ul dqs india news letter - iseeek jun_2014


Post on 13-Sep-2014


DESCRIPTION

Our Bi-Monthly Newsletter with updates and news on the Certifications and Assessments. Hope you will find it interesting and we look forward to receiving your inputs and feedback.

TRANSCRIPT

Page 1: UL DQS India News Letter - iSeeek jun_2014

Jun 2014 | Volume 16 | Issue 13

Index

ISO 27001: 2013 Updates (Page 2 to 4)
Significance of certifications in cement sector (Page 5 to 6)
Managed training solutions (Page 7 to 8)
Proud moments (Page 9)
News and updates (Page 10)
Customer feedback (Page 11)
Services (Page 12)

Security and safety of data (the information asset) is critical to the survival of any organization. ISO 27001 addresses this very basic need and ensures that crucial or critical data is not accessed by unauthorized personnel and does not fall into the wrong hands. When it was introduced, ISO 27001 was primarily used in the Information Technology industries (and BPOs); with time, however, it has found relevance in all sectors of industry wherever there is a data or information security requirement. We present an article on the latest revision of the standard, i.e. the ISO 27001:2013 version, by Ashok Majmudar, one of our very senior auditors and an IT expert.

Also included in this issue is an article on the Significance of Certifications in Cement Sector, which was published in the Indian Cement Review magazine. In addition, we have included a write-up on our new service offering, 'Managed Training Solutions (MTS)'. This is a unique training service to help and support organizations in managing the competency development of their employees and personnel. Please do contact Pramod Satya for any further information on the same.

As usual, we also share some proud moments and good words from our customers. We hope you will find this issue informative and interesting, and we look forward to your continued feedback.

Page 2: UL DQS India News Letter - iSeeek jun_2014

ISO 27001: 2013 UPDATES

By: Mr. Ashok Majmudar, Lead Assessor, UL DQS India

UL DQS India has conducted a seminar on the update to ISO 27001:2013, led by our experienced IT auditor Ashok Majmudar.

Introduction

ISO/IEC 27001 - the international standard for information security management systems - was recently updated to match current best practice and to recognise the changing threats to information security.

For some organisations, adapting their ISMS to the new requirements will be a trivial matter, while others will need to engage in a more thorough examination. This green paper highlights the significant changes to ISO/IEC 27001, and offers a few points of advice to aid in preparing. It should be noted that the release of the new standard does not negate or weaken any existing certification, and all organisations will have time to update their ISMS in line with the standard for recertification.

Structure

The structure of the standard has changed, which is a direct result of some core changes in the recommended process for developing the ISMS. While ISO 27001:2005 specified that the process used in the implementation of the ISMS was PDCA (Plan - Do - Check - Act), the 2013 update removes this point. This is not to say that the PDCA process is no longer valid; rather, it opens the process up to alternative methodologies and processes that may be more suited to the organisation.

ISO 27001:2005 used the following structure:

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Information security management system
5. Management responsibility
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
Annex A - Control objectives and controls

This has been replaced with the following structure in ISO 27001:2013:

0. Introduction
1. Scope
2. Normative references
3. Terms and definitions
4. Context of the organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement
Annex A - Reference control objectives and controls

This structure is no longer based on development through PDCA. The flow is entirely compatible with the PDCA process, however, so existing ISMS workflows need not change unless alternative methodologies are more appropriate.

Page 3: UL DQS India News Letter - iSeeek jun_2014

Terms and definitions

The terms and definitions are no longer supplied in ISO 27001:2013. Instead, clause 3 refers the reader to ISO/IEC 27000, which has become a centralised reference for all 27000-series standards.

Clause deletions and new clauses

The majority of clauses from 27001:2005 still exist or have been slightly modified. Several, however, have been removed entirely, and some new clauses have appeared. While compliance with the redundant clauses is no longer necessary to achieve/maintain certification of an ISMS, there may be little harm in allowing them to remain in your organisation's implementation. New clauses, however, must be complied with where relevant to your organisation. The new clauses cover a number of new features or increased focus within the ISMS.

