Shahi Enterprises Ltd. An ISO 9001:2008 Services Provider Company UAE Office : Shahi Enterprises FZE P.O. Box Al-Jazeera Al Hamra, Ras Al Khaimah United Arab Emirates Lead Auditor Shiv Shankar Mobile No Website: India Office: , Atmiya Complex, Maneja Crossing Vadodara – Gujarat, India. Tel: Website: ************************** Our Branches *************************** Lucknow, Gorakhpur, Raipur, Kolkatta, New Delhi, Mumbai, Rajkot,Mehsana, Jamnagar,Ranchi,Dehradoon, Guhawati Bangalore, Patna, Valsad. Welcome to

2 Shahi Enterprises Ltd. train and utilize highly capable staff to provide valuable service to assist our clients to achieve the international recognition and acceptance through the standard of the quality management system, it would cover systematic approach through format for: Purchase order/-monitoring Storage. Process control/production planning. Inventory management. Machine breakdown monitoring. Neat working place. Training management staff. Shahi Enterprises has been established in 2004 as a Quality Consulting firm in India at Baroda (Vadodara). Shahi Enterprises has grown from a Quality Consulting firm now become a limited company providing its quality management consulting services to various parts of India (Gujarat, Maharashtra, Uttar Pradesh, Uttarakhand, and Chhattisgarh) and started its quality consultancy services at UAE. We have our offices at Baroda, Lucknow, Mumbai, Guwahati. Shahi Enterprises Ltd is serving over more than two thousand certified clients providing them whole range of ISO Certification Consulting Services for ISO 9001, ISO14001, ISO 18001, ISO 22000, ISO 27001, HACCP, BRC, PED, UL/CE Marking, API Monogram, Trade Mark, GMP- WHO & Product Up gradation. A Unit of Shahi Group

3 We help for subsides for different quality standards from STATE & CENTRAL GOVT. Quality Up gradation System Subsidy 5% Interest Subsidy R&D Subsidy ETP (Environment Treatment Plan) Foreign Exhibition Subsidy IT Subsidy GEB Subsidy Our Associations have been rewarding in the following areas of activities. Quality Standard Developments ISO Environment Management System ISO Occupational Health & Safety Management System ISO Food Safety Management System ISO Information Security Management System HACCP – Hazard Analysis and Critical Control Points BRC - British Retail Consortium PED - Pressure Equipment Derivative QUALITY & HR- TRAINING Product Certification UL/CE Marking API Monogram GMP- WHO & Product Up gradation Business Development Franchise and Dealer Management Project Finance Liaison and Representation A Unit of Shahi Group

4 ISOs means "International Organization for Standardization Central Secretariat in Geneva, Switzerland International federation of over more than 176 countries Non-governmental organization founded in 1947 on the basis of one member per country ISO, derived from the Greek word isos, meaning equal Published more than International Standards

5 A Unit of Shahi Group Information is a valuable asset in any organization, whether it's printed or written on paper, stored electronically or sent by mail or electronic means. To effectively manage the threats and risks to your organization's information you should establish an Information Security Management System (ISMS). An ISMS based on the international standards ISO/IEC 27001: 2005 will help you to implement an effective framework to establish, manage and continually improve the security of your information.

6 A Unit of Shahi Group ISO is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. According to its documentation, ISO was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system." ISO uses a top down, risk-based approach and is technology-neutral. The specification defines a six-part planning process: 1. Define a security policy. 2. Define the scope of the ISMS. 3. Conduct a risk assessment. 4. Manage identified risks. 5. Select control objectives and controls to be implemented. 6. Prepare a statement of applicability.

7 A Unit of Shahi Group The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation. The standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls. ISO contains 12 main sections: 1. Risk assessment 2. Security policy 3. Organization of information security 4. Asset management 5. Human resources security 6. Physical and environmental security

8 A Unit of Shahi Group 7. Communications and operations management 8. Access control 9. Information systems acquisition, development and maintenance 10. Information security incident management 11. Business continuity management 12. Compliance Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO conformance. Other standards being developed in the family are: – implementation guidance an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS – an information security risk management standard. (Published in 2008) a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007) – ISMS auditing guideline.

9 A Unit of Shahi Group

10 A Unit of Shahi Group

11 A Unit of Shahi Group Development, manufacturing and supply of products and services more efficient, safer and cleaner Provide governments with a technical base for health, safety and environmental legislation, and conformity assessment WHAT STANDARDS DO STANDARDS COVERS Risks Costs and benefits Management responsibility Quality system principles Other building blocks

12 A Unit of Shahi Group Say what is to be done Do the work Prove that it has been done

13 A Unit of Shahi Group 4 Information security management system 4.1 General requirements Define your organizations ISMS. Implement your organizations ISMS. Operate your organizations ISMS. Monitor your organizations ISMS. Review your organizations ISMS. Maintain your organizations ISMS. Improve your organizations ISMS. Document your organizations ISMS.

