UL DQS India News Letter - iSeeek Jun 2014
Jun 2014 | Volume 16 | Issue 13
Index
• ISO 27001: 2013 updates
• Significance of certifications in cement sector
• Managed training solutions
• Proud moments
• News and updates
• Customer feedback
• Services
Security and safety of data (information asset) is critical to the survival of any organization. ISO 27001
addresses this very basic need and ensures that crucial or critical data is not accessed by
unauthorized personnel and does not fall into the wrong hands. When it was introduced, ISO 27001 was primarily
used in the Information Technology industries (and BPOs); with time, however, it has become relevant
in all industry sectors wherever there is a data/information security requirement. We present you with an
article on the latest revision of the standard, i.e. the ISO 27001: 2013 version, by Ashok Majmudar, one of
our very senior auditors and an IT expert.
Also included in this issue is an article on Significance of Certifications in Cement Sector, which was
published in the Indian Cement Review magazine. In addition to the above we have included a write up
on our new service offering 'Managed Training Solutions (MTS)'. This is a unique Training Service to
help and support organizations in managing the competency development of their employees and
personnel. Please do contact Pramod Satya for any further information on the same.
As usual we also share some proud moments and good words from our customers. We hope you will
find this issue informative and interesting and look forward to your continued feedback.
ISO 27001: 2013 UPDATES
By: Mr. Ashok Majmudar, Lead Assessor, UL DQS India
UL DQS India has conducted a seminar on the update to 27001: 2013, led by our experienced IT
auditor Ashok Majmudar.
Introduction
ISO/IEC 27001 - the international standard for information security management systems - was recently updated
to match current best practice and to recognise the changing threats to information security.
For some organisations, adapting their ISMS to the new requirements will be a trivial matter, while others will
need to engage in a more thorough examination. This green paper highlights the significant changes to ISO/IEC
27001, and offers a few points of advice to aid in preparing. It should be noted that the release of the new
standard does not negate or weaken any existing certification, and all organisations will have time to update their
ISMS in line with the standard for recertification.
Structure
The structure of the standard has changed, which is a direct result of some core changes in the recommended
process for developing the ISMS. While ISO 27001:2005 specified that the process used in the implementation
of the ISMS was PDCA (Plan - Do - Check - Act), the 2013 update removes this point. This is not to say that the
PDCA process is no longer valid; rather, it opens the process up to alternative methodologies and processes that
may be more suited to the organisation.
ISO 27001:2005 used the following structure:
0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
Annex A - Control objectives and controls
This has been replaced with the following structure in ISO 27001:2013:
0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls
This structure is no longer based on development through PDCA. The flow is entirely compatible with the PDCA
process, however, so existing ISMS workflows need not change unless alternative methodologies are more
appropriate.
Terms and definitions
The terms and definitions are no longer supplied in ISO 27001:2013. Instead, clause 3 refers the reader to
ISO/IEC 27000, which has become a centralised reference for all 27000-series standards.
Clause deletions and new clauses
The majority of clauses from 27001:2005 still exist or have been slightly modified. Several, however, have been
removed entirely, and some new clauses have appeared. While compliance with the redundant clauses is no
longer necessary to achieve/maintain certification of an ISMS, there may be little harm in allowing them to remain
in your organisation's implementation. New clauses, however, must be complied with where relevant to your
organisation. The new clauses cover a number of new features or increased focus within the ISMS.
Key changes
Context of the organisation
The ISMS is approached - from the start - by understanding the organisation and its context (business model,
industry, etc.). This clause forms the foundation of the whole ISMS and reflects the new focus upon making it
work for the organisation, rather than imposing a potentially rigid structure.
This approach feeds into other new aspects, such as the changes to the risk assessment process. By
recognising the organisation's various responsibilities and ensuring that they are incorporated into the ISMS
from the start, the whole system becomes more robust and more reflective of the organisation.
Continual improvement
ISO 27001:2013 does not mandate the use of the Plan-Do-Check-Act (PDCA) process. The organisation is free
to implement and manage the ISMS using whichever continual improvement process they prefer. Many
organisations may have existing processes (based on COBIT® or ITIL® for example), and can now manage the
ISMS using the same system. The clear advantage here is bringing the ISMS into than standing apart.
Governance and management
The previous standard was clearly focused on a strong sense of oversight from the board and a high level of
interaction between the board and management. The new edition, however, strips this back to clarify where
governance (board actions/interests) lies as distinct from leadership (management actions/interests). There are
also several more requirements for communication, which spreads the responsibility for information security
across more of the organisation. This can only be a good thing - a workforce that is invested in information
security will be more effective in the day-to-day operation of the ISMS.
Risk assessment and treatment
This aspect of the ISMS receives some of the most significant changes, and is easier to explain as a brief
process:
• Risk is now defined as “effect of uncertainty on objectives”, which may be positive or negative.
