27001:2013 Implementation

ISO 27001:2013 is the latest version of the ISMS certification standard. Like other management system standards such as ISO 9001, 14001, 20000 and 45001, it has 10 clauses:

  1. Scope
  2. Normative References
  3. Terms and Definitions
  4. Context Of the Organization
  5. Leadership
  6. Planning
  7. Support
  8. Operation
  9. Performance Evaluation
  10. Improvement

The central concern of this standard is the security threat. Online threats such as hacking, data breaches, data theft, online robbery and the theft of money from bank accounts are very common and are a great concern for IT and data management firms.

Clauses 6 and 8 are the main clauses on which an IT firm should concentrate most. Clause 6 deals with planning. This planning should be done very carefully before starting the implementation of the ISO 27001 standard across the processes of an organization.

Information security risk assessment and risk treatment are both very important for a company that is going to implement this ISMS standard in its organization. Establishing processes for risk assessment and risk treatment should be the focus of this clause. To do these two jobs carefully, help can be taken from the ISO 31000 standard.

Financial organizations in particular, including banks, insurance companies, leasing companies etc. that are thinking of adopting the 27001 standard, should do these two things very carefully. If data or client information is disclosed by an online hacker, it is a great loss for that organization. So, unauthorized network or server access is a very risky incident for a financial institute. During risk assessment this kind of risk should be taken very seriously.

After identifying the risks, what will be the possible treatment procedures to measure each risk, and what will be the mitigation plan to minimize the losses from those risks? All these things should be clarified very carefully while working on clause 6.

Another important clause is the operation clause, clause 8. It covers the main process of a company. Most incidents happen at this stage. Due to the lack of security knowledge among IT staff, many risks arise in this operation section. So, sub-clauses 8.2 and 8.3 should be implemented very carefully to minimize any loss in this section. But nothing is written in elaboration in these two sub-clauses. That's why a 27001 consultant can guide you on how to assess risk and how to minimize risk in operation.

Software attacks, theft of intellectual property or sabotage are just some of the many information security risks that organizations face in this operation section. And the consequences can be huge. Most organizations have controls in place to protect them, but how can we ensure those controls are enough? The international reference guidelines for assessing information security controls have just been updated to help. ISO 2700, 27002 and 27008 can be good references to work more closely on those risks.

Prof. Edward Humphreys said, "In a world where cyber-attacks are not only more frequent but increasingly harder to detect and prevent, assessing and reviewing the security controls in place needs to be undertaken on a regular basis and be an essential aspect of the organization's business processes."

ISO 27001 is based on the PDCA cycle. So before implementing this ISMS standard you should consider the meaning of P. P means Plan. It should be done carefully. If your planning is not proper and not related to your activities, then the implementation cannot be effective and successful.

So, an expert consultant on the 27001 standard can help you to plan properly by focusing on clauses 6 and 8 before the real implementation of ISO 27001. Not only for those two clauses; he will also guide you on how to apply the other clauses like 6, 7, 9, 10 etc. in your processes to get the real taste of ISO 27001:2013 certification in your organization.

But the problem is the lack of 27001 consultants in Bangladesh. Hiring a foreign consultant is a matter of high cost. It is not easy for a small or medium-size financial organization or IT firm to hire a 27K foreign expert. On the other hand, it is also tough for many organizations to implement the 27K requirements just by buying some documents online. There are two causes for this: first, the staff do not have enough time, and second, they are not certified auditors on the 27 standard.

So, to implement the ISO 27001 requirements properly in your organization there is no alternative to hiring a local consultant. Before implementing the 27k requirements, an ISMS consultant should study your processes and operation through regular visit plans. After becoming familiar with your processes he will help you to assess your risks and establish your risk treatment plan to mitigate the risks.

AAS-BD has some local 27k consultants who have worked with foreign 27k experts in Bangladesh for the last 10 years. So, to find your 27 implementer in Bangladesh, contact AAS-BD now.


Fire Accident and ISO Standard

Banani FR Tower Fire Accident

Fire accidents in Bangladesh are a great concern nowadays. Fire accidents are happening very frequently in the country, killing people and destroying valuable assets. Not only that, they destroy families. They cause unexpected burn injuries which are very miserable. How long will this continue?

There are building codes, fire safety guidelines and RAJUK guidelines issued by the government for builders. But the problem is that most building owners, i.e. developers, do not obey those rules. Due to the building owners' negligence we are seeing this kind of heartbreaking incident in the city.

Definitely the government agencies cannot deny their responsibility. Enough law is there to prevent or minimize fire accidents, but due to negligence and corruption in the agencies they are still happening very frequently. They happen because of a lack of monitoring and a failure to bring offenders to judgement. So, the government cannot escape its failure in these incidents.

There is a proverb that prevention is better than cure. During the construction period the developer or building owner should establish preventive measures of this kind. These are: installing fire fighting equipment throughout the building, fire extinguishers, hydrants and reserve water facilities, and finally assigning a fire officer or safety officer for the building and providing him with proper safety training.

Though some buildings have those facilities, in most cases there is no designated fire or safety officer for the building. That's why fire is not controlled in emergencies. There should be smoke detectors or an alarm system which can help people to exit rapidly in an emergency. There should also be enough emergency exits.

There are a few ISO standards, like ISO 14001 and ISO 45001, which can be good guidelines for building owners or developers to control fire. The difference between the government fire law and the ISO standards is the monitoring system. If any company adopts those standards, then the Certification Body (CB) auditors contribute a lot.

Before certification they do a gap analysis and suggest what to do according to the ISO standard to minimize fire accidents. After establishing those systems in the building, the company can achieve the certificate.

