Integrated Management System (IMS) Manual

This document is classified as VC – Restricted if the Appendices are attached.

Integrated Management System (IMS) Manual
Issue 6.17 – 9 September 2014
CONTENTS
Changes from Issue 6.16 (page 3)
1 Purpose (page 4)
2 Scope of the IMS and Exclusions from ISO 9001:2008 (page 4)
3 Components of the IMS (page 4)
3.1 Policies (page 4)
3.2 Procedures (page 4)
3.2.1 Job Function (JF) Procedures (page 5)
3.2.2 Management System (MS) Procedures (page 5)
3.2.3 Environmental Management (EM) Procedures (page 6)
3.2.4 Business Management (BM) Procedure (page 6)
3.2.5 Information Security (IS) Procedures (page 6)
3.2.6 Business Continuity (BC) Procedure (page 6)
3.3 Process Diagram (page 7)
3.4 Work Instructions (page 7)
3.5 Organisation Chart (page 7)
3.6 Job Descriptions (page 8)
3.7 Training Records (page 8)
3.8 Approved Suppliers (page 8)
3.9 Information Security and Governance (page 8)
Appendix A – Key Performance Indicators (KPIs) (page 9)
Appendix B – Job Descriptions (page 10)
Appendix C – ISO 9001:2008 Requirements (page 13)
Appendix D – ISO 14001:2004 Requirements (page 17)
Appendix E – ISO 27001:2013 Requirements (page 18)
IMS Manual
Issue 6.17 – 9 September 2014
Page 2 of 21
Changes from Issue 6.16
Section 3.9: Added.
Annexes A to D: Removed.
Appendix A: Changed word “company” to “sales”.
1 Purpose
Our Integrated Management System (IMS) enables us to implement the following.
(1) Quality Management in accordance with ISO 9001:2008.
(2) Some of the requirements of Investors In People (www.investorsinpeople.co.uk).
(3) The requirements of the NHS Information Governance Statement of Compliance (IGSoC).
(4) Information Security Management in accordance with ISO 27001:2013.
(5) Environmental Management in accordance with ISO 14001:2004.
2 Scope of the IMS and Exclusions from ISO 9001:2008
Voice Connect design, develop, supply and support the following:
Integrated telephony and multiple media computer messaging products and services;
An Alarm Receiving Centre (ARC) that provides a lone worker monitoring service.
The Quality Management components of our IMS cover all of our operations except finance. They also exclude the following sections of ISO 9001:2008.
Section 7.5.2 – Validation of processes for production and service provision: all processes for the provision of products and services are verified by testing. (We test all of our software and built computer systems.)
Section 7.6 – Control of monitoring and measuring equipment: we do NOT use any monitoring or measuring equipment.
The Environmental Management components of our IMS cover all of our operations.
The Information Security Management components of our IMS cover all of our operations.
3 Components of the IMS
3.1 Policies
The IMS is based upon the following policies, available on our website (www.voiceconnect.co.uk).
Quality Policy
Environmental Policy
Information Security Policy
We give these to each new employee that joins the company. If any policy changes, we distribute the changed policy to all employees. We also ask every employee to agree to, and sign, an Information Security and Computer Use Agreement.
3.2 Procedures
The IMS contains six categories of procedures, which the following sub-sections describe.
3.2.1 Job Function (JF) Procedures
These procedures describe core job functions that contribute to the provision of our products and services. Each one specifies the skills required to do the procedure. [See also Section 3.6 (Page 8) and Appendices C and D.]
Proc.   Title
JF-1    Software Design and Development
JF-2    Marketing
JF-3    Telemarketing
JF-4    Sales
JF-5    Manage Customer Account
JF-6    Channel Sales
JF-7    Project Management
JF-8    Purchasing
JF-9    Build
JF-10   Transport of Product
JF-11   Installation
JF-12   Training
JF-13   Help Desk Support
JF-14   Remote Service and Maintenance
JF-15   On-Site Service and Maintenance
JF-16   Return Used Items to Stock
JF-17   Technical Documentation
JF-18   Customer Support
JF-19   Alarm Receiving Centre Operation
3.2.2 Management System (MS) Procedures
These procedures cover requirements of ISO 9001:2008, ISO 14001:2004, ISO 27001:2013 and ISO 22301:2012. Procedures MS-1 to MS-4 and MS-6 cover explicit requirements for procedures. Procedure MS-5 covers requirements for the inputs, outputs and records of management reviews.
Proc.   Title                                                               ISO 9001:2008 Section   ISO 14001:2004 Section   ISO 27001:2013 Section or Control   ISO 22301:2012 Section
MS-1    Control of Documents                                                4.2.3                   4.4.5                    7.5.3                               7.5.3
MS-2    Control of Records                                                  4.2.4                   4.5.4                    7.5.3                               7.5.3
MS-3    Internal Audit                                                      8.2.2                   4.5.5                    9.2                                 9.2
MS-4    Response to Nonconformity or Incident (including Corrective Action) 8.3 & 8.5.2             4.5.3                    10.1 & A.16.1                       10.1
MS-5    IMS Review Meeting                                                  5.6                     4.6                      9.3                                 9.3
MS-6    Preventive Action                                                   8.5.3                   4.5.3                    –                                   –
3.2.3 Environmental Management (EM) Procedures
These procedures satisfy requirements of ISO 14001:2004.