Key changes

Context of the organisation:

The ISMS is approached - from the start - by understanding the organisation and its context (business model, industry, etc.). This clause forms the foundation of the whole ISMS and reflects the new focus upon making it work for the organisation, rather than imposing a potentially rigid structure.

This approach feeds into other new aspects, such as the changes to the risk assessment process. By recognising the organisation's various responsibilities and ensuring that they are incorporated into the ISMS from the start, the whole system becomes more robust and more reflective of the organisation.

Continual improvement

ISO 27001:2013 does not mandate the use of the Plan-Do-Check-Act (PDCA) process. The organisation is free to implement and manage the ISMS using whichever continual improvement process it prefers. Many organisations may have existing processes (based on COBIT® or ITIL®, for example), and can now manage the ISMS using the same system. The clear advantage here is bringing the ISMS into than standing apart.

Governance and management

The previous standard was clearly focused on a strong sense of oversight from the board and a high level of interaction between the board and management. The new edition, however, strips this back to clarify where governance (board actions/interests) lies as distinct from leadership (management actions/interests). There are also several more requirements for communication, which spreads the responsibility for information security across more of the organisation. This can only be a good thing - a workforce that is invested in information security will be more effective in the day-to-day operation of the ISMS.

Risk assessment and treatment

This aspect of the ISMS receives some of the most significant changes, and is easier to explain as a brief process:

• Risk is now defined as “effect of uncertainty on objectives”, which may be positive or negative.
• Select controls (from anywhere) to manage the risks associated with your organisation's business, contractual and regulatory obligations. These can be considered 'baseline' controls.
• Conduct a risk assessment by identifying risks to your organisation's information. This does not have to be an asset-based assessment.
• Each risk is assigned to a Risk Owner.
• Select controls (from anywhere) to manage the risks.

Page 4: UL DQS India News Letter - iSeeek jun_2014

• Compare the baseline controls and those you have selected to those in Annex A.

It is significant to note that the controls are selected before consulting Annex A. This minor change allows the organisation to choose the controls that are the best fit for

Annex A controls

Like the clauses in the main body of the standard, the controls in Annex A have been restructured: some controls have either disappeared or been subsumed into other controls, and new controls have emerged. The general trend has been to make it clearer how each control contributes to the ISMS.

The previous structure of Annex A was:

A5. Security policy
A6. Organisation of information security
A7. Asset management
A8. Human resources security
A9. Physical and environmental security
A10. Communications & operations management
A11. Access control
A12. Information systems acquisition, development and maintenance
A13. Information security incident management
A14. Business continuity management
A15. Compliance

The controls have been restructured as follows in ISO 27001:2013:

A5. Information security policies
A6. Organisation of information security
A7. Human resource security
A8. Asset management
A9. Access control
A10. Cryptography
A11. Physical and environmental security
A12. Operations security
A13. Communications security
A14. System acquisition, development and maintenance
A15. Supplier relationships
A16. Information security incident management
A17. Information security aspects of business continuity management
A18. Compliance

As can be seen, the controls have been distributed across a slightly broader range of categories. The controls have a more clearly delineated role within the ISMS, but a blend of controls is still necessary to provide 'defence in depth'. In addition to this, there are now 114 controls, down from 133 in ISO 27001:2005.

Page 5: UL DQS India News Letter - iSeeek jun_2014

SIGNIFICANCE OF CERTIFICATIONS IN CEMENT SECTOR

By: Dr. K Murugan, MD & CEO, UL DQS India

Article issued in indiancementreview.com

Certifications and assessments will bring bountiful benefits such as reduced costs, improved efficiency and productivity, reduced insurance claims and costs, improved brand image, better acceptance by the society and investors, etc., writes Dr K Murugan.

India is a major emerging power in the South Asian region. Focus on infrastructure and development is fuelling huge growth in India's success. A major section of India's population being in the lower age bracket, together with increasing per capita income, has added to this growth in the real estate sector across major cities in India. In all, cement plays a vital role in the growth and development of the sector, and today India is the second largest producer of cement in the world. The cement industry has been expanding and consolidating on the back of increasing infrastructure activities and demand from the housing sector over the past many years.

