OASIS IMS Procedures Manual 2012
CONTENTS TABLE
Document Control
Circulation List
All staff shall have access to the Integrated Management System Policy
Manual as a read-only document on the network. This shall be password
protected under the control of the Management Representative.
Amendment History
Copies of this document other than those listed above will not be revised;
such copies are marked as UNCONTROLLED.
Amendment Record
Columns: Amendment Number; Date; Section and Page Number; Details of
Amendment; New Issue Number; Authorisation
1 Scope
2 Purpose
3 Responsibilities
4 Related Documentation
• Document List
5 Procedure
Amendments
The responsibility for generating and storing records shall be with the
relevant members of staff under the overall control of the Management
Representative.
All records associated with the IMS are retained in the appropriate files for
the duration specified on the Document List. The Document List also
includes any data stored electronically.
The purpose of the listing is to identify all items associated with the operation
of the Quality system that are retained in the record system, and indicate the
minimum time for which each record should be retained.
All data held electronically, including emails, are backed up on a daily basis
and stored at Head Office. The IT Department are responsible for ensuring
the Security and retrieval of documents held electronically. IT procedures
and policies are in place and are available from the IT Company. The
Company have compiled an email policy which is attached in Appendix E of
the IMS Policy Manual.
Classification of Information
Data Protection
Virus control software is currently installed on all computers in the
Company. The software automatically requests updates daily via the
Internet.
Computerised data is backed up in accordance with Back-up Tapes
procedure OP04.
1 Scope
2 Purpose
3 Responsibility
4 Related Documentation
5 Procedure
• General Manager
• EVP Ops & Sales
• EVP Administration
• CFO Chief Financial Officer
The agenda for the meeting should be all elements of the Integrated
Management System, which gives an indication of its continuing
effectiveness. The inputs to this meeting shall include the following:
The results of the review meeting must be available in the form of minutes
maintained by the Management Representative. The outputs of the meeting
are any actions to be taken, a time scale for implementation and a date for a
follow-up action.
1 Scope
This procedure covers the training policy operated by the Company for all
staff. It also addresses the vetting controls operated by the Company.
2 Purpose
This procedure is to ensure that new and existing personnel are adequately
trained to perform the tasks assigned to them and that all personnel have
been satisfactorily vetted to handle secure and confidential information.
3 Responsibility
The General Manager and Branch Manager have overall responsibility for the
identification of the training requirements and the provision of training needs,
and are assisted in this activity by the Management Team.
5 Procedure
All employees and persons working for and on behalf of Oasis Group shall be
competent in their tasks based on their skills, experience and training. Roles
and responsibilities are defined within Purviews including Information Security
and Quality responsibilities.
On receipt of induction, the employee shall sign the training record sheet as
evidence of training received. A contract of employment shall also be signed
outlining Security related responsibilities and associated disciplinary
procedures.
All existing staff within the organisation shall receive training on the
Information Security and Quality Policies, and the requirements of the
Integrated Management System in general. This shall include the importance
of meeting objectives, conforming to policies, legal responsibilities and the
The department manager must also ensure that all employees are aware of
the need to follow specified procedures and the consequences of not following
them.
The skills required for a particular position are detailed in the relevant Purview.
On assignment to a particular position, staff members are trained in the skills
required to perform the job. A Personal Profile Form is raised for each
employee detailing training, education and experience. Extra training
requirements are identified through the appraisals and will be recorded on the
Appraisal Sheet.
Purviews - Purviews are available for all positions, which include Security
responsibilities. These are signed both by the employee and appropriate
manager. Employees are provided with a copy of the Purview.
Training for emergency situations shall be provided by the Company, e.g. fire
evacuation, Security breaches etc.
Training records are maintained by the Accounts Manager for all staff
members. Training Records shall detail all training, including both internal and
external training, completed by the employees.
All potential employees are made aware at the application stage that it is a
requirement for all site personnel to be vetted and any position in the
Company requires the completion of a vetting form on commencement of
employment.
