines of health and safety are an integral part of its management function. The organisation views these as a primary responsibility and as the key to good business in adopting appropriate Health & Safety Standards.

The organisation's Health & Safety Policy calls for continuous improvement in its Health & Safety management activities, and business will be conducted according to the following principles:

We will:

•  Comply with all applicable laws and regulations.
•  Follow a concept of continuous improvement and make best use of our management resources in all matters of Health & Safety.
•  Communicate our objectives and our performance against these objectives throughout the organisation and to interested parties.
•  Take due care to ensure that activities are safe for employees, associates, subcontractors and others who come into contact with our work, including the general public.
•  Work closely with our customers and suppliers to establish the highest Health & Safety standards.
•  Adopt a forward-looking view on future business decisions that may have Health & Safety consequences.
•  Train our staff in the needs and responsibilities of Health & Safety management.
•  Support all those who refuse to undertake work on the grounds of Health and Safety.

Signed:                Date: 1st July 2012

Page 11: Integrated Management Systems Manual


Information Security Policy

SMS plc recognises that the disciplines of confidentiality, integrity and availability are an integral part of its management function. SMS plc views these as primary responsibilities and as the key to good business in adopting appropriate Information Security Controls along the lines laid down by ISO 27001:2005.

The SMS plc Information Security Policy calls for continuous improvement in its activities, and business will be conducted according to the following principles:

We will:

•  Comply with all applicable statutory laws and statutory regulations.
•  Follow a concept of continuous improvement and make best use of our management resources in all quality matters.
•  Communicate our Information Security objectives and our performance against these objectives throughout SMS plc and to interested parties.
•  Take due care to ensure that activities are safe for employees, associates, subcontractors and others who come into contact with our work.
•  Work closely with our customers and suppliers to establish the highest quality standards, establishing, implementing and controlling procedures for corrective and preventive action to ensure that at all times customer requirements are met under controlled environments and product realisation procedures are adhered to, protecting the integrity and reputation of the business.
•  Adopt a forward-looking view on future business decisions which may have quality impacts.
•  Train our staff in the needs and responsibilities of Information Security, keeping training records and, through continuous measuring, monitoring and analysis, ensuring that the training needs of all staff are identified and addressed.

Signed:                Date: 1st July 2012

Page 12: Integrated Management Systems Manual


Page 13: Integrated Management Systems Manual


Page 14: Integrated Management Systems Manual


Amendments

All copies of this Integrated Manual must be kept under strict control to prevent the system from becoming unreliable. The following procedures will ensure that the system remains current and valid.

All copies of the manual will be clearly numbered and the holder recorded.

Each page in the manual will carry its own number.

The Management Systems Representative will be responsible for all revisions and additions being recorded.

Changes can be suggested by any employee but must receive signed approval before being entered into the manual.

All changes must be recorded on the Amendments List.

Table of Amendment – Quality

Document Number | Page Number | Issue | Date | Description of Change | Authorisation

Page 15: Integrated Management Systems Manual


Integrated Management System Requirements Part 1: General Requirements for ISO 9001:2008, ISO 14001:2004, OHSAS 18001:2007 & ISO 27001:2005

4.1 General

The ethos of the management of SMS plc is to show commitment to maintaining an effective Integrated Management System.

This manual has been prepared to satisfy the requirements of ISO 9001:2008, ISO 14001, OHSAS 18001 and ISO 27001:2005 for SMS plc for the activities carried out at the site. The effective implementation of the Management System will be verified by regular inspections, reviews and audits which will compare management practice against the requirements of the written procedures and Management System standards. Corrective action will be taken where necessary and will subsequently be reviewed for effectiveness.

4.2 Documentation (4.2 9001) (4.4.4 14001 & 18001) (4.3.1 & 4.3.3 27001)

SMS plc has written in its systems manual a Quality Policy, Environmental Policy and Health & Safety Management Policy and procedures appropriate to its size, type and complexity, and it is available to all employees.

SMS plc has prepared and maintains a controlled Integrated Systems Manual that defines the scope of its activities and justifies any exclusions, supported by referenced documented procedures and how the procedures operate. Records are maintained.

A documented procedure ensures that all relevant documentation is controlled and adequate and is reviewed, updated and approved as necessary. The status of the documents is identified and they are legible and retrievable and located where required within SMS plc. Relevant documents from outside SMS plc are identified and their distribution controlled. Obsolete documents are clearly identified to prevent unintended use. Records will be legible, identifiable and retrievable.

Procedures are in place for the identification, storage, retrieval, protection, retention time and disposition of Integrated Management System records.

4.2.1 Planning for hazard identification, risk assessment & risk controls (18001 & 27001)

The organisation has established and maintains procedures for the ongoing identification of hazards, the assessment of risks, and the implementation of necessary control measures. These include:

•  Routine and non-routine activities.
•  Activities of all personnel having access to the workplace (including subcontractors and visitors).
•  Facilities at the workplace, whether provided by the organisation or others.
•  Consideration of human behaviour, capabilities and other human factors.
•  Identification of hazards originating outside the workplace capable of adversely affecting the health and safety of persons under the control of the organisation within the workplace.
•  The control of hazards created in the vicinity of the workplace by work-related activities that are controlled by the organisation. These may be assessed as an environmental aspect.
•  Control of infrastructure, equipment and materials at the workplace, whether provided by the organisation or others.

Page 16: Integrated Management Systems Manual


•  The management of change or proposed change in the organisational structure, activities or materials.
•  That processes exist to manage any modifications to the OH&S management system, including temporary changes, and their impacts on operations, processes, and activities.
•  That processes exist to manage any applicable legal obligations relating to risk assessment and implementation of necessary controls.

The design of work areas, processes, installations, machinery/equipment, operating procedures and work organisation, including their adaptation to human capabilities, is controlled by the organisation's procedures.

The organisation ensures that the results of these risk assessments and the effects of these controls are considered when setting its OH&S objectives. The organisation has documented and keeps this information up to date.

The organisation's methodology for hazard identification and risk assessment:

•  Is defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive.
•  Has provided for the classification of risks and identification of those that are to be eliminated or controlled.
•  Is consistent with the operating experience and the capabilities of risk control measures employed.
•  Has provided input into the determination of facility requirements, identification of training needs and/or development of operational controls.
•  Has provided for the monitoring of required actions to ensure both the effectiveness and timeliness of their implementation.

For the management of change the organisation identifies the OH&S hazards and OH&S risks associated with changes in the organisation, the OH&S management system, or its activities, prior to the introduction of such changes.

The organisation ensures that the results of these assessments are considered when determining the controls to be used.

When determining controls, or considering changes to existing controls, consideration is given to reducing the risks according to the following hierarchy:

•  Elimination
•  Substitution
•  Engineering controls
•  Signage/warnings and/or administrative controls

To be taken into account for Risk Assessment/Risk Evaluation for Information Security:

Define the risk assessment approach of UK Metering Group Ltd, identifying a risk assessment methodology that is suited to the Information Security Management System and to the identified business information security, legal and regulatory requirements.

Criteria should be developed for accepting risks and for identifying the acceptable levels of risk.

Risk assessments should produce comparable and reproducible results. Assessments should identify:

Page 17: Integrated Management Systems Manual


•  The assets within the scope of the information security management system and the owners of these assets.
•  The threats to those assets.
•  The vulnerabilities that might be exploited by the threats.
•  The impacts that losses of confidentiality, integrity and availability may have on the assets.

Also, risks should be evaluated and analysed:

•  To assess the business impacts upon the organisation that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of the assets.
•  To assess the realistic likelihood of security failures occurring in the light of prevailing threats and vulnerabilities, the impacts associated with these assets and the controls currently implemented.
•  To estimate the levels of risk.
•  To determine whether the risks are acceptable or require treatment, using the criteria for accepting risks.

Identifying options for the treatment of risks could include:

•  Applying appropriate controls.
•  Knowingly and objectively accepting risks as long as they clearly satisfy the organisation's policies and criteria for acceptance of such risks.
•  Transferring the associated business risks to other parties, for example insurers or suppliers.

Control objectives and controls should be selected and implemented to meet the requirements identified by risk assessments and the risk treatment process. The criteria for accepting risks, as well as legal, regulatory and contractual requirements, should be taken into account.

A Statement of Applicability should be prepared that provides a summary of decisions concerning risk treatment. Senior management approval should be obtained for proposed residual risks.
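The assessment and treatment steps above (identify assets, owners, threats, vulnerabilities and the impact of a loss of confidentiality, integrity or availability; score each risk reproducibly; compare it with the acceptance criteria; accept, apply a control or transfer; summarise the decisions in a Statement of Applicability and flag residual risk for management approval), carried through as an added Python example that is not part of the manual. The ordinal scales, the acceptance threshold of 6, and every asset, threat and score in the register are constructed for illustration, not taken from the company.

```python
"""Worked information security risk assessment in the shape the manual
describes: assets and owners, threats, vulnerabilities, CIA impacts, a
reproducible score, an acceptance criterion, a treatment decision per risk
and a Statement of Applicability style summary. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fixed ordinal scales: the same inputs always give the same score, which is
# what makes assessments comparable and reproducible between assessors.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Acceptance criterion (assumed value): risks scoring at or below this level
# are accepted without further treatment.
ACCEPT_AT_OR_BELOW = 6


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    confidentiality: str   # impact of a loss of each property (IMPACT key)
    integrity: str
    availability: str


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str                    # of the security failure, with current controls
    affects: Tuple[str, ...]           # which of the three properties the scenario harms
    control: str = ""                  # candidate control, if one has been identified
    controlled_likelihood: str = ""    # expected likelihood once the control is in place


def score(risk: Risk, likelihood: str) -> int:
    """Risk level = likelihood x the worst impact among the affected properties."""
    worst_impact = max(IMPACT[getattr(risk.asset, prop)] for prop in risk.affects)
    return LIKELIHOOD[likelihood] * worst_impact


def treat(risk: Risk, accept_at_or_below: int = ACCEPT_AT_OR_BELOW) -> Dict:
    """Choose between the manual's options: accept, apply a control, or
    transfer/escalate. Residual risk above the criterion needs approval."""
    inherent = score(risk, risk.likelihood)
    record = {"asset": risk.asset.name, "owner": risk.asset.owner,
              "threat": risk.threat, "inherent": inherent}
    if inherent <= accept_at_or_below:
        record.update(treatment="accept", residual=inherent, needs_approval=False)
    elif risk.control:
        residual = score(risk, risk.controlled_likelihood)
        record.update(treatment=f"apply control: {risk.control}", residual=residual,
                      needs_approval=residual > accept_at_or_below)
    else:
        # No control identified: transfer (e.g. to an insurer or supplier) or
        # escalate; either way senior management must approve the residual risk.
        record.update(treatment="transfer or escalate", residual=inherent,
                      needs_approval=True)
    return record


def statement_of_applicability(register: List[Risk]) -> List[Dict]:
    """Summary of treatment decisions, highest inherent risk first."""
    return sorted((treat(r) for r in register), key=lambda rec: -rec["inherent"])


# Constructed sample register (hypothetical assets, owners and findings).
METER_DB = Asset("Meter reading database", "Head of Data Management", "major", "severe", "moderate")
LAPTOPS = Asset("Field engineer laptops", "Operations Manager", "moderate", "minor", "minor")
PORTAL = Asset("Customer portal", "IT Manager", "major", "major", "major")
VISITOR_LOG = Asset("Reception visitor log", "Office Manager", "minor", "negligible", "negligible")

REGISTER = [
    Risk(METER_DB, "access by a former employee", "accounts not removed on leaving",
         "possible", ("confidentiality", "integrity"),
         control="leaver process with monthly account review", controlled_likelihood="rare"),
    Risk(LAPTOPS, "laptop stolen from a vehicle", "disk not encrypted",
         "likely", ("confidentiality",),
         control="full disk encryption", controlled_likelihood="rare"),
    Risk(PORTAL, "denial of service", "single hosting provider, no capacity headroom",
         "possible", ("availability",)),
    Risk(VISITOR_LOG, "visitor reads earlier entries", "open book on reception desk",
         "possible", ("confidentiality",)),
]

if __name__ == "__main__":
    for rec in statement_of_applicability(REGISTER):
        flag = "  (residual risk requires management approval)" if rec["needs_approval"] else ""
        print(f"{rec['inherent']:>2} -> {rec['residual']:>2}  {rec['asset']}: "
              f"{rec['threat']} -> {rec['treatment']}{flag}")
```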

4.2.3 Monitor and Review the Information Security Management System (27001 only)

UK Metering Group Ltd will carry out monitoring and reviewing procedures and necessary controls to:

•  Promptly detect errors in the results of processing.
•  Promptly identify attempted and successful security breaches and incidents.
•  Enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected.
•  Help detect security events and thereby prevent security incidents by the use of indicators.
•  Determine whether the actions taken to resolve a breach of security were effective.
•  Measure the effectiveness of controls to verify that security requirements have been met.
•  Review risk assessments at planned intervals and review the residual risks and the identified acceptable levels of risk, taking into account changes to UK Metering Group Ltd, changes in technology, changes to business objectives and processes, changes to identified threats, changes to controls and changes to the legal or regulatory environment, contractual obligations and social climate.

Page 18: Integrated Management Systems Manual


4.3.3 Legal & Other requirements (14001 & 18001)

SMS plc has established and maintains a procedure to identify legal requirements and maintains records of those legal requirements.

4.5.2 Evaluation of compliance (14001 & 18001 only)

SMS plc, consistent with its commitment to compliance, shall establish, implement and maintain a procedure(s) for periodically evaluating compliance with applicable legal requirements. The organisation shall keep records of the results of the periodic evaluations.

The organisation shall evaluate compliance with other requirements to which it subscribes. The organisation may wish to combine this evaluation with the evaluation of legal compliance or establish a separate procedure. The organisation shall keep records of the results of the periodic evaluations.

4.5.3.1 Incident investigation (18001 only)

The organisation has established and maintains procedures for:

•  Determining underlying OH&S deficiencies and other factors that might be causing or contributing to the occurrence of incidents.
•  Identifying the need for corrective action.
•  Identifying opportunities for preventive action.
•  Identifying opportunities for continual improvement.
•  Communicating the results of such investigations.
•  Ensuring that the investigations are performed in a timely manner.

The organisation has implemented and records any changes in the documented procedures resulting from corrective and preventive action.

4.4.6 Operational control (18001 only)

The organisation has identified those operations and activities that are associated with identified hazards where control measures are needed to manage the OH&S risks. The organisation has planned these activities, including maintenance, in order to ensure that they are carried out under specified conditions by:

a)  Having operational controls that are applicable to the organisation and its activities, with these controls integrated into the overall OH&S management system.
b)  Establishing and maintaining controls related to the identified OH&S risks of goods, equipment and services purchased and/or used by the organisation, and communicating relevant controls and requirements to suppliers and contractors.
c)  Establishing and maintaining documented procedures to cover situations where their absence could lead to deviations from the OH&S policy and objectives.
d)  Stipulating operating criteria where their absence could lead to deviations from the OH&S policy and objectives.
e)  Establishing and maintaining procedures for the design of workplace, process, installations, machinery, operating procedures and work organisation, including their adaptation to human capabilities, in order to eliminate or reduce OH&S risks at their source.

4.4.7 Emergency preparedness and response (14001 & 18001 only)

SMS plc has established and maintains procedures to identify the potential for, and the response to, accidents and emergency situations, and for preventing and mitigating the environmental impacts that may be associated with them.

Page 19: Integrated Management Systems Manual


SMS plc reviews and revises, where necessary, its emergency preparedness and response procedures.

5. Management Responsibility

5.1 Commitment (9001 14001 18001 27001)

Top management of SMS plc ensure that all employees are aware of the need to meet customer and regulatory requirements and that the necessary resources are available. The currency of the Quality, Environmental and Health & Safety policies and objectives is maintained by regular management reviews.

5.2 Customer Focus (9001)

Customer needs and expectations are determined and fulfilled to meet customer satisfaction. Due consideration is given to product, service, regulatory and legal requirements.

5.3 Policy (9001) (4.2 14001 & 18001)

SMS plc has established, through its quality policy, the need to meet requirements and continually improve its products and services. Quality objectives are reviewed for continuing suitability and communicated as appropriate throughout SMS plc. Through its Environmental Policy it is committed to doing its very best to protect the environment through training, assessment of its activities and measuring and monitoring of targets and objectives. Through its Health & Safety Policy it commits to ensure best Health & Safety practice through risk assessment, training and measuring and monitoring of all Health & Safety issues at regular intervals.

The H&S Policy should:

a)  Be appropriate to the nature and scale of our OH&S risks.
b)  Include a commitment to prevention of injury and ill health and continual improvement in OH&S management and OH&S performance.
c)  Provide the framework for setting and reviewing OH&S objectives.
d)  Include a commitment to continual improvement.
e)  Include a commitment to at least comply with current applicable OH&S legislation and with other requirements to which the organisation subscribes.
f)  Be documented, implemented and maintained.
g)  Be communicated to all persons working under the control of the organisation with the intent that they are made aware of their individual OH&S obligations.
h)  Be available to interested parties; and
i)  Be reviewed periodically to ensure that it remains relevant and appropriate to the organisation.

5.4 Planning (9001) (4.3 14001 & 18001) Objectives & Targets

SMS plc has established that all relevant functions and levels within SMS plc have clear, measurable Quality, Environmental and Health & Safety objectives that are consistent with the policies and product requirements. Adequate resources are available and output is planned in a controlled manner as is required by the Management System, being mindful of the process and the need for continual improvement.

SMS plc has established and maintains environmental objectives, targets and programmes. The following are considered in establishing and reviewing these:

•  Designation of responsibility for achieving objectives and targets at relevant functions and levels of the organisation.
•  The means and time-frame by which they can be achieved.


5.6 Management Review (4.6 14001 & 18001) (7.1 27001)

The complete Management System is reviewed at planned intervals to ensure its continuing suitability, adequacy and effectiveness and to evaluate the need for change.

The review includes the evaluation of current performance and improvement opportunities related to audits, customer feedback, process and product performance, follow-up from previous meetings, and any changes that could affect product or service quality. The review addresses the need for changes to policy, objectives and other elements of the environmental management system in the light of audit results, changing circumstances and the commitment to continual improvement. It likewise addresses the possible need for changes to policy, objectives and other elements of the OH&S management system in the light of audit results, changing circumstances and the commitment to continual improvement.

All results of management review activity are recorded.

6. Resource Management

Provision of Resources (4.4.1 14001 & 18001)

SMS plc has ensured that the resources needed to implement and improve the Integrated Management System are available.

Human Resources (6.2 9001) (4.4.1 14001 & 18001) (5.2 27001)

Where personnel are assigned responsibilities affecting product conformity or Environmental and Health & Safety issues, SMS plc has ensured that they are competent on the basis of applicable education, training, skills and experience.

SMS plc has identified the training needs for Quality, Environmental and Health & Safety related activities and provides training to satisfy these needs. Performance is evaluated and appropriate training records are maintained.

6.3 Facilities

Suitably equipped workplaces, with appropriate hardware and software and supporting services, are provided.

6.4 Work Environment

All aspects of the human and physical factors of the working environment that affect conformity of product or service, or environmental and health & safety issues, have been identified and are managed.

7. Product Realisation

7.1 Planning of realisation process

The production process for SMS plc products and services is planned and documented as defined in the Management System. Quality objectives, resources, processes and documentation needs are defined, together with acceptance criteria for verification and validation. Records appropriate to the level of confidence required for the process and the product or service are maintained.


7.2 Customer related processes (4.3.3 14001 & 18001) Communication

The needs of the customer in respect of availability, delivery and support are considered against the product's intended use, and the applicable regulatory and legal requirements are determined and implemented.

SMS plc reviews its customers' requirements and determines any additional requirements for each contract or order. Where no customer requirements are documented, details are confirmed before acceptance. Any changes to contracts or quotations are resolved before proceeding, and the company's ability to meet the defined requirements is confirmed.

The customer is kept informed of product information, enquiries, order changes or amendments and progress on customer complaints. SMS plc has established and maintains procedures for internal and external communication regarding its environmental aspects and environmental management system. It responds to and documents all communications and decides its level of communication to third parties on environmental issues.

7.3 Design and development

There may be occasions when a customer requires a specific design. The Organisation shall plan and control the design and development of product. The Organisation shall determine the design and development stages, review and validate each design and development stage as appropriate, and determine responsibilities and authorities for design and development.

7.4 Purchasing

SMS plc controls its purchasing function to ensure that purchased product conforms to requirements. Suppliers are selected against defined criteria and are subject to planned review and evaluation. The results of evaluations and follow-up actions are recorded.

Purchasing documents are reviewed before release for the adequacy of information on product, procedures, processes, equipment and personnel.

SMS plc verifies its purchased products and, where verification takes place at the supplier's premises, details of the arrangements and the method of release are specified.

7.5 Production and Service operations

Production and services are controlled through product specifications and work instructions. Suitable equipment is used and properly maintained, with the use of specified measuring and monitoring equipment and activities. Product release, delivery and post-delivery processes are defined.

Where verification of product or service cannot be ensured during the process by measuring and monitoring, control is exercised by qualification of the process, equipment and personnel through defined methods, procedures and records, and by re-validation if required.

Where appropriate, SMS plc identifies the product throughout the production and serviceactivities and identifies its status with respect to measuring and monitoring activity throughoutproduct realisation. Where traceability is required, the unique identification of the product iscontrolled and recorded.

Where customer property for inclusion in the product comes within SMS plc control, it isidentified, verified, maintained and protected with details of adverse condition reported to thecustomer.

SMS plc preserves the conformity of the product or service from receipt of order to delivery.


 

7.6 Control of measuring and monitoring equipment

Measuring and monitoring equipment and software are identified throughout SMS plc where quality is affected, and the equipment used is controlled to appropriate standards for consistency. The equipment is protected against unintended adjustment, damage and deterioration, and the results of calibrations are recorded.

8. Measurement, analysis and improvement

8.1 Planning (9001)

The requirements for defining the methods and equipment used to measure and monitor products and processes, and the method of their use, have been determined.

8.2 Measurement and Monitoring (4.5.1 14001 & 18001) (6 27001)

Clear methods have been established to audit customer satisfaction and any failures to meet SMS plc standards. Suitably trained and impartial personnel conduct periodic independent internal audits on a planned basis. All aspects of internal audits are recorded and reviewed, and timely corrective action is taken where necessary.

Processes affecting customer requirements are periodically reviewed to ensure that the intended purpose is being met. Measuring and monitoring of the product throughout the process is designed to ensure the finished item meets specification, and authorised personnel control its release.

8.3 Control of nonconformity (4.5.3 14001) (4.5.3.2 18001) (8.3 27001)

Documented procedures are in place to identify and isolate non-conforming products, and repaired product is re-checked before it is returned to the process. In the event of non-conforming product reaching the customer, appropriate corrective action is taken.

For Environmental issues, actions taken should be appropriate to the magnitude of the problems and the environmental impacts encountered.

For Health & Safety issues, where the corrective or preventive action(s) identify new or changed hazards or the need for new or changed controls, the procedure requires that a risk assessment be carried out prior to implementation.

8.4 Analysis of data

Data referring to product quality problems is collected and analysed, and where changes to the Management System offer improvements these changes are introduced. Areas for attention when considering Quality are customer complaints, meeting the customer's needs, product characteristics and supplier performance.

8.5 Improvements (9001) (8.1 27001)

The Management System is managed in a manner that offers continual improvement, having regard to the statements in its Quality Policy, Environmental Policy and Health & Safety Management Policy, its objectives, audit results, data analysis, corrective and preventative action and management review.

Appropriate action is taken to rectify faults and prevent their recurrence, and the procedure is documented. Requirements for identifying faults and determining their cause are defined; the corrective action taken is recorded and its results are reviewed for effectiveness.


SMS plc identifies preventative actions to prevent the occurrence of potential non-conformities, and the results of such actions are recorded and reviewed for effectiveness.

HIERARCHY OF HEALTH & SAFETY MANAGEMENT

The organisation's management appointee has defined roles, responsibilities and authority for:

a)  Ensuring that OH&S management system requirements are established, implemented and maintained in accordance with this OHSAS specification;
b)  Ensuring that reports on the performance of the OH&S management system are presented to top management for review and as a basis for improvement of the OH&S management system.

All those with management responsibility can demonstrate their commitment to the continual improvement of OH&S performance.

Responsibilities of the Managing Director

The Top Management of the company is ultimately responsible for everyone's health, safety and welfare at work (including the public) and for ensuring that:

•  Adequate and effective planning, organisation, control and monitoring for safety are implemented in accordance with relevant legislation.
•  Sufficient financial and labour resources and time are available to meet statutory requirements.
•  Employees are fully aware of this policy and their duties in relation to health and safety.
•  All reported health and safety issues are reviewed and remedial action applied when necessary.
•  Everyone working for the company receives adequate instruction, information, training and supervision to achieve the requirements of this policy.
•  Equipment used by the company is suitable for the job and regularly inspected and maintained.
•  Contractors are competent and have adequate health and safety arrangements.
•  Risk assessments are undertaken to assist in the implementation of safe systems of work.
•  Employees are consulted and their views considered prior to implementing changes that may affect their health and safety.

Responsibilities of Safety Co-ordinator

The Safety Coordinator of the company shares responsibility for ensuring there are effective arrangements, planning, organisation, control and monitoring for safety within the company, and that preventative measures are maintained and legal requirements met. His/her specific responsibilities as Safety Coordinator include:

•  Supporting the Top Management in his/her general duty to ensure the health, safety and welfare of employees and others.
•  Acting on reports from employees and others on matters of health and safety and reporting back to the Top Management.
•  Ensuring that health and safety is taken fully into account in all dealings with the company and using the competent advice available.


•  Implementing the arrangements set out in this policy and monitoring the safety performance across the company.
•  Ensuring that employees and self-employed subcontractors are aware of their health and safety responsibilities and comply with the requirements of the policy.

Responsibilities of the competent person

The Competent Person is responsible for the implementation of the OH&S policy and has been clearly allocated this responsibility.

This is a mandatory legal requirement with few exceptions.

Competent Person(s) have been given authority and resources, including time, to carry out their responsibilities.

Accountability rests with the Competent Person to discharge his/her responsibilities. Reporting relationships are clear and unambiguous.

Where personal appraisal systems are in place for the Competent Person, performance of the OH&S management system is included in the appraisal system.

Specific responsibilities:

•  Identifying employee training needs in respect of health and safety, arranging health and safety training and keeping suitable records.
•  Ensuring new employees receive suitable and adequate induction training.
•  Ensuring suitable health and safety information is provided to employees.
•  Ensuring that risk assessments are undertaken in the premises concerned.
•  Ensuring that equipment procured by the company is suitable for the intended task, complies with statutory safety standards, is CE marked and is accompanied by statutory documentation and manuals.
•  Ensuring that contractors are competent and have adequate health & safety arrangements.
•  Ensuring there is adequate first aid provision in the company.
•  Ensuring all accidents are entered in the accident book.
•  Ensuring that fire precautions are inspected and maintained and records retained.
•  Ensuring materials are stored safely and all areas are safe and tidy.

Responsibilities of employees and self employed sub contractors

All employees and sub-contractors have a duty to ensure they abide by the Health & Safety regulations of the country in which they are working.

Any employee responsibilities detailed in the policy are also applicable to self-employed subcontractors. All employees and self-employed subcontract employees will therefore:

•  Comply with the company safety policy, site health and safety plan, risk assessments and method statements, and office rules.
•  Co-operate with both employer and managers and follow instructions.
•  Use the appropriate equipment for the job and not misuse it.
•  Keep equipment in good condition and report defects.
•  Report any accident, dangerous occurrence, ill health or condition to the safety coordinator or the appointed responsible person.
•  Take all reasonable steps to ensure the safety of themselves and others.


•  Raise any Health & Safety concerns with the Safety Coordinator or the appointed responsible person.
•  Avoid improvised arrangements and suggest safe ways of reducing risks.
•  Observe all warning notices and follow instructions.
•  Not interfere with or misuse anything provided for them in the interests of health, safety and welfare.
•  Report defective equipment to the Safety Coordinator or the appointed responsible person and not use it until it is repaired.
•  Inform the Top Management if they suffer from any allergy or health problem, or are receiving medication, likely to affect their ability to do normal tasks.

Any breach of these requirements is treated as a breach of contract and appropriate disciplinary action will be taken. The taking of any reasonable action to safeguard the health, safety and welfare of themselves and others will not result in any form of disciplinary action.


Procedures Manual

Copy Holders: SMS plc; QAS International (uncontrolled)

Registered Holder Signature ____________________________________

Date_______________________


 

Quality Document Register

Document Number   Description
QMF 01            Management Review Agenda
QMF 02            Training Record
QMF 03            Training Plan
QMF 04            Internal Audit Programme
QMF 05            Internal Audit Report
QMF 06            Customer Complaint Form
QMF 07            Complaints Register
QMF 08
QMF 09
QMF 10
QMF 11
QMF 12
QMF 13
QMF 14
QMF 15
QMF 16
QMF 17
QMF 18
QMF 19
QMF 20
QMF 21
QMF 22
QMF 23
QMF 24


Environmental Document Register

EN 01   Management Review                   Ref: QMF 01 QMS 9001:2008
EN 02   Training Records                    Ref: QMF 02 QMS 9001:2008
EN 03   Training Plan                       Ref: QMF 03 QMS 9001:2008
EN 04   Audit Program
EN 05   Audit Report
EN 06   Residential Complaints Form
EN 07   Residential Complaints Register
EN 09   Aspects and Impacts Report
EN 10   Objectives and Targets Record
EN 11   Fire Evacuation Procedures
EN 12   Emergency Preparedness Procedures
EN 13   Non-Conformance/Near Miss Report


Health & Safety Document Register

SMF 01 Management Review

SMF 02 Training Plan

SMF 03 Training Record

SMF 04 Induction Form

SMF 05 Competent Persons List

SMF 06 Internal Audit Plan

SMF 07 Internal Audit Report

SMF 08 Risk Assessment

SMF 09 Emergency Response Procedures

SMF 10 COSHH Register

SMF 11 First Aid Assessment Chart

SMF 12 Display Screen Equipment Checklist

SMF 13 Accident Investigation Form


PRM 01

DOCUMENT CONTROL AND RECORDS

1.0 Introduction

To demonstrate that SMS plc's stated quality objectives have been satisfied, a detailed system of control for quality-related documentation and records needs to be maintained. This applies equally to Environmental, Health & Safety and Information Security documentation.

2.0 Scope

SMS plc will produce and maintain adequate documentation to detail the requirements of the management system, and will maintain the records needed to show that those requirements are met.

This procedure also applies to all records generated under the other procedures in themanagement system.

3.0 ResponsibilityIt is the responsibility of the Systems Representative to ensure:

•  The management system is adequately documented.

•  Documents are properly controlled and approved and are readily available to thosepersonnel that need to use them.

•  Sufficient records are maintained and these are legible and readily found.

4.0 Procedure4.1 Document and Data Control

All documentation must carry a unique identification number, an issue number and the date from which the document becomes effective.

Documents must be formally approved for use.

All documents must be clearly identified by their title or other reference, traceable from the document master register.

A master register will be available and must record the current issue of each document. The master register will be the only source for copies.

An electronic copy, if available, must be controlled. Obsolete documents will be withdrawn from the system; a retention time should be agreed and the withdrawn document securely stored.

External documentation must be adequately controlled to ensure that it is not damaged or lost. All forms must be periodically assessed under the Internal Audit procedures for currency and fitness for use. Any changes required to documentation must be processed through the Management Review meeting.

4.2 Records

All completed system documentation and records must be retained for at least three years unless otherwise specified by other regulations or by legislation.


Records must be correctly filed under suitable headings, in files, folders etc., such that they can be readily found. Adequate security must be maintained to ensure that records are not lost or damaged. Records must be legible, identifiable and retrievable. Records kept on computer or other electronic media must be backed up on a regular basis such that the information can be recovered if necessary.

Records may be destroyed at the end of their retention period.

Documents and Records Management (Environmental)

To ensure that environmental documentation is made available to relevant site personnel, it is maintained in a controlled manner and is kept up to date and relevant to the site's activities and environmental policy.

The environmental objectives, targets and action plans must be reviewed through the procedure "Reviewing and Updating Objectives and Targets".

 All personnel may suggest modifications to the Environmental Representative who must discussany proposals with relevant personnel.

The Environmental Representative is responsible for approving all changes to the documentationand for authorising relevant personnel to approve changes on his behalf.

The Environmental Representative is responsible for signing off any changes to the site policy.

The Environmental Representative is responsible for making the agreed changes to the manual, for re-issuing the modified documentation, and for ensuring that all documentation in this manual is in legible form and is appropriately authorised, dated, marked with a revision number and readily identifiable by procedure/programme number.

The Environmental Representative is responsible for ensuring that all procedures are written andprovide clear instructions and responsibilities.

The Environmental Representative is responsible for ensuring that obsolete documents are promptly removed and destroyed to prevent re-introduction into the system, unless they are subject to specific record retention requirements.

The Environmental Representative is responsible for maintaining a master copy of all superseded documents for a period of three years beyond the date of the superseding revision. Document retention, as referred to in the various sections of this manual, is the minimum needed to meet the respective requirements. All documentation must be legible, dated and referenced. The Environmental Representative is responsible for updating this procedure when necessary.
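A register check of the kind the document-control rules in PRM 01 4.1 and 4.2 and the three-year retention of superseded environmental documents above imply: every issue carries a unique identification number, an issue number, an effective date and a formal approval; the master register holds exactly one current issue per document, and it is the highest issue; a superseded issue may only be destroyed once three years have passed since the superseding revision. This is an added example, not part of the SMS plc manual or of any SMS plc system. The Document record layout, the sample register entries, their dates and the SAMPLE_TODAY value are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# PRM 01 4.2 and the Environmental section: at least three years' retention.
RETENTION_YEARS = 3

# Constructed "today" for the sample run; not a date taken from the manual.
SAMPLE_TODAY = date(2016, 4, 1)


@dataclass(frozen=True)
class Document:
    """One issue of a controlled document as listed in the master register."""
    doc_id: str                           # unique identification number, e.g. "QMF 05"
    issue: int                            # issue number
    effective: date                       # date from which this issue is effective
    approved_by: str                      # formal approver; empty string means not approved
    superseded_on: Optional[date] = None  # date a later issue replaced this one, if any


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_ends(doc: Document) -> Optional[date]:
    """Earliest date a superseded issue may be destroyed; None while it is current."""
    if doc.superseded_on is None:
        return None
    return add_years(doc.superseded_on, RETENTION_YEARS)


def check_register(register: list[Document]) -> list[str]:
    """Return one finding per document-control rule the register breaks (empty = clean)."""
    findings: list[str] = []
    by_id: dict[str, list[Document]] = {}
    for doc in register:
        by_id.setdefault(doc.doc_id, []).append(doc)
        label = f"{doc.doc_id} issue {doc.issue}"
        if not doc.doc_id.strip():
            findings.append(f"issue {doc.issue}: missing identification number")
        if doc.issue < 1:
            findings.append(f"{label}: issue number must be 1 or greater")
        if not doc.approved_by.strip():
            findings.append(f"{label}: not formally approved for use")
        if doc.superseded_on is not None and doc.superseded_on < doc.effective:
            findings.append(f"{label}: superseded before it became effective")
    for doc_id, issues in by_id.items():
        if len({d.issue for d in issues}) != len(issues):
            findings.append(f"{doc_id}: duplicate issue numbers")
        current = [d for d in issues if d.superseded_on is None]
        if len(current) != 1:
            findings.append(f"{doc_id}: {len(current)} current issues, expected exactly 1")
        elif current[0].issue != max(d.issue for d in issues):
            findings.append(f"{doc_id}: current issue {current[0].issue} is not the highest")
    return findings


def destroyable(register: list[Document], today: date) -> list[Document]:
    """Superseded issues whose minimum retention period has run out as of `today`."""
    out: list[Document] = []
    for doc in register:
        end = retention_ends(doc)
        if end is not None and end <= today:
            out.append(doc)
    return out


def sample_register() -> list[Document]:
    """Constructed example entries; not SMS plc's actual register."""
    return [
        Document("QMF 05", 1, date(2012, 1, 10), "Systems Representative",
                 superseded_on=date(2013, 3, 1)),
        Document("QMF 05", 2, date(2013, 3, 1), "Systems Representative"),
        Document("EN 10", 1, date(2014, 6, 1), ""),                  # never approved
        Document("SMF 08", 2, date(2015, 2, 1), "H&S Manager"),
        Document("SMF 08", 3, date(2015, 9, 1), "H&S Manager"),    # issue 2 never marked superseded
    ]


if __name__ == "__main__":
    reg = sample_register()
    for finding in check_register(reg):
        print("FINDING:", finding)
    for doc in destroyable(reg, SAMPLE_TODAY):
        print(f"may destroy: {doc.doc_id} issue {doc.issue} (retention ended {retention_ends(doc)})")
```

Run as a script it reports the unapproved EN 10 form and the two simultaneously current issues of SMF 08, and lists QMF 05 issue 1 as destroyable because its three years beyond the superseding revision have elapsed on the sample date. Retention is computed from the superseding date, not the original effective date, which is the distinction the environmental rule draws.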

Records Management (Health & Safety)

To demonstrate that the Organisation's stated safety objectives have been satisfied, a detailed system of control for Health & Safety related documentation and records needs to be maintained.

The Organisation will produce and maintain adequate documentation to detail the requirements of the Health & Safety management system. Adequate records must be maintained.

This procedure also applies to all records generated under the other procedures in the Integrated Management System.


It is the responsibility of the Health & Safety Manager to ensure:

•  The Health & Safety aspect is adequately documented.

•  Documents are properly controlled and approved and are readily available to thosepersonnel that need to use them.

•  Sufficient records are maintained and these are legible and readily found.

All Health & Safety manual documentation must carry a unique identification number, an issue number and the date from which the document becomes effective.

Documents must be formally approved for use.

All forms must be periodically assessed under the Health & Safety Audit procedures for currency and fitness for use.

All completed Health & Safety documentation and records must be retained for at least three years unless otherwise specified by other regulations or by legislation.

To ensure that Health & Safety documentation is made available to appropriate personnel, it is maintained in a controlled manner and is up to date and relevant to the Organisation's activities and Health & Safety policy.

Control of Records (Information Security)

All records shall be maintained, as is generic to all management systems, in order to provide evidence of conformity to requirements and of the effective operation of the information security management system. These records must be protected and controlled. They must be legible, identifiable and retrievable, and their control must take into account all legal, regulatory and contractual requirements. All documents shall be at current issue, with any changes identified in the amendment table.


 

PRM 02

MANAGEMENT REVIEW

1.0 Introduction

The Quality, Environmental and Health & Safety management system needs periodic review to ensure that it meets the requirements in respect of policy, objectives, effectiveness, resources and planning, and is kept up to date. Minutes should be recorded and copies distributed to relevant personnel.

2.0 Scope

The Management Review must cover the operation of the Management System throughout SMS plc.

3.0 ResponsibilityIt is the responsibility of the Systems Representative to ensure:

•  The management system is reviewed at least annually to ensure its continued suitabilityand effectiveness.

•  The minutes of the meeting are recorded.

•  Any actions are identified and corrected.
•  Opportunities for improvement are identified and implemented.

4.0 Procedure

The Management Review must be held at least once per year to address all parts of the SMS plc Quality, Environmental and Health & Safety management system:

•  To determine whether it is operating effectively to the benefit of SMS plc.
•  To identify opportunities for improvement in all three disciplines.
•  To determine whether SMS plc is continuing to meet customer requirements.
•  To prevent nonconformity.
•  To address the results of Aspects and Impacts assessments.
•  To measure and monitor environmental performance.

The meeting must address the following topics:

Health & Safety

To evaluate the continuing appropriateness and effectiveness of the Health & Safety Policy (inclusive of objectives) and the supporting Health & Safety Management System, and to ensure that necessary modification takes place.

The Health & Safety representative is responsible for collating all the necessary information for the Health & Safety input, including:

•  Health & Safety manual
•  Register of significant Health & Safety effects
•  Register of requirements
•  Overall performance against objectives and targets
•  Health & Safety Audit Reports
•  New and emerging Health & Safety issues relevant to the site.


The Health & Safety representative is responsible for monitoring the implementation of the recommended actions.

Actions from previous meeting

The aim is to ensure that any actions from the previous meeting have been completed.

Review of the Quality, Environmental and Health & Safety Policies and their Targets and Objectives

The policies must be reviewed to check that they are still suitable for SMS plc. Any objectives must be reviewed to check whether they are still appropriate and are being achieved. New objectives/targets must be set where necessary. Environmental targets should be analysed and the results measured and recorded.

Improvement

The meeting must address methods of improvement to the system. Where areas for improvement are identified, appropriate objectives and methods of monitoring will be agreed. Any of the topics addressed during the meeting may be considered for improvement initiatives.

Non-conformance and customer complaints

Non-conformances and customer complaints must be reviewed to check that the underlying cause has been addressed. Their effect on customer satisfaction must be addressed.

Near misses, Accidents, Incident Reports, Risk Assessments

These should be discussed and reviewed, and any applicable paperwork should be brought to the meeting.

Environmental Aspects and Impacts

The Environmental Representative should bring the results of Aspect/Impact assessments to the meeting, and these should be analysed.

Corrective and preventative actionCorrective and preventative actions must be reviewed to check that they have been effective inachieving an improvement in the management system.

Internal and external audits

Audit results must be reviewed to check that any non-conformances were corrected within an acceptable time scale. The frequency of auditing may be reviewed based on the audit results.

Planning and future resource requirements (long term planning)

Any changes to the business that could affect the customer or the quality management system should be addressed. This will include changes related to personnel, equipment or other resources.

Training

Training needs must be reviewed together with any proposals for carrying out training.

Supplier performance

 Any need for changes to the suppliers used by SMS plc must be addressed.


Customer satisfaction

The meeting must address whether SMS plc is meeting or, if possible, exceeding the Customers' requirements and expectations. Where complete customer satisfaction is not being achieved SMS plc must plan and allocate suitable resources to resolve the problem.

Any other business

This may include any initiatives for improvement, reduction in rework or waste etc.

The review must cover as a minimum the period since the last Management Review. The person responsible for any actions identified at the meeting must be recorded together with target dates for completion where appropriate. SMS plc must allocate the necessary personnel and resources for these corrective actions.


[Figure: Guide to the Management Review Meeting (flowchart). Start; Collect information (inputs: corrective & preventative action, customer feedback/complaints, outside influences, training records, external audit reports, internal quality audit reports, non-conformance reports, aims and objectives); Analyse; Prepare and distribute; Input from members of the meeting; Discuss and document inputs/outputs; Review action from previous meetings; Check effectiveness of actions and report; Agree actions; Management Review minutes; Set date of next meeting.]


PRM 03

RESOURCES

1.0 Introduction

To meet the requirements of the customer, Environmental commitments and Health & Safety requirements SMS plc ensures that there are adequate resources in the form of personnel, plant and equipment. This may include additional resources from outside SMS plc where necessary.

2.0 Scope

This procedure covers the systems and operations necessary to ensure that SMS plc has adequate resources to meet the requirements of its customers and operate the business in an efficient and safe manner.

3.0 Responsibility

It is the responsibility of ‘Top Management’ to ensure that:

•  SMS plc resource requirements are reviewed on a regular basis.
•  Training needs are identified.
•  Suitable training is carried out and checked for effectiveness.

4.0 Procedure

4.1 General

The review of resources must be formally carried out as part of the Management Review process but is also part of the day to day management of SMS plc. See PRM 02 Management Review.

Records associated with personnel and training are maintained in accordance with PRM 01 Document Control and Records. These records must be reviewed at least once per year.

4.2 Human Resources

As part of the general planning and management process, SMS plc must identify the personnel needed to ensure that it operates effectively and safely. The general structure of SMS plc is shown in the SMS plc organisation chart in the Quality Manual. Specific responsibilities and authorities are defined in the SMS plc structure.

New personnel will be selected by management interview. SMS plc policy of recruiting and procuring personnel with the required level of skills, experience and education is reviewed in the light of labour availability and also changes in the nature of SMS plc work.

The training needs of all personnel will be identified by assessment on an ongoing basis. Where possible, measurable objectives will be set to assist in continual improvement.

All personnel must be given induction training including an explanation of the management system and the health and safety requirements when they start work with SMS plc.

The training and experience of each employee will be assessed against defined objectives and any changes that have taken place, or are about to take place, to ensure that personnel are adequately trained and experienced to carry out their duties.

Where a specific training need is identified, this must be arranged and included on the Training Plan (Form QMF03).

Training will be by means of ‘on the job’ or ‘on course’ training.


•  OH&S programmes

The following elements should be included in the process:

•  A systematic identification of the OH&S awareness and competencies required at each level and function within the Organisation;

•  Arrangements to identify and remedy any shortfalls between the levels currently possessed by the individual and the required OH&S awareness and competency;
•  Provision of any training identified as being necessary in a timely and systematic manner;
•  Assessment of individuals to ensure that they have acquired and that they maintain the knowledge and competency required;
•  Maintenance of appropriate records of an individual’s training and competency.

An OH&S awareness and training program has been established and maintained to address the following areas:

•  An understanding of the Organisation’s OH&S arrangements and individual specific roles and responsibilities for them;
•  A systematic program of induction and ongoing training for employees and those who transfer between divisions, sites, departments, areas, jobs or tasks within the Organisation;
•  Training in local OH&S arrangements and hazards, risks, precautions to be taken and procedures to be followed, this training being provided before work commences;
•  Training for performing hazard identification, risk assessment and risk control;
•  Training for all individuals who manage employees, contractors and others (e.g. temporary workers), in their OH&S responsibilities. This is to ensure that both they and those under their control understand the hazards and risks of the operations for which they are responsible, wherever they take place.

4.3 Facilities

Top Management must ensure that all buildings, plant and equipment are regularly maintained in accordance with manufacturers’ instructions or recognised good practice.

Records of maintenance will be maintained showing details of the work carried out. Where appropriate, copies of certificates or other evidence of maintenance work will be maintained.

4.4 Work Environment

All employees must maintain a good standard of housekeeping within the work area. Waste materials must be cleared away regularly to maintain a safe working environment. Any faulty plant or equipment must be reported to senior management.

When working at a client’s site (if applicable), all due care and attention must be afforded to the client’s property and where possible logistical layouts must not be affected without prior permission.


PRM 04

CUSTOMER REQUIREMENT (ISO 9001:2008)

1.0 Introduction

Meeting the customers’ requirements is the principal objective of SMS plc. Their needs must be fully understood and agreed and SMS plc must establish that it is in a position to meet these requirements in an effective manner.

2.0 Scope

The nature of the business is such that all orders and contracts are reviewed to ensure that requirements are adequately defined and documented through means including phone, fax, e-mail and direct mailing.

The scope of this procedure includes:

•  Identification and documentation of the customer requirements.
•  Review of these requirements.
•  Methods of communication with the customer.
•  Outline planning of the work.

3.0 Responsibility

It is the responsibility of Top Management to ensure that:

•  All verbal or written enquiries, orders and contracts are reviewed to ensure that the requirements together with any changes are adequately defined and understood by both parties.
•  These requirements together with any changes are adequately documented.
•  Adequate planning is carried out to ensure that SMS plc has or can obtain the necessary resources to fulfill the order or contract.
•  Effective lines of communication are set up between the customer and SMS plc.
•  Sufficient records are kept to show that the above requirements have been achieved.

4.0 Procedure

4.1 General

Customer requirements will be dealt with in stages:

•  Receipt and understanding of the customer requirements.
•  Review of SMS plc capability to meet these requirements.
•  Confirmation of acceptance to the customer.
•  Enquiries, requests for quotations, invitations to tender and orders are generally received by telephone, letter, fax or e-mail.
•  Where SMS plc is unable to meet the customer’s requirements they will be advised accordingly.

4.2 Customer Requirements (Receipt)

All enquiries and tenders for business will be handled by the designated staff chosen by senior management. The details will be recorded and may include:

•  Customer name, address and telephone number.
•  Details of requirement.
•  Delivery details/dates.


•  Customer contact (name, telephone number).
•  Date of enquiry or order.
•  Customer supplied documents, drawings, specification etc.
•  Supporting services, spares, service contracts etc.
•  Regulatory or legislative requirements.
•  Any special requirements for product validation or verification.

4.3 Order Fulfillment

When the details of the Customer’s requirements have been clearly identified, SMS plc ability to carry out the work must be formally reviewed. This must be based on the documents or other information provided by the Customer or SMS plc own documentation defining the requirements.

The review of SMS plc capability of carrying out the work must address the following:

•  Can SMS plc carry out the work in accordance with the customers’ requirements without any additional resources or changes to the normal SMS plc operations?
•  Is the organisation a new or existing customer?
•  Are any additional resources required?
•  Is there a need for additional investigation or research?
•  Is any additional staff training needed?
•  What goods, materials or services need to be obtained from outside suppliers?
•  Does the work involve any special process not usually carried out by SMS plc?
•  Are there any special legal or regulatory requirements? E.g. national standards, health and safety etc.
•  Are any support services required or specifically called for? E.g. spares, maintenance support?
•  Can the design requirements be met?
•  Is any specific documentation needed?

Where any queries or discrepancies are found during this review process they must be resolved with the customer. Where the enquiry or order is from a new customer the requirements will be reviewed.

4.4 Communication

Clear lines of communication must be established and maintained between the customer and SMS plc. This will be by means of telephone, fax, letter and e-mail.

Orders must be checked to ensure that they agree with any quotations or previous agreements.

 Any differences must be resolved.

Communication within SMS plc will be by means of e-mail, phone and verbally.

All communications that could significantly affect SMS plc ability to fulfill the order or contract must be recorded.

Any customer complaints must be dealt with in accordance with Procedures PRM 09 and PRM 10.

4.5 Planning

As part of the process of review of the Customer’s requirements, SMS plc must plan how the work is to be carried out to ensure that sufficient resources are available to achieve the specified requirements and quality. Planning will take into account:


•  The customer’s delivery or other critical dates.
•  Any specific product verification or checking requirements.
•  Availability of resources - both staff and plant and equipment.
•  Any longer term planning will be dealt with at the Management Review.

The Quality Representatives will provide feedback where problems have arisen with a view to improvement in the quality system.


PRM 05

PROCESS CONTROL (ISO 9001:2008)

1.0 Introduction

It is essential that the work carried out by SMS plc is adequately controlled to ensure that it meets the requirements of the customer. This is achieved by good planning, the provision of adequate resources, properly trained and experienced personnel, clearly defined standards and methods of working and correct monitoring and product verification.

2.0 Scope

The work carried out by SMS plc is “The provision of Gas Metering Infrastructure Services to the & Commercial sector. The provision of Meter Asset Management Services to Domestic and Industrial & Commercial Gas Suppliers”

Including:

Planning of the work process (including validation that it is effective).
Control of the work process.
Validation of the work.
Identification and traceability.
Customer property.
Control of associated activities including handling, packing, storage, preservation and delivery.

3.0 Responsibility

It is the responsibility of ‘Top Management’ of SMS plc to ensure that:

All work carried out by SMS plc is adequately defined and controlled.
Appropriate instructions are provided and maintained to ensure that the quality of work is satisfactory and these are readily available.
Standards of workmanship and criteria for acceptance are defined.
Suitable personnel are assigned for the work process and for product verification and checking activities.
Adequate resources are provided in the form of personnel, equipment and a suitable working environment.

4.0 Procedure

4.1 General

All work carried out by SMS plc must take into account any applicable Health and Safety requirements and statutory legislation.
Good standards of housekeeping will be maintained at all times.
All records associated with the work process are kept in accordance with PRM 01 Document Control and Records.
All personnel carrying out work will be suitably trained and experienced in accordance with PRM 03 Resources.
Measuring equipment, where applicable, will be controlled in accordance with PRM 07 Measuring and Monitoring Equipment.
All equipment will be maintained regularly in accordance with the manufacturers’ or suppliers’ instructions.
Process capability will be addressed in accordance with procedure PRM 11 Measurement and Improvement.

4.2 Planning


Work will be planned and controlled by due delivery date and material availability. Planning must take into consideration:

Inputs and outputs required.
Allocation of responsibilities.
Resources required.
Validation of the process and analysis of any risks.
Legal or regulatory requirements.
Procurement of goods, materials or services.
Procedures, methods and work instructions.
Product validation, product verification and other validation processes.
Control of changes and modifications.
Targets for the completion of the work.
Records.
Other requirements as appropriate to meet the quality objectives.


[Figure: PLANNING diagram. Planning inputs: Inputs and outputs required; Allocation of responsibilities; Resources required; Validation of processes & analysis of risks; Legal requirements; Procurement of goods & services; Validation of product and all processes; Control of changes; Targets for completion; Control of records and all requirements to meet ‘quality objectives’.]


Where materials are required to be moved they will be dispatched by courier or own transport. When carriers are used the product will be packed to specifications developed by the trade to ensure safe transit. Packages and containers will be marked to indicate contents and transit care requirements if necessary.

4.8 Associated Activities

There are a number of relationships which contribute to the activities of SMS plc:

The Gas Industry Regulator, OFGEM, who provides licenses to the Gas Shipper, Gas Supplier and Gas Transporter and also regulates the processes of SMS plc in its role as Meter Asset Manager.

The Gas Shipper, who arranges with the Transporter for the entry of gas into the Network.

The Gas Supplier, who arranges a contract with a Consumer for the supply of gas to that consumer.

The Transporter is the owner of the pipes who arranges contracts with the supplier for the transportation of gas around the network.

The Consumer (or their Agent) who contracts with the Supplier for the use of gas.

The Meter Asset Manager (MAM) who contracts with the gas supplier or the consumer (or their agent) for the provision and use of a gas meter for the registration of the use of gas.


[Figure: Gas industry relationships diagram. OFGEM regulates Suppliers, Shippers and Transporters; Gas Supplier (Domestic, Industrial & Commercial); Gas Shipper (Domestic, Industrial & Commercial); Gas Transporter (owner of pipe: gas mains and gas services); UK Meter Assets (a MAM); UK Data Management; UK Gas Connection; Gas Consumer (Domestic); Gas Consumer or Agent (Industrial & Commercial); SMS plc.]


PRM 06

PURCHASING

1.0 Introduction

To ensure that the quality of SMS plc products or services is maintained it is essential that products or services bought in are of a high standard. Suppliers will be selected on their ability to consistently meet SMS plc requirements.

2.0 Scope

All purchased products and services used by SMS plc fall within the scope of this procedure.

3.0 Responsibility

It is the responsibility of the Technical & Quality Manager to ensure that:

•  Suppliers are formally assessed to confirm that they can meet the Organisation’s requirements.
•  The requirements for purchased products or services are clearly defined.
•  Purchased products or services are inspected or checked.

4.0 Procedure

4.1 Supplier Approval

All suppliers of products or services are reviewed to ensure that they can meet the SMS plc requirements. This review includes (as appropriate):

•  Past history and performance.
•  Evaluation of a trial order, samples or activity.
•  Evidence of registration by a recognised authority.
•  On site assessment of their capability and quality system.
•  Comparative test results with the same or similar products.
•  Recommendation or references from other users.
•  100% product verification of all services/products supplied.
•  Financial viability.
•  The record of approved suppliers takes the form of a printed list of proven historical supply.
•  Supplier approval is reviewed at least once per year. This is based on their performance when meeting orders placed with them over the previous year. The results of the review are addressed at the Management Review.
•  Any problems must be investigated and where they cannot be resolved the supplier will no longer be used.

4.2 Purchasing

•  Items affecting Organisation products or services must be purchased from the Preferred Suppliers List.
•  Purchase orders must clearly define the product or service required. They will address:
•  Product or service required.
•  Any relevant standards or regulations that are applicable.
•  Delivery requirements.
•  Any documentation to be supplied. E.g. Certificates of conformity.
•  Price and payment details.
•  Purchase requirements will be detailed and recorded with purchase order number where applicable.
•  The supplier is required to supply to the specification, quantity and price as specified on the purchase order.

4.3 Verification/Inspection


All goods and services must be checked against the purchase order and where appropriate the delivery note. The purchase order or delivery note will be signed to confirm the product verification.

Any discrepancies will be resolved with the supplier. Any discrepancies must be recorded as part of the supplier assessment process.

Where verification is to be carried out at the suppliers’ premises, this will be arranged at the time of placing the order. This will not absolve the supplier of their responsibility to provide an acceptable product.


PRM 07 Measuring and Monitoring Equipment

1.0 Introduction

If equipment is used to check that the product meets the Customer’s requirements, then it needs to be properly controlled and maintained. It should be the correct equipment and be capable of making the required measurements to the specified accuracy. Where test software is used, it should be checked on commissioning and rechecked at specific intervals.

2.0 Scope

The scope is applicable to UK Gas Connection only. This procedure covers all product verification, product validation and measuring equipment owned by the Organisation, rented, on loan, owned by employees or provided by the Customer. It also covers test hardware and software.

3.0 Responsibility

It is the responsibility of the Technical & Quality Manager, where applicable, to:

•  Identify the measurement and tests to be carried out together with the accuracy required and the equipment to be used.
•  Ensure that all measuring, test and product verification equipment is identified, maintained, controlled, and checked or calibrated at defined intervals.
•  Ensure that test software is validated to ensure its capabilities and accuracy and is released in a controlled manner.
•  Maintain adequate records.

4.0 Procedure

•  Measuring and product validation equipment used throughout the organisation will be identified and logged.
•  Feeler gauges, steel rules and steel tapes will be subject to regular product verification by their owner and changed when deterioration is apparent.
•  All other measuring and product validation equipment will have a calibration record noting acceptance criteria, identification marking, location, checking frequency, calibration dates and results.
•  The method of calibration will be identified, e.g. by a calibration laboratory or in house against calibrated standards.
•  Equipment failing to meet the required standard must be identified for repair or discarded and the record amended.
•  New equipment will be checked or calibrated before issue and the calibration record prepared if necessary.
•  After completion of the calibration, the details will be amended on the calibration label on the equipment.
•  All measuring and product validation equipment, whether organisation or employee owned, will be stored in conditions to ensure accuracy and fitness for use.
•  Test software will be validated by senior management to ensure that it is capable of achieving the specified standard of accuracy and repeatability.
•  Existing software is approved on the basis of previous satisfactory performance.
•  Release of software including changes will be controlled.


[Figure: Internal Audits flowchart. Internal Audit Plan; Internal Audit carried out; During Audit identify non-compliance; Write Audit Report on QMF 05; Forward Audit Report onto relevant Department for action; Complete corrective action and write report on QMF 05; Forward to Department Head; Forward to Top Management; File Audit Report; Discuss Audit results at Management Review Meeting including any corrective and preventative action taken. Where no non-compliance is found: Write Audit Report on QMF 05; File Audit Report.]


PRM 08

CONTROL OF NON-CONFORMING PRODUCT (Quality) (ISO 9001:2008)

1.0 Introduction

In the event of defective or substandard work being produced, the nonconforming product or service needs to be identified and corrected to prevent potential customer complaints. The causes need to be reviewed to prevent recurrence, if possible.

2.0 Scope

This procedure addresses non-conforming products and services at all stages in SMS plc work process.

3.0 Responsibility

It is the responsibility of the following personnel to ensure that non-conformances are identified and corrected, the root causes are addressed and the necessary records are maintained.

Customer complaints – Head of Operations
Product/service non-conformances – Technical & Quality Manager
Quality system non-conformances – Technical & Quality Manager

4.0 Procedure

Routine product verification and monitoring at all stages in the work process should be aimed at identifying any nonconforming or defective products or services. All personnel must report non-conformances.

Non-conformances must be identified by labels and segregation. All nonconforming products or services must be dealt with promptly to prevent the deficiency becoming worse or affecting the Customer.

The non-conformance will be corrected by the most appropriate and cost effective method. Non-conformances must be recorded together with the action taken to correct them. They must be reviewed to allow identification of the root causes and trends.

Non-conforming product will be discussed at the Management Review Meeting.

PRM 09

CORRECTIVE AND PREVENTATIVE ACTION

1.0 Introduction

A documented procedure needs to be established and maintained to ensure that faulty products or services are identified and corrected. It is also important that causes of such faults are determined and that action is taken to reduce or eliminate the possibility of a recurrence.

2.0 Scope

This procedure details the method of dealing with corrective and preventative actions in order to correct or prevent non-conformance including customer complaints.

3.0 Responsibility

It is the responsibility of the following personnel to ensure that non-conformances and customer complaints are corrected or prevented from happening.

Customer complaints – Senior Management


Product/service non-conformances – Senior Management
Quality system non-conformances – Quality Representative

4.0 Procedure

4.1 General

When implementing corrective or preventative action, the amount of time and effort will take into account the significance of the problem. The potential impact on the product or service, the process, the customer and on safety will be evaluated.

Sources of information for corrective and preventative action will include customer complaints, non-conformance records, management review and other management system records, internal audits, customer satisfaction records and process measurements.

Corrective and preventative action and customer complaints will be addressed at the Management Review.

Records will be maintained to document the non-conformance or preventative action planned, the corrective or preventative action taken and the confirmation that it was effective.

4.2 Corrective Action

All non-conformances requiring corrective action must be clearly identified. The root cause of non-conformance must be determined and suitable corrective action will be planned and carried out to eliminate or reduce the cause.

Checks must be carried out to ensure that the corrective action was effective and has eliminated or reduced the risk of the non-conformance occurring again.

4.3 Customer Complaints

On receipt of a customer complaint the details must be recorded on the Customer Complaint form (QMF06). The form will then be allocated a reference and entered in the complaints register (QMF07).

4.4 Preventative Action All potential non-conformances requiring preventative action must be clearly identified.

The preventative action must be planned and carried out to remove or reduce the risk.Checks must be carried out to ensure that the preventative action was effective and haseliminated or reduced the risk of the potential non-conformance occurring.


PRM 10

MEASUREMENT AND IMPROVEMENT

1.0 Introduction

To ensure that high quality standards are maintained and improved, SMS plc monitors the work process to ensure the highest standards of customer satisfaction. Measurement is aimed at added value and benefit to the customer and SMS plc. This process involves all personnel.

2.0 Scope

The scope of this procedure includes:

•  Planning and control of all processes.
•  Collection and analysis of data and information.
•  Measurement of customer satisfaction and dissatisfaction.
•  Monitoring and improvement of process capability.
•  Continual improvement.

3.0 Responsibility

It is the responsibility of Top Management to ensure:

•  Procedures and initiatives are put in place to measure the SMS plc performance.
•  The quality management system is continually improved.
•  Customer satisfaction is measured and deficiencies addressed.

4.0 Procedure

4.1 General

The measurement and improvement process must be planned in the same way as other activities carried out by SMS plc. This will include:

•  Deciding what to address.
•  Setting priorities and objectives.
•  Deciding on the methods to be used.
•  Allocating resources, e.g. time and personnel.
•  Carrying out the measurements.
•  Analysing the results.
•  Communicating the results to the appropriate personnel such that they are clearly understood.
•  Implementing the appropriate action.
•  Checking that it was effective.

Other sources of information for the improvement process are covered in:

PRM 02 Management Review
PRM 07 Internal Audit
PRM 08 Control of Non-conformance
PRM 09 Corrective and Preventative Action

The main discussion point for this process will be the Management Review meeting.

4.2 Collection and analysis of data

In order to measure performance, a certain amount of data and information needs to be collected. This will address:


•  Meeting Customer requirements and measurement of Customer satisfaction and dissatisfaction.
•  Performance of suppliers.
•  Assessment of process and product characteristics and trends.

This includes reject rates, delivery problems, information on supplier performance, assessment of customer satisfaction and dissatisfaction, and data on process control such as down time and re-work.

SMS plc must decide what the data is needed for, any specific methodology to be used and the frequency of collection.

The aim will be to improve the efficiency and performance of SMS plc.

4.3 Customer satisfaction and dissatisfaction

Customer satisfaction and dissatisfaction will be measured to ensure that:

•  The product or service has the required characteristics.
•  The price is satisfactory.
•  The delivery process is satisfactory.
•  The customer feels they are receiving good value for money.

Customer satisfaction and dissatisfaction will be measured by:

•  Feedback from customers and complaints.
•  Feedback from the customer during sales and ordering activities.
•  Direct communication during the course of business.
•  Market trends.
•  Evaluation of the competition.
•  Questionnaires or surveys.
•  Analysis of repeat orders.
•  Returns and repairs.

The information obtained must be analysed and the appropriate action taken to improve customer satisfaction or eliminate the reason for dissatisfaction.

4.4 Monitoring the process

The work process must be monitored to ensure that it is effective and to identify areas for improvements, or savings, and should include review of equipment or new processes and monitoring achievement of targets, down time and reduction in costs.

4.5 Planning for continual improvement

The overall quality management system will be improved by:

•  Setting objectives.
•  Monitoring these by means of audits, analysis of corrective and preventative action and customer complaint information.
•  Evaluation of effectiveness of each process.
•  Taking the appropriate corrective action.

The improvement process will be reviewed and monitored at the Management Review.

New objectives will be set when the current objectives have been achieved.


ENVIRONMENTAL

Table of Amendment – Environmental Manual

Document Number   Page Number   Issue   Date   Description of Change   Authorisation


Aspects & Impacts

Introduction and Scope

Environmental impacts are identified, evaluated and registered, and the scope of this section is to cover all activity within the company that has an environmental aspect.

Responsibilities

Though the most senior manager in the company has the overall responsibility for the implementation of this procedure, the environmental representative must cover day to day operation and the maintenance of records of impacts.

Procedure

The environmental representative must develop and maintain the Impacts Record using the chart. High ratings must be considered significant.

The environmental impacts of all SMS plc activities are entered in the ‘Impact Records’ chart (high, medium, low) under the following main headings:

•  emissions to air
•  releases to water
•  waste management
•  contamination of land
•  impact on communities
•  use of raw materials and natural resources
•  other local environmental issues


All Employees review their impacts annually and inform the environmental representative of any changes.

The environmental representative, in conjunction with the relevant employee, is responsible for ensuring that agreed targets are met and appropriate procedures developed, and for reviewing new and modified projects.

Documentation

The Impacts Records must be maintained by the Environmental Representative until updated.

Targets & Objectives

Introduction and Scope

This procedure is to define new objectives and targets, and to review and update existing objectives and targets. Targets are quantifiable where possible and refer back to the environmental policy.

Responsibilities

The Environmental Representative is responsible for the implementation of this procedure.

Procedure

The Environmental Representative is responsible for annually coordinating the objectives and targets set out in the environmental procedures and ensuring that:-

•  Targets are set for reducing waste, water consumption, and energy use.
•  New procedures are introduced and impacts are better managed.
•  Targets are set for maintenance activities.
•  Friendly alternatives for hazardous materials are looked for.
•  Objectives and targets are set.

Additional objectives and target setting may be suggested by employees to the Environmental Representative, who must also be responsible for their evaluation and for developing and communicating appropriate documentation, e.g. incidents or new legislation.

The Environmental Representative is responsible for reviewing progress of implementation of targets at the Management meetings and defining corrective actions or modifying targets, if appropriate. The Environmental Representative is responsible for following up agreed corrective actions.

ENVIRONMENTAL TARGETS AND OBJECTIVES
FIRST YEAR RECORDINGS

Form EN 10

ACTIVITY         USAGE 2010   USAGE 2011   REDUCTION % TARGET   REDUCTION % ACTUAL
GAS
ELECTRIC
WATER
FUEL
GENERAL WASTE
INK/CARTRIDGES


The Environmental Representative must ensure that:-

Training is provided to employees and refresher courses given annually.
General awareness training is provided to all appropriate employees.
The training records are maintained and future needs are identified (e.g. refresher training, employee induction).
Changes in legislative requirements are communicated to staff as soon as practicable.

Documentation

All special waste shipments, where applicable, must be accompanied by a completed Transfer Note and, where necessary, a certificate of disposal must be kept on record.

Air Pollution Control/Objectives & Target

Introduction and Scope

To ensure that all atmospheric emissions, if discharged by SMS plc, are minimised and managed in a safe and correct manner in accordance with statutory and company requirements, and to promote continued improvement.

Responsibilities

The Environmental Representative will be responsible for ensuring compliance with this procedure and for monitoring, controlling and minimising atmospheric emissions, should they occur, other than emissions from the water heating.

Definitions

Atmospheric emissions comprise any discharge of pollutant to the air and include odours. Direct emissions are those emanating from process equipment/operations and are planned and routed through vents or chimneys etc. Fugitive emissions are those relating to discharges which escape from process equipment or containers and dissipate to atmosphere.

Procedures

Identification and Characterisation

All atmospheric emissions must be identified and characterised. This includes direct and fugitive emissions.

All emission points must be marked on a plan of the site and each point allocated a reference. Each emission point must be cross-referenced to the source and nature of the emission.


Monitoring of Emissions (where applicable)

Each atmospheric emission must be quantified on an annual service basis, and any variance must be rectified by the sub-contractors.

All emissions from the site must be managed so as to minimise quantities and/or environmental impact.

The Environmental Representative must also conduct periodic inspections of the facility to check that operating practices conform to controlling emissions.

Targets and Objectives

The Environmental Representative must report annually on emissions management performance, in terms of:

•  sources of emissions
•  types of emissions
•  quantities of emissions according to source and type
•  costs of managing emissions (e.g. monitoring and air pollution control equipment)
•  achievement of regulatory requirements.

Awareness and Training

The Environmental Representative must:-

•  Arrange comprehensive in-house training and annual refresher courses for all employees.
•  Arrange general awareness training for all appropriate employees.
•  Maintain training records and coordinate future needs.
•  Communicate changes in legislative requirements to employees as soon as practical.

Documentation

All monitoring, inspection and reporting records must be maintained properly and for the statutory length of time, as appropriate, by the Environmental Representative. Rationales for non-implementation of an emission reduction measure must also be maintained on file.

Water Pollution Control

Introduction and Scope

All wastewater discharged by SMS plc must be minimised and managed in a safe and correct manner in accordance with statutory and company requirements.

The site discharges non-contact washing and domestic water to the trade sewer and storm water run-off to the storm water sewers. This procedure manages both these wastewater discharges.

Responsibilities

The Environmental Representative must ensure compliance with this procedure, must have the overview management responsibility for monitoring, controlling and minimising wastewater discharges, and must be aware of the relevant procedures.

All Employees have responsibilities for day to day management of wastewater discharges and for ensuring that the correct disposal systems are used.

Procedures

Identification and Characterisation


All wastewater discharges must be identified and characterised. This includes storm water discharges. A drainage plan must be established and maintained which shows:

•  the route of all trade sewers and storm water sewers
•  referenced discharge points/surface drains to sewers

The destination of the trade and storm water sewers must also be identified and referenced on the plan.

Monitoring of Discharges

All discharges from the site must be managed so as to minimise quantities and/or environmental impact.

Ways of reducing discharges in both volume and contaminant loading must be identified by:

•  identifying alternative processes
•  implementing washing area awareness

Managing and Minimising Discharges

No chemicals (if used) are to be disposed of down surface water or sewer drains.
No hazardous materials are to be stored close to storm-water drains.
The water runs off into the sewer drains.

Inspections

The Environmental Representative must conduct monthly inspections of the facility to check that operating practices conform to controlling wastewater discharges.

Targets and Objectives

The Environmental Representative must set performance targets for controlling wastewater discharges based on regulatory requirements and on the need for continuous improvement.

These may comprise targets for reducing/eliminating a source process or material, or for reducing discharges by improved management or control of operations.

The Environmental Representative must report at the Management Review on wastewater discharge.

ENVIRONMENTAL TARGETS AND OBJECTIVES
FIRST YEAR RECORDINGS

Form EN 10

ACTIVITY         USAGE 2010   USAGE 2011   REDUCTION % TARGET   REDUCTION % ACTUAL
GAS
ELECTRIC
WATER
FUEL
GENERAL WASTE
INK/CARTRIDGES
PAPER USAGE

SMS plc will, in conjunction with its ‘Environmental Policy’ (targets & objectives), endeavour to establish a process of reduction for the above elements. The reduction shall be monitored and recorded annually and results filed for review.

Spill Response

Introduction and Objectives

To ensure that, in the event of a major spillage (where applicable), SMS plc is able to call upon suitably trained personnel and has in place procedures to prevent and mitigate the effects of the spillage on the environment.

If there is spillage of any type on the premises of SMS plc or on site, spillage action procedures are in place. Spill Kits are available for use by suitably trained personnel.

The Environmental Representative has overall responsibility for the implementation of this procedure.

In the event of spillage SMS plc will consider:

•  Disposal of contaminated materials afterwards by registered carrier.
•  Advising the Environmental Agency.
•  Possible disposal through foul sewer with the sewage undertaking's advice.
•  Fire fighting.

The Environmental Representative must be responsible for the development and monitoring of the spillage response and the posting of notices where applicable.

Definitions For OHSAS 18001

Scope

This Occupational Health and Safety Assessment Series (OHSAS) specification gives requirements for an occupational health and safety (OH&S) management system, to enable an organisation to control its OH&S risks and improve its performance. It does not state specific OH&S performance criteria, nor does it give detailed specifications for the design of a management system.

This OHSAS specification has assisted the organisation to:

a) Establish an OH&S management system to eliminate or minimize risk to employees and other interested parties who may be exposed to OH&S risks associated with its activities;
b) Implement, maintain and continually improve an OH&S management system;
c) Assure itself of its conformance with its stated OH&S policy;
d) Demonstrate such conformance to others;
e) Seek certification/registration of its OH&S management system by an external organisation;
f) Make a self-determination and declaration of conformance with this OHSAS specification.

This Health & Safety Manual covers the activities and functions performed by operations included in the scope.

Input to this Integrated System is based on the OHSAS 18001:2007 Management System.

This OHSAS specification is intended to address occupational health and safety rather than product and services safety.

Reference publications

Other publications that provide information or guidance are available from HSE Books. It is advisable that the latest editions of such publications be consulted.

3.0 Terms and definitions

For the purposes of this OHSAS specification the following terms and definitions apply.

3.1 Acceptable risk

Risk that has been reduced to a level that can be tolerated by the organisation having regard to its legal obligations and its own OH&S Policy.

3.2 Audit

Systematic, independent and documented process for obtaining “audit evidence” and evaluating it objectively to determine the extent to which “audit criteria” are fulfilled.

Note: Independent does not necessarily mean external to the organisation. In many cases, particularly in smaller organisations, independence can be demonstrated by the freedom from responsibility for the activity being audited.

Further guidance on audit evidence and audit criteria can be found in ISO 19011.

3.3 Accident

An undesired, unplanned event giving rise to death, ill health, injury, damage or other loss.

3.4 Continual improvement

A process of enhancing the OH&S management system, to achieve improvements in overall occupational health and safety performance, in line with the organisation’s OH&S policy.

3.5 Corrective Action

Action to eliminate the cause of a detected nonconformity or other undesirable situation.

Note: There can be more than one cause for nonconformity.
Note: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.

3.6 Document


Information and its supporting medium.

Note: The medium can be paper, magnetic, electronic or optical computer disc, photograph or master sample, or a combination thereof.

3.7 Hazard

A source or situation, or act with a potential for harm in terms of human injury or ill health, damage to property, damage to the workplace environment, or a combination of any of these.

3.8 Hazard identification

A process of recognizing that a hazard exists and defining its characteristics.

3.9 Ill Health

Identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work related situation.

3.10 Incident

A work related event(s) in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred.

Note: An accident is an incident which has given rise to injury, ill health or fatality.
Note: An incident where no ill health, injury, or fatality occurs may also be referred to as a “near-miss”, “near-hit”, “close call” or “dangerous occurrence”.
Note: An emergency situation is a particular type of incident.

3.11 Interested parties

An individual or group inside or outside the workplace concerned with or affected by the OH&S performance of an organisation.

3.12 Non-conformity

Non-fulfilment of a requirement.

Note: Nonconformity can be any deviation from:

•  Relevant work standards, practices, procedures, legal requirements, etc.
•  OH&S management system requirements.

3.13 Occupational health and safety (OH&S)

The conditions and factors that affect, or could affect, the health and safety of employees, or other workers (including temporary workers, contractor personnel), visitors and any other person in the workplace.

Note: Organisations can be subject to legal requirements for the health and safety of persons beyond the immediate workplace, or who are exposed to the workplace activities.

3.14 OH&S management system

Part of an organisation’s management system used to develop and implement its OH&S policy and to manage its OH&S risks.

Note: A management system is a set of interrelated elements used to establish policy and objectives and to achieve those objectives.
Note: A management system includes organisational structure, planning activities (including for example risk assessment and the setting of objectives), responsibilities, practices, procedures, processes and resources.

3.15 OH&S Objective

These are goals, in terms of OH&S performance, that an organisation sets itself to achieve.

Note: Objectives should be quantified wherever practicable.
Note: 4.3.3 requires that OH&S objectives are consistent with the OH&S policy.

3.16 OH&S performance

Measurable results of an organisation’s management of its OH&S risks.

Note: OH&S performance measurement includes measuring the effectiveness of the organisation’s controls.
Note: In the context of OH&S management systems, results can also be measured against the organisation’s OH&S policy, OH&S objectives and other OH&S performance requirements.

3.17 OH&S policy


Overall intentions and direction of an organisation related to its OH&S objectives, as formally expressed by top management.

Note: The OH&S policy provides a framework for action and for the setting of OH&S objectives.

3.18 Organisation

A company, corporation, operation, firm, enterprise, institution, authority or association, or part or combination thereof, whether incorporated or not, public or private, that has its own functions and administration.

3.19 Preventive Action

The action to eliminate the cause of a potential nonconformity or other undesirable potential situation.

Note: There can be more than one cause for a potential nonconformity.
Note: Preventive action is taken to prevent occurrence, whereas corrective action is taken to prevent recurrence.

3.20 Procedure

A specified way to carry out an activity or a process.

3.21 Record

A document stating results achieved or providing evidence of activities performed.

3.22 Risk

A combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s).

3.23 Risk assessment

The overall process of evaluating the risk(s) from a hazard(s), taking into account the adequacy of any existing controls and deciding whether or not the risk(s) is acceptable.

3.24 Safety

Freedom from unacceptable risk of harm.

3.25 Workplace

Any physical location in which work related activities are performed under the control of the organisation.

Note: When giving consideration to what constitutes a workplace, the organisation should take into account the OH&S effects on personnel who are, for example, travelling or in transit (e.g. driving, flying, on boats and trains), working at the premises of a client or customer, or working at home.

Table of AMENDMENTS

Document Number   Page Number   Issue   Date   Description of Change   Authorisation


Accidents & Incidents

1. Introduction and Scope

The organisation ensures that all safety measures and risks that affect the workplace are fully understood and that the workforce are fully aware of Health & Safety legislative requirements and compliance, to reduce accidents, incidents and hazards at all times.

2. Responsibilities

The Health & Safety representative and the Management Appointee have overall responsibility for the implementation of this procedure.

3. Procedure

The Organisation has established and maintained procedures for defining responsibility and authority for:-

a)  The handling and investigation of:
•  Accidents;
•  Incidents;
•  Non-conformances.
b)  Taking action to mitigate any consequences arising from accidents, incidents or non-conformances;
c)  The initiation and completion of corrective and preventive actions;
d)  Confirmation of the effectiveness of corrective and preventive actions taken.

These procedures require that all proposed corrective and preventive actions shall be reviewed through the risk assessment process prior to implementation.


Any corrective or preventive action taken to eliminate the causes of actual and potential non-conformances shall be appropriate to the magnitude of problems and commensurate with the OH&S risk encountered.

The Organisation shall implement and record any changes in the documented procedures resulting from corrective and preventive action.

4. Process

The organisation has prepared documented procedures to ensure that accidents, incidents and non-conformances are investigated and corrective and/or preventive actions initiated.

Progress in the completion of corrective and preventive actions should be monitored and the effectiveness of such actions reviewed.

5. Procedures

The procedures should include consideration of the following items:-

•  define the responsibilities and authority of the persons involved in implementing, reporting, investigating, follow-up and monitoring of corrective and preventive actions;
•  require that all non-conformances, accidents, incidents and hazards be reported;
•  apply to all personnel (i.e. employees, temporary workers, contractor personnel, visitors and any other person in the work place);
•  take into account property damage;
•  ensure that no employee suffers any hardship as a result of reporting a non-conformance, accident or incident;
•  clearly define the course of action to be taken following non-conformances identified in the OH&S management system.

6. Immediate action

Immediate action to be taken upon observation of non-conformances, accidents, incidents or hazards should be known to all parties. The procedures should:-

•  Define the process for notification;
•  Where appropriate, include co-ordination with emergency plans and procedures;
•  Define the scale of investigative effort in relation to the potential or actual harm (e.g. include management in the investigation for serious accidents).

7. Recording

Appropriate means should be used to record the factual information and the results of the immediate investigation and the subsequent detailed investigation. The Organisation should ensure that the procedures are followed for:-

Recording the details of the non-conformance, accident or hazard;
Defining where the records are to be stored and responsibility for the storage.

8. Investigation

The procedures define how the investigation process should be handled. The procedures should identify:-

•  The type of events to be investigated (e.g. incidents that could have led to serious harm);
•  The purpose of investigations;
•  Who is to investigate, the authority of the investigators, required qualifications (including line management when appropriate);
•  The root cause of non-conformance;
•  Arrangements for witness interviews;
•  Practical issues such as availability of cameras and storage of evidence;
•  Investigation reporting arrangements including statutory reporting requirements.


Investigatory personnel should begin their preliminary analysis of the facts while furtherinformation is collected. Data collection and analysis should continue until an adequate andsufficiently comprehensive explanation is obtained.

9. Follow-upCorrective or preventive action taken as permanently and effectively as practicable. Checks

should be made on the effectiveness of corrective/preventive action taken. Outstanding/overdueactions should be reported to top management at the earliest opportunity.

10.Non-conformance, accident and incident analysisIdentified causes of non-conformances, accidents and incidents should be classified and

analysed on a regular basis. Accident frequency and severity ratings should becalculated in accordance with accepted industrial practice for comparison purposes.Classification and analysis should be carried out of the following items:-

•  Reportable or lost-time injury/illness frequency or severity rates;•  Location, injury type, body part, activity involved, agency involved, day, time of day

(whichever is appropriate);

•  Type and amount of property damage;•  Direct and root causes.

Due attention should be given to accidents involving property damage. Records relating to repair of property could be an indicator of damage caused by an unreported accident/incident.

Accident and illness data/information are vital as they can be a direct indicator of OH&S performance. However, caution in their use should be exercised as the following points need to be considered:
•  Most Organisations have too few injury accidents or cases of work-related illness to distinguish real trends from random effects;
•  If more work is done by the same number of people in the same time, increased workload alone can account for an increase in accident rates;
•  The length of absence from work attributed to injury or work-related illness can be influenced by factors other than the severity of injury or occupational illness;
•  Accidents are often under-reported (and occasionally over-reported). Levels of reporting can change. They can improve as a result of increased workforce awareness and better reporting and recording systems;
•  A time delay will occur between OH&S management system failures and harmful effects. Moreover, many occupational diseases have long latent periods. It is not desirable to wait for harm to occur before judging whether OH&S management systems are working.

Valid conclusions are drawn and corrective action taken. At least annually, this analysis is circulated to top management and included in the management review.

Monitoring and communicating results
The effectiveness of OH&S investigations and reporting is assessed. The assessment will be objective and will yield a quantitative result if possible. The Organisation, having studied the investigation, will:-
•  Identify the root causes of deficiencies in the OH&S management system and general management of the Organisation where applicable;
•  Communicate findings and recommendations to management and relevant interested parties;
•  Include relevant findings and recommendations from investigations.


Participation, Communication and Consultation
1. Introduction and Scope
This procedure is to ensure that pertinent new information is communicated to and from employees and all other interested parties.
2. Responsibilities
The Health & Safety Representative is responsible for the implementation of this procedure.
3. Procedure
Employee involvement and consultation arrangements shall be documented and interested parties informed. Employees will be:
•  Involved in the development and review of policies and procedures to manage risks;
•  Consulted where there are any changes that affect workplace health and safety;
•  Represented on health and safety matters; and
•  Informed as to who is their employee OH&S representative(s) and specified management attendee.
4. Intent
The Organisation encourages participation in good OH&S practices and support for its OH&S policy and OH&S objectives from all those affected by its operations by a process of consultation and communication.
5. Typical Inputs
Typical inputs include the following items:
•  OH&S policy and OH&S objectives;
•  relevant OH&S management system documentation;
•  hazard identification, risk assessment and risk control procedures;
•  definitions of OH&S roles and responsibilities;
•  results of formal employee OH&S consultations with management;
•  information from employee OH&S consultations, review and improvement activities in the workplace (these activities can be either reactive or proactive in nature).
6. Process
The Organisation documents and promotes the arrangements by which it consults on and communicates pertinent OH&S information to and from its employees and other interested parties (e.g. contractors, visitors). This includes arrangements to involve employees in the following processes:-
•  consultation over the development and review of policies, the development and review of OH&S objectives and decisions on the implementation of processes and procedures to manage risks, including the carrying out of hazard identification and in reviewing risk assessments and risk controls relevant to their own activities;
•  consultation over changes affecting workplace OH&S such as the introduction of new or modified equipment, materials, chemicals, technologies, processes, procedures or work patterns.
Employees are represented on OH&S matters and are informed as to who is their employee representative and the specified management appointee.
7. Typical Outputs
•  Formal management and employee consultations through OH&S committee and similar bodies;


•  Employee involvement in hazard identification, risk assessment and risk control;
•  Initiatives to encourage employee OH&S consultations, review and improvement activities in the workplace and feedback to management on OH&S issues;
•  Notice board and poster information;
•  Employee OH&S representatives with defined roles and communication mechanisms with management, including, for example, involvement in accident and incident investigations, site OH&S inspections etc.

Purchasing and Sub-contractor Control

1. Introduction and Scope
A system of instructions is needed for specifying Health & Safety requirements for purchased products and services and for evaluating and monitoring suppliers and sub-contractors.
2. Responsibilities
The Health & Safety Representative must identify purchased products and services associated with significant Health & Safety aspects and with Health & Safety objectives and targets, and the purchasing officer must evaluate the supplier’s ability to meet these requirements.
3. Procedure
The Health & Safety representative must develop and maintain the Accidents/Incidents records. High ratings must be considered significant. The Health & Safety requirements may be:-
•  An OH&S policy from the supplier;
•  Material safety data sheets;
•  Chemical analysis reports;
•  Specific life cycle elements;
•  Packaging requirements;
•  Performance and reliability requirements;
•  Recycling considerations.

The purchasing Officer must ensure that all specified Health & Safety requirements are included in the purchase order or contract. When a product or service is seen not to meet its Health & Safety specification it will be reported to the Health & Safety representative, who will evaluate the problem and, if necessary, report using the appropriate documentation. In the case of a failure to meet the company specification, the non-conformance will be completed and processed through the corrective and preventive action procedure.

Risk Assessment - Hazard Control

1. Introduction and Scope
The OHSAS requires that Health & Safety impacts are identified, evaluated and registered, and the scope of this section is to cover all activity within the company that has a Health & Safety system. (A risk is an element of the Organisation’s activities, products or services which can interact with the safe working systems.)
2. Responsibilities
Though the most senior manager in the company has the overall responsibility for the implementation of this procedure, the Health & Safety representative must cover day to day operation and the maintenance of records of impacts.
3. Procedure
Intent
The Organisation has a total appreciation of all significant OH&S hazards in its domain, after using the processes of hazard identification, risk assessment and risk control.


The hazard identification, risk assessment and risk control processes and their outputs are the basis of the whole OH&S system. It is important that the links between the hazard identification, risk assessment and risk control processes and the other elements of the OH&S Management System are clearly established and apparent.
4. Risk Assessment and Risk Control
The hazard identification, risk assessment and risk control processes enable the Organisation to identify, evaluate and control its OH&S risks on an ongoing basis. In all cases, consideration is given to normal and abnormal operations within the Organisation and to potential emergency conditions.

The Organisation has included (but not limited itself to) the following items:
•  Legislative and regulatory requirements;
•  Identification of OH&S risks faced by the Organisation;
•  An examination of all existing OH&S management practices, processes and procedures;
•  An evaluation of feedback from the investigation of previous incidents, accidents and emergencies.


5. Typical Inputs (include the following items):-
•  OH&S legal and other requirements;
•  OH&S policy;
•  Records of incidents and accidents;
•  Non-conformances;
•  OH&S Management System audit results;
•  Communications from employees and other interested parties;
•  Information from employee OH&S consultations, review and improvement activities in the workplace (these activities can be either reactive or proactive in nature);
•  Information on best practice, typical hazards related to the Organisation, incidents and accidents having occurred in similar Organisations;
•  Details of change control procedures;
•  Site plans;
•  Process flow charts;
•  Inventory of hazardous materials (raw materials, chemicals, wastes, products and sub-products);
•  Toxicology and other COSHH data;
•  Monitoring data;
•  Workplace environmental data.

6. Review of Hazard Identification, Risk Assessment and Risk Controls
•  Provision for the classification of risks and identification of those that are to be eliminated or controlled;
•  Consistency with operating experience and the capabilities of risk control measures employed;
•  Provision of input into the determination of facility requirements, identification of training needs and/or development of operational controls;
•  Provision for the monitoring of required actions to ensure both the effectiveness and timeliness of their implementation;
•  Nature of the hazard;
•  Magnitude of the risk;
•  Changes from normal operation;
•  Changes in raw materials, chemicals etc.
Typical outputs:
•  Level of risk, tolerable or not tolerable;
•  Measures and monitoring to control the risk;
•  Actions to monitor and reduce the risk;
•  Training requirements to implement control measures;
•  Data recording as generated.

Emergency Preparedness & Response

Introduction and Objectives


To ensure that the site minimises risk, injury and damage in the event of an emergency. Fire is the major identified effect and is therefore the focus of this procedure.

Responsibilities
2.1 The Health & Safety Representative/Competent person has overall responsibility for the implementation of this procedure.
2.2 The Managing Director has the ultimate responsibility for the entire Organisation’s Health & Safety, both staff and the company’s premises.
2.3 The Safety Representative/Competent person is to ensure a fire safety plan is drawn up.

Procedure
To ensure that the Organisation is able to respond in the case of a fire it reviews the potential for such an occurrence and the most appropriate actions to take. To determine if these actions are appropriate and understood they are tested from time to time.

Process
The following precautions shall be instigated in order to reduce the risk of uncontrolled fires:-
•  Suitable fire extinguishers shall be stationed in Offices, Stores and Canteens etc., in positions where they can be easily seen and reached. The position of fire extinguishers shall be clearly indicated with appropriate signs.
•  Consideration shall be given to the type of extinguisher issued, bearing in mind the most likely use to which it may be put.

For example:-
WATER TYPE EXTINGUISHERS - general use on materials where no special risks are involved. NOT to be used on live electrical or flammable liquid fires.
FOAM TYPE EXTINGUISHERS - suitable for flammable liquids but NOT to be used on live electrical fires.
DRY POWDER EXTINGUISHERS - suitable for most materials including live electrical and flammable liquid fires.
CARBON DIOXIDE EXTINGUISHERS - suitable for most materials including live electrical and flammable liquid fires. It should be noted that carbon dioxide expels the oxygen and therefore in small confined spaces there is a risk of asphyxiation. In addition, when these extinguishers are used in the open air their effectiveness can be reduced if the weather conditions are windy.

Where any process being carried out involves a special risk of fire, e.g. hot work, then suitable extinguishers shall be stationed nearby. All extinguishers shall be regularly checked and re-charged as necessary. Access routes, stairwells and Fire Exits must be kept clear of rubbish and obstructions.
In areas where a special risk of fire exists, i.e. gas bottle stores, paint stores, fuel delivery areas and fuel stores etc., suitable warning signs designating them as "NO SMOKING AREAS" must be displayed.
Fire points with suitable extinguishers and signs to indicate their position will be provided to protect the structure from fire risks. Employees will not place themselves at risk by fighting fires and shall only tackle fires that pose them no direct risk.
Special care shall be taken to ensure that the passive fire protection arrangements for premises are not breached by our works. For example, fire doors will not be wedged or propped open.
Where necessary to ensure the safety of persons on site, emergency exit routes to a safe location shall be established and clearly signposted.

5.0 Fire Drills And Fire Alarms


The Organisation has effective measures to warn personnel in the event of fires. Alarms will be regularly maintained and tested at intervals no greater than 3 months and a record of these kept.
The Safety Representative/Competent person will appoint fire marshals who will take charge in the event of an outbreak of fire or during fire drills. Marshals will receive training.
Fire notices shall be posted on notice boards to instruct staff on the measures to be taken in the event of fire.
Designated assembly points in suitable locations will be provided and indicated with signs. Employees shall be advised which is their appropriate assembly point to attend in the event of fire.
Full evacuation fire drills should be conducted once, preferably twice, per year.


Objectives and Targets

1. Introduction

The Organisation has established and maintained documented occupational Health & Safety objectives at each relevant function and level within the Organisation. Objectives should be quantified wherever practicable.

When establishing and reviewing its objectives, the Organisation has considered its legal and other requirements, its OH&S hazards and risks, its technological options, its financial, operational and business requirements and the views of interested parties. The objectives are consistent with the OH&S policy, including the commitment to continual improvement.
It is necessary to ensure that, throughout the Organisation, measurable OH&S objectives are established to enable the OH&S policy to be achieved.

2. Typical Inputs
Typical inputs include the following items:-
•  Policy and objectives relevant to the Organisation’s business as a whole;
•  Results of hazard identification, risk assessment and risk control;
•  Legal and other requirements;
•  Technological options;
•  Financial, operational and business requirements;
•  Views of employees and interested parties;
•  Information from employee OH&S consultations, reviews and improvement;
•  Activities in the workplace (these activities can be either reactive or proactive in nature);
•  Analysis of performance against previously established OH&S objectives;
•  Past records of OH&S non-conformances, accidents, incidents and property damage;
•  Results of the management review.

3. Process
Using information or data from the “Typical Inputs” described above, appropriate levels of OH&S objectives are set.
During the establishment of OH&S objectives, particular regard should be given to information or data from those most likely to be affected by individual OH&S objectives, as this assists in ensuring that they are reasonable and more widely accepted. It is also useful to consider information or data from sources external to the Organisation, e.g. from contractors or other interested parties.
Meetings by the appropriate levels of management for the establishment of OH&S objectives are held regularly (at least on an annual basis).

The OH&S objectives will address both broad corporate OH&S issues and OH&S issues that are specific to individual functions and levels within the Organisation.

There should be clear links between the various levels of goals and OH&S objectives. Examples of types of OH&S objectives include:
•  The introduction of additional features into the OH&S management system;
•  The steps taken to improve existing features, or the consistency of their application.
The OH&S objectives should be communicated (e.g. via training or group briefing sessions) to relevant personnel and be deployed through the OH&S management programme.
Typical outputs include documented, measurable OH&S objectives for each function in the Organisation.


Operational Control and Calibration
1. Introduction and Scope
A system of instructions is needed for specifying operations associated with significant Health & Safety aspects, to assign responsibilities and provide systems for their control.

2. Responsibilities
The Health & Safety representative must identify operational activity associated with significant Health & Safety risks and with Health & Safety objectives and targets, and the operation’s supervisors must ensure that these requirements are carried out as specified.
3. Procedure
The Health & Safety representative must develop and maintain a Risk Assessment Record. High ratings must be considered significant. The supervisors responsible for operational areas and activities will evaluate the need for controls and consider the following:-
•  Legal and regulatory needs;
•  Any history of Health & Safety incidents;
•  Impact of the Organisation’s Health & Safety policy;
•  Potential severity of Health & Safety impacts that may arise;
•  Use of available technology;
•  Balancing the control of impact on productivity and cost.

Where the absence of written work instructions may lead to deviation from the Health & Safety policy, they should be in written form. The work instructions need not be issued and controlled as a part of the Health & Safety Management System when adequate written control is available in other areas such as departmental or Health & Safety management systems. The maintenance of equipment and systems associated with significant risk is considered and must be implemented where it is not covered by other departmental or Health & Safety management systems.


Information Security

ISM 01 Organisational Security

ISM 02 Assets Classification & Control

ISM 03 Personnel Security

ISM 04 Physical & Environmental Security

ISM 05 Access Control

ISM 06 Acquisitions, Development & Maintenance.

ISM 07 Incident Management

ISM 08 Compliance


Information Security Master Forms Register

Number  Standard Operating Procedure  Title

Document Register
Asset Register
Statement of Applicability
Information Security Training Record
Information Security Skills Matrix
Visitor Log
Feedback / Incoming Communications Action Form
Information Security Internal Audit Programme
Information Security Internal Audit Report
Information Security Management Review Meeting Report
Competent Person Register
Competent Person Detail Sheet
Information Processing Equipment Problems, Maintenance & Repair Record
Email and Internet Employee Policy
Password Security Policy
Confidentiality Agreement
System Fault, Security Incident & Software Malfunction Log
Software Register
Mobile Computing Policy
Network Activity Log
Information Security Legislation (UK)
Feedback / Incoming Communications Action Log
Non-Disclosure Agreement
IT Infrastructure Schematic
System Vulnerability Log
Disaster Recovery Plan
Confidentiality Agreement (Employee)
Server Maintenance Policy
Disciplinary Procedure - Contract of Employment
Contract of Employment
Data Protection Registration
Physical Security Perimeter Schematic
Backup, Anti Virus, Spyware Routines


Organisational Security ISM 01

Introduction

A management framework needs to be established to manage and control the implementation of information security within the Organisation.

Scope
The Organisation should produce and maintain adequate documentation to establish, and provide appropriate management to control, information security within the organisation. Specialist advice should be available when required and external contacts developed to ensure the Organisation is up to date with information security practices, and a multi-disciplined approach should be used when circumstances require it.

Responsibility
It is the responsibility of the Information Security Management Representative to ensure:
•  the Information Security Management System is adequately managed;
•  documents are properly controlled and approved and are readily available to those personnel that need to use them;
•  specialist advice is available through the competent person(s) when required;
•  a multi-disciplined approach is adopted where significant benefits can be achieved.

Procedure
The objective is to manage information security within the organisation. Where the organisation believes that input to a specific project would benefit from the establishment of a multi-disciplined forum, it will convene a forum under the responsibility of a chairman.
However, it is the firm belief of the Senior Management that this requirement would not be of value in the organisation at its present size and level of staffing and activity, except for the formal Information Security Management Review Meetings. The situation will be reviewed as activity and staffing levels grow.

Specialist Advice
To meet its requirement to provide specialist advice when required, the organisation will identify a Competent Person to provide this service, and contact will be made through the Information Security Management Representative. Initial contact may be made verbally, but the details of the request for advice, and the response, will always be confirmed in writing.
There may be more than one Competent Person identified at any one time, where differing specialities are required. A Competent Person may be a member of the organisation’s own staff, or the resource may be obtained from an external source.

Information security co-ordination
In the event of the organisation’s interests being best served by the formation of a management forum, other than that convened for the formal Management Review Meetings, a detailed specification for its terms of reference will be developed.

Allocation of responsibilities


Responsibilities will be clearly defined for the protection of individual information security assets as required in the Information Security Policy. Additional requirements for specific situations may be added and may include business continuity planning.
The overall responsibility for development and implementation of the information security management system rests with the Information Security Management Representative, but this is not intended to take control of resourcing and implementing the agreed Information Security Controls away from individual functional managers.

Areas of responsibility for each functional manager are specified with consideration given to:
•  clear identification of each information asset and its allocation to an individual;
•  documentation of each asset and who is responsible for it;
•  authorisation levels being clearly defined.

Authorisation process for information processing facilities
New facilities will be approved by Top Management and all relevant information security policies and requirements will be checked by the Information Security Representative.
Compatibility checks will be undertaken where necessary, and personal information processing will require authorisation and will be kept under strict control.

Co-operation between organisations
The organisation has established channels to appropriate external legal authorities, regulatory bodies, information service providers and telecommunications operators to enable rapid resolution of security incidents. Confidentiality is protected in all these dealings.

Independent review of information security
Policy documents will be reviewed at least annually by internal audit procedures, and an independent third party audit will be conducted and reported on at least annually.

External parties
The objective is to maintain the security of the company’s information and information processing systems where they are accessed, processed, communicated to, or managed by external parties. When the organisation requires third party access to its information processing facilities there are potential threats to security. Procedures must be put in place to protect against these threats.
The Organisation will control access to its information processing facilities through its established risk assessment procedures, and these Controls will be agreed and defined in contractual form with each applicable third party.
It is the responsibility of the Information Security Representative to ensure that the contract is agreed and signed by both parties before access to the facility is permitted. Details within the contract should be checked by Top Management, and control of on-site contractors may be delegated to an identified manager.

Identification of risks from third party access
The type of access will be defined as either physical access to premises or logical access to databases or information systems.
The reason for access permission will be defined, including off-site contractors supplying a service, which may present an information security threat. Such reasons may include:
•  hardware & software support staff;


 Assets Classification & Control ISM 02

Introduction

The organisation’s information assets need to be protected and, in order to achieve this, an asset register has to be compiled and used as a basis for classification. ‘Owners’ need to be allocated to key assets for maintenance and control.

Scope
All information assets need to be reviewed and the significant items need to be identified and subjected to the organisation’s risk assessment procedures. This applies to assets within the organisation and to those with subcontractors and outsourced processors.

Responsibility
It is the responsibility of Top Management to:
•  ensure that the asset register is completed;
•  approve the Asset Register and the Classification levels applied.
It is the responsibility of the Information Security Representative to:
•  ensure that the classification exercise and risk assessment follow the process as laid out in the organisation’s procedures.

Responsibility for assets
The objective is to achieve and maintain appropriate protection of the company’s information assets.

Inventory of assets
The Information Security Management Representative will liaise with all Functional Managers to ensure an Asset Register is generated with a complete inventory of information assets. Information assets include:
•  items such as databases, data files, system documentation, user manuals, training course material, operation and support material, continuity plans, fallback arrangements, archive information;
•  software assets such as applications software, system software, development tools and utilities;
•  physical assets such as computers (laptops, modems, monitors, processors etc.), communications equipment (routers, PABXs, faxes, answer machines etc.), magnetic media, furniture, accommodation, power supplies, air conditioning units.
Each entry on the Asset Register will be allocated a unique Asset Register Number made up of the Category Item Number with a numeric extension for each asset in the Category.

Ownership of assets
For each information asset identified, the Information Security Management Representative will ensure an owner is designated and recorded against the entry on the Asset Register.
The term “owner” will identify an individual or entity that has been given approved management responsibility for controlling the production, development, maintenance, use and security of an asset.
If the name of the owner does not clearly define the location of the asset, this will also be noted in the entry.


Acceptable use of assets

The company has established rules for the acceptable use of information assets and these will apply to employees, contractors and third parties.

Acceptable use rules cover:

•  emails;
•  internet usage;
•  mobile devices, such as laptops, PDAs, and telephones.

Information classification
The objective is to ensure that information receives an appropriate level of protection.

Classification guidelines

Asset Classification provides a means of determining how information is to be handled and protected after taking into account business needs for sharing and restricting the information. Information outputs may be classified according to value, sensitivity, integrity and availability.

Consideration will be given to “over classification” and an understanding that the value of information can change with time, for example when it is made public. The number of categories will be limited to three to avoid uneconomic and unenforceable controls and a clear nomenclature will be used to prevent confusion with other classification systems.

The Classification definition of each item of information will rest with the nominated owner and will be checked by the Information Security Management Representative and approved by Top Management.

Information asset classification levels
An extension to the Asset Number, as appropriate to the type of asset, will be used to define the sensitivity level of the information itself:

•  First Level: highly Confidential & restricted to top level management;
•  Second Level: restricted & available only to senior and specified management;
•  Third Level: private & will cover everything else that has value and will be accessible to Company personnel.

Information labelling and handling

Information will be labelled in accordance with the appropriate procedure and the following types of information processing activity are included:

•  copying;
•  storage;
•  transmission by fax, post and electronic mail;
•  transmission by spoken word, mobile phone, voicemail and answering machines;
•  destruction.

Documentation and inputs to classified information systems will carry the applicable designated Classification Level and examples would include printed reports, screen displays, recorded media (tapes, discs, CDs, cassettes), electronic messages and file transfers.

Where possible, physical labelling will be used but it is acceptable to use electronic labelling when physical labelling is clearly not possible.


Personnel Security ISM 03

Introduction
There is the need to reduce the risk of human error, theft, fraud or misuse of facilities. To minimise the prospects of such occurrences, security screening is introduced at the recruitment or procurement stage and requirements are included in contracts.

Scope
All personnel and third parties with access to information security assets will be screened at the recruitment or procurement stage and required to sign confidentiality and / or non-disclosure agreements as appropriate.

Responsibility
It is the responsibility of Top Management to:

•  ensure that clear controls are in place for the recruitment of employees and other third party users such as contractors or temporary staff;
•  sign, on behalf of the Company, all contracts generated;
•  ensure that the contracted requirements are observed.

Security in job definition and resourcing
The objective is to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Including security in job responsibilities
All security roles and responsibilities are documented as laid down in the organisation’s Information Security Policy. The specification will include general and specific requirements.

Personnel screening and policy
Prior to confirming an appointment of a job applicant, the following controls will be introduced:

•  satisfactory character references, normally at least one business and one personal;
•  check on the applicant’s CV, and all other documentation in the application form and supporting documentation, for completeness and accuracy;
•  confirmation of academic and professional qualifications where information security risk analysis requires it;
•  independent identity check (passport or similar document);
•  credit check where appropriate.

The same process will be required for contractors or temporary staff and where an agency is involved, they should be made aware of the need to follow these procedures and the results will need to be reviewed.

The levels of supervision required for new staff should be determined and a continual awareness is encouraged of changes in the lifestyle and personal circumstances of employees.

Terms and conditions of employment
Terms and conditions of employment will state the employee’s responsibility for information security and will define the period of cover on termination of employment including action to be taken if the security requirements are disregarded.


During employment
The objective is to ensure that all employees, contractors and third party users are:

•  aware of information security threats and concerns;
•  aware of their responsibilities and liabilities;
•  equipped to support the company’s Information Security Policy in the course of their normal work;
•  aware of the need to reduce the risk of human error.

Users of information will be made aware of threats and concerns and be equipped to support the organisation in the fulfilment of its security policy.

Management responsibilities
Top Management and senior management will have the overall responsibility to ensure employees, contractors and third party users of the company’s information and information processing systems are aware of the company’s information security policies and procedures.

Information security awareness, education and training

All employees, and contractors or third party users where relevant, will receive appropriate training and updates in security requirements, legal responsibilities, and business controls. They will also be formally trained in the correct use of information processing facilities such as log on and use of software packages before access is granted.

Disciplinary process
There is a formal disciplinary process in place and noted in the contract of employment for employees who violate the organisation’s information security policies.

Termination or change of employment
The objective is to ensure that employees, contractors, and third party users leave the company or change employment in an orderly manner.

Termination responsibilities

Top Management, in consultation with the applicable manager or supervisor, will ensure that all termination aspects of an employment contract have been complied with, including hand over of responsibilities and ongoing assignments.

Top Management will liaise with the representatives of a contractor or other third party user of the company’s systems to ensure that all termination aspects of a service or other contract have been complied with.

All termination requirements will be satisfactorily completed prior to the individuals finally leaving the company, or will be the subject of a separate formal agreement.

Return of assets
Prior to leaving the company, all assets owned by the company will be returned upon termination of employment or contract.

Assets will include:

•  financial, such as credit cards;
•  human resource and fixed assets, such as cars etc.

The termination interview will include coverage of all the above asset classifications, particularly with regard to documentation containing classified information.


Top Management will ensure a risk assessment is performed prior to the completion of the termination action to identify any knowledge that should be retained and to plan methods for retaining it, particularly in the case of someone being unwillingly terminated.


Physical & Environmental Security ISM 04

Introduction
Unauthorised access to the organisation’s premises may result in information and its processing being compromised.

Scope
All critical or sensitive business information processing facilities are housed in the server room with appropriate access controls. The protection provided is commensurate with the classification levels of the assets.

Responsibilities
It is the responsibility of Top Management to:

•  ensure that clear controls are in place for the physical security of the premises within the defined secure premises.

Secure areas
The objective is to prevent unauthorised physical access, damage and interference to the organisation’s premises and information.

Physical security perimeter
In the development of the secure perimeter the following guidelines will be considered:

•  the perimeter needs to be defined;
•  the perimeter defences should be strong and external walls and doors should be of solid construction;
•  control mechanisms should be in place to protect against unauthorised access such as bars, alarms and locks;
•  physical control of access to the site should be via a controlled reception point and all visitors should be authorised;
•  physical barriers should be from real floor to real ceiling to prevent unauthorised entry and damage from fire or flood;
•  fire doors through the secure perimeter should be alarmed and should have automatic closure.

Physical entry controls

The following procedures will be followed when using entry controls to secure areas:

•  the entry codes for each designated controlled access point will be issued to authorised personnel only;
•  Top Management will ensure entry codes are regularly changed and re-issued;
•  all visitors will be checked in and checked out using an entry in the Visitor Log;
•  visitors will be made aware of existing security and emergency procedures;
•  sensitive information processing areas and sensitive information will be controlled and restricted to authorised persons only;
•  visitors will carry identification badges and staff should be encouraged to challenge unidentified strangers;
•  a regular review of access rights to secure areas.

Securing offices, rooms and facilities


In designing secure areas, the organisation will take into consideration the possibilities of damage from flood, fire, explosion, civil unrest and other forms of man-made disasters.

The following points will also be considered as appropriate:

•  key facilities should be sited to avoid public access, including being overlooked if appropriate;
•  no outward signs of the purpose of the building should be present;
•  support functions and equipment such as photocopiers and fax machines should be in the secure areas to reduce unnecessary journeys through the controlled access point;
•  doors and windows should be locked when unattended and external protection should be considered for windows, particularly at ground level;
•  intruder alarms should be installed to appropriate standards and unoccupied areas alarmed at all times;
•  there should be separate secure areas for the organisation’s information processing facilities and those of third parties;
•  internal directories should not be publicly available;
•  hazardous and combustible materials will be stored outside secure areas;
•  fallback equipment and back-up media should be stored off site.

Protecting against external and environmental threats
Controls are in place to limit, as far as is practical, damage to the company’s premises, and in particular any areas designated as secure areas, from external and environmental threats, including:

•  fire;
•  flood;
•  lightning strike;
•  explosion.

The controls for the above threats are contained in the company’s procedures covering health and safety and fire precautions.

Other forms of natural or man-made disasters such as an earthquake, terrorism and civil unrest are currently regarded as a very low or non-existent threat and therefore no active controls are in place. However, the need for such controls will be regularly reviewed through monitoring local and national conditions, government advice and the formal Management Review Cycle.

Working in secure areas
Additional controls for third parties and third party activities working in secure areas will include:

•  awareness of activity in a secure area should be on a need to know basis;
•  activity in secure areas should always be supervised;
•  vacant secure areas should be locked and checked from time to time;
•  there should be monitoring and authorised access of third parties to secure areas and this only when required;
•  the necessity to ensure that a logical grouping of secure activities takes place to avoid confusion in access permissions;
•  it is prohibited to take video, audio or other recording equipment into secure areas without permission.

Equipment security
The objective is to ensure equipment is protected against threats and environmental hazards to prevent loss, damage or compromise of assets and interruption to business activities.


The management of removable computer media will include:

•  the need to erase previous content;
•  authorisation of all media removed from the premises;
•  safe storage of media as specified by the manufacturer.

Disposal of media
Items to be considered for secure disposal will include:

•  paper documents;
•  voice and other recordings;
•  carbon paper;
•  printer ribbons;
•  output reports;
•  magnetic tapes, removable discs and cassettes and optical storage media;
•  programme listings;
•  test data;
•  system documentation.

To ensure the safe disposal of media the following will be considered:

•  sensitive media will be stored safely and securely;
•  items will be disposed of in bulk rather than individually;
•  control of contractors subcontracted for disposal;
•  audit trails for sensitive items;
•  avoidance of disposal of related documents together.

Information handling procedures
To protect information from unauthorised disclosure or misuse the following will be considered:

•  handling and labelling of all media;
•  access restriction;
•  handling by authorised personnel according to the applicable Classification Level;
•  ensuring input data is complete, correctly entered and validated;
•  protection of spooled data awaiting output;
•  correct storage;
•  minimum distribution;
•  clearly marked with recipients for distribution;
•  distribution list review.

Security of system documentation
System documentation may contain sensitive information and should be stored securely, accessed only by a minimum of authorised personnel and, if held on a public network, it should have appropriate protection.

Exchange of information
The objective is to maintain the security of information and software exchanged within the company and with any external party. Procedures are needed to prevent the loss, modification or misuse of information exchanged between organisations.

Information exchange policies and procedures
Where information is being exchanged internally and with external parties, the communication processes require control, including:

•  letter;
•  email;


•  voice;
•  facsimile; and
•  video communication.

Communication methods may compromise information security, such as:

•  personnel need to be aware that postal mail and email can go astray;
•  verbal communication on mobile telephones in public places may be overheard;
•  answering machines may be overheard by someone other than the intended recipient;
•  unauthorised access to dial-in voice mail and teleconference systems is prevalent;
•  faxes may be sent to the wrong number or person;
•  mobile phones and other equipment may be stolen.

Employees should be aware of good practice and the controls required when using any of the above communication methods, including:

•  prevention of interception, copying, modification, misrouting and destruction;
•  protection against malware;
•  retention and disposal of information;
•  use of dedicated fax machines or printers etc. as necessary;
•  awareness of the dangers inherent in wireless communication;
•  awareness of eavesdropping possibilities; confidential information should only be revealed from secure locations;
•  not to have confidential conversations in public places;
•  avoid being overheard on business phone calls by external parties visiting the facility or other personnel where the classification level or sensitivity warrants it;
•  discreet use of mobile phones;
•  a reminder not to reveal sensitive information on faxes, as messages, voicemail or on answering machines;
•  checking fax numbers prior to transmission;
•  unauthorised access to fax machines’ built-in message stores;
•  programming of fax machines to deliver to specific numbers.

Controls and methods of protection will be implemented based on the classification level of the information being exchanged.

Electronic messaging
Controls will be implemented to reduce the risk created by the use of electronic mail.

Controls for protection against security risks include:

•  unauthorised access, modification and denial of service;
•  vulnerability to error;
•  impact of changes of communication media;
•  legal considerations;
•  publication of staff lists;
•  control of remote user access to electronic mail accounts.

Controls will cover:

•  attacks such as viruses and interception;
•  protection of electronic mail attachments;
•  guidelines on when not to use electronic mail;
•  employee duty of care;
•  use of cryptographic techniques;
•  retention of messages not helpful to the business;
•  additional controls for message vetting to authenticate.


All employees will be required to acknowledge acceptance of the Company’s policies by signing the Email and Internet Employee Policy statement, retaining a copy for their information and reference.

Business information systems

Consideration will be given to the following security implications:

•  vulnerability of information in office systems;
•  policy and controls to manage information sharing;
•  exclusion of sensitive business information that cannot be protected;
•  restriction of diary information on selected security involved individuals;
•  the suitability of systems supporting business applications;
•  categories of staff allowed to use the system and from where;
•  specific facilities for specific users;
•  retention and backup of information held on the system;
•  fallback requirements and arrangements.

On-line transactions
Online information should be protected so that it remains authentic, is complete, is not mis-routed, altered, disclosed or duplicated and, in particular, is not stolen so that it can be used in a fraudulent transaction elsewhere.

Subject to cost-benefit analysis, these steps should be considered:

•  electronic signatures, especially for sensitive commercial transactions;
•  technical controls to verify user credentials to keep the transaction confidential and to protect privacy;
•  encrypted communications (possibly using the Microsoft Windows packages tools);
•  personal information storage not accessible from the Internet;
•  legal issues.

Publicly available information
Care is required to prevent unauthorised modification of publicly available systems. Data on a web server may need to comply with laws, rules and regulations and there should be formal authorisation before it is made available.

Software, data and other information requiring a high level of integrity and made public should be protected. Electronic publishing systems should be carefully controlled so that:

•  data protection legislation is complied with;
•  information input, processing and output is published accurately and in time;
•  sensitive information is protected during collection and storage;
•  access to the publishing system does not allow access to connected networks.

Monitoring
The objective is to detect unauthorised activities and deviations from access control policy and to monitor and record events to provide evidence in case of security incidents.

Audit logging


Audit logs record exceptions and other key events which can assist in future investigations and access control monitoring. Audit logs should also include:

•  user IDs;
•  dates and times of log-off and log-on;
•  terminal identity or location if possible;
•  records of rejected and successful system access attempts;
•  records of successful and rejected data access attempts.

Audit logs of system use will be maintained in manual format or by the system itself, and will be subject to monitoring and review, and archive as necessary.

Audit logs of security events will be maintained.

Audit logs of Internal Audits will be recorded on Information Security Internal Audit Reports.

Monitoring system use
Procedures for monitoring will be established to ensure that users are only performing authorised activities and the level of monitoring should be determined by risk assessment. Areas that should be considered include:

System use:

•  user ID;
•  date and time of key events;
•  type of event;
•  files accessed;
•  programmes/utilities used;
•  privileged use of supervisor’s account;
•  privileged system start-up and stop;
•  privileged I/O device attachment/detachment.

Security events:

•  unauthorised access failed attempts;
•  unauthorised entry access policy violations and notifications for network gateways and firewalls;
•  unauthorised access alerts from proprietary intrusion detection systems;
•  system alert/failure console alerts or messages;
•  system alert/failure system log exceptions;
•  network management alarms.

The results of monitoring activities will be reviewed regularly and risk factors should be considered including:

•  criticality of the application process;
•  value, sensitivity or criticality of the information involved;
•  past experience of system infiltration and misuse;
•  extent of system interconnection (particularly on public networks).

Protection of log information

Logging and reviewing events involves understanding threats faced by the system and the manner in which these may arise. Controls should aim to protect against unauthorised changes and operational problems including:

•  logging facility being deactivated;
•  alteration to the message types that are recorded;
•  log files being edited or deleted;
•  log file media becoming exhausted with failure to record or overwriting.
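The audit logging, monitoring and log protection passages above say what an audit log should hold (user ID, date and time, terminal identity, rejected and successful access attempts) and what a review should look for (repeated unauthorised access attempts, privileged use of the supervisor account, privileged start/stop events, and a logging facility that has gone quiet). The following is an added example, not taken from the manual, that runs such a review over constructed records; the pipe-separated record layout, the account name supervisor, the threshold of three rejected attempts and the two-hour silence threshold are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records, not taken from any real system. The layout is an
# assumption: timestamp|user ID|terminal identity|event type|outcome[|detail],
# carrying the fields the manual asks an audit log to hold.
SAMPLE_AUDIT_LOG = """\
2019-08-12 08:55:10|jsmith|TERM-03|LOGON|success
2019-08-12 09:02:41|jsmith|TERM-03|DATA_ACCESS|success|meter_assets.db
2019-08-12 09:15:00|unknown|TERM-07|LOGON|rejected
2019-08-12 09:15:20|unknown|TERM-07|LOGON|rejected
2019-08-12 09:15:45|unknown|TERM-07|LOGON|rejected
2019-08-12 09:30:02|supervisor|CONSOLE|LOGON|success
2019-08-12 09:31:10|supervisor|CONSOLE|SYSTEM_STOP|success
2019-08-12 13:40:00|jsmith|TERM-03|DATA_ACCESS|rejected|payroll.xls
2019-08-12 15:01:33|jsmith|TERM-03|LOGOFF|success
"""

# Event types the manual singles out as privileged system use (names are constructed).
PRIVILEGED_SYSTEM_EVENTS = ("SYSTEM_START", "SYSTEM_STOP", "DEVICE_ATTACH", "DEVICE_DETACH")


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    user_id: str
    terminal: str   # terminal identity or location
    event: str      # LOGON, LOGOFF, DATA_ACCESS, SYSTEM_STOP, ...
    outcome: str    # "success" or "rejected"
    detail: str = ""


@dataclass(frozen=True)
class Finding:
    kind: str
    subject: str
    detail: str


def parse_audit_line(line: str) -> AuditRecord:
    """Parse one record of the constructed layout; malformed lines are refused
    rather than silently skipped, because a damaged log is itself a finding."""
    parts = line.strip().split("|")
    if len(parts) < 5:
        raise ValueError(f"malformed audit record: {line!r}")
    when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
    detail = parts[5] if len(parts) > 5 else ""
    return AuditRecord(when, parts[1], parts[2], parts[3], parts[4], detail)


def load_records(text: str) -> List[AuditRecord]:
    """Parse every non-empty line and order the records by time."""
    records = [parse_audit_line(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r.when)


def rejected_attempts_by_user(text: str) -> Dict[str, int]:
    """Count rejected system and data access attempts per user ID."""
    counts = Counter(r.user_id for r in load_records(text) if r.outcome == "rejected")
    return dict(counts)


def review_audit_log(text: str, rejected_threshold: int = 3,
                     privileged_accounts=("supervisor",),
                     max_gap: timedelta = timedelta(hours=2)) -> List[Finding]:
    """Produce the findings a periodic review would raise:
    - repeated rejected access attempts under one user ID;
    - any use of the supervisor account, and privileged start/stop events by anyone;
    - a long silence in the log, which may mean the logging facility was
      deactivated or its media exhausted (the thresholds are constructed values).
    """
    records = load_records(text)
    findings: List[Finding] = []
    rejected: Counter = Counter()
    previous = None
    for r in records:
        if r.outcome == "rejected":
            rejected[r.user_id] += 1
        if r.user_id in privileged_accounts:
            findings.append(Finding("privileged_use", r.user_id,
                                    f"{r.event} from {r.terminal} at {r.when:%H:%M:%S}"))
        if r.event in PRIVILEGED_SYSTEM_EVENTS:
            findings.append(Finding("privileged_system_event", r.user_id,
                                    f"{r.event} from {r.terminal} at {r.when:%H:%M:%S}"))
        if previous is not None and r.when - previous.when > max_gap:
            findings.append(Finding("possible_logging_gap", "audit log",
                                    f"no records between {previous.when} and {r.when}"))
        previous = r
    for user_id, count in rejected.items():
        if count >= rejected_threshold:
            findings.append(Finding("repeated_rejected_access", user_id,
                                    f"{count} rejected attempts"))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{finding.kind:26} {finding.subject:12} {finding.detail}")
```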

Administrator and operator logs


Personnel responsible for the networked system resources (system administrator and designated network system operators) will maintain a log of their activities.

The entries on the Log may include:

•  system or event start and finish time;
•  event information, including files handled, processes involved;
•  system errors and corrective action taken;
•  back-up timing with details of the back-up tapes etc. and other media handled;
•  each entry will be signed off by the person making the entry.

Fault logging

Faults and system errors in the operation and use of the Information Processing Systems, and arising from problems with information processing or communications, will be recorded.

The corrective action will be determined and approved by Top Management or the Information Security Management Representative. When the action programme has been completed it will be checked for satisfactory resolution of the problem and the entry will then be signed off.

The Log will be the subject of further review during the Management Review cycle to confirm authorisation and that controls have not been compromised.

Access Control ISM 05

Introduction
In order that the information processing facilities operate correctly, responsibilities and procedures are developed including the correct response to incidents.

Scope
All activities included in the information processing facility must be reviewed and formal instructions developed to ensure correct and secure operation. Consideration to the segregation of duties is included to reduce the risk of negligence or deliberate system misuse.

Responsibility
It is the responsibility of Top Management to:

•  ensure that clear controls are in place for the development and operation of procedures covering the secure and correct operation of information processing facilities.

Procedure

Business Requirements for access control
The objective is to ensure access to information and business processes is controlled on the basis of business and security requirements.

Access control policy
Business requirements for access control and the rights and rules for users and service providers will include:

•  security requirements of individual business applications;
•  identification of all information related to business applications;
•  policies for information dissemination and authorisation;
•  consistency between the access control and information classification policies of different systems and networks;


•  relevant legislation and any contractual obligations regarding protection of access to data or services;
•  standard user access profiles for common job categories;
•  management of access rights in a distributed network environment which recognises all types of connections available.

In specifying the access control rules, care should be taken to consider the following:

•  difference between mandatory and optional rules;
•  changes in information labels that happen automatically and those that are discretionary;
•  changes in user permissions that are system generated and those initiated by the administrator;
•  rules that require administrator approval and others.

User access management
The objective is to prevent unauthorised access to information systems. Unique user identifications (IDs) will ensure users can be linked to, and made responsible for, their actions.

User registration
Formal user registration will be required for granting access to multi user information systems and services including:

•  unique user IDs, with strict limits on group IDs, which are preferably not permitted;
•  checks on authority from the system’s owner for system entry;
•  checks that the granted level of access is appropriate for purpose;
•  giving users a written statement of their access rights;
•  requiring statements from users to confirm understanding;
•  withholding access until authorisation is completed;
•  recording all persons registered for use of the service;
•  cancelling rights for leavers or those changing jobs;
•  periodic checks to remove redundant user account IDs.

Staff contracts should include clauses specifying sanctions for failure to observe rules covering unauthorised access.

Privilege management
A “privilege” is any facility in a multi user system that enables one user to override system or application controls.

The allocation of privileges should be restricted and controlled through a formal authorisation process that should consider the following:

•  privileges associated with each system product need to be identified;
•  privileges should be allocated on a need-to-use and event-by-event basis;
•  an authorisation process and record of privileges should be maintained;
•  development and use of system routines should be promoted;
•  privilege identifiers should be different from those for normal business use.

User password management

Where passwords are used to validate a user’s personal identity for access to information systems or services, the allocation will be controlled through a formal management process that will consider:

•  requiring a signed statement of confidentiality;


•  control of the issue of temporary passwords;•  issuing temporary passwords with a full level of security.

Passwords will not be stored on a computer system in an unprotected form.The issue, use and maintenance of Passwords will follow the Company policy defined in the latestissue of the Password Security Policy.

Review of user access rights A formal process is required to maintain effective control over access rights to data andinformation services so that:

•  user access rights are reviewed at regular intervals and after changes;• • •  special privilege access rights should be reviewed more frequently;•  privilege allocations should be regularly checked

User responsibilities

The objective is to prevent access by unauthorised users, and the compromise or theft of information and information processing facilities.

Password use

Users will follow good security practice in password selection and the following should be considered:

•  keep passwords confidential;
•  avoid keeping paper records unless securely stored;
•  change passwords whenever security is threatened;
•  select passwords with a minimum of eight characters that are easy to remember, not based on anything easy to guess, and free from consecutive identical characters or sequential numbers;
•  change passwords regularly and avoid reusing old passwords;
•  change temporary passwords at first log-on;
•  do not use passwords in an automated log-on process;
•  do not share individual passwords.
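The selection rules above, as an added worked example (not part of the manual): a checker that enforces the eight-character minimum, rejects runs of identical or sequential characters, rejects passwords built on guessable values such as the user name, and refuses reuse against a history held as salted PBKDF2 hashes rather than in clear, in line with the requirement above that passwords are not stored unprotected. The run length, history depth, hashing parameters and the guessable-value list are assumptions for this illustration.

```python
import hashlib
import os
import secrets

# Assumed policy parameters; the manual itself gives only the eight-character minimum.
MIN_LENGTH = 8
MAX_RUN = 2          # longest permitted run of identical or sequential characters
HISTORY_SIZE = 12    # previous password hashes retained per user
PBKDF2_ROUNDS = 200_000


def has_run(password: str, max_run: int = MAX_RUN) -> bool:
    """True if the password contains more than max_run identical characters in a row
    (e.g. 'aaa') or an ascending/descending sequence such as 'abc', '123' or '321'."""
    same = up = down = 1
    for prev, cur in zip(password, password[1:]):
        same = same + 1 if cur == prev else 1
        up = up + 1 if ord(cur) == ord(prev) + 1 else 1
        down = down + 1 if ord(cur) == ord(prev) - 1 else 1
        if max(same, up, down) > max_run:
            return True
    return False


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only this pair, never the clear password, is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, username: str, history, guessable=()) -> list:
    """Return the rules the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for word in (username, *guessable):
        if word and word.lower() in lowered:
            problems.append(f"based on guessable value '{word}'")
    if has_run(password):
        problems.append("contains consecutive identical or sequential characters")
    for salt, digest in history:
        # Re-derive with the stored salt and compare in constant time.
        if secrets.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses a previous password")
            break
    return problems


def record_password(password: str, history) -> list:
    """Append the new password's salted hash and keep only the last HISTORY_SIZE entries."""
    return (list(history) + [hash_password(password)])[-HISTORY_SIZE:]


if __name__ == "__main__":
    # Constructed sample: user jsmith at a company called Acme, previous password 'Winter-2024!x'.
    history = record_password("Winter-2024!x", [])
    for candidate in ("jsmith99", "Pass1234", "Winter-2024!x", "Tr0ut^Lamp9Vine"):
        result = check_password(candidate, "jsmith", history, guessable=("acme",))
        print(candidate, "->", "; ".join(result) or "accepted")
```

The history check re-derives the candidate with each stored salt, so the clear text of old passwords never needs to exist on the system; the cost of that derivation is also what slows an attacker who obtains the history file.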

Special consideration should be given to users of multiple services or platforms, with a view to using a single quality password across them.

Unattended user equipment

Users and contractors will ensure equipment left unattended, even temporarily, has appropriate protection by:

•  terminating active sessions when the session is finished;
•  logging off workstations, laptops, servers etc. when the session is finished;
•  ensuring the log-off procedure has been completed when switching off or leaving the equipment unattended;
•  securing computers and terminals from unauthorised use.

Clear desk and clear screen policy

The following controls will be considered:

•  storage of paper and computer media in locked cabinets;
•  sensitive or critical business information will be locked away when not required;
•  personal computers and terminals will not be left logged on when not attended and should be protected by key locks, passwords and other appropriate controls;
•  incoming and outgoing mail and faxes should be protected;
•  photocopiers should be locked outside normal working hours;

Access to remote ports should be securely controlled, especially to control the activity of maintenance engineers using remote diagnostic facilities. Dial-up facilities should be protected by a key lock or similar, with a support procedure under which access can only be achieved through arrangements between the Company and the hardware/software support personnel.

Segregation of networks

Where multiple networks exist, the introduction of controls within the network to segregate groups of information services, users and information systems should be considered. Consideration should be given to:

•  separating networks into logical domains;
•  installation of a security gateway between networks;
•  use of gateways to filter traffic;
•  use of gateways to block unauthorised access between domains.

Network connection control

Where networks are shared, especially outside organisational boundaries, they may require controls to restrict the connection capabilities of the users. Such controls can be achieved through the use of network gateways that filter traffic. Examples of applications to which restrictions should apply are:

•  electronic mail;
•  one-way file transfer;
•  both-ways file transfer;
•  interactive access;
•  network access linked to time of day or date.

Network routing control

Shared networks may require the incorporation of routing controls to ensure that computer connections and information flows do not breach the access control policy of the business applications. This is often essential for networks shared with a third party. Routing controls should be based on positive source and destination address checking mechanisms. Network address translation is also useful for isolating networks and preventing routes from propagating from the network of one organisation into another. This can be implemented in software or hardware.
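As an added illustration, not taken from the manual or from any product's configuration, the following shows the positive source-and-destination checking described above as a deny-by-default rule table: addresses are mapped to logical domains, only listed application classes are recognised, and a rule may carry a time-of-day window. The domain addressing, port numbers and rules are constructed for the example.

```python
import ipaddress
from datetime import time
from typing import NamedTuple, Optional

# Constructed logical domains; the addressing is an assumption for this example.
DOMAINS = {
    "office":   ipaddress.ip_network("10.10.0.0/16"),
    "metering": ipaddress.ip_network("10.20.0.0/16"),    # metering infrastructure systems
    "partner":  ipaddress.ip_network("192.168.50.0/24"), # link to a third-party supplier
    "dmz":      ipaddress.ip_network("172.16.0.0/24"),
}

# Application classes from the manual, with the ports assumed for them here.
APPLICATIONS = {
    "email": {25, 587},
    "file_transfer": {22},
    "interactive": {3389},
}


class Rule(NamedTuple):
    src_domain: str
    dst_domain: str
    application: str
    window: Optional[tuple] = None   # (start, end) time of day; None means any time


# Positive rule table: a connection is permitted only if a rule lists it.
RULES = [
    Rule("office", "dmz", "email"),
    Rule("office", "metering", "interactive", (time(8, 0), time(18, 0))),
    Rule("partner", "dmz", "file_transfer", (time(0, 0), time(6, 0))),
]


def domain_of(addr: str) -> Optional[str]:
    """Map an address to its logical domain, or None if it is in no defined domain."""
    ip = ipaddress.ip_address(addr)
    for name, net in DOMAINS.items():
        if ip in net:
            return name
    return None


def gateway_decision(src: str, dst: str, dst_port: int, now_hhmm: str) -> tuple:
    """Decide one connection attempt: returns ('permit' | 'deny', reason)."""
    src_domain, dst_domain = domain_of(src), domain_of(dst)
    if src_domain is None or dst_domain is None:
        return "deny", "address outside any defined domain"
    app = next((name for name, ports in APPLICATIONS.items() if dst_port in ports), None)
    if app is None:
        return "deny", f"port {dst_port} not an authorised application"
    now = time.fromisoformat(now_hhmm)
    for rule in RULES:
        if (rule.src_domain, rule.dst_domain, rule.application) == (src_domain, dst_domain, app):
            if rule.window is None or rule.window[0] <= now <= rule.window[1]:
                return "permit", f"{src_domain}->{dst_domain} {app}"
            return "deny", f"{app} from {src_domain} to {dst_domain} outside permitted hours"
    return "deny", f"no rule for {src_domain}->{dst_domain} {app}"


if __name__ == "__main__":
    # Constructed connection attempts as a gateway would see them.
    for attempt in [("10.10.5.7", "172.16.0.25", 587, "10:00"),
                    ("10.10.5.7", "10.20.1.1", 3389, "20:00"),
                    ("192.168.50.9", "10.20.1.1", 22, "02:00"),
                    ("8.8.8.8", "10.20.1.1", 22, "02:00")]:
        print(attempt, "->", gateway_decision(*attempt))
```

The point of the positive table is the final line: a flow that matches no rule is denied, so adding a new domain or service requires an explicit decision rather than inheriting access by default.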

  Acquisitions, Development & Maintenance ISM 06

Introduction

There is a need to ensure that security is built into information systems and that a programme to identify all requirements is considered at the project phase.

Scope

The requirement to build security into information systems applies to all aspects of information security, with the level of security determined by appropriate risk assessment.

Responsibility

It is the responsibility of Top Management to:

•  initiate action at the project requirements phase and to ensure that all the necessary human, physical and financial elements are available.

Procedure

Security requirements of information systems

The objective is to ensure that security is built into information systems, including infrastructure, business applications and user-developed applications. Security requirements should be identified and agreed in advance.

Security requirements analysis and specification

Where a new system, or an enhancement to an existing one, is required, there should be a Statement of Requirements drawn up that specifies the business requirements and the information security controls required, including both incorporated automatic controls and supporting manual controls.

The same consideration should be given whether the systems are being fully specified in-house or existing software packages are being evaluated. Note: software packages may already have been independently evaluated and certified.

Security requirements and controls should reflect the business value of the information assets involved, and the potential damage that might result from a failure or absence of security.

Correct processing in applications

The objective is to prevent errors, loss, unauthorised modification or misuse of information in applications. Appropriate controls and audit trails or activity logs should be designed into application systems. These should include the validation of input data, internal processing and output data.

Input data validation

Data input, particularly transaction input, to application systems should be validated to ensure it is correct and appropriate. Controls should apply to data such as customer names and addresses, credit limits and reference numbers, as well as to parameter tables such as sales prices, currency conversion rates and tax rates. Controls include:

•  checks, preferably automatic, for out-of-range values, invalid characters, missing or incomplete data, exceeding upper or lower limits on data volumes, and unauthorised or inconsistent use of control data;
•  periodic checks of the content of key fields and data files to confirm their validity and integrity;
•  inspecting hard-copy input documents for unauthorised changes to input data;
•  procedures for responding to validation errors;
•  procedures to check the plausibility of the input data;
•  clearly defined responsibilities for all people involved in the input process.
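The controls listed above, as an added worked example that is not part of the manual: a validator applied to a constructed batch of customer records that checks for missing fields, invalid characters, out-of-range credit limits, unknown parameter-table codes and a batch volume limit, and returns the rejected records with their reasons so that a response procedure has something definite to act on. The field names, limits and reference format are assumptions.

```python
import re

# Parameter table (constructed): tax-rate codes the application accepts as control data.
TAX_RATES = {"STD": 0.20, "RED": 0.05, "ZERO": 0.0}

# Assumed limits and formats for this illustration.
MAX_BATCH_RECORDS = 3
CREDIT_LIMIT_RANGE = (0, 50_000)
REFERENCE_PATTERN = re.compile(r"^[A-Z]{2}\d{6}$")           # e.g. GM000123
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,79}$")   # letters, apostrophe, space, hyphen
REQUIRED = ("reference", "name", "credit_limit", "tax_code")


def validate_record(rec: dict) -> list:
    """Apply the input controls to one record; returns the list of findings (empty = valid)."""
    errors = []
    for field in REQUIRED:                                   # missing or incomplete data
        if rec.get(field) in (None, ""):
            errors.append(f"missing {field}")
    ref = rec.get("reference")
    if ref and not REFERENCE_PATTERN.match(str(ref)):       # invalid characters
        errors.append("invalid characters in reference")
    name = rec.get("name")
    if name and not NAME_PATTERN.match(str(name)):
        errors.append("invalid characters in name")
    limit = rec.get("credit_limit")
    if limit is not None:                                    # out-of-range values
        if isinstance(limit, bool) or not isinstance(limit, (int, float)):
            errors.append("credit_limit not numeric")
        elif not CREDIT_LIMIT_RANGE[0] <= limit <= CREDIT_LIMIT_RANGE[1]:
            errors.append("credit_limit out of range")
    code = rec.get("tax_code")
    if code and code not in TAX_RATES:                       # inconsistent use of control data
        errors.append(f"unknown tax_code {code!r}")
    return errors


def validate_batch(records: list) -> tuple:
    """Validate a batch; returns (accepted_records, rejected) where rejected maps index -> findings.
    A batch over the volume limit is rejected whole, before any record is looked at."""
    if len(records) > MAX_BATCH_RECORDS:
        return [], {"batch": [f"{len(records)} records exceeds limit of {MAX_BATCH_RECORDS}"]}
    accepted, rejected = [], {}
    for i, rec in enumerate(records):
        findings = validate_record(rec)
        if findings:
            rejected[i] = findings
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record, one with bad characters and an out-of-range limit,
# one with a missing name and an unknown tax code.
SAMPLE_BATCH = [
    {"reference": "GM000123", "name": "Acme Bakery", "credit_limit": 5000, "tax_code": "STD"},
    {"reference": "GM00012;DROP", "name": "O'Brien", "credit_limit": 75000, "tax_code": "STD"},
    {"reference": "GM000125", "name": "", "credit_limit": 100, "tax_code": "LUX"},
]

if __name__ == "__main__":
    accepted, rejected = validate_batch(SAMPLE_BATCH)
    print(len(accepted), "accepted;", rejected)
```

Validation is by allow-list (what a valid reference or name looks like) rather than by searching for known bad characters, so the second record is rejected for being malformed, not because any particular attack string was recognised.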

Control of internal processing

Areas of risk should be identified based on validation exercises carried out to detect system corruption and should include consideration of the following:

•  use of add and delete functions in the programme to implement data changes;
•  procedures to prevent programmes running in the wrong order or after failure of prior processing;
•  protection against buffer overflow / overrun attacks;
•  use of the correct programmes to recover from failure.

Checks and controls will depend on the nature of the application and the business impact of any corruption, and the following should be considered for inclusion:

•  session or batch controls to reconcile data file balances;
•  balancing controls to check opening balances against previous closing balances, including run-to-run controls, file update totals and programme-to-programme controls;
•  validation of system-generated data;
•  checks on the integrity of data downloaded or uploaded between computers;
•  hash totals of records and files;
•  checks to ensure application programmes are run at the correct time;
•  checks to ensure that programmes are run in the correct order and terminate in case of failure;
•  logging of the activities involved.
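An added worked example, not the manual's, of the batch and run-to-run controls listed above: the producing programme writes a trailer holding the record count, amount total, opening and closing balances and a hash total, and the consuming programme reconciles the received records against that trailer and against the previous run's closing balance. The hash total here is a SHA-256 digest over the canonical record text, which also catches reordering; the sample postings and balances are constructed.

```python
import hashlib
from decimal import Decimal

# Constructed batch of account postings: (customer reference, amount as a decimal string).
BATCH = [
    ("GM000123", "120.50"),
    ("GM000124", "-35.00"),
    ("GM000125", "410.25"),
]


def amount_total(records) -> Decimal:
    """Sum of the amounts using Decimal, so pennies reconcile exactly."""
    return sum((Decimal(amount) for _, amount in records), Decimal("0"))


def hash_total(records) -> str:
    """Hash total over the canonical record text; any record changed, dropped, inserted or
    reordered produces a different value."""
    h = hashlib.sha256()
    for ref, amount in records:
        h.update(f"{ref}|{Decimal(amount)}\n".encode())
    return h.hexdigest()


def make_trailer(records, opening_balance: str) -> dict:
    """Control record written by the producing programme at the end of the batch."""
    opening = Decimal(opening_balance)
    total = amount_total(records)
    return {
        "record_count": len(records),
        "amount_total": total,
        "opening_balance": opening,
        "closing_balance": opening + total,
        "hash_total": hash_total(records),
    }


def reconcile(records, trailer: dict, previous_closing: str) -> list:
    """Batch and run-to-run controls applied by the consuming programme; empty list = accepted."""
    findings = []
    if trailer["opening_balance"] != Decimal(previous_closing):
        findings.append("opening balance does not match previous run's closing balance")
    if len(records) != trailer["record_count"]:
        findings.append(f"record count {len(records)} != trailer {trailer['record_count']}")
    total = amount_total(records)
    if total != trailer["amount_total"]:
        findings.append("amount total does not agree with trailer")
    if trailer["opening_balance"] + total != trailer["closing_balance"]:
        findings.append("closing balance does not equal opening balance plus postings")
    if hash_total(records) != trailer["hash_total"]:
        findings.append("hash total mismatch: records altered or reordered")
    return findings


if __name__ == "__main__":
    trailer = make_trailer(BATCH, "1000.00")
    print("clean batch:", reconcile(BATCH, trailer, "1000.00"))
    print("reordered:", reconcile([BATCH[1], BATCH[0], BATCH[2]], trailer, "1000.00"))
    print("dropped record:", reconcile(BATCH[:2], trailer, "1000.00"))
```

The reordered case shows why a hash total is kept alongside the arithmetic controls: swapping two postings leaves the count, the amount total and the closing balance unchanged, and only the hash total reveals that the file is not the one that was produced.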

Message integrity

Message integrity is a technique used to detect unauthorised changes to, or corruption of, the content of a transmitted electronic message. Cryptographic techniques can be used, but it should be remembered that message authentication is not designed to prevent unauthorised disclosure. Message authentication should be considered for electronic funds transfers, specifications, contracts, proposals and other messages of high importance.
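The message authentication described above, as an added example not drawn from the manual: an HMAC-SHA256 tag over a canonical encoding of the message. The receiver detects any alteration of the payload or use of a different key, but the payload itself travels in clear, which is the caveat in the paragraph above. The shared key and the transfer message are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared key; in practice it would be issued and rotated under the key-management policy.
SHARED_KEY = bytes.fromhex("1f" * 32)


def canonical(message: dict) -> bytes:
    """Stable encoding so that sender and receiver authenticate exactly the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag; the payload stays readable by anyone on the path."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"payload": message, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


if __name__ == "__main__":
    # Constructed funds-transfer instruction.
    transfer = {"from": "GB00ACME0001", "to": "GB00SUPP0002", "amount": "1250.00", "ref": "INV-4471"}
    envelope = sign(transfer)
    print("as sent:", verify(envelope))                 # True
    envelope["payload"]["amount"] = "9250.00"           # alteration in transit
    print("after tampering:", verify(envelope))         # False
    print("still readable:", envelope["payload"])       # a MAC gives no confidentiality
```

Without the canonical encoding, two encodings of the same message (different key order or whitespace) would fail verification even though nothing was tampered with; the comparison uses compare_digest so that the check does not leak the tag through timing.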

Output data validation

Validation of output data from an application system may include:

•  plausibility checks to test whether the data is reasonable;
•  reconciliation control counts to ensure processing of all data;
•  providing sufficient information for a reader to determine the accuracy of the output;
•  procedures for responding to output validation tests;
•  defining responsibilities for personnel involved in data output processing.

Cryptographic controls

The objective is to protect the confidentiality, authenticity or integrity of information. Cryptographic controls should be used for information considered to be at risk and for which other controls do not provide adequate protection.

Policy on the use of cryptographic controls

The decision to employ cryptographic controls should be based on risk assessment, and from this the type of cryptographic control that would be appropriate can be determined. A policy should consider the following:

•  management approach towards the use of cryptographic controls;
•  approach to key management, including roles and responsibilities;
•  how to determine appropriate levels of cryptographic protection;
•  the standards to be adopted for each business process.

Key management

•  Vendor-supplied software used in operational systems should be maintained at a level supported by the supplier, and decisions to upgrade should take into account the security of the release.

Physical or logical access should only be given for support services when necessary and with management approval.

Protection of system test data

Test data should be protected and controlled, and the use of operational databases containing personal information for testing should be avoided. The following controls should be applied to protect operational data when it is used for testing:

•  the access control procedures for operational systems should also apply to test application systems;
•  separate authorisation is required whenever operational information is used for test purposes;
•  operational information should be erased from test applications on completion of the tests;
•  copying and use of operational information should be logged to provide an audit trail.

Access control to programme source code

To reduce the potential for corruption of computer programmes, strict control should be maintained over access to programme source libraries as follows:

•  where possible, programme source libraries should not be held in operational systems;
•  a programme librarian should be nominated for each application;
•  IT support staff should not have unrestricted access to programme source libraries;
•  programmes under development should not be held in operational libraries;
•  updating of programmes and issue of source to programmers should be authorised and carried out by the librarian;
•  programme listings should be held in a secure environment;
•  an audit log should be maintained of all library accesses;
•  old programme versions should be timed, dated and archived together with the supporting software, job control, data definitions and procedures;
•  maintenance and programme copying should be strictly controlled through a change procedure.

Security in development and support processes

The objective is to maintain the security of application system software and information. Project and support environments should be strictly controlled.

Change control procedures

To minimise corruption of information systems there should be strict control of changes, and formal change procedures should be enforced. They should ensure that security and control procedures are not compromised, that access to programmes is limited to need, and that formal agreement is obtained for any change. Where practicable, operational and application change control procedures should be integrated, and the process should include:

•  maintaining a record of agreed authorisation levels;
•  ensuring changes are submitted by authorised users;
•  reviewing controls and integrity procedures to ensure that they will not be compromised by the change;
•  identifying all computer software, information, database entities and hardware that require amendment;

•  obtaining formal approval for detailed proposals before work starts;
•  ensuring that the authorised user accepts changes prior to implementation;
•  ensuring that implementation is carried out with minimum disruption;
•  ensuring that the system documentation set is updated on the completion of each change and that old documentation is archived or disposed of;
•  maintaining version control for all software updates;
•  maintaining an audit trail for all change requests;
•  ensuring that the operating documentation and user procedures are changed as necessary to remain appropriate;
•  ensuring that the implementation of changes takes place at the right time and does not disturb the business processes involved.

Where possible, new software should be tested in an environment separate from both the development and the production environments.

Technical review of applications after operating system changes

When it is necessary to change the operating system, the application system should be reviewed and tested to ensure that there is no adverse impact on operation or security. This review process should cover:

•  application control and integrity procedures, to ensure they have not been compromised by the operating system changes;
•  ensuring that the annual support plan and budget will cover the reviews and system testing resulting from the operating system changes;
•  ensuring that notification of operating system changes is provided in time to allow appropriate reviews to take place before implementation;
•  ensuring that appropriate changes are made to the business continuity plans.

Restrictions on changes to software packages

Modifications to software packages should be discouraged and limited to necessary changes, and all changes will be strictly controlled. Where a modification is deemed essential, the following should be considered:

•  the risk of built-in controls and integrity processes being compromised;
•  whether the consent of the vendor should be obtained;
•  the possibility of obtaining the required change from the vendor as a standard update;
•  the impact if the organisation becomes responsible for future maintenance of the software because of the changes.

If the changes are considered essential, the original software should be retained and the changes applied to a clearly identified copy. All changes should be fully tested and documented.

Information leakage

Information leakage through a covert channel can expose information by some indirect and obscure means. Trojan code is designed to affect a system in a way that is not authorised, not readily noticed, and not required by the recipient or user of the programme. Neither occurs by accident, and where they are a concern the following should be considered:

•  buying programmes only from a reputable source;
•  buying programmes in source code so that the code may be verified;
•  using evaluated products;
•  inspecting all source code before operational use;
•  controlling access to and modification of code once installed;
•  using staff of proven trust to work on key systems.

Outsourced software development

Where software development is outsourced, the following should be considered:

•  licensing agreements, code ownership and intellectual property rights;
•  certification of the quality and accuracy of the work carried out;
•  escrow arrangements in the event of failure of the third party;
•  rights of access for audit of the quality and accuracy of the work done;
•  contractual requirements for quality of code;
•  testing before installation to detect Trojan code.

Technical vulnerability management

The objective is to reduce the risks resulting from exploitation of published technical vulnerabilities in software.

Control of technical vulnerabilities

The Company will monitor publicly available details of newly discovered software vulnerabilities, either through the software vendor or through other published sources. The Information Security Management Representative will ensure that regular checks for software vulnerabilities are made.

The Company will ensure, as far as is practical, the timely, systematic, comprehensive and reliable updating of systems with all patches and fixes issued by the software manufacturers.

A list of all current authorised software, with serial numbers and version numbers, will be maintained on the Software Register.

Decisions on updating software in information processing systems should take the following into consideration:

•  identification, for each software package, of the source of information on new vulnerabilities and patch releases, such as the vendor website;
•  careful testing prior to formally updating the system;
•  review of the risk assessment for each system asset;
•  allowance for emergency change requirements following a software malfunction or other security incident;
•  involvement of the Information Security Advisor (Competent Person).
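An added example, not part of the manual, of the regular check described above: the Software Register and a set of vendor advisories are cross-checked, comparing versions numerically rather than as strings (so that 2.4.9 is correctly seen as older than 2.4.10), and the assets still lacking a fix are listed by severity to feed the update decision. The register entries, product names, advisories and severity scale are constructed.

```python
from dataclasses import dataclass


def version_key(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class RegisterEntry:
    asset: str
    product: str
    version: str
    serial: str


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str      # first version that carries the fix
    severity: str      # constructed scale: high / medium / low


# Constructed Software Register: asset, product, installed version, serial number.
SOFTWARE_REGISTER = [
    RegisterEntry("METER-GW-01", "GatewayOS", "2.4.9", "SN-0001"),
    RegisterEntry("METER-GW-02", "GatewayOS", "2.4.10", "SN-0002"),
    RegisterEntry("OFFICE-PC-17", "ReportViewer", "1.2.0", "SN-0101"),
    RegisterEntry("BILLING-01", "LedgerSuite", "7.0.3", "SN-0201"),
]

# Constructed advisories as they might be collected from vendor sites.
ADVISORIES = [
    Advisory("GatewayOS", "2.4.10", "high"),
    Advisory("ReportViewer", "1.3.0", "medium"),
    Advisory("UnusedTool", "9.9.9", "low"),      # product not on the register: no finding
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def outstanding_patches(register, advisories) -> list:
    """Cross-check the register against the advisories.
    Returns (asset, product, installed, fixed_in, severity) tuples, most severe first."""
    findings = []
    for entry in register:
        for adv in advisories:
            if adv.product == entry.product and version_key(entry.version) < version_key(adv.fixed_in):
                findings.append((entry.asset, entry.product, entry.version, adv.fixed_in, adv.severity))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[4]], f[0]))
    return findings


if __name__ == "__main__":
    for asset, product, installed, fixed_in, severity in outstanding_patches(SOFTWARE_REGISTER, ADVISORIES):
        print(f"{severity:6} {asset:14} {product} {installed} -> needs {fixed_in}")
```

The check is only as good as the register: an asset running software that was never recorded, or recorded with a stale version number, produces no finding, which is why the manual ties the register to Top Management approval and to the serial numbers of what is actually installed.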

Incident Management ISM 07

Introduction

There is a need to ensure that events that relate to or might compromise information security, or weaknesses associated with the information systems, are communicated in a way that ensures timely identification of security incidents and appropriate corrective action.

An event is not necessarily an incident, whereas an incident is always an event. There are a number of information security related events that, whether expected or unexpected, might not compromise the integrity, availability or confidentiality of the Company’s information. Security related events will be reported; a determination will then be made as to whether a security incident has occurred, which will then require an action programme.

Scope

The requirement to have an efficient security event reporting process, allied with a timely determination of incident occurrence and of corrective action, will apply to all aspects of the information security system.

Responsibility

It is the responsibility of Top Management to:

•  ensure that all security related events that may be determined to be an incident are efficiently reported and reviewed, and a decision made as to whether corrective actions are required;
•  ensure that all corrective action programmes in response to information security incidents are dealt with in a timely manner and satisfactorily resolve the problem.

Procedure

Reporting information security events and weaknesses

The objective is to ensure that information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.

Reporting information security events

An information security event response control will be in place; all employees and contractors will be made aware of its content and will notify the Information Security Management Representative, or Operations Manager, of events.

Reporting software malfunctions

Software malfunctions will be reported, with the following actions taken into consideration:

•  any symptoms or screen messages should be noted;
•  the computer should be isolated, its use stopped and the incident reported;
•  disconnection from the network is essential before suspect computers are re-powered;
•  diskettes or other removable media from the suspect computer should not be loaded into other computers;
•  removal of suspected software should be left to appropriately trained staff.

The Information Security Management Representative, or Operations Manager, will be notified immediately. The details of all information security events, including incidents and software malfunctions, will be recorded in the Department’s or Location’s System Fault, Security Incident and Software Malfunction Log.

Reporting security weaknesses

All users of the information services are required to note and report any observed or suspected security weakness in systems or services. Reporting should be to the Information Security Management Representative, or Operations Manager, as quickly as possible; the reporter should then await a management decision on appropriate action rather than attempt to prove the weakness. The Information Security Management Representative, or Operations Manager, will ensure an entry is made and maintained in the System Fault, Security Incident and Software Malfunction Log.

Management of information security incidents and improvement

The objective is to ensure that a consistent and effective approach is applied to the management of information security incidents.

Responsibilities and procedures

The Information Security Management Representative, or Operations Manager, as appropriate, will ensure the matter is investigated promptly and the appropriate actions determined, and will decide whether to involve the Information Security Competent Person in the investigation and in determining whether an incident has occurred and the actions required.

In determining whether an incident has occurred, the following are likely to be classified as incidents, and therefore subject to an incident response process and determination of appropriate corrective action:

•  malware infections;
•  excessive spam;
•  information system failures;
•  denial or loss of service;
•  business information errors resulting from errors in input data, such as incomplete or inaccurate data;
•  breaches of confidentiality or integrity;
•  misuse of information systems.

An orderly, effective and swift response is required where a security incident has been identified, and the following will be considered as standard:

•  analysis of contingency plans to ensure the Company continues functioning while the incident is being dealt with;
•  immediate limiting or restricting of any further impact of the incident;
•  identification of the cause of the incident and of its seriousness;
•  tactics for containing the incident so that damage does not spread, allowing for prioritisation and cost-benefit analysis;
•  corrective action, including plans for its implementation;
•  prevention of recurrence;
•  communication with those affected and with those involved in the corrective action and recovery process;
•  incident reporting, including through to the formal Management Review cycle.

The maintenance of an audit trail will be required for internal problem analysis, as evidence of wrongdoing, and for negotiations for compensation. Any entry in the System Fault, Security Incident and Software Malfunction Log will be signed off when an incident is satisfactorily cleared.

Learning from incidents

The organisation will respond to security incidents and malfunctions and, through their analysis, will learn from the incidents. Reporting will be through defined channels and it is essential that this be done quickly.

All employees and contractors will be trained to recognise an incident that may impact on the security of the organisation’s assets, and will be made aware of the disciplinary actions available to the organisation where there is a breach of security by an employee or contractor.

The Information Security Management Representative will analyse the entries in the System Fault, Security Incident and Software Malfunction Log to quantify the volumes and costs of incidents. The information will be reported to the Management Review Meeting to enable improvements to be determined.

Collection of evidence

Should the follow-up from a security incident include action against a person or organisation involving legal action, either civil or criminal, evidence will be collected, retained and presented so as to conform with the rules of evidence laid down by the courts in the jurisdiction in which the action will be heard.

To achieve compliance with published standards or codes of practice for the production of admissible evidence, there should be a reasonable prospect that the evidence produced will be both admissible and of adequate quality. The Company’s lawyers are likely to be involved at this juncture. The steps to be taken in the investigation process include:

•  the collection of originals of all relevant documents;
•  details of who found the problem, where and when;
•  witness details if available;
•  records should be securely retained so that they can be accessed only by authorised persons and so that there is no tampering with them;
•  copies of computer media should be retained in secure storage;
•  copies of access logs should be retained, again in secure storage.

Rules of evidence should be observed to support an action against a person or organisation. Where the action involves the law, either civil or criminal, the evidence presented should conform to the applicable rules of evidence. In general these rules cover:

•  admissibility of evidence;
•  weight of evidence;
•  adequate evidence that controls have operated correctly and consistently.

Admissibility of evidence should be achievable if organisations ensure their information systems comply with a published code of practice for the production of admissible evidence. Quality and completeness of evidence is achieved by a strong evidence trail, which can be established under the following conditions:

•  for paper documents: the original is kept securely and it is recorded who found it, where it was found, when it was found and who witnessed the recovery. Any investigation should ensure that the originals are not tampered with;
•  for information on computer media: copies of any removable media, of information on hard disc or in memory should be taken to ensure availability. A log of all actions during the copying process should be kept and the process witnessed. One copy of the media and the log should be kept securely.
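As an added illustration of the media-copying steps above, not part of the manual: the original is hashed, copied, the copy hashed and compared with the original, and every action is appended to a custody log whose entries are chained by hash, so that a later edit or removal of an entry is detectable when the log is re-walked. The image contents, the names of the analyst and witness, and the log format are constructed.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so that images larger than memory can be hashed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of every action taken on evidence. Each entry carries the hash of the
    previous entry's text, so altering or removing an earlier entry breaks the chain."""

    def __init__(self, path: Path):
        self.path = path
        self.previous = "0" * 64

    def record(self, action: str, actor: str, witness: str, item_hash: str) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "witness": witness,
            "item_sha256": item_hash, "previous_entry_sha256": self.previous,
        }
        line = json.dumps(entry, sort_keys=True)
        self.previous = hashlib.sha256(line.encode()).hexdigest()
        with self.path.open("a") as f:
            f.write(line + "\n")
        return entry


def acquire_copy(original: Path, copy: Path, log: CustodyLog, actor: str, witness: str) -> str:
    """Copy the media, hash before and after, and log each step; raises if the copy differs."""
    before = sha256_file(original)
    log.record(f"hashed original {original.name}", actor, witness, before)
    shutil.copyfile(original, copy)
    after = sha256_file(copy)
    log.record(f"copied to {copy.name}", actor, witness, after)
    if after != before:
        raise RuntimeError("copy does not match original; evidence not verified")
    return after


def verify_log(path: Path) -> bool:
    """Re-walk the log and confirm the hash chain is intact."""
    previous = "0" * 64
    for line in path.read_text().splitlines():
        entry = json.loads(line)
        if entry["previous_entry_sha256"] != previous:
            return False
        previous = hashlib.sha256(line.encode()).hexdigest()
    return True


def demo() -> tuple:
    """Walk-through on a constructed image in a temporary directory.
    Returns (digest of the verified copy, chain intact before tampering, chain intact after)."""
    work = Path(tempfile.mkdtemp())
    original = work / "laptop-0417.img"
    original.write_bytes(b"constructed disk image contents\n" * 4096)   # stand-in for a captured image
    log = CustodyLog(work / "custody.log")
    digest = acquire_copy(original, work / "laptop-0417-copy.img", log, "A. Analyst", "B. Witness")
    intact = verify_log(log.path)
    # Simulate someone editing the first log entry after the fact.
    lines = log.path.read_text().splitlines()
    lines[0] = lines[0].replace("A. Analyst", "Z. Nobody")
    log.path.write_text("\n".join(lines) + "\n")
    return digest, intact, verify_log(log.path)


if __name__ == "__main__":
    print(demo())
```

The hash of the copy, recorded in the witnessed log, is what lets the copy be used for analysis while the original stays sealed: anyone can later re-hash the working copy and show it is still the bytes that were taken from the original.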

All software in use in the Company and on information security assets, whether used in-house or away from the Company’s facilities, will be listed on the Software Register. The serial numbers and latest version numbers will be included in the listing. The Software Register will also list the software products that are authorised to be loaded on each particular asset. The Software Register will be approved by Top Management.

Other controls that should be considered are:

•  publishing a software copyright compliance policy which defines the legal use of software and information products;
•  issuing standards for the procedures for acquisition of software;
•  maintaining awareness of software copyright, with disciplinary action for breaches;
•  maintaining proof and evidence of ownership;
•  implementing controls to enforce the maximum number of users permitted by a licence;
•  checks that only authorised software and licensed products are installed;
•  providing a policy to maintain appropriate licence conditions;
•  providing a policy for the disposal and transfer of software;
•  using appropriate audit tools;
•  complying with the terms and conditions for software and information obtained from public networks.

Protection of organisational records

Important organisational records need to be protected from loss, destruction and falsification, and some may need to be retained to meet statutory or regulatory requirements. The time period for retention may be set by law or regulation and should be checked.

Records should be categorised into record types such as accounts, database records, transaction logs, audit logs and operating procedures, each with its retention period and type of storage media (paper, microfiche, magnetic, optical). Any cryptographic keys associated with the records should be kept separately and retained for as long as the records themselves, so that encrypted records remain readable for their whole retention period.

The possibility of degradation of the media used for storage of records should be considered, and storage and handling should be in accordance with the manufacturer’s recommendations. When electronic storage media are chosen, procedures to allow access should be included, bearing in mind that the manner of retrieval should be acceptable to a court of law. Clear identification should be ensured, and it should permit appropriate destruction of records after the statutory or regulatory period or after their value to the organisation has expired. To meet these obligations the following steps should be taken:

•  guidelines should be issued on the retention, storage, handling and disposal of records and information;
•  a retention schedule identifying record types and retention periods should be drawn up;
•  an inventory of sources of key information should be maintained;
•  appropriate controls should be implemented to protect essential records and information from loss, destruction and falsification.

Data protection and privacy of personal information

Legislation is in place to control the processing of personal information (generally information on living individuals who can be identified from that information), and it imposes duties on those collecting, processing and disseminating that information. This may restrict the ability to transfer such data to other countries. The appointment of someone to act as the data protection officer may be required, but it is the responsibility of the owner of the data to seek advice about any proposals to keep personal information in a structured file.
