V1/17UNDERSTANDING THE BENEFITS OF THE NEW ISO 9001 AND ISO 14001 MANAGEMENT SYSTEMS STANDARDS

MDSAP: RAISING THE BAR FOR MEDICAL DEVICE STANDARDS

BENEFITS OF CORPORATE TRAINING: FACE-TO-FACE AND ELEARNING

THE ORIGIN OF TIMBER, PAPER AND OTHER FOREST PRODUCTS

THE ONLINE REVOLUTION IN THEHOSPITALITY INDUSTRY

CYBER SECURITY TOP TRENDS & THREATS

MAKING WORKPLACES SAFER: ISO TO UNVEIL NEW OCCUPATIONAL HEALTH AND SAFETY MANAGEMENT SYSTEMS STANDARD

QUALITY INSIGHTSTHOUGHT LEADERS IN CERTIFICATION AND TECHNICAL CONSULTING

VOL.1 2017 PAGE 2ABOUT SGSLEADERSHIP AND INNOVATION SINCE 1878

1878

SGS transformed grain trading in Europe by offering innovative

agricultural inspection services.

TODAY

SGS celebrates more than 140 years in the business.

90,000EMPLOYEES

2,000OFFICES & LABORATORIES

1913

Became a leader in grain inspection (21 million tons).

1928

The company grew internationally, with offices and affiliates in 21 countries around the world.

1981

SGS was listed on the Swiss Stock Exchange.

1950

80% of the company’s revenue still came from its core Agricultural Services business.

1919

Adopted the name it carries today, Société Générale de Surveillance.

1946

Began inspection of European imports.

1980

The company now has 113 offices, 57 laboratories and 9,500 employees working in over 140 countries around the world.

SINCE 2000

Listed more than 160 acquisitions.

• 1,150 offices & laboratories; 36,900 employees in Europe, Africa & Middle East

• 450 offices & laboratories; 21,600 employees in Americas

• 400 offices & laboratories; 31,500 employees in Asia Pacific

VOL.1 2017 PAGE 3

• Deliver innovative solutions and services that transform our customers’ operations.

• Enhance processes, systems and skills.

• Offer solutions and services fundamental to ongoing success and sustained growth.

• Enable continuous improvement.

• Improve our customers’ operations, meet their stakeholder requirements and manage their sustainability and social responsibility needs.

• Transform our customers’ value chains.

SGS BUSINESS BENEFITS

CONSUMER GOODS AND RETAIL

INDUSTRIAL MANUFACTURING

TRANSPORTATION

AGRICULTURE AND FOOD

ENERGY MINING CONSTRUCTION

CHEMICAL LIFE SCIENCES

OIL AND GAS

PUBLIC SECTOR

OPERATING ACROSS A WIDE VARIETY OF INDUSTRY SECTORS

TRAVEL AND HOSPITALITY

QUALITY INSIGHTSQuality Insights covers the latest news and industry updates about certification and technical consulting. Each publication highlights a variety of industries, discussing the latest news and regulatory updates, written by leading industry experts.

200,000CUSTOMERS

165,000ISSUED CERTIFICATES

VOL.1 2017 PAGE 4

UNDERSTANDING THE BENEFITS OF THE NEW ISO 9001 AND ISO 14001 MANAGEMENT SYSTEMS STANDARDS

ISO 9001 and ISO 14001 are the world’s most commonly used standards for quality management and environmental management systems. With the deadline of the new versions being implemented in 2018, what are the benefits and how can you transition with ease?

Globally, over 1.1 million ISO 9001 certificates have been issued for ‘Quality Management’, and nearly 350,000 ISO 14001 certificates for ‘Environmental Management’. These are, by far, the most commonly used management system standards in the world. ISO 9001 currently represents 67%, and ISO 14001 21%, of all ISO management systems certificates issued globally.

Both standards were revised in September 2015. These updated versions of the standards more closely resemble modern business language and practice, reflecting both the current business environment and the needs of the user. The deadline for implementation of the new standards is 14 September 2018.

WHAT ARE THE BENEFITS?