In the last few years, India's cement industry has shown consumption growth of between 5-6 per cent, and can grow to about 8-9 per cent in the coming years, subject to political stability, supported by an expected increase in demand from the rural sector and tier II and tier III cities. In addition, cement production in India is expected to touch 407 million tonne (mt) by 2020.

Further, the cement and gypsum products sector in India has attracted foreign direct investments, and this will further add to the growth in the sector with the focus of the government on strengthening infrastructure, promotion of low-cost affordable housing, ever-increasing industrial activities, real estate, and construction and infrastructure. In addition, with the onset of various special economic zones being developed across the country, there is a continuous demand for cement.

However, cement companies are not without their share of woes. Pricing power is continuously being lost while costs continue to rise. A massive one-fourth of the overall capacities are lying unutilised due to various reasons.

Importance of certifications

Pollution and suspended particulate matter in the environment in cement industries make it difficult for employees to work in a conducive environment. Further, there are safety hazards and risks in both the cement and infrastructure projects, risking life and property of the organisation. Increasing power tariffs are also putting a huge strain on the already strained industry.

Integrated Management Assessment (IMA/IMS), comprising ISO 9001, ISO 14001 and OHSAS 18001 certifications, forms the pillar of this industry, addressing the basic quality, environment, health and safety requirements and ensuring compliance with these crucial factors. IMS brings in discipline and ensures that our Mother Earth is taken care of and that employees are safe and in healthy working conditions in the organisation.

With the advent of ISO 50001 - Energy Management System, the cement industry is a big gainer. An Energy Management System ensures that the organisation contributes to the reduction of energy consumption, hence ensuring the sustainability of the organisation and the society. With the Perform Achieve & Trade (PAT)

Page 6: UL DQS India News Letter - iSeeek jun_2014

scheme in force, they have to ensure that they balance energy consumption, reduce their load on fossil fuels and find new and renewable sources of energy. This would reduce costs and make them sustainable in the growing cost scenario, reduce load on the grid and help the nation become energy surplus.

Information and confidential data are crucial to any organisation. ISO 27001, the Information Security Management System, helps in securing crucial, critical, sensitive and confidential information of the organisation. This helps the company invest in R&D with a free mind, without the fear of crucial information leaking into the wrong hands. With heavy investment in the formulation of cement varieties to meet the varying needs of the society, it makes sense to invest in ISO 27001 and prevent any sabotage or loss of data or information.

Social Accountability (SA 8000) brings confidence to the employees and the society that there are no ill practices within the organisation, and that it takes care of its employees while ensuring free and fair treatment to all the personnel working in the organisation. Safety is another major concern in any such industry. Working at heights, electrical hazards, confined space working, fine dust, mining activities, crushers, transportation, etc. are some of the areas of concern. Injuries and fatalities seriously affect the productivity and morale of the employees, in addition to attracting a slew of investigations and audits from the regulatory and statutory authorities. They also affect the brand value in the market, denting the valuation of the organisation. Safety, risk evaluation and management play an important role here. Process safety and behaviour safety assessment and implementation can help the company to assess the risk levels at a micro level and come up with mitigation plans to ensure a safe working culture and environment in the company.

Certifications and assessments can also go beyond the boundaries of the company. Supplier and vendor evaluations to the requirements of the cement/infrastructure industry help improve the inward quality of raw material. Safe transport management helps bring safety in the transportation of employees to site and their residences. Supply Chain Security Management (ISO 28000) can help bring in safe transportation of goods and materials, hence reducing pilferages, accidents and any other incidents so as to reduce losses.