• Network Management
• Database Administration
• Back-up
• Access Control Technology
• CCTV Security
Vacancy
Gap analysis
Security Vetting
Personnel Audit /
Appraisals
Training Plan
Training Matrix /
Training Records
1 Scope
2 Purpose
3 Responsibility
4 Related Documentation
5 Procedure
Problems, incidents and opportunities for improvement may include but are
not limited to the following circumstances:-
Incidents are recorded on an Incident Form, detailing the nature and details of
any incident, concern, non-conformance or Security breach. The reason or
root cause of the incident or concern is investigated and corrective action is
agreed to prevent reoccurrence. These are reviewed to ensure
corrective/preventative actions have been or are being taken at the weekly
Operations Meeting and again briefly at the monthly Management Meeting.
Responding to Incidents
Security incidents shall be reported using the current Incident Form. This
includes suspected Security weaknesses, software malfunctions, etc.
In addition to the above, all issues and opportunities for improvement are
reviewed as part of the management review process.
Preventive Action
Monthly management meetings shall be held to discuss and deal with any
problems, Quality issues, resource issues and potential problems arising in
order that proactive preventive actions may be determined and implemented.
All issues and resulting actions are recorded and monitored through the
minutes of the meetings.
1 Scope
2 Purpose
The purpose of the Internal Audit is to ensure that the Integrated Management
System is systematically reviewed on a regular basis to check its continuing
suitability and effectiveness.
3 Responsibility
4 Related Documentation
5 Procedure
Prior to each audit the auditor reads the section of the relevant procedure or
work instruction in order to prepare audit checks.
The auditor will satisfy him/herself whether or not the procedure is being
complied with. This is achieved by asking questions, checking a sample of
records, observing what is happening and listening to auditees.
The Audit Report is used to record areas checked, records checked, persons
The auditor discusses the audit findings with the person responsible for the
area being audited to obtain a commitment on corrective action and whenever
possible, decide upon a date for completion of same. This is recorded on the
Audit Report.
The Audits are reviewed within a month of audit to record the implementation
and effectiveness of the corrective action taken. This is recorded on the Audit
Report.
All audit reports are analysed and the findings summarised prior to the
Management Review for the purpose of identifying areas for improvement
Any changes to existing procedures, work instructions, etc. resulting from the
preventive action(s) must be made and recorded.
1 Scope
This procedure covers the process of risk identification and the subsequent
risk assessment process in the following areas:
2 Purpose
To ensure that all Security risks are assessed on a regular basis and in a
consistent manner.
3 Responsibilities
4 Related Documentation
• Statement of Applicability
• Visitors Book
• Security Risk Assessment
5 Procedure
Based on the risk assessment the Company will develop safe methods of
work, emergency preparedness plans and contingency plans which reflect the
potential emergency situations e.g. Security breaches, loss of information
through fire etc.
All personnel will be trained in the operation of the safe methods of work,
emergency preparedness and contingency plans.
The plans will also be reviewed after Security breaches and incidents and also
at the Management Review Meeting.
Where work is being carried out on the Company’s premises it will be the
responsibility of the Management Representative to ensure that the risks
associated with such work are assessed. Visiting contractors will be required
to sign a copy of the Company’s Confidentiality Agreement and details of
Visitors and Contractors will be recorded in the visitor’s book.
1 Scope
2 Purpose
3 Responsibilities
All staff are responsible for assisting in the achievement of the various
objectives and targets.
4 Related Documentation
5 Procedure
All details regarding IMS objectives and targets are recorded on the
Objectives and Targets Record Form. For each significant Security risk, at
least one objective is devised. All objectives with clearly defined targets will
include:
• Start date
• Completion date
• Responsibility
• Measurable targets
At the end of each calendar year, the objectives and targets are updated and
revised. The Management Team must set new objectives and targets for the
coming year. The new objectives and targets devised must be recorded on
the Objectives and Target Record Form.
The Management Representative must ensure that objectives and targets are
communicated to all employees through the publication of the objectives and
targets on the notice board in the Company.
In the event where the Company fails to achieve Objective(s) and Target(s) in
the stated timescale, an investigation shall be conducted by the Management
Representative to determine the cause of the failure. As a result of the
investigation, corrective action(s) and/or preventive action(s) must be outlined
and a new target date for completion of the corrective action(s) must be set.