By updating ISO 9001 and ISO 14001, businesses will see several advantages to the 2015 iterations. These include:

• Greater emphasis on top management engagement and improved alignment between management systems and the strategic direction of the organisation. These should be an integral part of a business’ processes

• The adoption of Risk Based Thinking, giving opportunities to differentiate between the various processes based on their level of importance and impact on delivering conforming products/services. This will allow focus on key priorities

• Widening the concept of customers to include (in addition to the contractual customers) end-users, consumers, regulatory bodies, etc. This allows the definition and expectations of interested parties to be addressed

• Adopting High-Level Structure (Annex SL), facilitating the harmonisation and integration of different management system standards

• Lessening the requirements for documentation, enabling organisations to decide on what matters most to its operation and how to manage and control it in an era where automation and smart systems play an increasing role in management

WHAT’S THE FEEDBACK FROM EARLY ADOPTERS?

According to the ISO survey 2016, released in September 2017 both ISO 9001 and ISO 14001 have witnessed strong single digit growth – of 7% and 8% respectively.

Early adopters of the 2015 versions have given us positive feedback, identifying practical improvements gained from the experience.

One business has reported the introduction of new ways of working, such as post-project debriefings. These have improved knowledge-sharing around the company, fulfilling the new standard’s requirement for creating a business-wide ‘change to improve’ culture. Adoption of the 2015 standard has also led to the creation of a ‘Business Risks and Opportunities Register’, detailing all issues that may impact upon the business. This helps prioritise what will affect the business most, encouraging the identification and discussion of internal and external influences and helping to create more efficient management structures.

Another company, working in the jewellery sector, sought ISO 9001 and ISO 14001 certification because they realised it would help with sustainability and give them competitive advantage. The new versions of the standards have helped focus attention, both internally and externally, upon the core values of the business. They have used SWOT (strength, weakness, opportunity and threat) analysis to assess the company in relation to culture, corporate law adherence, technology and economic conditions.

Finally, a company in the Philippines has told us that the adoption of ISO 9001:2015 has helped them reduce losses resulting from customer dissatisfaction, when their service did not meet customer specifications or international standards. Higher customer satisfaction rates and improved trust have led to better cash flow and zero percent debt. They have also reported improved communication and employee engagement, citing the new standard as the cause of this improved work culture.

ACHIEVING SMOOTH TRANSITION?

The key to a smooth transition will be the identification of differences between current ISO standards and the 2015 versions. Gap analysis by a certification specialist, like SGS, will help to identify which areas need improvement, helping companies draw up a realistic plan for implementation.

Training on the new versions of both standards (either face to face or online) has proved to be one of the best choices companies have made to speed up the transition process and to avoid many pitfalls.

Working with businesses already accredited to ISO 9001:2015 and ISO 14001:2015, we have seen the benefits of early adoption. For companies not yet certified to latest versions of these standards, transition must be completed by 14 September 2018.

To learn more, contact:

MAGD HENDYRegional Manager, Africa t: +202 27263053

VOL.1 2017 PAGE 5

The demands on the modern worker are very different to those of a few decades ago. It is estimated that approximately thirty percent of employees now work at multiple sites, sometimes in remote locations. Many businesses actively encourage working from home and flexible working practices to support employees who are looking for a better work/life balance. Within this business culture, traditional training and development channels very often don’t work.

Business leaders are now acknowledging that a happy employee becomes a long-term member of staff. A key tool in the creation of the ‘happy employee’ is the ability to provide continuous support and training. This principle is backed-up by research in the UK, which showed 74% of UK workers felt they had not reached their potential and wished they were receiving more job training. A second study, conducted in Canada, revealed that around 40% of employees, who did not receive adequate training, left their posts within a year. [1]

For businesses, workforce development can be the difference between success and failure. [2] So, if business success is linked to training and development, why do so many employees report they are dissatisfied. The problem is not necessarily investment. For example, the 2013 Corporate Learning Factbook reported that US businesses spend more than $60 billion a year on employee development. On average, however, only one percent of the working week is devoted to training.

The problem may not be, therefore, the willingness to train but the approach to training.

FACE-TO-FACE

While many things can be done virtually in the digital age, physical interaction remains one of the best ways to learn. Communicating and developing relationships through personal interaction is one of the key reasons face-to-face learning continues to be a preferred methodology. Learners

gain from the depth of information and experience that is imparted to them by the tutor. Tutors will have many years of experience in their field, which will enrich their tutorials in a way online learning cannot. This personal element allows learners to ask questions and receive an immediate response in the verbal language and style that they are comfortable with, therefore avoiding any problems of miscommunication or misinterpretation.