14 A Unit of Shahi Group 4.2 Establishing and managing the ISMS Establish the ISMS Define the scope and boundaries of your ISMS. Define your organizations ISMS policy. Define your approach to risk assessment.risk assessment Identify your organizations security risks.security risks Analyze and evaluate your organizations security risks. Identify and evaluate risk treatment options and actions.risk treatment Select control objectives and controls to treat risks.controls Make sure that management formally approves all residual risks (those that are left over after youve implemented your risk treatment decisions).

15 A Unit of Shahi Group Get authorization from management before you implement and operate your organizations ISMS. Prepare a Statement of Applicability that lists your organizations specific control objectives and controls.Statement of Applicability Implement and operate the ISMS Develop a risk treatment plan to manage your organizations information security risks.risk treatmentrisks Implement your organizations risk treatment plan. Implement your organizations security controls.security controls Implement your organizations educational programs. Manage and operate your organizations ISMS. Manage your organizations ISMS resources. Implement your organizations security procedures.procedures

16 A Unit of Shahi Group Monitor and review the ISMS Use procedures and controls to monitor your ISMS.procedurescontrols Use procedures and controls to review your ISMS. Perform regular reviews of your ISMS.reviews Verify that your security requirements are being met.requirements Review your risk assessments on a regular basis.risk assessments Review your residual risks on a regular basis.residual risks Review acceptable levels of risk on a regular basis. Perform regular internal audits of your ISMS. Perform regular management reviews of your ISMS.management reviews Update your information security plans. Maintain a record of ISMS events and actions Maintain and improve the ISMS Implement your ISMS improvements.

17 A Unit of Shahi Group Take appropriate corrective actions.corrective actions Take appropriate preventive actions.preventive actions Apply the security lessons that you have learned. Communicate ISMS changes to all interested parties. Make sure that your organizations ISMS changes achieve the intended objectives. 4.3 Documentation requirements General Establish records that document decisions. Document your organizations ISMS Control of documents Protect and control your ISMS documents. Establish a procedure to control ISMS documents.procedure Control of records Establish records for your organizations ISMS. Maintain records for your organizations ISMS.

18 A Unit of Shahi Group 5 Management responsibility 5.1 Management commitment Demonstrate that your management supports the establishment of an ISMS. Demonstrate that your management supports the implementation of an ISMS. Demonstrate that your management supports the operation of your ISMS. Demonstrate that your management supports the monitoring of your ISMS. Demonstrate that your management supports the review of your ISMS. Demonstrate that your management supports the maintenance of your ISMS. Demonstrate that your management supports the improvement of your ISMS.

19 A Unit of Shahi Group 5.2 Resource management Provision of resources Identify your organizations ISMS resource needs. Provide the resources that your ISMS needs. Identify the resources that will be needed in order to ensure that your organizations information security procedures support its business requirements.procedures Identify the resources needed to meet your organizations legal security requirements. Identify the resources needed to meet your organizations regulatory security requirements. Identify the resources needed to meet your organizations contractual security obligations. Identify the resources needed to ensure that all implemented security controls are correctly applied.controls

20 A Unit of Shahi Group Identify the resources needed to ensure that ISMS management reviews are routinely carried out. Identify the resources needed to ensure that you will be able to react appropriately to the results of your ISMS management reviews. Identify the resources needed to ensure that you will be able to improve the effectiveness of your ISMS when required to do so Training, awareness and competence Ensure that all ISMS personnel are competent and can perform the tasks that are assigned to them. Evaluate the effectiveness of your organizations ISMS personnel training and employment activities. Maintain records that document the competence of personnel performing work that affects your ISMS. Make your personnel aware of how important their information security activities are.

21 A Unit of Shahi Group 6Internal ISMS audits ESTABLISH AN INTERNAL AUDIT PROCEDUREPROCEDURE Establish an internal ISMS audit procedure. Document your internal ISMS audit procedure. PLAN YOUR INTERNAL AUDITS Plan your internal ISMS audit projects and activities. Figure out how often internal audits should be done. Schedule your internal audits at planned intervals. Clarify the scope of each internal ISMS audit. Specify the audit criteria for each internal audit. Define your internal ISMS audit methods. Select your internal ISMS auditors.

22 A Unit of Shahi Group CONDUCT INTERNAL AUDITS Carry out regular internal ISMS audits. Audit your organizations ISMS control objectives. Audit your organizations ISMS controls.controls Audit your organizations ISMS processes.processes Audit your organizations ISMS procedures.procedures TAKE REMEDIAL ACTION Eliminate nonconformities and their causes. Take follow up actions to ensure that nonconformities and causes have been eliminated without undue delay. Verify that remedial actions have actually been taken. Report the results of your verification activities.

23 A Unit of Shahi Group 7 Management review of the ISMS 7.1 General Carry out management reviews of your ISMS.management reviewsISMS Make sure that your organizations management people review your ISMS at planned intervals. Examine the performance of your ISMS. Examine the ongoing suitability of your ISMS. Examine the ongoing adequacy of your ISMS. Examine the ongoing effectiveness of your ISMS. Assess whether or not your organizations ISMS should be changed or improved. Assess whether or not your information security policy should be changed or improved.information security policy Assess whether or not your information security objectives should be changed or improved. Keep a record of your ISMS management reviews. Record the results of ISMS management reviews.