1 Scope
• The selection and evaluation of all suppliers of goods and services, and
of subcontractors used by the Company,
• The purchase of all goods and materials which directly affect Quality, and
• The inspection of all goods and materials received by the Company.
• The control of assets in accordance with ISO27001:2005
2 Purpose
3 Responsibility
The Accounts Department are responsible for the authorisation of all Purchase
Orders.
All office staff are responsible for the checking of goods delivered direct to site.
4 Related Documentation
• Purchase Order
• Approved Supplier/Subcontractor List
• Delivery Notes
5 Procedure
Supplier Control
A list of approved suppliers is maintained. Our basic requirements of our
suppliers are that they supply their goods on time and at the right price. Any
specific requirements will be provided in writing to our suppliers. The criteria
for approval can be one or all of the following:
• Price
• Availability
• Reputation
• Previous experience
• Quality
The basis for approval will be recorded on the Approved Suppliers List. An
account is set up on the computer system.
Supplier performance is reviewed on an ongoing basis and if any supplier is
no longer meeting the Company’s requirements, appropriate action will be
taken. This may result in the supplier being removed from the Approved
Suppliers List.
Purchasing Data
Goods Inwards
On receipt, goods are identified against the supplier delivery docket.
Goods are inspected against the supplier Delivery Docket for
• Quantity;
• Description;
• Condition of packaging.
Discrepancies are noted on the Supplier Delivery Docket and the Supplier
Delivery Docket is signed. The supplier invoices are checked against the
supplier delivery docket/ P.O.
Control of Assets
The General Manager and Branch Manager, in conjunction with the COO
where applicable, are responsible for the compilation of an Asset Register for
Oasis (Belfast) and Oasis (Dublin). The Register shall identify assets in the
following categories:
• Information
• Hardware
• Software
The Register shall classify all assets and assign ownership of these (as
defined within ISO27001).
The General Manager and Branch Manager are responsible for the monitoring
of asset management and for the addition of assets and secure disposal of
assets as required.
Asset owners shall ensure the secure handling of assets and in particular the
transport, handling and storage of the confidential documents in a secure
manner.
The Asset Register shall be reviewed and updated on at least an annual basis
by the Management Team.
1 Scope
This procedure covers the preparation and submission of all estimates and
tenders within the Company, and the review and acceptance of all orders.
2 Purpose
The purpose of the procedure is to ensure that all estimates and tenders are
prepared in a consistent format, and that all orders are reviewed prior to
acceptance.
3 Responsibility
It is the responsibility of the Account Manager to ensure all enquiries are dealt
with and all orders reviewed upon receipt to ensure customer requirements
have been adequately identified and that orders can be met to the customers’
satisfaction.
4 Related Documentation
• Sales Procedures
5 Procedures
Sales & Marketing
Sales and marketing is managed in accordance with the Sales & Marketing
Process Document No. 4/2.
Identification of Customer Requirements
Customer requirements are identified in accordance with the Sales &
Marketing Procedure Document No. 4/2.
Customer accounts are set up in accordance with Account Creation/ Box
storage Procedure & Vault Storage Document Nos. 4/3 and 4/3 V.
Orders
Orders/ requisitions are received in accordance with the Maintaining Service
Level Agreements Procedure Document No. 4/4.
Customer Complaints
Customer complaints/Non-conformances are dealt with in accordance with the
Non-Conformance Issues Procedure Document No. 4/5.
1 Scope
2 Purpose
3 Responsibility
New installations and major changes to the IT facilities are approved and
authorised by the Security Manager and the IT Consultant. Independent
advice is sought from an independent IT Consultant. The Independent
Consultant advises on Security threats.
4 Related Documentation
• Purviews
• Confidentiality Agreements
• Back-up logs
• Access Control records
5 Procedure
Physical and Environmental Security
Third party collections: Items for collection by third parties are left in the
lobby.
Third party deliveries: All deliveries held in the lobby until they are checked
against the Purchase Order.
Removal of Property
Removal of property such as equipment, data, software and documentation
belonging to the organisation requires authorisation.
Equipment Security
The Security PCs and equipment are stored in a cabinet, secured behind two
locked doors. There is an air-cooling system and access is limited to authorised
personnel only.
