ISO 27001:2013 Highlights of Change to the New Revision
ISO released a new version of its information security management standard, ISO/IEC 27001, in September 2013. The supporting guideline ISO/IEC 27002 has also been updated. All organizations already certified under ISO/IEC 27001:2005 have to transition to the new version by October 2015.
The effective use of these standards can help companies achieve best practices in information security, avoid re-inventing security controls, optimize the use of scarce resources, and reduce major security risks such as loss of proprietary information, hacking of networks, spread of malware, data compromise, and failures of service providers to understand and meet customer requirements.
Thousands of companies have adopted ISO/IEC 27001 and 27002 as their standards for information security programs and controls. Together, they are the de facto standards and provide the requirements and code of practice for information security. ISO/IEC 27001 also enables organizations to achieve compliance with regulations such as FISMA, HIPAA and GLBA. They provide a baseline for initiating, implementing, maintaining and improving an information security management system in an organization of any size.
The scope of security risk has been increased to include enterprise risk assessment. This will enable organizations to use the standard for their Governance, Risk and Compliance (GRC) program, a major change in the right direction. The documentation requirements have also been simplified to a great extent by replacing the term "documented procedure" with "documented information".
The new standard has also simplified the list of controls in Annex A by reducing the number of controls from 133 to 114. However, the scope of application of the controls has expanded significantly.
Some of the major changes in the controls are:
- Inclusion of system engineering and project management: new controls were added to address information security in project management (A.6.1.5), secure development policy (A.14.2.1) and secure system engineering principles (A.14.2.5)
- Mobile device policy (A.6.2.1): this addresses the increasing use of mobile devices in information processing and the use of personal devices to access organizational information assets.
- System security testing (A.14.2.8): information processing systems should be tested for their compliance with security requirements. This testing is in addition to the regular system acceptance test conducted after system changes.
Many of the changes will better align security objectives with business goals and objectives and that alignment will help everyone across the whole organization to better appreciate the importance of information security to the company’s sustainability, viability and reputation.
Interested in… Discussing the establishment of security controls in your organization? Developing testing protocol to ensure a self-sustaining system? A one-day security system review? Considering ISO 27001:2013 certification?
Please contact your local UL DQS Inc. Sales Executive:
Ernie Cumming – WA, OR, ID, MT, WY, UT, CO, AL, HI, Northern CA
Paul Mullenhoff – NV, AZ, Southern CA
Steve Pinter – ND, SD, NE, KS, MO, IA, MN, WI, IL
Randy Spivey – NM, TX, OK, AR, LA
Scott Adams – MI, IN, OH, KY, TN, WV
Morgan Blue – MS, AL, GA, SC, NC, VA, DC, PR, Caribbean Islands
Larry Dorf – FL
Jeff Spizuco – NY, VT, NH, ME, RI, MA, PA, NJ, DE, MD, CT
A global topic with local relevance: Energy Management Standard ISO 50001
The interest in ISO 50001 and energy management systems as a whole unites countries and industries worldwide. The need to handle resources carefully, to save costs in energy consumption, and to fulfill each country's energy-related political objectives are factors uniting organizations in their desire for such a certification, no matter where they are located.
Against the backdrop of rising energy costs, "energy efficiency" has become a major topic on the agenda, especially for energy-intensive industries. Sustainability is the driving social force behind innovations and values, and will certainly be one of the strongest growing areas in corporate organizations in the years to come. With sustainable action based on certified management systems, organizations stand to realize benefits in many operational areas, from cost savings to cash flow or market share. In addition, organizations are likely to improve their environmental balance sheets regardless of location, size, industry sector or type of energy consumed. Additionally, governments of many countries increasingly make use of this tool in order to make legal requirements for energy savings more attractive, and they like to make use of the expertise of DQS UL Group for their national energy goals. DQS UL Group recognized the significance of energy management early on; through the experts at UL DQS Inc., the group was involved in the development of ISO 50001 from the start. At the end of December 2011, UL DQS was one of the first certification bodies to receive accreditation to ISO 50001 from the German accreditation body DAkkS.
Energy management, a topic once "owned" by environmentalists, is increasingly being ranked "urgent" by senior executives from various industries. There has been a significant shift in business attitudes regarding climate change and energy worldwide. Companies are beginning to identify the true costs of carbon-centric energy consumption patterns. This congruence of concerns around the cost, supply, reliability and environmental impact of the energy needed to sustain our economies and way of life is increasingly influencing business and planetary decisions at the highest levels.
As a result of this rapid change in perceptions, corporate America has reached a tipping point, with companies across a host of industries now making the cost, availability and environmental impact of their end-to-end energy consumption a strategic priority. They now frequently view energy management as a form of risk management. What once was managed as a cost is increasingly being managed as a strategic risk, and as a source of new value and opportunities.
Organizations that have adopted energy management plans have achieved major improvements. Since the end product of the EnMS standard is to provide measurable results, its implementation has become a business driver, enhancing ROI (Return On Investment) and driving improvements in how energy is managed. Organizations that have adopted effective energy management strategies and built successful energy programs have had interesting results: Ford Motor Company has saved over $75 million through effective energy management; Hines estimates the difference in operational costs between its energy-efficient and inefficient buildings at more than $13 million; and Fairfax County Public Schools estimates an annual energy savings of $4.5 million from energy efficiency improvements. Leading energy management companies such as Schneider Electric and Case New Holland (CNH) have been assessed and certified to ISO 50001 by UL DQS.