ELEARNING

Research shows that 70% of employees use search engines to learn on the job and most people habitually use their smartphones to answer unexpected questions. Accessing information online has become the norm for many people and, with the traditional model for training no longer appropriate in modern businesses, it is natural for companies to turn to eLearning to fill the gap.

There is a dilemma at the heart of modern business: employees need to be kept up to speed on developments in technology, standards and regulations, and yet only one percent of the working week is devoted to training. How can companies undertake effective staff development in today’s business culture?

BENEFITS OF CORPORATE TRAINING: FACE-TO-FACE AND ELEARNING

VOL.1 2017 PAGE 6

The flexibility afforded by eLearning means it provides a number of benefits to both the employee and the employer.

For the employee, it:

• Personalises the learning experience

• Gives them control over when, and how, learning takes place

• Aligns with their daily schedules for accessing information

• Provides a greater sense of connectivity, especially relevant for employees working in isolation or in remote locations

For the business or organisation, it:

• Makes it easy to reach staff at multiple locations

• Provides trackable and measurable results

• Delivers training that upskills employees

• Ties learning into behavioural changes and business results

A MIXTURE OF BOTH – BLENDED LEARNING

Organisations need to be willing to change the way they train their staff if they are to succeed. Josh Bersin cites the examples of Nokia and countless search engine businesses, who held highly trained workforces but were finally out-innovated by the business cultures at Apple and Google. [3] These companies developed training cultures that progressed the individual and the business, adapting to the changes around them.

For many organisations, the answer to successful training will be blended learning. Companies are able to choose the balance, ensuring alignment with both the requirements of the business and their employee’s needs, using a combination of traditional and high-tech learning solutions. The workforce then receives the training it needs, but in a format that is less stressful and more appropriate to their working lifestyle.

A face-to-face tutor can help further develop knowledge gained through eLearning by adding real-life examples, gained from personal experience. The tutor can also ensure new knowledge is being implemented in a manner that is suitable for the learner and the business. During this process, the tutor, as the conduit between employer and employee, is also able to assess the success of the learning solution for each student. The freedom to learn in this way has been shown to develop a more self-sufficient and result-orientated workforce. [4]

The world of corporate training is changing, just as the work environment is changing. With staff no longer situated at one location, and with an increasing dependence on online resources, companies need to

adapt the way they train to meet these new challenges. Companies, such as SGS, are developing a range of options to provide training that works around both the needs of the employer and the needs of the employee. Flexibility is key, as everyone is an individual and every business has a different culture. eLearning will provide employees with a more conducive studying environment that fits around their normal habits but, at the same time, the use of face-to-face training, drawn from the more traditional forms of instruction, will help employees to utilise that their learning effectively.

To learn more, contact:

AMANDA MANGANGlobal Head Training and Developmentt: +44 (0) 1276 697707 / 06

BENEFITS OF CORPORATE TRAINING: FACE-TO-FACE AND ELEARNING

VOL.1 2017 PAGE 7

How does a customer relate to a brand? How does a hotel understand and control its virtual image? In a Web 2.0 world, hotels need to be in control of their online image to protect their brand and encourage growth.

The online landscape for hotels has changed. The competition a hotel faces is no longer just another hotel but the online technology that drives customers to its doors. Twenty years ago, it was acceptable for a hotel to use a website as a passive supplier of information to potential customers but today consumers are used to interacting with businesses via the internet.

Currently, 88.1% of the population in North America is online, 80.2% of Europeans are online, with lesser but growing percentages in the other areas of the world. Globally, 3,885,567,619 people were registered as online users in June 2017 and this trend is to continue with service providers seeking to exploit new territories. [1] For hotels, this provides an opportunity to reach larger numbers of potential customers in a way that would have been unimaginable a few years ago. The ability to reach more customers is tempered, however, by the ease with which customers can review establishments and the potential damage a negative review can achieve.