Power Supplies
There is a UPS system in place to protect against power surges and power
loss, allowing for a safe shutdown. A generator is contracted to be available
through the Company’s electricians.
Cabling Security
Power and telecommunications cabling is protected from interception or
damage. All cables are trunked. No sensitive information is transmitted by
cable.
Equipment Maintenance
There are service maintenance agreements with service providers in place for
all critical pieces of equipment. There are preventive maintenance
programmes in place. These maintenance service providers keep records of
maintenance.
The roller shutter zappers pose a risk of unauthorised access. In the event of
a lost zapper, the electrician can recode the system.
Shutter Keys are issued to all personnel with the authority to lock-up and are
never left unattended.
In the event of disposal, all memory of PCs is wiped and PCs are
professionally destroyed. Similarly, any media containing sensitive data is
professionally destroyed.
1 Scope
This procedure covers all activities carried out by the Company in relation to the
collection, storage and retrieval of confidential documentation.
2 Purpose
The purpose of the procedure is to ensure that document storage and retrieval
activities are carried out with the utmost Security and to the customers’
requirements.
3 Responsibility
4 Related Documentation
• Operational Procedures
5 Procedure
Operations Control
Work Environment
Records are stored in accordance with PRISM (Professional Records &
Information Systems Management) recommendations:
Magnetic Media Vault:
Boxes/files for storage are bar coded by the client in accordance with the Bar
coding Guidelines and box/ file transmittal sheet (Dublin). Media is bar coded
by Oasis Group in accordance with the Media Creation Procedure Document
No. OP16.
Media is scanned into a location in accordance with the Box Movement
Procedure OP06.
The contents of boxes are entered into the computer system in accordance
with Data Entry Procedure Document No. OP09 & OP14.
The status of material for storage during transit is monitored through the PDT /
MC50 Scanners in accordance with the Driver Scanner. The status of material
for storage while in the Depository is indicated by the database in accordance
with the Box Movement Procedure Document No. OP06 & OP13.
Customer Property
On receipt, customer property is checked for condition/ suitability of boxes. If
deemed unsuitably boxed, the customer is informed and given an option to re-
box or instruct Oasis to re-box. The material is identified in accordance with
the Box Movement Procedure.
Material is safeguarded whilst in storage in accordance with the Structure and
Infrastructure Procedure. In the event that customer property is lost or
damaged, the customer is informed. This would be recorded in
accordance with the Non Conformance Procedure.
Preservation of Product
The preservation of product during transit and internal processing is detailed
in the Box movement In/ Box Procedure.
Client data under the jurisdiction of the FoI Act or Software Act would be the
sole responsibility of the Client.
1 Scope
This procedure covers the controls exercised over the calibration system
operated by the Company and also outlines how Company vehicles are
maintained in a manner to ensure that they are able to carry out their required
function.
2 Purpose
This procedure will apply to all inspection, measuring and test equipment
required to verify service Quality. This procedure is also to ensure all vehicles
are maintained in a roadworthy condition and safe from damage, deterioration
or theft.
3 Responsibilities
The General Manager and Branch Manager have overall responsibility for
ensuring that adequate monitoring and measurement is carried out and for
ensuring adequate control is maintained over the equipment. The General
Manager and Branch Manager may designate suitable staff for this purpose.
4 Related Documentation
• Calibration records
• Service reports
5 Procedure
Each piece of calibrated equipment will be identified with a label indicating its
calibration status; certificates will also be held.
Control of Vehicles
The Transport Manager retains a file for each vehicle operated from
Oasis (Dublin). This file contains details of all servicing and repair carried out
on each vehicle.
Vehicles are required to be kept in a clean and tidy manner at all times. All
vehicles are regularly washed by the technicians as required. There should
be no unsecured tools or equipment in the cab of the vehicle.
Each vehicle undergoes an annual service prior to its PSV and a major
service approximately every 35,000 kilometres. The driver of the vehicle can
also request maintenance at any time.
It is the responsibility of the driver to check the vehicle before use and ensure
that it is in safe working order. The FLOWER method should be used (Fuel,
Lights, Oil, Water, Electrics & Rubber).