Today sustainability is a buzzword. Global Reporting Initiative (GRI) or National Voluntary Guidelines (NVG) are now a mandatory requirement for the top 100 BSE listed organisations. Most of the cement industries would fall in the category and will have to ensure implementation of NVG, a directive from the government to the corporate world to give back to the society and ensure a sustainable growth of the society. The list of certifications and assessments would go on; however, if the organisation seriously implements the above certifications, it is bound to bring bountiful benefits to the company, and some of these could be:

• Reduced costs
• Improved efficiency and productivity
• Reduced insurance claims and costs
• Improved brand image
• Better acceptance by the society and investors
• Building strong nation

See more at: http://www.indiancementreview.com/News.aspx?nId=IB3cNUs+C7UeYvGe6QDAqw==&NewsType=Significance-of-Certifications-in-Cement-Sector-India-Sector#sthash.CbmstM8F.dpuf

Page 7: UL DQS India News Letter - iSeeek jun_2014

MANAGED TRAINING SOLUTIONS

By: Mr. Pramod Durga Satya, Head Training and Solutions, UL DQS India

Trainings and career development are vital in any company or organization that aims at progressing. In today's age, retention through skill development and acquisition is a major challenge for any organization. Investment in trainings helps improve skill sets, build confidence and increase the affinity of employees towards the organization. Career development through trainings helps bring in better decision making, creativity, innovation, product and service quality, and better people management for the team.

To address the above need of any growing or large organization, UL DQS India has introduced a unique program – Managed Training Solutions.

UL DQS India's most valued offering, the Managed Training Solutions (MTS), is a structured program ideal for every Organization, as it aims at enhancing deliverables and impacting employee performance through a continued learning curve, and is a long-term training solution mutually beneficial for both the Organization and UL DQS.

The MTS model proposes at least a long-term association with the Organization to cohesively pre-define the Organizational Growth towards Peak Excellence Performance.

This long-term association allows UL DQS the scope to bring about transformation in the employees' deliverables to meet the expected standards of the organization through Trainings, Evaluations and Discussions.

Advantages

• Course Schedule – Tailored and customized exclusively to match the Organizational requirement
• Increased Evaluations and Reporting Process
• Continuous Learning Curve and Cross trainings (if required)
• On demand re-cap of Previous Trainings Review

Training Methodology

UL DQS carefully follows the trusted theories of Adult Learning for any of its trainings, taking essence from all the major Instructional Systems Designing (ISD) for preparing Course Materials.

All UL DQS courses have:

• Instructor Led Training
• Regain of Knowledge from previous trainings
• Role plays and live case studies
• Group discussions

In the case of MTS, UL DQS goes a step further and all the courses in addition to ISD are re-designed and

Page 8: UL DQS India News Letter - iSeeek jun_2014

customized in accordance with the Organizational Training Need Identification (TNI), with major examples and case studies coming not just from Good Industrial Practices but also from the Organization itself.

Evaluations

MTS allows us to follow Kirkpatrick's 4-level method of evaluation as listed below:

• Reaction – Through Feedback forms done after
• Learning – The learning from the training will be assessed by conducting a series of tests and assessments during and after the training
• Behavior – The actual application of learning from the training received over time is measured after 1 – 2 months through assessments and one-on-one feedback
• Results – Measures would typically be the change in business or organizational key performance indicators over a period of time resulting from MTS. The change here will be measured against the particular performance of the previous year

Management Information Systems (MIS)

UL DQS India will periodically (at an agreed frequency) provide information on the progress and learning curve of the individuals to the Organization.

Certification

All trainings under MTS shall be on the norms of ISO 17024, with two levels of Certificates:

• Level A: Awareness Training
• Level B: Advanced Training

The following Globally Recognized UL DQS India Registered Certificate with Co-branding of the Organization will be awarded to:

• Completion: For participants scoring 70% and more in post training examination
• Participation: For participants scoring below 70% in post training examination

UL DQS does not limit the Organization to choosing from the given list of Trainings, but allows the choice to request any relevant trainings deemed useful towards the development of its Individuals.