THE IMPORTANCE OF SOCIAL MEDIA

The impact of social media on the tourism sector cannot be underestimated. Social media now has a major impact upon the hotel and travel choices of both individuals and businesses. Social media platforms, such as Facebook, Instagram, Twitter, Youtube and LinkedIn, can be seen as trusted sources of review by potential customers. It is estimated around 69% of online people will use social media when considering booking a trip, with 44% of customers acknowledging they would only book a hotel after reading an online review. Studies have also shown that 74% of travellers will now write some form of online assessment of their trip. [2]

A recent article in the UK Hotel Industry magazine suggested, on average, guests pack three portable electronic devices for a weekday stay and five for a weekend stay. [3] These guests are remaining ‘online’ during their stay and it is normal for them to comment about their stay on social media.

Facebook, on which hospitality brands have the largest median audience size, has over 800 million active users. Each account is linked to, potentially, an enormous number of other accounts, meaning information and comments can very easily reach large numbers of people, and at great speed. This can be both positive and negative but it must not be underestimated by brand managers – 52% of Facebook users indicated that the photographs on their friends Facebook page had a direct impact upon their decisions when booking future holidays. [4]

TRIPADVISOR

In the tourism sector, TripAdvisor has become the globally dominant online platform. Each year, it is estimated TripAdvisor is responsible for over $10 billion in online travel purchases in the US alone. [5] It lists over 890,000 establishments, covering more than 45 countries. The site holds one of the largest collections of photographs in the online world and has a resource of well over 200 million reviews. [6] Every month, these reviews are accessed by over 260 million unique users. [7]

A major influence on the choices made by consumers is the rating given to them by TripAdvisor. Where a business is ranked in a list of local establishments can have a major effect on bookings. Businesses that are not listed in the first five positions on TripAdvisor, do find they lose business to their competitors. For small businesses, without the financial resources to turn around a negative review, a relatively small number of bad reviews can be catastrophic.

THE ONLINE REVOLUTION IN THE HOSPITALITY INDUSTRY

VOL.1 2017 PAGE 8

THE DANGER OF ONLINE REVIEWS

Research has shown that up to 98% of people believe TripAdvisor reviews are trustworthy. [8] Consumers are willing to believe social media reviews because they think they are written by people like themselves. The perception is that these reviews are unbiased and are therefore trustworthy. In the case of Facebook and Twitter, it is probable the consumer has a direct relationship with the contributor and so knows whether their opinion will correspond to their own. In the case of online review sites, however, this filtering factor is reduced.

There have been several instances where positive reviews that been shown to be written by members of staff. In other cases, disparaging reviews can be the work of competitors trying to sully a brand. Even if the review does come from a person who is independent and who has stayed at the hotel, it does not necessarily follow that the review is trustworthy. Review sites have tried to democratize the reviewing process but this means there is no single standard being applied to all

comments. Industry executive, Paul Kerr, while acknowledging the importance of online reviews, states there needs to be a way to “cull the rampaging herd.” [9]

The assumption is, the person reviewing is like ‘me’ and the problem is, they aren’t. The reviewer may come from a very different background, have very difference experiences of the types of hotel they are staying in. From this perspective, it is clear to see their review will be biased, either positively or negatively. In either instance, the value of the review is diminished.

WHY HOTELS SHOULD TAKE NOTE

Hotels must acknowledge that their customers will be using social media before they book a trip, during the trip and after the trip and so they must be ready to respond to this in real-time. They can no longer afford to use the same systems that worked effectively 20-30 years ago. Technology has moved on and the hotel sector must adapt to utilize it. [10]

The key to success is a reliable online reputation management (ORM) system that can engender a positive image across the internet. Accommodation staff, tour guides and restaurant managers need to consider ways in which positive comments can be encouraged. This can be through positive reviews on TripAdvisor or the sharing of unique content on social media. [11] The days of ignoring negative comments are gone, the hospitality sector must be prepared to use social media to its advantage and be ready to respond to negative observations in an appropriate way.

To learn more, contact:

PETER HVIDBERGGlobal Business Manager, Hospitalityt: +41 22 739 94 76

THE ONLINE REVOLUTION IN THE HOSPITALITY INDUSTRY

VOL.1 2017 PAGE 9

With Health Canada transitioning from CMDCAS to MDSAP, manufacturers must now consider the effects of the introduction of this global programme for medical device production.

Recognition of the need for a global programme for medical devices has led to the development of the Medical Device Single Audit Programme (MDSAP). The MDSAP has been jointly developed by the national regulatory authorities of five countries to help ensure the safety and quality of medical devices, and raise standards around the globe.