• Select controls (from anywhere) to manage the risks associated with your organisation's business, contractual
and regulatory obligations. These can be considered 'baseline' controls.
• Conduct a risk assessment by identifying risks to your organisation's information. This does not have to be an
asset-based assessment.
• Each risk is assigned to a Risk Owner.
• Select controls (from anywhere) to manage the risks.
• Compare the baseline controls and those you have selected to those in Annex A.
It is significant to note that the controls are selected before consulting Annex A. This minor change allows the
organisation to choose the controls that are the best fit for
Annex A controls
Like the clauses in the main body of the standard, the controls in Annex A have been restructured, and some
controls have either disappeared or been subsumed into other controls, and new controls have emerged. The
general trend has been to make it clearer how each control contributes to the ISMS.
The previous structure of Annex A was:
A5. Security policy
A6. Organisation of information security
A7. Asset management
A8. Human resources security
A9. Physical and environmental security
A10. Communications & operations management
A11. Access control
A12. Information systems acquisition, development and maintenance
A13. Information security incident management
A14. Business continuity management
A15. Compliance
The controls have been restructured thusly in ISO 27001:2013:
A5. Information security policies
A6. Organisation of information security
A7. Human resource security
A8. Asset management
A9. Access control
A10. Cryptography
A11. Physical and environmental security
A12. Operations security
A13. Communications security
A14. System acquisition, development and maintenance
A15. Supplier relationships
A16. Information security incident management
A17. Information security aspects of business continuity management
A18. Compliance
As can be seen, the controls have been distributed across a slightly broader range of categories. The
controls have a more clearly delineated role within the ISMS, but a blend of controls is still necessary to
provide 'defence in depth'. In addition to this, there are now 114 controls, down from 133 in ISO
27001:2005.
SIGNIFICANCE OF CERTIFICATIONS IN CEMENT SECTOR
By: Dr. K Murugan, MD & CEO, UL DQS India
Article issued in indiancementreview.com
Certifications and assessments will bring bountiful benefits such as reduced costs, improved efficiency and
productivity, reduced insurance claims and costs, improved brand image, better acceptance by the society and
investors, etc., writes Dr K Murugan.
India is a major emerging power in the South Asian region. Focus on infrastructure and development is
fueling a huge growth in India's success. A major section of India's population being in the lower age bracket,
together with increasing per capita income, has added to this growth in the real estate sector across major cities in India. In all,
cement plays a vital role in the growth and development of the sector, and today India is the second largest
producer of cement in the world. The cement industry has been expanding and consolidating on the back of
increasing infrastructure activities and demand from the housing sector over the past many years.
In the last few years, India's cement industry has shown a consumption growth between 5-6 per cent, and can
grow to about 8-9 per cent in the coming years, subject to political stability, supported by an expected increase in
demand from the rural sector and tier II and tier III cities. In addition, cement production in India is expected to
touch 407 million tonne (mt) by 2020.
Further, the cement and gypsum products sector in India has attracted foreign direct investments, and this will
further add to the growth in the sector with the focus of the government on strengthening infrastructure,
promotion of low-cost affordable housing, ever-increasing industrial activities, real estate, and construction and
infrastructure. In addition to the onset of various special economic zones being developed across the country,
there is a continuous demand for cement.
However, cement companies are not without their share of woes.
While they continuously lose pricing power, costs continue to rise. A massive one-fourth of the overall capacities
are lying unutilised due to various reasons.
Importance of certifications
Pollution and particulate suspended matter in the environment in cement industries make it difficult for
employees to work in a conducive environment. Further, there are safety hazards and risks in both the
cement and infrastructure projects, risking life and property of the organisation. Increasing power tariffs are
also putting a huge strain on the already strained industry.
Integrated Management Assessment (IMA/IMS), comprising ISO 9001, ISO 14001 & OHSAS 18001
certifications, forms the pillar of this industry, addressing the basic quality, environment, health and safety
requirements and ensuring compliance with these crucial factors. IMS brings in discipline and ensures that our Mother
Earth is taken care of and that employees are safe and in healthy working conditions in the organisation.
With the advent of ISO 50001 - Energy Management System, the cement industry is a big gainer. An Energy
Management System ensures that the organisation contributes to the reduction of energy consumption,
hence ensuring the sustainability of the organisation and the society. With the Perform Achieve & Trade (PAT)
scheme in force, they have to ensure that they balance energy consumption, reduce their load on fossil fuels and
find new and renewable sources for energy. This would reduce the costs and make them sustainable in the
growing cost scenario, reduce load on the grid and help the nation become energy surplus.
