This document is classified as VC – Restricted if the Appendices are attached.

Integrated Management System (IMS) Manual
Issue 6.17 – 9 September 2014

CONTENTS

Changes from Issue 6.16
1 Purpose
2 Scope of the IMS and Exclusions from ISO 9001:2008
3 Components of the IMS
  3.1 Policies
  3.2 Procedures
    3.2.1 Job Function (JF) Procedures
    3.2.2 Management System (MS) Procedures
    3.2.3 Environmental Management (EM) Procedures
    3.2.4 Business Management (BM) Procedure
    3.2.5 Information Security (IS) Procedures
    3.2.6 Business Continuity (BC) Procedure
  3.3 Process Diagram
  3.4 Work Instructions
  3.5 Organisation Chart
  3.6 Job Descriptions
  3.7 Training Records
  3.8 Approved Suppliers
  3.9 Information Security and Governance
Appendix A – Key Performance Indicators (KPIs)
Appendix B – Job Descriptions
Appendix C – ISO 9001:2008 Requirements
Appendix D – ISO 14001:2004 Requirements
Appendix E – ISO 27001:2013 Requirements

Changes from Issue 6.16

Section 3.9: Added.
Annexes A to D: Removed.
Appendix A: Changed word “company” to “sales”.

1 Purpose

Our Integrated Management System (IMS) enables us to implement the following.

(1) Quality Management in accordance with ISO 9001:2008.
(2) Some of the requirements of Investors In People (www.investorsinpeople.co.uk).
(3) The requirements of the NHS Information Governance Statement of Compliance (IGSoC).
(4) Information Security Management in accordance with ISO 27001:2013.
(5) Environmental Management in accordance with ISO 14001:2004.

2 Scope of the IMS and Exclusions from ISO 9001:2008

Voice Connect design, develop, supply and support the following:

- Integrated telephony and multiple media computer messaging products and services;
- An Alarm Receiving Centre (ARC) that provides a lone worker monitoring service.

The Quality Management components of our IMS cover all of our operations except finance. It also excludes the following sections of ISO 9001:2008.

Section 7.5.2 Validation of processes for production and service provision
All processes for the provision of products and services are verified by testing. (We test all of our software and built computer systems.)

Section 7.6 Control of monitoring and measuring equipment
We do NOT use any monitoring or measuring equipment.

The Environmental Management components of our IMS cover all of our operations.

The Information Security Management components of our IMS cover all of our operations.

3 Components of the IMS

3.1 Policies

The IMS is based upon the following policies, available on our website (www.voiceconnect.co.uk).

- Quality Policy
- Environmental Policy
- Information Security Policy

We give these to each new employee that joins the company. If any policy changes, we distribute the changed policy to all employees. We also ask every employee to agree to, and sign, an Information Security and Computer Use Agreement.

3.2 Procedures

The IMS contains six categories of procedures, which the following sub-sections describe.

3.2.1 Job Function (JF) Procedures

These procedures describe core job functions that contribute to the provision of our products and services. Each one specifies the skills required to do the procedure. [See also Section 3.6 (Page 8) and Appendices C and D.]

| Proc. | Title |
|---|---|
| JF-1 | Software Design and Development |
| JF-2 | Marketing |
| JF-3 | Telemarketing |
| JF-4 | Sales |
| JF-5 | Manage Customer Account |
| JF-6 | Channel Sales |
| JF-7 | Project Management |
| JF-8 | Purchasing |
| JF-9 | Build |
| JF-10 | Transport of Product |
| JF-11 | Installation |
| JF-12 | Training |
| JF-13 | Help Desk Support |
| JF-14 | Remote Service and Maintenance |
| JF-15 | On-Site Service and Maintenance |
| JF-16 | Return Used Items to Stock |
| JF-17 | Technical Documentation |
| JF-18 | Customer Support |
| JF-19 | Alarm Receiving Centre Operation |

3.2.2 Management System (MS) Procedures

These procedures cover requirements of ISO 9001:2008, ISO 14001:2004, ISO 27001:2013 and ISO 22301:2012. Procedures MS-1 to MS-4 and MS-6 cover explicit requirements for procedures. Procedure MS-5 covers requirements for the inputs, outputs and records of management reviews.

| Proc. | Title | ISO 9001:2008 Section | ISO 14001:2004 Section | ISO 27001:2013 Section or Control | ISO 22301:2012 Section |
|---|---|---|---|---|---|
| MS-1 | Control of Documents | 4.2.3 | 4.4.5 | 7.5.3 | 7.5.3 |
| MS-2 | Control of Records | 4.2.4 | 4.5.4 | 7.5.3 | 7.5.3 |
| MS-3 | Internal Audit | 8.2.2 | 4.5.5 | 9.2 | 9.2 |
| MS-4 | Response to Nonconformity or Incident (including Corrective Action) | 8.3 & 8.5.2 | 4.5.3 | 10.1 & A.16.1 | 10.1 |
| MS-5 | IMS Review Meeting | 5.6 | 4.6 | 9.3 | 9.3 |
| MS-6 | Preventive Action | 8.5.3 | 4.5.3 | | |

3.2.3 Environmental Management (EM) Procedures

These procedures satisfy requirements of ISO 14001:2004.

| Proc. | Title | ISO 14001:2004 Section(s) |
|---|---|---|
| EM-1 | Environmental Operation | 4.4.6 |
| EM-2 | Environmental Administration | 4.3, 4.4.2, 4.4.3 |
| EM-3 | Environmental Monitoring and Compliance | 4.5.1, 4.5.2 |
| EM-4 | Environmental Emergency | 4.4.7 |