The regulatory authorities involved are:

• Therapeutic Goods Administration of Australia (TGA)

• Brazilian Agência Nacional de Vigilância Sanitária (ANVISA)

• Health Canada

• United States Food and Drug Administration (US FDA)

• Japan’s Ministry of Health, Labour and Welfare (MHLW) and Pharmaceuticals and Medical Devices Agency (PMDA)

In addition, the World Health Organisation (WHO) Prequalification of In Vitro Diagnostics (IVDs) Programme and the European Union (EU) acted as official observers on the development of the audit.

OBJECTIVES, DEVELOPMENT AND INTRODUCTION

MDSAP provides medical device manufacturers with a single quality management system audit that will satisfy the requirements of all participating regulatory authorities. The ultimate goal of the MDSAP is to create a coalition of countries that are dedicated to improving safety and oversight for medical device manufacturing.

Adoption of MDSAP among the five markets will create a more efficient auditing programme, by mininising regulatory overlaps. One objective is to create a less burdensome system of regulations for the sector without compromising public health. In addition, MDSAP seeks, where appropriate, to leverage the existing conformity assessment structures into one which is consistent, predictable and transparent, offering greater efficiency and sustainability in the oversight of medical device manufacturers.

Launched on 1 January, 2014, the MDSAP underwent a three-year pilot programme that ceased on 31 December, 2016. The operational phase of the programme then began on 1 January, 2017, marking the start of the transition period.

CANADA ADOPTS MDSAP

Health Canada had, however, already announced its intention to implement MDSAP as the sole mechanism for manufacturers to demonstrate compliance with the quality management system requirements of its Medical Devices Regulations, on 4 December, 2015. The adoption of MDSAP will mean the replacement of the current Canadian Medical Devices Conformity Assessment System (CMDCAS) programme, even for manufacturers who only intend to sell on the domestic Canadian market.

Transition from CMDCAS to MDSAP began on 1 January 2017, and will last for two years. During this period, Health Canada has announced it will accept both CMDCAS and MDSAP certification but, from 1 January 2019, all CMDCAS certificates will become invalid. After this

date, medical device manufacturers must certify against MDSAP.

BENEFITS OF MDSAP

By replacing multiple regulatory audits with a single medical device audit, MDSAP offers a number of advantages to participants. These include:

• Gaining access to multiple markets via a single audit

• Minimising business disruption, while optimising time and resources

• Assurance that products cover all the requirements of all five participating regulatory authorities

• The ease of having routine audits scheduled directly with the auditing organisation

For participants of the MDSAP, it is also important to note that it offers complete coverage but does not add to the requirements of the relevant regulatory authorities, including all the conditions of the ISO 13485 – Medical Devices: Quality management systems, requirements for regulatory purpose standard.

WHAT NOW?

With the transition from CMDCAS to MDSAP already underway in Canada, manufacturers who already market medical devices in Canada, and/or Australia, Brazil, Japan, and the USA, should now assess their readiness for the introduction of MDSAP.

To learn more, contact:

MIRELA BOUREANUGlobal Product Manager, MDSAPt: +44 798 330 6970

MDSAP: RAISING THE BAR FOR MEDICAL DEVICE STANDARDS

VOL.1 2017 PAGE 10

The certification of timber, paper and other forest products is a success story, with the area of certified forest and the number of certificates in the supply chain steadily increasing. Certification cannot, however, satisfy the increasing demand for information concerning the geographical origin of the wood. Furthermore, there is a limit to the number of certified products that can be made available. Complementary systems, such as online databases and timber due diligence schemes, may be the answer to filling this void.

Conventional methods for ensuring timber originates from responsible sources are the Forest Management and Chain of Custody (CoC) certification schemes, such as those run by the Forest Stewardship Council (FSC®) and the Programme for the Endorsement of Forest Certification (PEFC™). With these methods, forests and organisations, for processing or trading, are certified to the appropriate standard before being allowed to apply the label to their final product.

These systems are highly valued in the timber sector because they give assurance that sustainable forest management procedures have been followed and therefore the risk of using material from controversial sources is minimised. Globally, about 500 million hectares have been certified by FSC and PEFC and more than 40,000 CoC certificates have been issued. Certification is performed by approved assessors like SGS, the market leader in forestry, timber and paper certification.