For further details and inputs on the above, contact:

Pramod Durga Satya, Head Training & Solutions
Email: [email protected]

Page 9: UL DQS India News Letter - iSeeek jun_2014

PROUD MOMENTS

ISO 14001 & OHSAS 18001 certificate handover to Indian Register of Shipping

UL DQS India is delighted to be associated with Indian Register of Shipping in their pursuit for ISO 14001 & OHSAS 18001. Dr. K Murugan, Managing Director and CEO – UL DQS India (right) handing over the certificate to Mr. Arun Sharma – Chairman & Managing Director of Indian Register of Shipping

Page 10: UL DQS India News Letter - iSeeek jun_2014

NEWS AND UPDATES

ENERGIE Awareness Training Programme

An ISO 50001: Energy Management System ENERGIE Awareness Training Program for Foundries in partnership with ASSIST Team, Coimbatore and Chennai on 08-05-2014

ENERGIE Awareness Training Programme in association with MCCI & partnership with ASSIST Team, in Chennai on 21-05-2014

The ENERGIE project is co-financed by DEG and implemented by UL DQS India in association with ASSIST. The project will capacitate energy management professionals, help in creating energy efficient enterprises and contribute to sustainable industrial development in India. This project is a public private partnership with a developmental agenda of building capacity among the energy professionals and helping energy intensive industries to adopt energy management systems benchmarking an international standard like ISO 50001.

The beneficiaries of the project shall look forward to the following benefits:

• A platform for key decision makers from the industry and other stakeholders, and technical experts to interact.
• A fully equipped training centre with energy lab in Chennai.
• Access to awareness campaign materials, training materials and resources through web portal.
• Opportunity for professionals to participate in the certification trainings and enhance their qualification.
• Opportunity for energy intensive industries to adopt energy management systems benchmarking ISO 50001 standard.
• Participation in the project events to network and exchange best practices.

ISO 14001 & OHSAS 18001 Certificate Handover to M K Engineering under auto sustain PPP.

Page 11: UL DQS India News Letter - iSeeek jun_2014

CUSTOMER FEEDBACK

Dear Sir / Madam,

I would like to thank you for assessing our quality systems and educating us in AIS and HIRA and other legal related issues. The assessment was really interactive and never felt uncomfortable at a single point of time though the duration of audit was too long. The auditing style is really good and learnt good things from you and Mr. Shankaranarayana.

You removed most of my pains and helped me to walk in new journey once again. We will take all your comments and observations as positive sign for our improvement and definitely we will improve it through deep investigation and see how can be implemented in an effective way. At personal view, I really thank you for helping and guiding me.

Thanks & Regards

The Audit conducted on 28th & 29th May 2014 was good and we are satisfied with the service of the auditor. We appreciate the suggestion given by the auditor, which will help to improve the performance of the organization.

With Best Regards,

By Manjunath Nalwade, Gowri Ventures, a group company of Indo US MIM TECH Pvt Ltd.

Mr Anil Gadave, Production Manager, Perfect Pins

Dear Sir / Madam,

Dear Sir / Madam,

First of all, thank you very much for spending your valuable time with us assessing our system in line with AS9100C requirement through 2nd surveillance audit. We appreciate your findings and we are glad that we were able to perform better than last time.

However, we made notes of the observations made by you which are true futuristic building blocks to sustain and move towards excellence towards organisational growth in line with the AS standards requirements. We value your association with us and looking forward to take it further ahead.

Regards,

Sangamesh Natikar, Management Representative / HOD QA, Tata Industrial Services Limited


Page 12: UL DQS India News Letter - iSeeek jun_2014

SERVICES

UL DQS India
(Registered as: UL Management Systems Solutions India Pvt Ltd)
Anjaneya Techno Park, 5th Floor, #147, HAL Airport Road, Kodihalli, Bangalore - 560 017, India
Ph: +91 80 6661 6500, Fax: +91 80 6661 6530, Email: [email protected]

We have offices at Bangalore, Baroda, Chennai, Delhi and Pune.

Visit our India website: www.ul-dqs.in; Visit our corporate website: www.dqs-ul.com

https://www.facebook.com/UL.DQS.IN
https://twitter.com/ULDQSIndia
http://www.linkedin.com/company/ul-dqs-india

For feedback / Queries

Trainings & Solutions: MTS