After certification it is mandatory for the building owner to check their own fire fighting system by performing internal audits. It is mandatory for an ISO certified company to do internal audits regularly, usually twice a year. On the other hand, the CB performs a surveillance audit once a year. So, ultimately there is a mandatory checking system three times a year if a company adopts ISO certification on the 14001 or 45001 standard.

The ISO 14001 and ISO 45001 standards are becoming more popular for saving our environment and protecting people's health. To prevent accidents inside buildings, both standards can be very effective tools for anyone who wants to control fire accidents.

There are a few CBs working in Bangladesh to provide ISO certificates. Among others, IQS Audits, located in the UK, is working in Bangladesh in association with Advanced Assessment Services.



UKAS Accreditation

UKAS accreditation is a phrase used by many organizations who look for ISO certification in Bangladesh. Sometimes it is used as UKAS certification. This post will help you understand the phrase UKAS accreditation or UKAS certification.

UKAS is short for United Kingdom Accreditation Service. It is the sole national accreditation body recognized by the British government to assess the competence of organisations that provide certification, testing, inspection and calibration services.

UKAS actually does not provide a direct certificate to any company. It takes care of the certification bodies which actually work with your company for ISO certification and after certification. There are a few certification bodies which are UKAS accredited and are working in Bangladesh.

Sometimes there is confusion about which UKAS accredited CB is best for you. It also raises the question: what is the price of UKAS accredited certification in Bangladesh? Actually the cost differs from CB to CB; some CBs (Certification Bodies) take a lower fee and some take a higher fee. So how can you find the low-cost UKAS accredited body?

Though we do not provide a direct UKAS accredited certificate, we can assist you to find the best UKAS accredited body in Bangladesh. As part of the certification industry, all the UKAS accredited certification bodies in Bangladesh are well known to us.

Actually the UKAS accreditation fee is the same for all CBs, so why does the cost differ from CB to CB? The answer is easy: some CBs take more profit and some less.

The certification cost also varies due to the ISO consultancy fee. A UKAS accredited CB will never give you consultancy services. You will have to take this service from a third-party ISO consultant. To find the best consultant you may contact us.

Finally, to get your best UKAS accredited CB and ISO consultancy services please visit this page or call 01742125232.

Management Review Meeting

Management Review Meeting in a company

A Management Review Meeting (MRM) is one of the mandatory documents for management system ISO standard certification and for ISO certified companies. Usually it is held twice a year, after performing the internal audit.

The implementation status of the ISO standard requirements in your organization is checked by internal audit. It can be done by company staff or by hiring an ISO consultant. But the MRM cannot be held without top management; it is mandatory to sit with top management. Top management is informed about the audit findings and about the improvement on previous findings, etc. Many decisions come from this meeting.

Continual improvement is one of the major principles of the ISO 9001 standard. A fruitful management review meeting is the right way to practise continual improvement in your organization. So, it is management's responsibility, and mandatory, to attend the management review meeting.

Many important decisions come from this meeting. As an example, say one finding about a human resource shortage has come from the internal audit. The employee shortage problem can be solved by employing a quality staff member. The new staff cannot be hired without a management decision. So, to maintain quality in your system enough human resources are required, and this will be ensured by top management.

Usually it is heard that management is very busy. They have no time to attend the MRM. There is a proverb: where there is a will, there is a way. So, if it is mandatory and if you wish, you can do it easily. To manage time, a short slot can be added to your regular management meeting. So, it is not necessary to arrange a new time for the ISO related MRM.

If a company does not hold management review meetings, that company will not receive, or cannot keep, the ISO certificate. So, to obtain and keep your present certificate you should hold management review meetings on a regular basis.

Internal Audit

ISO Internal audit training for a Consulting firm

Internal audit is mandatory for ISO certification and for ISO certified companies under any standard. Many companies do not like to do internal audits after certification. This happens because of a lack of awareness of internal audit and of understanding the benefits of ISO internal audit.

So, it is the responsibility of the certification body to tell the company about the importance of internal audit. Internal audit is a kind of monitoring system. Internal audit is described in sub-clause 9.2 of clause 9 of the 9001:2015 standard.

Internal audit is called first-party audit. Usually it is done cross-sectionally among the departments by company staff. However, it can also be done by hiring a third party or a freelance ISO auditor.

There is no specific number of internal audits mentioned in the standard. A company can do them according to its needs. However, most companies perform two internal audits a year. Sometimes three or four are done. Actually the number of internal audits depends on the company's activities and the complexity of its processes.

There should be a procedure for doing internal audits. All terms and conditions can be put in the procedure: who will be the lead auditor, who will be the auditors, how many members will perform the audit and how many times a year, etc. should be written in the procedure.

However, small companies that do not want to maintain a procedure can use the following simple items for performing an internal audit:

  1. Select team member and team leader
  2. Make plan and schedule
  3. Share audit plan to all departments
  4. Use check list for audit
  5. Use attendance sheet
  6. Use NC log sheet
  7. Prepare Audit Report (by team leader)

Why should you do internal audits? Internal audit helps you to know what is actually happening inside your company. It helps to find the hidden things in a department. It finds the gaps in the processes. It creates competence among the staff. It reminds employees of their responsibilities. The internal audit report helps management to take decisions on any issue effectively.

After performing the audit, preparing a CA (corrective action) plan is mandatory. The CA plan helps in practising continual improvement, which is a major principle of the ISO 9001 standard. The CA plan is the last and final stage of an NC (nonconformity) raised during the internal audit.

To enjoy the benefits of ISO certification there is no alternative to doing internal audits. It is like a mirror. In this mirror you can see the status of your management quality.

For an SME organization that is unable to spend money on ISO certification, Advanced Assessment Services (AAS) may be the right choice. AAS provides free internal audit training to its clients. It is a big saving for SMEs. You can save around 50,000 taka from this service if you take your certificate through AAS.