Certification schemes verify that an organisation is following the correct procedures relating to purchasing, processing and trading wood and timber products (CoC). However, no information regarding timber flow is retained and data, such as the

geographical origin of the harvested trees, is not necessarily passed along the supply chain. The system provides assurance that the timber is obtained from responsible sources but no more specific information.

ONLINE CLAIM PLATFORM

The FSC has tried to address this problem by creating its Online Claim Platform (OCP). This system collects information on the trading of all certified materials, allowing sellers and buyers to confirm deals. This allows certified organisations to access information relating to geographical origin but only independent control organisations are given access to information about the timber flow supply chain. The timber and paper industries are not currently willing to introduce such a system, stating concerns over confidentiality and security, as well as a fear of additional administrative costs.

Certification schemes also fall short on answering the question of origin because, on a global scale, certified woodland only represents a small percentage of forests. This means, only a small percentage of end-products can comply with the eligibility criteria needed for labelling.

Therefore, certification cannot fulfil the needs of retailers, traders and finally end-consumers, because they need an assurance that all products and packaging originates from timber sources that are not controversial and/or illegal.

TIMBER DUE DILIGENCE

A potential solution to this quandary is the Timber Due Diligence of Origin system. These programmes were originally developed by the standard-setting organisations (FSC and PEFC) to allow the mixing of certified and non-certified materials in industries where physical separation of the product would be impossible. For example, in the pulp and paper industries.

Timber Due Diligence schemes ensure that non-certified components do not originate from controversial sources, but certification systems do not allow that products which only consist only of such non-controversial and controlled sources are labelled. This would be in direct competition to the certified materials and undermine the reason for Forest Management Certification.

THE ORIGIN OF TIMBER, PAPER AND OTHER FOREST PRODUCTS

VOL.1 2017 PAGE 11

EUROPEAN TIMBER REGULATIONS

In March 2015, European Timber Regulation (EUTR 995/2010) came into force and includes prescriptions concerning Timber Due Diligence. It requires organisations placing timber products on the European market for the first time (so named Operators) to conduct Due Diligence on their origin.

The EU intends to prevent the import of timber that has been:

• Illegally harvested or traded

• Taken from regions with armed conflicts

• Traded from regions where export bans are in force

Operators working in Europe must comply with these mandatory regulations, or face penalties for non-compliance. To assist them, operators may request support and verification from formally registered ‘monitoring organisations’, such as SGS.

IMPLEMENTING DUE DILIGENCE SYSTEMS

All Timber Due Diligence systems have a similar structure. To verify due diligence, an organisation must demonstrate it has:

1. Gathered relevant information on species and geographical origin

2. Conducted a risk assessment, considering topics such as governance in the country of origin, the rarity or endangered status of the species

3. Mitigated all risks, if they have been identified

Because all systems work in the same way, they can be set up generically and to satisfy the certification systems or the timber regulations, including the US Lacey Act and Australia’s Timber Regulations. Finally, such systems can be used by wholesalers and retailers at the end of the supply chain to prevent

sourcing timber, paper and other forest products from controversial and illegal sources.

Without global coverage for forestry management schemes, Timber Due Diligence of Origin systems are an important and practical step towards assuring end-users that the wood in their products does not come from illegal or controversial sources.

For information about the SGS Forestry Accreditations see: click here

For information about SGS’s approval as a monitoring organisation by the EC: click here

To learn more, contact:

CHRISTIAN KOBELBusiness Manager, Forestryt: +41 78 621 75 52

THE ORIGIN OF TIMBER, PAPER AND OTHER FOREST PRODUCTS

VOL.1 2017 PAGE 12

ISO is currently in the final stages of developing its new occupational health and safety management systems standard – ISO 45001. Following approval, it is anticipated the new standard will be published during the first quarter of 2018, making it the first international standard for occupational health and safety management systems in the workplace.

The need for better occupational health and safety (OH&S) standards to be employed in the workplace has never been clearer. Figures collated by the International Labour Organisation estimate that work-related accidents and illnesses are costing the global economy 3.94% of Gross Domestic Product each year. In human terms, this represents around 2.3 million deaths and roughly 374 million non-fatal work-related injuries and illnesses a year.