Proc.   Title                                       ISO 14001:2004 Section(s)
EM-1    Environmental Operation                     4.4.6
EM-2    Environmental Administration                4.3, 4.4.2, 4.4.3
EM-3    Environmental Monitoring and Compliance     4.5.1, 4.5.2
EM-4    Environmental Emergency                     4.4.7
3.2.4 Business Management (BM) Procedure
This procedure satisfies general business requirements and requirements of ISO 27001:2013.
Proc.   Title                                 ISO 27001:2013 Section(s) or Control(s)
BM-1    Joining and Leaving Voice Connect     A.7.3.1, A.8.1.4, A.9.2.1, A.9.2.2, A.9.2.6
3.2.5 Information Security (IS) Procedures
These procedures satisfy requirements of ISO 27001:2013.
Proc.   Title                                                          ISO 27001:2013 Section(s) or Control(s)
IS-1    Computer Data Backups                                          A.12.3.1
IS-2    Mobile Computing                                               A.6.2.1, A.6.2.2 and A.11.2.6
IS-3    Network Management                                             A.9.1.2 and A.10.1.1
IS-4    Change Control                                                 A.12.1.2
IS-5    Privacy Impact Assessment                                      A.6.1.5, A.18.1.4 and HSCIC IG Req. 210
IS-6    Information Classification, Handling, and Clear Desk and Screen A.8.2.1, A.8.2.2, A.8.2.3, A.13.2.1 and A.11.2.9
IS-7    Access Control and Rights Review                               A.9.1.1 and A.9.2.5
IS-8    Intellectual Property                                          A.18.1.2
IS-9    Working in Secure Areas                                        A.11.1.5
IS-10   IT Systems Monitoring                                          A.12.4.1
NOTES
(1) Some procedures in other sub-sub-sections also cover sections or controls of ISO 27001.
(2) The Employee’s Handbook contains a Disciplinary Procedure, which covers ISO 27001:2013, Control A.7.2.3.
3.2.6 Business Continuity (BC) Procedure
This procedure satisfies general business requirements and requirements of ISO 27001:2013.
Proc.   Title                    ISO 27001:2013 Section(s) or Control(s)
BC-1    Business Continuity      A.17.1.1, A.17.1.2, A.17.1.3
3.3 Process Diagram
The following diagram illustrates the general sequence of [Job Function (JF)] procedures.
[Process diagram: boxes for JF procedures 1 – Software Design and Development; 17 – Technical Documentation; 2 – Marketing; 3 – Telemarketing; 4 – Sales and 6 – Channel Sales; 7 – Project Management; 9 – Build; 5 – Account Management; 10 – Transport; 12 – (Initial) Training; 11 – Installation; 12 – (Additional) Training; 13 – Helpdesk Support; 14 – Remote Service and Maintenance; 15 – On-Site Service and Maintenance; 16 – Return Used Items to Stock; 18 – Customer Support. Annotation: input to Procedure 1 Software Design and Development can come from Procedures 4, 5, 13, 14 and 18.]
NOTE Procedure JF-19 – Alarm Receiving Centre Operation is entirely separate.
3.4 Work Instructions
Where appropriate, procedures may be supplemented by Work Instructions. For example, the Installation procedure may be supplemented by Work Instructions, which refer to specific Voice Connect software products. The appropriate team manager is responsible for the authorisation of any Work Instructions.
3.5 Organisation Chart
The Organisation Chart is a separate document that shows the structure of Voice Connect, with the names and job titles of all employees. It is updated and distributed to everyone whenever somebody joins or leaves the organisation, or there are changes.
3.6 Job Descriptions
Most employees do one or more procedural job functions. Some also do non-procedural job functions, such as administration or management.
(1) Each Job Description specifies the following that the employee does:
(a) Principal Job Function (JF) procedures, listed in Section 3.2.1 (Page 5);
(b) Other applicable procedures, listed in the remainder of Section 3.2 (Page 4);
(c) Additional non-procedural job functions.
(2) Each Job Description also specifies the Knowledge and Skills that the employee requires. These are an amalgamation of any Knowledge and Skills required by the following:
(a) Any procedure(s) that the employee does;
(b) Any additional non-procedural job functions.
NOTE The Job Descriptions correspond with the Organisation Chart [see Section 3.5 (Page 7)].
3.7 Training Records
(1) Each employee’s Training Record contains the following.
(a) The Knowledge and Skills that the employee had when he/she joined Voice Connect.
(b) Any Training that Voice Connect has provided to the employee.
(c) Any Training that Voice Connect schedules for the employee (to acquire any required skills as specified on the employee’s job description).
(2) The cumulative training required by all the employees of Voice Connect enables the organisation to plan and implement a schedule of training for its employees.
3.8 Approved Suppliers
The Stock and Purchases Database provides the facility to assign one of four categories to each supplier.
On Trial
Approved
Do Not Use
In Use
Initially, new suppliers are assigned the category On Trial and, if found to be satisfactory, are then assigned the category Approved. The Technical Director authorises the assignment of a category to a supplier in the Stock and Purchases Database. The database can output a List of Approved Suppliers, which is a list of those suppliers assigned the category Approved, as described above.
3.9 Information Security and Governance
The IMS documentation includes the following to manage Information Security and Governance.
Guide to Management of Risks and Opportunities
Information Asset Register
Risk Register
Statement of Applicability – This details how the IMS satisfies the requirements of the controls of ISO 27001:2013, Annex A.