
Part 3 FOOD SAFETY MANAGEMENT SYSTEM ISO 22000:2005
To Ensure Integrity of Food Supply Chain

1. AIM:-
I. Control food safety hazards in order to consistently provide safe end
products that meet both requirements agreed with the customer
and those of applicable food safety regulation.
II. Enhance customer satisfaction through the effective control of food
safety hazards.

2. APPLICABILITY: - All types of organisations within the food chain
(Farm to fork)

– Feed producers
– Primary producers
– Food Manufacturers
– Transport and storage operators
– Subcontractors
– Retail and food service outlets (Hotels and caterers)
– Manufacturers of Equipment, packing material, cleaning agents &
Additives, Ingredients.

3. FOOD SAFETY: - Preventing food borne hazards at the point of
consumption

4. METHODOLOGY: - Combine HACCP plans and prerequisite
programmes (PRPs) to ensure hazard control. PRPs are further divided
into infrastructure and maintenance (PRPs) and operational PRPs.
Identify the risks, evaluate the risks and take action. Keep improving
through verification of effectiveness.

5. BENEFITS:-
– Increased Due Diligence
– More Efficient And Dynamic Food Safety Hazard Control
– All Control Measures Subjected To Hazard Analysis
– Fill The Gap Between ISO 9001:2000 And HACCP.
– System Approach Rather Than Product Approach.
– Covers the entire Food chain.
– Make the organization ready to meet the requirements of new FOOD
SAFETY ACT.
– Easier to meet the new food safety bill requirements
– Better traceability

6. STEPS IN IMPLEMENTATION
1. Training of top management
2. Identification of FOOD SAFETY POLICY AND OBJECTIVES
3. Formation of inter disciplinary FOOD SAFETY TEAM & appointment
of Team Leader.
4. Development of documentation of the Quality Manual, Food Safety
Manual and procedures (including the following lower level
documents)
i. Emergency preparedness and response plan
ii. Product description including raw materials, ingredients and
food contact materials [also covering statutory & regulatory
requirements]
iii. Prerequisite Programmes (PRP)
iv. Quality Plan
v. Flow diagram, process steps, control measures, traceability
system
vi. Hazard assessment
vii. Selection and assessment of control measures
viii. HACCP Plan
ix. Operational Prerequisite programmes
x. Withdrawal programme (Product recall procedure)
xi. Formats

5. Training of Internal Auditors.
6. Implementation of the system
7. Internal Audits (Food Safety) as per the system and follow up
activities
8. Management Review Meetings
9. Pre-assessment audit by third party auditor
10. Audit by third party auditor and clearance of certification audit in
two phases
10.1 Pre assessment
10.2 Certification (valid for three years)

Part 4 INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS) ISO 27001

1) AIM: - A comprehensive information security management
system (ISMS) plays a critical role in ensuring the ability of your
organization to successfully face information security threats
from a wide range of sources and continue your operations. This is
due to the present-day trend of paperless offices and
businesses being too dependent on internet/e-mail
communication, wide area networks, etc. Being online can
sometimes be a nightmare. The sources of these threats may
include sabotage, espionage, vandalism, fraud, hacking, etc.
(remember the Gurgaon or the Bangalore BPO: Bank fraud
cases?)

The standard ISO 27001 lays down the principal elements and policies of
the organization’s information security system. These include risk
assessment and management, objectives for control of
information security practices and business continuity
management processes. The standard also asks the organization to
establish a comprehensive and balanced set of measurements
to monitor and review the performance of the information security
management system. Risk management and business continuity
management form the most important elements of the standard. These
help the management to determine the priorities for managing
information security risks and identify appropriate actions to address
these risks and to meet the requirements and expectations of interested
parties.

2) BENEFITS

➢ Commitment: certification serves as a guarantee of the
effectiveness of the effort put into rendering the organization secure
at all levels, and demonstrates the due diligence of its
administrators.
➢ Compliance: certification demonstrates to competent authorities
that the organization observes all applicable laws and regulations &
contractual requirements.
➢ Risk management: leads to a better knowledge of information
systems, their weaknesses and how to protect them. Equally, it
ensures a more dependable availability of both hardware and data.
➢ Credibility and confidence: Partners, Shareholders and
Customers are reassured when they see the importance afforded by
the organization to protecting information. Certification can help set
apart a company from its competitors and in the marketplace.
➢ Reduced costs related to information security breaches, and
possible reduction in insurance premiums.
➢ Improves employee awareness of information related issues and
their responsibilities within the organization.
➢ Better Business continuity and recovery from emergency
situations so as to meet SLAs.
3) SUMMARY OF THE STANDARD [CONTROL OBJECTIVES]

I. Information security policy
Provide management direction and support for information security.
Define corporate objectives for information security.

II. IT security organisation & 3rd party connections
Manage information security within the company. Maintain the security
of organizational information processing facilities and information assets
accessed by 3rd parties (suppliers, partners, customers).
Maintain the security of information when the responsibility for
information processing has been outsourced to another organization.

III. Assets classification and control
Determine and maintain appropriate protection of corporate assets.

IV. Personnel security
Reduce risks of human error, theft, fraud or misuse of facilities. Ensure
that users are aware of information security threats and concerns, and
are equipped to support the corporate security policy in the course of
their normal work. Minimize the damage from security incidents and
malfunctions and learn from such incidents.

V. Physical & environmental security
Prevent unauthorised access, damage and interference to business
premises and information. Prevent loss, damage or compromise of assets
and interruption to business activities. Prevent compromise or theft of
information and information processing facilities.

