Shahi Enterprises Ltd. An ISO 9001:2008 Services Provider Company UAE Office : Shahi Enterprises FZE P.O. Box 31291 Al-Jazeera Al Hamra, Ras Al Khaimah

Shahi Enterprises Ltd. An ISO 9001:2008 Services Provider Company

UAE Office :Shahi Enterprises FZE

P.O. Box 31291 Al-JazeeraAl Hamra, Ras Al Khaimah

United Arab Emirates

Lead Auditor Shiv Shankar Mobile No. +971 562646057Email: [email protected]: www.shahifze.com

India Office:

205-206, Atmiya Complex, Maneja Crossing

Vadodara – 390 013Gujarat, India.

Tel: 9601349008Email: [email protected]: www.shahienterprises.com

**************************Our Branches

***************************

Lucknow, Gorakhpur, Raipur, Kolkatta, New Delhi, Mumbai, Rajkot,Mehsana, Jamnagar,Ranchi,Dehradoon,

Guhawati Bangalore, Patna, Valsad.

Welcome to

mailto:[email protected]

2

Shahi Enterprises Ltd. train and utilize highly capable staff to provide valuable service to assist our clients to achieve the international recognition and acceptance through the standard of the quality management system, it would cover systematic approach through format for:

Purchase order/-monitoring Storage. Process control/production planning. Inventory management. Machine breakdown monitoring. Neat working place. Training management staff.

Shahi Enterprises has been established in 2004 as a Quality Consulting firm in India at Baroda (Vadodara). Shahi Enterprises has grown from a Quality Consulting firm now become a limited company providing its quality management consulting services to various parts of India (Gujarat, Maharashtra, Uttar Pradesh, Uttarakhand, and Chhattisgarh) and started its quality consultancy services at UAE. We have our offices at Baroda, Lucknow, Mumbai, Guwahati.

Shahi Enterprises Ltd is serving over more than two thousand certified clients providing them whole range of ISO Certification Consulting Services for ISO 9001, ISO14001, ISO 18001, ISO 22000, ISO 27001, HACCP, BRC, PED, UL/CE Marking, API Monogram, Trade Mark, GMP- WHO & Product Up gradation.

A Unit of Shahi Group

3

We help for subsides for different quality standards from STATE & CENTRAL GOVT. Quality Up gradation System Subsidy 5% Interest Subsidy R&D Subsidy ETP (Environment Treatment Plan) Foreign Exhibition Subsidy IT Subsidy GEB Subsidy

Our Associations have been rewarding in the following areas of activities. Quality Standard Developments

ISO 14001-2004 Environment Management System ISO 18001-2007 Occupational Health & Safety Management System ISO 22000-2005 Food Safety Management System ISO 27001-2005 Information Security Management System HACCP – Hazard Analysis and Critical Control Points BRC - British Retail Consortium PED - Pressure Equipment Derivative QUALITY & HR- TRAINING

Product Certification UL/CE Marking API Monogram GMP- WHO & Product Up gradation

Business Development Franchise and Dealer Management Project Finance Liaison and Representation A Unit of Shahi Group

4A Unit of Shahi Group

ISO’s means "International Organization

for Standardization“

Central Secretariat in Geneva,

Switzerland International federation of

over more than 176 countries

Non-governmental organization founded in 1947 on the basis of one member per country “ISO”, derived from the Greek word isos, meaning ‘equal”

Published more than 17500 International Standards


Information is a valuable asset in any organization, whether it's printed or written on paper, stored electronically or sent by mail or electronic means.

To effectively manage the threats and risks to your organization's information you should establish an Information Security Management System (ISMS).

An ISMS based on the international standards ISO/IEC 27001: 2005 will help you to implement an effective framework to establish, manage and continually improve the security of your information.


ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

ISO 27001 uses a top down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

1. Define a security policy.

2. Define the scope of the ISMS.

3. Conduct a risk assessment.

4. Manage identified risks.

5. Select control objectives and controls to be implemented.

6. Prepare a statement of applicability.


The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:

1. Risk assessment2. Security policy3. Organization of information security4. Asset management 5. Human resources security6. Physical and environmental security


7. Communications and operations management8. Access control 9. Information systems acquisition, development and maintenance 10. Information security incident management 11. Business continuity management 12. Compliance

Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

Other standards being developed in the 27000 family are:

27003 – implementation guidance.

27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.

27005 – an information security risk management standard. (Published in 2008)

27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)

27007 – ISMS auditing guideline.




Development, manufacturing and supply of products and services more efficient, safer and cleaner

Provide governments with a technical base for health, safety and environmental legislation, and conformity assessment

WHAT STANDARDS DO

STANDARDS COVERS Risks Costs and benefits Management responsibility Quality system principles Other building blocks


“Say what is to be done

Do the work

Prove that it has been done”


4 Information security management system

4.1 General requirements

Define your organization’s ISMS.