Information and confidential data is crucial to any organisation. ISO 27001, the Information Security
Management System, helps in securing crucial, critical, sensitive and confidential information of the
organisation. This helps the company in investing in R&D with a free mind without the fear of crucial information
leaking into wrong hands. With heavy investment in formulation of cement varieties to meet varying needs of the
society it makes sense to invest in ISO 27001 and prevent any sabotage or loss of data or information.
Social Accountability (SA 8000) brings confidence to the employees and the society that there are no ill practices
within the organisation, and it takes care of its employees while ensuring free and fair treatment to all the
personnel working in the organisation. Safety is another major concern in any such industry. Working at heights,
electrical hazards, confined space working, fine dust, mining activities, crushers, transportation, etc. are some of
the areas of concern. Injuries and fatalities seriously affect the productivity and morale of the employees in
addition to attracting a slew of investigations and audits from the regulatory and statutory authorities. It also
affects the brand value in the market denting the valuation of the organisation. Safety, risk evaluation and
management play an important role here. Process safety and behaviour safety assessment and implementation
can help the company to assess the risk levels at a micro level and come up with mitigation plans to ensure a safe
working culture and environment in the company.
Certifications and assessments can also go beyond the boundaries of the company. Supplier and vendor
evaluations to the requirements of the cement/infrastructure industry help improve the inward quality of raw
material. Safe transport management helps bring safety in transportation of employees to site and their
residences. Supply Chain Security Management (ISO 28000) can help bring in safe transportation of goods and
materials, hence reducing pilferages, accidents and any other incidents so as to reduce losses.
Today sustainability is a buzz word. Global Reporting Initiative (GRI) or National Voluntary Guidelines (NVG) are
now a mandatory requirement for the top 100 BSE listed organisations. Most of the cement industries would fall
in the category and will have to ensure implementation of NVG, a directive from the government to the corporate
world to give back to the society and ensure a sustainable growth of the society. The list of certifications and
assessments would go on, however, if the organisation seriously implements the above certifications, it is bound
to bring bountiful benefits to the company and some of these could be:
• Reduced costs
• Improved efficiency and productivity
• Reduced insurance claims and costs
• Improved brand image
• Better acceptance by the society and investors
• Building strong nation
See more at:
http://www.indiancementreview.com/News.aspx?nId=IB3cNUs+C7UeYvGe6QDAqw==&NewsType=Significance-of-Certifications-in-Cement-Sector-India-Sector#sthash.CbmstM8F.dpuf
MANAGED TRAINING SOLUTIONS
By: Mr. Pramod Durga Satya, Head Training and Solutions, UL DQS India
Trainings and career development are vital in any company or organization that aims at progressing. In
today's age, retention through skill development and acquisition is a major challenge for any organization.
Investment in Trainings helps improve skill sets, build confidence and increase employees' affinity towards the
organization. Career development through Trainings helps bring in better decision making,
creativity, innovation, product & service quality and better people management for the team.
To address the above need of any growing or large organization, UL DQS India has introduced a unique program
– Managed Training Solutions.
UL DQS India's most valued offering, Managed Training Solutions (MTS), is a structured program ideal for
every Organization, as it aims at enhancing deliverables and impacting employee performance through a
continued learning curve, and is a long-term training solution mutually beneficial for both the Organization and
UL DQS.
The MTS model proposes at least a long-term association with the Organization to cohesively pre-define the
Organizational Growth towards Peak Excellence Performance.
This long-term association allows UL DQS the scope to bring about transformation in the employees'
deliverables to meet the expected standards of the organization through Trainings, Evaluations and
Discussions.
Advantages
• Course Schedule – Tailored and customized exclusively to match the Organizational requirement
• Increased Evaluations and Reporting Process
• Continuous Learning Curve and Cross trainings (if required)
• On demand re-cap of Previous Trainings Review
Training Methodology
UL DQS carefully follows the Adult Learning's trusted theories for
any of its trainings, taking essence from all the major Instructional
Systems Designing (ISD) for preparing Course Materials.
All UL DQS courses have:
• Instructor Led Training
• Regain of Knowledge from previous trainings
• Role plays and live case studies
• Group discussions
In the case of MTS, UL DQS goes a step further and all the courses in addition to ISD are re-designed and
customized in accordance to the Organizational Training Need Identification (TNI) with major examples and
case studies coming not just from Good Industrial Practices but also from the Organization itself.
Evaluations
MTS allows us to follow the Kirkpatrick's 4 level method of evaluation as listed below:
• Reaction – Through Feedback forms done after
• Learning – The learning of the training will be assessed by conducting series of tests and assessments during
and after the training
• Behavior – The actual application of Learning from the Training received over time is measured after 1 – 2
months through assessments and One on One feedbacks
• Results - Measures would typically be Change in business or organizational key performance indicators over a
period of time resulting out of MTS. The change here will be measured against the particular performance of the
previous year
Management Information Systems (MIS)
UL DQS India periodically (on agreed frequency) will provide information on the progress and learning curve of
the individuals to the Organization.