VI. Computer & network management
Ensure the correct and secure operation of information processing
facilities.
Minimise the risk of systems failures. Protect the integrity of software
and information.
Maintain the integrity and availability of information processing and
communications.
Ensure the safeguarding of information in networks and the protection of
the supporting infrastructure.
Prevent damage to assets and interruptions to business activities.
Prevent loss, modification or misuse of information exchanged between
organizations.

VII. System access control
Control access to information. Prevent unauthorized access to
information systems. Ensure the protection of networked services.
Prevent unauthorized computer access.
Detect unauthorised activities. Ensure information security when using
mobile computing and teleworking facilities.

VIII. System development & maintenance
Ensure security is built into operational systems. Prevent loss,
modification or misuse of user data in application systems. Protect the
confidentiality, authenticity and integrity of information. Ensure IT
projects and support activities are conducted in a secure manner.
Maintain the security of application system software and data.

IX. Business continuity planning
Counteract or prevent interruptions to business activities and to critical
business processes from the effects of major failures or disasters.

X. Compliance
Avoid breaches of any criminal or civil law, statutory, regulatory or
contractual obligations and of any security requirements.
Ensure systems security parameters, operating procedures etc. comply
with organisational security policies and standards.
Maximize the effectiveness of, and minimize interference to/from, the
system audit process.
4) STEPS IN IMPLEMENTATION OF ISMS
1. Training of top management
2. Identification of ISMS POLICY AND OBJECTIVES
3. Awareness training to all employees
4. Development of documentation (ISMS documents)
i. Identification of information assets
ii. Risk assessment methodology [including legal & contractual
requirements]
iii. Risk assessment
iv. Defining the scope of ISMS
v. Identifying the appropriate control objectives and controls
vi. Statement of applicability
vii. Risk treatment plan
viii. Procedures as per ISMS
ix. Business continuity Plan
x. Formats
5. Training of Internal Auditors.
6. Implementation of the documented system
7. Internal Audits (ISMS) as per the system and follow up activities
8. Management Review Meetings
9. Pre-assessment audit by third party auditor
10. Audit by third party auditor and clearance of certification audit in
two phases
10.1 Pre assessment
10.2 Certification (valid for three years)

SA8000
SA8000 is a global social accountability standard for decent working
conditions, developed and overseen by Social Accountability
International (SAI). Detailed guidance for implementing or auditing to
SA8000 is available from its website. SAI offers training in SA8000 and
other workplace standards to managers, workers and auditors. It also
operates an accreditation agency that licenses and oversees auditing
organizations to award certification to employers that comply with
SA8000.
Basis
SA8000 is based on the UN Universal Declaration of Human Rights,
Convention on the Rights of the Child and various International Labour
Organization (ILO) conventions. SA8000 covers the following areas of
accountability:
Child labour
Forced labour
Workplace safety and health
The right to organize
Discrimination
Workplace discipline
Working hours
Wages
Management system for Human Resources

Corporate social responsibility
Respect for human rights
Fair treatment for the workforce
Protecting the environment
Ethical behaviour of the organization
Being a good neighbour

Details of the standard

The first global standard for ethical sourcing
Designed for independent verification
A global standard, designed for use by any company, anywhere in the world
Has been developed with stakeholders
Is designed to take local laws and requirements into account
Certifications
More than 640,000 workers are employed in 1200 facilities certified to
SA8000, in 60 countries and 70 industrial sectors. The industrial sectors
with the most certifications include apparel and textiles; building
materials; agriculture; construction; chemicals; cosmetics; cleaning
services and transportation. The countries with the most certification to
SA8000 include Brazil, India, China and Italy.
The cost of acquiring a certification for a factory, farm or office varies with the number of
employees and the location. It can range up to 10-12,000 USD for large facilities.
Significance
Dominic A. Tarantino, Chairman of Price Waterhouse World Firm described SA8000 in
1998 as "the first ever universal standard for ethical sourcing... It provides a common
framework for ethical sourcing for companies of any size and any type, anywhere in the
world. SA8000 sets out provisions for issues such as trade union rights, the use of child
labor, working hours, health and safety at work, and fair pay." However, it does not address
broader issues of ecology or bribery or other issues which may require more consumer or
executive restraint. Tarantino further argued the need for moral leadership: "Pricing,
products and services are no longer the sole arbiters of commercial
success... it is business that must take the lead in taming the global
frontier. Business must take the lead in establishing rule of law in
emerging markets. Business must take the lead in stopping bribery.
Business must take the lead in bringing order to cyberspace. Business
must take the lead in ensuring that technology does not split the world
into haves and have nots."
Benefits
1. Fewer accidents
2. Enhanced opportunities to be organized
3. A way to address and improve the conditions where people work
4. Increased worker awareness about core labor rights
5. Enhanced communication to the management
6. Evidence that labor rights are good for society and business
7. Improved business practices lead to economic growth and new job
opportunities. A credible and effective way to put social responsibility
into action
8. Enhanced company and brand reputation
9. Improved employee recruitment, retention and performance
10. Gains in quality and productivity
11. Savings from fewer workdays lost and lower insurance bills
12. Less expensive than an internal compliance program
13. Better relationships among workers, trade unions, companies,
customers, NGOs and government
14. Clear, credible information for those who want to make ethical
purchasing decisions
15. Useful data for socially responsible investors
16. Identification of products made under humane conditions
17. Identification of companies making progress toward humane
conditions
18. Broad coverage of product categories and production geography

Why to implement SA8000
To differentiate and offer value to customers.
Driven by commitment to provide safe workplaces.
Set a global standard that complies with all local laws and customs.