24 A Unit of Shahi Group 7.2 Review input Examine information about your ISMS (inputs). Examine the results of prior management reviews.management reviews Examine the results of previous ISMS audits. Examine previous ISMS measurement results. Examine the status of previous remedial actions. Examine security issues that were inadequately addressed during the previous risk assessment.risk assessment Examine opportunities to improve your ISMS. Examine changes that might affect your ISMS.

25 A Unit of Shahi Group 7.3 GENERATE MANAGEMENT REVIEW OUTPUTS Generate decisions and actions (outputs). Generate management review decisions and actions to improve your organizations ISMS.management review Generate management review decisions and actions to improve your organizations ISMS.management review Generate management review decisions and actions to update your organizations ISMS. Generate management review decisions and actions to respond to events that affect the ISMS. Generate management review decisions and actions to address your ISMS resource needs.

26 A Unit of Shahi Group 8 ISMS improvement 8.1 Continual improvement Improve the effectiveness of your ISMS. Use your security policy to continually improve the effectiveness of your ISMS.security policy Use your security objectives to continually improve the effectiveness of your ISMS. Use your security audit results to continually improve the effectiveness of your ISMS. Use your management reviews to continually improve the effectiveness of your ISMS.management reviews Use your corrective actions to continually improve the effectiveness of your ISMS.corrective actions Use your preventive actions to continually improve the effectiveness of your ISMS.preventive actions Use your monitoring process to continually improve the effectiveness of your ISMS.

27 A Unit of Shahi Group 8.2 Corrective action Establish a corrective action procedure to prevent the recurrence of actual nonconformities.corrective action Make sure that your corrective action procedure expects you to identify actual nonconformities. Make sure that your corrective action procedure expects you to identify the causes of your nonconformities. Make sure that your procedure expects you to evaluate whether you need to take action. Make sure that your procedure expects you to develop corrective actions when they are needed. Make sure that your procedure expects you to prevent the recurrence of actual nonconformities. Make sure that your corrective action procedure expects you to eliminate the causes of your organizations nonconformities.

28 A Unit of Shahi Group Make sure that your procedure expects you to record the results of any corrective actions taken. Make sure that your procedure expects you to review the results of any corrective actions taken. Document your corrective action procedure.Documentcorrective actionprocedure Implement your corrective action procedure. Use your organizations corrective action procedure to identify nonconformities. Use your organizations corrective action procedure to identify causes. Use your procedure to evaluate whether or not you need to take corrective action. Use your procedure to develop corrective actions whenever corrective actions are actually needed.

29 A Unit of Shahi Group Use your procedure to take corrective actions. Use your procedure to prevent the recurrence of actual nonconformities. Use your procedure to eliminate the causes of actual nonconformities. Use your procedure to record the results of any corrective actions taken. Use your procedure to review the corrective actions that have been taken. Maintain your corrective action procedure.

30 A Unit of Shahi Group 8.3 Preventive action Establish a preventive action procedure to prevent the occurrence of potential nonconformities.preventive action Make sure that your preventive action procedure expects you to identify potential nonconformities. Make sure that your procedure expects you to identify the causes of potential nonconformities. Make sure that your procedure expects you to evaluate whether or not your organization needs to take preventive action. Make sure that your procedure expects you to develop preventive actions when they are needed. Make sure that your procedure expects you to prevent the occurrence of potential nonconformities.

31 A Unit of Shahi Group Make sure that your procedure expects you to eliminate the causes of potential nonconformities. Make sure that your procedure expects you to record the results of any preventive actions taken. Make sure that your procedure expects you to review the results of any preventive actions taken. Document your preventive action procedure.Documentpreventive actionprocedure Implement your preventive action procedure. Use your organizations preventive action procedure to identify potential nonconformities. Use your preventive action procedure to identify the causes of potential nonconformities.

32 A Unit of Shahi Group Use your preventive action procedure to evaluate whether or not you need to take preventive action. Use your preventive action procedure to develop preventive actions whenever they are needed. Use your procedure to take preventive actions. Use your preventive action procedure to prevent the occurrence of potential nonconformities. Use your preventive action procedure to eliminate the causes of potential nonconformities. Use your preventive action procedure to record the results of any preventive actions taken. Use your preventive action procedure to review the preventive actions that have been taken. Maintain your preventive action procedure.

33 A Unit of Shahi Group Assurance through discipline of compliance Risk Management Protect information assets from range of threats Minimized security breaches Use of appropriate controls Prudent business practice Secure Environment Careful Contracting Protection of IPR Legal Compliance Ensures Business Continuity Increased Trust & Customer Confidence

34 A Unit of Shahi Group we care with quality

35 For More Detail Visit our website www. shahifze.com A Unit of Shahi Group

36 A Unit of Shahi Group