Certification
All trainings under MTS shall be on the norms of ISO 17024 with two levels of Certificates:
• Level A: Awareness Training
• Level B: Advanced Training
The following Globally Recognized UL DQS India Registered Certificate with Co-branding of the Organization
will be awarded to:
• Completion: For participants scoring 70% and more in post training examination
• Participation: For participants scoring below 70% in post training examination
UL DQS does not limit the Organization to choose from the given
list of Trainings but allows the choice to request for any relevant
trainings deemed towards development of its Individuals.
For further details and inputs on the above.
Contact: Pramod Durga Satya,
Head Training & Solutions
Email: [email protected]
PROUD MOMENTS
ISO 14001 & OHSAS 18001 certificate handover to Indian Register of Shipping
UL DQS India is delighted to be associated with Indian Register of Shipping in their pursuit for ISO 14001 &
OHSAS 18001. Dr. K Murugan, Managing Director and CEO – UL DQS India (right) handing over the certificate to
Mr. Arun Sharma – Chairman & Managing Director of Indian Register of Shipping
ENERGIE Awareness Training Programme
An ISO 50001: Energy Management System. ENERGIE Awareness Training Program for Foundries in
partnership with ASSIST Team, Coimbatore and Chennai on 08-05-2014
NEWS AND UPDATES
ENERGIE Awareness Training Programme in association with MCCI & partnership with ASSIST Team, in
Chennai on 21-05-2014
ENERGIE project is co-financed by DEG and implemented by UL DQS India in association with ASSIST. The
project will capacitate energy management professionals and help in creating energy efficient enterprises and
contribute to sustainable industrial development in India. This project is a public private partnership with a
developmental agenda of building capacity among the energy professionals and to help energy intensive
industries to adopt energy management system benchmarking international standard like ISO 50001.
The beneficiaries of the project shall look forward to the following benefits:
• A platform for key decision makers from the industry and other stakeholders, and technical experts to interact.
• A fully equipped training centre with energy lab in Chennai.
• Access to awareness campaign materials, training materials and resources through web portal.
• Opportunity for professionals to participate in the certification trainings and enhance their qualification.
• Opportunity for energy intensive industries to adopt energy management systems benchmarking ISO 50001 standard.
• Participation in the project events to network and exchange best practices.
ISO 14001 & OHSAS 18001 Certificate Handover to M K Engineering under auto sustain PPP.
CUSTOMER FEEDBACK
Dear Sir / Madam,
I would like to thank for assessing our quality systems and educating us in AIS and HIRA and other legal related issues. The assessment was really interactive and never felt uncomfortable at single point of time though the duration of audit was too long. The auditing style is really good and learnt good things from you and Mr. Shankaranarayana.
You removed most of my pains and helped me to walk in new journey once again. We will take all your comments and observations as positive sign for our improvement and definitely we will improve it through deep investigation and see how can be implemented in an effective way. At personnel view, I really thank for helping and guiding me
Thanks & Regards
The Audit conducted on 28th & 29th May 2014 was good and we are satisfied with the service of the auditor. We appreciate the suggestion given by the auditor, which will help to improve the performance of the organization.
With Best Regards,
By Manjunath Nalwade, Gowri Ventures a group company of Indo US MIM TECH Pvt Ltd.
Mr Anil Gadave, Production Manager, Perfect Pins
Dear Sir / Madam,
Dear Sir / Madam,
First of all, thank you very much for spending your valuable time with us assessing our system in line with AS9100C requirement through 2nd surveillance audit. We appreciate your findings and we are glad that we were able to perform better than last time.
However, we made notes of the observations made by you which are true futuristic building blocks to sustain and move towards excellence towards organisational growth in line with the AS standards requirements. We value your association with us and looking forward to take it further ahead.
Regards,
Sangamesh Natikar, Management Representative / HOD QA, Tata Industrial Services Limited
SERVICES
UL DQS India
(Registered as: UL Management Systems Solutions India Pvt Ltd)
Anjaneya Techno Park, 5th Floor, #147, HAL Airport Road, Kodihalli, Bangalore - 560 017, India
Ph: +91 80 6661 6500, Fax: +91 80 6661 6530, Email: [email protected]
We have offices at Bangalore, Baroda, Chennai, Delhi and Pune
Visit our India website: www.ul-dqs.in; Visit our corporate website: www.dqs-ul.com
https://www.facebook.com/UL.DQS.IN https://twitter.com/ULDQSIndia http://www.linkedin.com/company/ul-dqs-india
For feedback and queries
Trainings & Solutions: MTS