Japan has learned a lot since Fukushima. Late in August 2011, the Japanese government passed a law subsidizing the purchase of energy from renewable sources. According to this law, which became effective July 1, 2012, the government is allowed to define special tariffs for energy from renewable resources. In order to better understand the background and objectives of the German Renewable Energy Sources Act (EEG), which served as an example for similar initiatives in about 50 other countries, the Japanese government sent energy experts to Germany. After meeting with the Federal Office of Economics and Export Control (BAFA), they proceeded to the DQS headquarters in Frankfurt to learn about the methods a certification body may use to verify implementation of the EEG. The DQS-UL office in Tokyo continues to maintain this contact with its government.
During a chamber conference of parliament in 2011, the President of the Republic of Kazakhstan, Nursultan Nazarbayev, emphasized that implementation of the "Energy Saving and Energy Effectiveness Law" would be one of their most important objectives, since the development of the energy market is very important for strengthening the economy. This law establishes a legal basis in the area of energy saving and improvement of energy effectiveness. It also includes stipulations for the financing of activities through budgets at all levels. Additionally, the law includes provisions for implementing the rights of governmental bodies in modernizing the production, storage, transportation and consumption of energy resources, and in overseeing the use of energy resources.
Among the 300 attendees at the "Days of Energy Savings and Energy Effectiveness" were many officials from various government levels, as well as from large-scale companies both foreign and domestic. As the official representative of DQS-UL Group in Kazakhstan, the general director of "DQS Certification KZ", Mrs. Gaziza Omarova, spoke on the approval and implementation of the ISO 50001:2011 standard and the importance of energy savings.
In Korea, DQS UL customer Samsung is a pioneer in the area of energy management. Four sites in Korea have already been certified to ISO 50001 by UL Management Systems Solutions (Korea) LLC, with plans to certify all sites overseas. The Korean government requires designated companies (large energy consuming companies such as steel, shipbuilding and chemical companies) to establish and achieve energy savings targets.
ISO 50001 is particularly sought after in Poland, especially due to the requirements of the new European Directive on Energy Efficiency (EED) stipulating 20% primary energy savings by 2020. The government has established working groups to generate plans for the implementation of these statements and goals. To date, the so-called "Act of 15th April 2011 on Energy Efficiency" is still applicable; it calls for energy savings of 9% and establishes the responsibilities of the public sector in energy efficiency as well as the rules for obtaining and remitting certificates of energy efficiency. The Act places much emphasis on conducting so-called "energy support audits" for thermo-operated buildings and renovations. Funding opportunities for financing and supporting initiatives aimed at saving energy and promoting renewable energy sources, with the aim of reducing greenhouse gas emissions and air pollutants, became available in late 2012.
ISO/TS 16949: New Rules – Audit Planning
On October 1st, 2013, the International Automotive Task Force (IATF) published new Certification Rules (4th Edition) for planning and conducting audits according to ISO/TS 16949. These rules come into effect on April 1st, 2014.
Now that the effective date is upon us, we have summarized one significant change to audit planning, as well as the impact this will have on your organization.
Details – Audit Planning
(according to Rules, 4th edition, chapter 5.7.1 and 5.7.2)
UL DQS Inc. requires the organization to provide the following information as a basis for audit planning:
- The client’s quality management system documentation, including evidence about conformity to ISO/TS 16949 requirements and showing the linkages to, interfaces and interactions with any remote support functions
- Customer and internal performance data since the previous audit
- Customer satisfaction and Customer complaint summary since the previous audit, including the approval of latest customer reports and/or scorecards
- Identification of any customer special status since the previous audit
- Notification about any new customers since the previous audit
- Results of internal audits and management reviews since the previous audit.
The UL DQS Inc. audit team will analyze the required information (see the bullet points above) to determine critical areas to be prioritized based upon risk to the customer, performance trends, and critical processes.
As minimum content, a summary of the client's performance for the items provided by the client (see the bullet points above), the result of the audit team's analysis, and the identified priorities will be recorded and retained as part of the audit records. One member of the audit team will develop a process-oriented audit plan for each audit (initial, surveillance, recertification, special, and transfer audits).
An audit plan prepared according to the required information shall:
- Identify a minimum of one (1) hour on site, prior to the opening meeting, for verification of changes to customer and internal performance data, including a review of current online customer reports and/or customer scorecards
- Identify the name of client processes to be audited
- Identify when the interactions with remote functions will be audited
- Identify each manufacturing process to be audited and respective shifts
- Identify when corrective actions arising from previous audits will be verified on site
- Identify which customer-specific requirements have to be audited
- Record the total number of hours audited per day and the total number of audit days per audit team member
In creating the process-oriented audit plan, the audit trail shall be scheduled in such a way as to avoid unnecessary duplication of visits to the same process.
If the organization does not provide the required information, the de-certification process shall be initiated.
Please stay tuned for our upcoming webinars in May, where we will expand on the audit planning aspects of the TS Rules 4th Edition changes.
UL DQS Inc. Team