The knock-on effects of these statistics go beyond both the individual and the business, they also affect the wider community, which has to shoulder the burden of fatalities, early retirements, lengthy staff absence and higher insurance premiums.

WHAT CAN BE DONE?

In order to Improve health and safety standards in the workplace an organisation requires a clear and determined approach to its health and safety management.

Organisations need to develop and implement a clear OH&S policy that will protect their workers and other interested parties. It must have clear objectives, be focused on risk and facilitate compliance with legal and other requirements.

Currently, there is no definitive standard for OH&S available globally. The most common specification - OHSAS 18001, is currently available in 40 different versions and has been adopted in 127 countries.

The International Labour Organisation has also produced its own set of guidelines for OH&S management systems – ILO-OSH 2001 – which can be followed by those who have responsibility for OS&H management.

THE WORLD’S FIRST OHS STANDARD – ISO 45001

Since March 2013, the International Standards Organisation (ISO) has been working with Project committee PC283 to develop a single standard for OH&S. Building on the success and popularity of ISO 9001 for quality management and ISO 14001 for environmental management, the new standard will be aligned through the Annex SL framework.

ISO 45001 has been designed to act as a single standard to promote better OH&S management around the world. It will take into account existing national and international standards, specifications and guidelines, such as OHSAS 18001 and ILO-OSH 2001, making it the first international standard for OS&H.

ISO 45001 will incorporate new concepts on OH&S management, helping to strengthen both leadership, management of risk and worker involvement. It is anticipated that the new standard will reduce the potential for risks to both the employee and the employer, by reducing the cost of lost work days and regulatory action that can result from poor OH&S management.

ISO 45001 can be applied by any organisation regardless of its size and the nature of their work. An organisation implementing ISO 45001 needs to;

• Develop and implement effective OHS policies and objectives

• Implement processes that reflect the organisation’s context and help them manage risk.

• Implement processes for managing compliance with applicable legal and other requirements

• Manage operational risk within the workplace by identifying hazards and implementing effective controls.

• Implement processes for managing subcontractors and suppliers

• Introduce monitoring and measuring processes that facilitate continual improvements through involvement of the workforce in OHS matters

The final stages of development will be a period during which a Final Draft International Standard (FDIS) ballot will be issued and a ballot of the project committee. Should there be no significant comments or objections to the FDIS, ISO 45001 will be published in the first quarter of 2018. If a significant number of technical comments are received, publication may be put back to the third quarter of 2018.

MIGRATION FROM OHSAS 18001 TO ISO 45001?

It is expected that OHSAS 18001 will be withdrawn after a period of three years from publication of ISO 45001. Any Organisation that is currently certificated to OHSAS 18001 will have three-years to migrate to the new standard.

The key to a smooth migration from OHSAS 18001 to ISO 45001 will be the identification of differences between the two standards. As the world’s leading testing, inspection and certification company, SGS can help your business smoothly migrate to the new standard.

Effective implementation of the standard will help you protect your assets and improve your business.

For more information, contact:

MAKING WORKPLACES SAFER: ISO TO UNVEIL NEW OCCUPATIONAL HEALTH AND SAFETY MANAGEMENT SYSTEMS STANDARD

CARL DEAVESUK Technical and Accreditational Manager / Global Product Manager - OHSMSt: +44 (0)151 350 6756

VOL.1 2017 PAGE 13

Cyber-attacks are an increasing problem in an online world. SGS experts look at some of the main threats affecting businesses and private citizens.

Every day the news carries stories of companies being subjected to the destructive and costly affects of cyber-attacks. Like all organisations with an online presence, SGS is targeted by these criminals but, so far, we have been lucky enough to avoid a breach. This isn’t just a case of being fortunate. Successfully keeping cyber-attackers out of your systems requires a considerable amount of effort and planning, but the first step is to know the threat.

EMAIL: THE CYBER CRIMINALS FRIEND

One of the cyber-attackers’ main weapons continues to be email. It represents a clear and present danger to users, with security software company, Symantec, estimating that one in every 131 emails contains malware. Scams utilising these spear-phishing emails target over 4,000

businesses every day and are estimated to have cost around $3 billion over the last three years. Criminals are now finding ways to automate this form of attack by utilising tools designed for legitimate use, for example Microsoft’s PowerShell. This speeds up the process for the attacker, making the threat all the more worrying for users.