Implement your organization’s ISMS.

Operate your organization’s ISMS.

Monitor your organization’s ISMS.

Review your organization’s ISMS.

Maintain your organization’s ISMS.

Improve your organization’s ISMS.

Document your organization’s ISMS.


4.2 Establishing and managing the ISMS

4.2.1 Establish the ISMS

Define the scope and boundaries of your ISMS.

Define your organization’s ISMS policy.

Define your approach to risk assessment.

Identify your organization’s security risks.

Analyze and evaluate your organization’s security risks.

Identify and evaluate risk treatment options and actions.

Select control objectives and controls to treat risks.

Make sure that management formally approves all

residual risks (those that are left over after you’ve

implemented your risk treatment decisions).

http://www.praxiom.com/iso-27001-definitions.htm





Get authorization from management before you

implement and operate your organization’s ISMS.

Prepare a Statement of Applicability that lists your

organization’s specific control objectives and controls.

4.2.2 Implement and operate the ISMS

Develop a risk treatment plan to manage your

organization’s information security risks.

Implement your organization’s risk treatment plan.

Implement your organization’s security controls.

Implement your organization’s educational programs.

Manage and operate your organization’s ISMS.

Manage your organization’s ISMS resources.

Implement your organization’s security procedures.







4.2.3 Monitor and review the ISMS

Use procedures and controls to monitor your ISMS.

Use procedures and controls to review your ISMS.

Perform regular reviews of your ISMS.

Verify that your security requirements are being met.

Review your risk assessments on a regular basis.

Review your residual risks on a regular basis.

Review acceptable levels of risk on a regular basis.

Perform regular internal audits of your ISMS.

Perform regular management reviews of your ISMS.

Update your information security plans.

Maintain a record of ISMS events and actions.

4.2.4 Maintain and improve the ISMS

Implement your ISMS improvements.









Take appropriate corrective actions. Take appropriate preventive actions. Apply the security lessons that you have learned. Communicate ISMS changes to all interested parties. Make sure that your organization’s ISMS changes achieve the intended objectives.

4.3 Documentation requirements4.3.1 General

Establish records that document decisions. Document your organization’s ISMS.

4.3.2 Control of documents Protect and control your ISMS documents.

Establish a procedure to control ISMS documents. 4.3.3 Control of records

Establish records for your organization’s ISMS. Maintain records for your organization’s ISMS.





5 Management responsibility5.1 Management commitment

Demonstrate that your management supports the establishment of an ISMS. Demonstrate that your management supports the implementation of an ISMS. Demonstrate that your management supports the operation of your ISMS. Demonstrate that your management supports the monitoring of your ISMS. Demonstrate that your management supports the review of your ISMS. Demonstrate that your management supports the maintenance of your ISMS. Demonstrate that your management supports the improvement of your ISMS.


5.2 Resource management5.2.1 Provision of resources

Identify your organization’s ISMS resource needs.

Provide the resources that your ISMS needs.

Identify the resources that will be needed in order to

ensure that your organization’s information security

procedures support its business requirements.

Identify the resources needed to meet your

organization’s legal security requirements.


organization’s regulatory security requirements.


organization’s contractual security obligations.

Identify the resources needed to ensure that all

implemented security controls are correctly applied.




Identify the resources needed to ensure that ISMS management reviews are routinely carried out. Identify the resources needed to ensure that you will be able to react appropriately to the results of your ISMS management reviews. Identify the resources needed to ensure that you will be able to improve the effectiveness of your ISMS when required to do so.

5.2.2 Training, awareness and competence Ensure that all ISMS personnel are competent and can perform the tasks that are assigned to them. Evaluate the effectiveness of your organization’s ISMS personnel training and employment activities. Maintain records that document the competence of personnel performing work that affects your ISMS. Make your personnel aware of how important their information security activities are.


6 Internal ISMS audits

ESTABLISH AN INTERNAL AUDIT PROCEDURE

Establish an internal ISMS audit procedure.

Document your internal ISMS audit procedure.

PLAN YOUR INTERNAL AUDITS

Plan your internal ISMS audit projects and activities.

Figure out how often internal audits should be done.

Schedule your internal audits at planned intervals.

Clarify the scope of each internal ISMS audit.

Specify the audit criteria for each internal audit.

Define your internal ISMS audit methods.

Select your internal ISMS auditors.



CONDUCT INTERNAL AUDITS

Carry out regular internal ISMS audits.

Audit your organization’s ISMS control objectives.

Audit your organization’s ISMS controls.

Audit your organization’s ISMS processes.

Audit your organization’s ISMS procedures.

TAKE REMEDIAL ACTION

Eliminate nonconformities and their causes.

Take follow up actions to ensure that nonconformities

and causes have been eliminated without undue delay.

Verify that remedial actions have actually been taken.

Report the results of your verification activities.