1 Scope
2 Purpose
3 Responsibilities
All employees are expected to be familiar with and adhere to the requirements
of this procedure.
4 Related Documentation
5 Procedure
All employees are made aware of the fire evacuation procedure. Fire drills are
performed twice a year. An induction presentation is also given to all new starts.
Evacuation Procedure
In the event of an evacuation from the site the alarm shall be raised and all
employees and persons on site are to follow the instructions given by Senior
Management.
All employees, contractors and site visitors must evacuate the building through
the nearest safe escape routes. Ensure all personnel leave in an orderly
fashion. When outside, all employees must congregate at the assembly
area.
A plan showing the location of fire extinguishers and fire exit points is
displayed at various points in the building.
No persons are allowed to re-enter the building unless it has been made safe
by the appropriate authority.
Finding A Fire
Tackling a Fire
Extinguishing appliances are only used for SMALL FIRES. If the fire is getting
“out of control”, withdraw, close the door and call the fire brigade.
The estate where the facility is located has a Security barrier with 24 hour
guarding.
On notifying the relevant authorities all personnel are to remain outside the
premises until instructed to return by the most senior member of the
emergency services in attendance.
The COO and Management Team have prepared a Business Continuity Plan
in order to ensure the continued operation of services in the event of an
emergency.
To ensure that the Security requirements of the business are achieved, the
Business Continuity Plan shall be tested at planned intervals.
The COO shall, on an annual basis, carry out a drill to ensure the successful
operation of the contingency plans.
The results of drills shall be reviewed at the Management review meeting and
any corrective or preventive actions agreed as necessary. Such actions may
include the amendment to contingency plans or procedures and all personnel
shall be instructed on relevant changes.
1 Scope
This procedure covers the control operated over visitors and contractors working
on the site.
2 Purpose
The purpose of the procedure is to ensure that all Security risks are minimised
and that all visitors and contractors are identified on site.
3 Responsibility
It is the responsibility of the Office staff to ensure all visitors sign in and out of
the premises and are accompanied by a member of staff while on site.
4 Related Documentation
• Visitors Book
• Confidentiality Agreement
5 Procedure
All visitors or contractors on site must report to the office and sign the visitors
book on entering and leaving the site.
Where an external party has requested to visit the site the names of the
visitors are to be made known to the Company prior to the visit.
1 Scope
2 Purpose
To ensure that service delivery not only meets but exceeds the requirements
of the Customer.
3 Responsibilities
4 Related Documentation
• Prism Guidelines
• Event Log
• Exceptions Report
• Service Level Report
5 Procedure
Environment
Service
Analysis of Data
The Management Representative will review the following records as part of
the Operations Meeting in order to identify areas for improvement.
• Non-Conformance issues
• Customer Feedback Surveys
• Operational issues
• Projects
• Staff Issues
Review for Improvement – Corrective/Preventative Action
The results of the above analysis are discussed at the Management Meeting.
The reason for the non-conformity, potential non-conformity or opportunity for
improvement will be investigated and recorded in the minutes.
Corrective and/or preventive action will be decided upon and recorded in the
minutes. The effectiveness of the corrective and preventive action taken will
be assessed at the subsequent management meeting.
Customers are surveyed using the Quality Control Survey form (annually) to
assess their satisfaction with our product and services. Clients’ activity levels
are monitored on an ongoing basis through the O’Neills System.
Customer Services undertake regular Contact Calls, both by telephone and
site visit, to ensure customer satisfaction. These are done on a minimum of an
annual basis.
Procedures
The following procedures are followed:
• Commencement of contact:
o Daily contact to ensure smooth transaction of
documents/multimedia.
o Annual call by phone or in person to ensure service levels are
meeting customers’ expectations.
• The following points are raised at this time:
o Collections and Deliveries are on time
o Collections and Deliveries are correct
o Drivers are polite and courteous
o Billing is correct and understood
o Informing the customer of how much storage intake they
currently have and enquiring what their expected growth may be
so that we can accommodate them.
o Ensuring the customer is aware of the full range of services
offered by Oasis Group.
o Updating customer authorisation list
o Asking customers for any suggestions they might have for
improvements.