Another common threat, which we should all be aware of, is phishing, or identity theft. This targets users in an attempt to acquire their banking details. Commonly, the approach will come via an email, proporting to be from the bank itself, asking for log-in details and passwords. Research suggests that less than half of one percent of customers oblige, but when you consider the millions of emails that are sent out, this still represents a significant number of victims. Criminals have now developed a more sophisticated version of phishing, called cross-site scripting. In this case, users think they are accessing a genuine bank website with their log-in details, when it is actually a counterfeit site set up by the criminals.

THE RISE OF RANSOMWARE

An increasingly popular form of cyber-attack is ransomware – a type of malicious software that threatens to publish a victim‘s data or perpetually block access to it via encryption. The criminal will demand a ransom to remove the encryption, and current figures suggest around 60 percent of Americans yield to this form of extortion, which explains its increasing popularity. It is reported that ransomware attacks have seen a 35 percent increase in 2017, with some estimates suggesting a further ten-fold increase over the next year. This is not a problem restricted to just private citizens, businesses (regardless of size) are susceptible to these threats.

CYBER SECURITY TOP TRENDS & THREATS

VOL.1 2017 PAGE 14

Perhaps more worrying still are the threats to our power plants, electrical grids and telecommunications networks from nation-states, terrorists and organised cybercriminals. Our infrastructure has increasingly been targeted in recent years and its trend is likely to continue. These attacks obviously create inconvenience and can be extremely expensive to fix but, more worryingly, they threaten our way of life and can sometimes prove to be fatal.

NEW THREATS IN THE CLOUD

With companies ceding more and more of their data and processing power to the cloud, cybercriminals are increasingly looking for ways to exploit the cracks in its security. Last year, thousands of MongoDB (an American software company that develops and provides commercial support for open source databases) files were hijacked and held for ransom after users left outdated versions exposed without authentication enabled. Certification for cloud vendors is available, from companies like SGS, to help mitigate this risk.

The largest retail breaches from the last few years, however, and the cause of multi-million dollar losses, have been malicious software and malware, installed on point-of-sale (POS) systems. These collect clear-text credit and debit card numbers automatically for the criminal. Kaspersky Lab, the antivirus provider, recently reported that around 323,000 new malware files are identified each day. There are a number of ways to mitigate this risk, including the adoption of PCI DSS, the Payment Card Industry Data Security Standard, an information security standard for organisations that handle branded credit cards.

NEW OPPORTUNITIES IN THE “INTERNET OF THINGS”

As technology advances, the adoption of network enabled devices is rapid and widespread. Everything, from your car to your refridgerator will soon be on the ‘net’, leaving them vulnerable to cyber-attack. The IoT, “Internet of Things”, offers convenience and connectivity, but it also comes with its own vulnerabilities, which can be exploited. In 2016, IoT devices faced their first major Distributed Denial of Service (DDoS) attack.

The US Government has acknowledged the threat, with a recent bill submitted to the U.S. Senate seeking to improve IoT security. The bill requires device makers to meet basic security standards, if they want to do business with the federal government. The bill mandates that any internet-connected device provided by government contractors must be free from known security vulnerabilities, can receive regular software updates, and use up-to-date communications and encryption industry standards. The IoT can be a good business model to pursue but organisations implementing IoT technologies must be aware of the current tradeoff between security and convenience.

This article provides an introduction to the issues surrounding cyber-security but it is by no means an exhaustive list of all threats. Technology evolves rapidly, meaning companies like SGS are constantly expanding their range of cyber-security offerings, in order to meet each new challenge.

To learn more, contact:

EDWARD BEESLEYGlobal Head of Digital Servicest: +201 508 3071

CYBER SECURITY TOP TRENDS & THREATS

TO SUBSCRIBE FOR QUALITY INSIGHTS PLEASE CONTACT US VIA:

www.sgs.com/ facebook

www.sgs.com/ linkedin

www.sgs.com/ twitter

www.sgs.com/qualityinsights

WWW.SGS.COM

© S

GS

Gro

up M

anag

emen

t SA

– 2

017

– A

ll rig

hts

rese

rved

– S

GS

is a

reg

iste

red

trad

emar

k of

SG

S G

roup

Man

agem

ent

SA