7 Management review of the ISMS7.1 General

Carry out management reviews of your ISMS. Make sure that your organization’s management

people review your ISMS at planned intervals. Examine the performance of your ISMS.

Examine the ongoing suitability of your ISMS. Examine the ongoing adequacy of your ISMS. Examine the ongoing effectiveness of your ISMS.

Assess whether or not your organization’s ISMS should be changed or

improved. Assess whether or not your information security policy should be changed or improved.

Assess whether or not your information security objectives should be changed or improved.

Keep a record of your ISMS management reviews. Record the results of ISMS management reviews.





7.2 Review input

Examine information about your ISMS (inputs).

Examine the results of prior management reviews.

Examine the results of previous ISMS audits.

Examine previous ISMS measurement results.

Examine the status of previous remedial actions.

Examine security issues that were inadequately

addressed during the previous risk assessment.

Examine opportunities to improve your ISMS.

Examine changes that might affect your ISMS.




7.3 GENERATE MANAGEMENT REVIEW OUTPUTS

Generate decisions and actions (outputs).

Generate management review decisions and

actions to improve your organization’s ISMS.


actions to improve your organization’s ISMS.


actions to update your organization’s ISMS.


actions to respond to events that affect the ISMS.


actions to address your ISMS resource needs.




8 ISMS improvement8.1 Continual improvement

Improve the effectiveness of your ISMS. Use your security policy to continually improve the effectiveness of your ISMS. Use your security objectives to continually improve the effectiveness of your ISMS. Use your security audit results to continually improve the effectiveness of your ISMS. Use your management reviews to continually improve the effectiveness of your ISMS. Use your corrective actions to continually improve the effectiveness of your ISMS. Use your preventive actions to continually improve the effectiveness of your ISMS. Use your monitoring process to continually improve the effectiveness of your ISMS.






8.2 Corrective action Establish a corrective action procedure to prevent

the recurrence of actual nonconformities. Make sure that your corrective action procedure expects you to identify actual nonconformities. Make sure that your corrective action procedure expects you to identify the causes of your nonconformities. Make sure that your procedure expects you to evaluate whether you need to take action. Make sure that your procedure expects you to develop corrective actions when they are needed. Make sure that your procedure expects you to prevent the recurrence of actual nonconformities. Make sure that your corrective action procedure expects you to eliminate the causes of your organization’s nonconformities.



Make sure that your procedure expects you to

record the results of any corrective actions taken.


review the results of any corrective actions taken. Document your corrective action procedure. Implement your corrective action procedure.

Use your organization’s corrective action

procedure to identify nonconformities.

Use your organization’s corrective

action procedure to identify causes.

Use your procedure to evaluate whether

or not you need to take corrective action.

Use your procedure to develop corrective actions

whenever corrective actions are actually needed.





Use your procedure to take corrective actions.

Use your procedure to prevent the

recurrence of actual nonconformities.

Use your procedure to eliminate the

causes of actual nonconformities.

Use your procedure to record the

results of any corrective actions taken.

Use your procedure to review the

corrective actions that have been taken.

Maintain your corrective action procedure.


8.3 Preventive action Establish a preventive action procedure to prevent

the occurrence of potential nonconformities.

Make sure that your preventive action procedure

expects you to identify potential nonconformities.


identify the causes of potential nonconformities.


evaluate whether or not your organization needs

to take preventive action.


develop preventive actions when they are needed.


prevent the occurrence of potential nonconformities.




eliminate the causes of potential nonconformities.


record the results of any preventive actions taken.


review the results of any preventive actions taken.

Document your preventive action procedure.

Implement your preventive action procedure.

Use your organization’s preventive action

procedure to identify potential nonconformities.

Use your preventive action procedure to identify

the causes of potential nonconformities.





Use your preventive action procedure to evaluate

whether or not you need to take preventive action.

Use your preventive action procedure to develop

preventive actions whenever they are needed.

Use your procedure to take preventive actions.

Use your preventive action procedure to prevent

the occurrence of potential nonconformities.

Use your preventive action procedure to eliminate

the causes of potential nonconformities.

Use your preventive action procedure to record

the results of any preventive actions taken.

Use your preventive action procedure to review

the preventive actions that have been taken.

Maintain your preventive action procedure.


Assurance through discipline of complianceRisk Management

Protect information assets from range of threatsMinimized security breachesUse of appropriate controlsPrudent business practice

Secure EnvironmentCareful ContractingProtection of IPRLegal Compliance

Ensures Business Continuity

Increased Trust & Customer Confidence


we

care

with

quality

35

For

More

Detail

Visit our website

www. shahifze.com

www.shahienterprises.com




Documents

Shahi Enterprises Ltd. An ISO 9001:2008 Services Provider Company UAE Office : Shahi Enterprises FZE P.O. Box 31291 Al-Jazeera Al Hamra, Ras Al Khaimah