3.2.4 Business Management (BM) Procedure

This procedure satisfies general business requirements and requirements of ISO 27001:2013.

| Proc. | Title | ISO 27001:2013 Section(s) or Control(s) |
|---|---|---|
| BM-1 | Joining and Leaving Voice Connect | A.7.3.1, A.8.1.4, A.9.2.1, A.9.2.2, A.9.2.6 |

3.2.5 Information Security (IS) Procedures

These procedures satisfy requirements of ISO 27001:2013.

| Proc. | Title | ISO 27001:2013 Section(s) or Control(s) |
|---|---|---|
| IS-1 | Computer Data Backups | A.12.3.1 |
| IS-2 | Mobile Computing | A.6.2.1, A.6.2.2 and A.11.2.6 |
| IS-3 | Network Management | A.9.1.2 and A.10.1.1 |
| IS-4 | Change Control | A.12.1.2 |
| IS-5 | Privacy Impact Assessment | A.6.1.5, A.18.1.4 and HSCIC IG Req. 210 |
| IS-6 | Information Classification, Handling, and Clear Desk and Screen | A.8.2.1, A.8.2.2, A.8.2.3, A.13.2.1 and A.11.2.9 |
| IS-7 | Access Control and Rights Review | A.9.1.1 and A.9.2.5 |
| IS-8 | Intellectual Property | A.18.1.2 |
| IS-9 | Working in Secure Areas | A.11.1.5 |
| IS-10 | IT Systems Monitoring | A.12.4.1 |

NOTES
(1) Some procedures in other sub-sub-sections also cover sections or controls of ISO 27001.
(2) The Employee’s Handbook contains a Disciplinary Procedure, which covers ISO 27001:2013, Control A.7.2.3.

3.2.6 Business Continuity (BC) Procedure

This procedure satisfies general business requirements and requirements of ISO 27001:2013.

| Proc. | Title | ISO 27001:2013 Section(s) or Control(s) |
|---|---|---|
| BC-1 | Business Continuity | A.17.1.1, A.17.1.2, A.17.1.3 |

3.3 Process Diagram

The following diagram illustrates the general sequence of [Job Function (JF)] procedures.

[Process diagram. Box labels: 1 – Software Design and Development; 17 – Technical Documentation; 2 – Marketing; 3 – Telemarketing; 4 – Sales and 6 – Channel Sales; 7 – Project Management; 9 – Build; 5 – Account Management; 12 – (Additional) Training; 13 – Helpdesk Support; 14 – Remote Service and Maintenance; 10 – Transport; 12 – (Initial) Training; 11 – Installation; 15 – On-Site Service and Maintenance; 16 – Return Used Items to Stock; 18 – Customer Support.]

Input to Procedure 1 Software Design and Development can come from Procedures 4, 5, 13, 14 and 18.

NOTE Procedure JF-19 – Alarm Receiving Centre Operation is entirely separate.

3.4 Work Instructions

Where appropriate, procedures may be supplemented by Work Instructions.
For example, the Installation procedure may be supplemented by Work Instructions, which refer to specific Voice Connect software products. The appropriate team manager is responsible for the authorisation of any Work Instructions.

3.5 Organisation Chart

The Organisation Chart is a separate document that shows the structure of Voice Connect, with the names and job titles of all employees. It is updated and distributed to everyone whenever somebody joins or leaves the organisation, or there are changes.

3.6 Job Descriptions

Most employees do one or more procedural job functions. Some also do non-procedural job functions, such as administration or management.

(1) Each Job Description specifies the following that the employee does:
    (a) Principal Job Function (JF) procedures, listed in Section 3.2.1 (Page 5);
    (b) Other applicable procedures, listed in the remainder of Section 3.2 (Page 4);
    (c) Additional non-procedural job functions.
(2) Each Job Description also specifies the Knowledge and Skills that the employee requires. These are an amalgamation of any Knowledge and Skills required by the following:
    (a) Any procedure(s) that the employee does;
    (b) Any additional non-procedural job functions.

NOTE The Job Descriptions correspond with the Organisation Chart [see Section 3.5 (Page 7)].

3.7 Training Records

(1) Each employee’s Training Record contains the following.
    (a) The Knowledge and Skills that the employee had when he/she joined Voice Connect.
    (b) Any Training that Voice Connect has provided to the employee.
    (c) Any Training that Voice Connect schedules for the employee (to acquire any required skills as specified on the employee’s job description).
(2) The cumulative training required by all the employees of Voice Connect enables the organisation to plan and implement a schedule of training for its employees.

3.8 Approved Suppliers

The Stock and Purchases Database provides the facility to assign one of four categories to each supplier.

- On Trial
- Approved
- Do Not Use
- In Use

Initially, new suppliers are assigned the category On Trial and, if found to be satisfactory, are then assigned the category Approved. The Technical Director authorises the assignment of a category to a supplier in the Stock and Purchases Database.

The database can output a List of Approved Suppliers, which is a list of those suppliers assigned the category Approved, as described above.

3.9 Information Security and Governance

The IMS documentation includes the following to manage Information Security and Governance.

- Guide to Management of Risks and Opportunities
- Information Asset Register
- Risk Register
- Statement of Applicability
  This details how the IMS satisfies the requirements of the controls of ISO 27001:2013, Annex A.